Grid Security: What is it? Where is it going? Why?

1
Grid SecurityWhat is it?Where is it going?Why?

• Von Welch
• vwelch_at_ncsa.uiuc.edu
• National Center for Supercomputing Applications
• Globus Alliance

2
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

3
Authentication, Authorization, Delegation
4
Public Key Infrastructure

• Used in almost all Grids today
• Allows for two entities to authenticate with
  minimal cross-organizational supprt
• Based on asymmetric cryptography
• Private and Public Key
• Public key is encoded in a Certificate by a
  Certificate Authority (CA)
• Certificate and Private key are used to establish
  identity

5
Certificates

• Allow for binding of an Identity (John Doe) to a
  key or person

6
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

7
Grid Securitys goal is to support the virtual
organization.
Site D
Site A
Site C
Site B
8
Example NSF TeraGrid
9
Instrumented Structures and Sites
Remote Users
Simulation Tools Repository
High-Performance Network(s)
Laboratory Equipment
Field Equipment
Curated Data Repository
Leading Edge Computation
Global Connections (FY 2005 FY 2014)
Remote Users (K-12 Faculty and Students)
Laboratory Equipment
10
Controlled Resource Sharing

• Globally
• User must agreeto AUP
• User must use strong authentication

ComputeCenter
20 Mbytes/sec max
BIO VO
5pm-9amonly
HEP VO
100 Tbytes max
20 Tflops per month max
Chem EngVO
11
Grid Authorization Flow
VO
User
Resource
Process
12
So, what are the challenges?

• Resources being used may be valuable the
  problems being solved sensitive
• Both users and resources need to be careful
• VOs arent static
• Large, dynamic, unpredictable
• VO Resources and users are often located in
  distinct administrative domains
• Cant assume cross-organizational trust
  agreements
• Different mechanisms, trust roots credentials
• X.509 vs Kerberos
• Different CAs
• X.509 attribute certs vs SAML assertions

13
More challenges

• Interactions are not just client/server, but
  service-to-service on behalf of the user
• Requires delegation of rights by user to service
• Services may be dynamically instantiated
• Standardization of interfaces to allow for
  discovery, negotiation and use
• Implementation must be broadly available
  applicable
• Standard, well-tested, well-understood protocols
  integrated with wide variety of tools
• Policy from sites, VO, users need to be combined
• Varying formats SAML, XACML, local custom, etc.
• Want to hide as much as possible from
  applications!

14
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

15
Grid Security Infrastructure (GSI)

• Open source libraries, tools and standards which
  provide security functionality of the Globus
  Toolkit
• Provides for cross-organizational
• Authentication
• Message protection
• Authorization
• Single sign-on

16
GSI Stack

• GSI uses a standard PKI for identity
  certificates.
• Each entity (user, service) has an X.509
  certificate from a CA that uniquely names it.

PKI (Certs, CAs)
17
GSI Stack

• SSL, using the certificates, is used as the
  network protocol
• Performs authentication, like in the web, but
  client as well as server
• Also provides message protection as needed
  (integrity, encryption)

SSL
PKI (Certs, CAs)
18
GSI Stack

• X.509 Proxy Certificates are our extension
• Standardized in IETF (pkix)
• Allow for dynamic delegation

X.509 Proxy Certificates
SSL
PKI (Certs, CAs)
19
GSI Stack

• Grid-Mapfile maps Grid users (identified by
  certificates) to local users (e.g. Unix account)
• Allows authorization using normal local methods
  (e.g. filesystem perms, quotas)

Grid-Mapfile
X.509 Proxy Certificates
SSL
PKI (Certs, CAs)
20
GSI-Enabled Coordination
Site B
Site C
Proxy Certificate
Allows for delegation to allow for coordinated
resource Usage.
Allows for standard authentication method
Site A
21
Grid Security Services

• How does a site with an existing sophisticated
  security infrastructure leverage that for Grids?
• E.g. Kerberos
• How do I carry X.509 credentials around with me?
  How do I use with non-GSI aware applications?
• E.g. Web portals?
• How does a VO manage the resources contributed to
  it?

22
Kerberos CA Grid access from Krb5
KCA
Krb5 to Grid ID Mappings
Krb5 Ticket
X509 Certificate
GSI
Kerberos User
Grid Site

• Allows use of Kerberos credentials to geton the
  Grid
• In use at FNAL, USC

KRB5 Resources
23
MyProxy Credential Wallet
MyProxy
Username Password
Web Server
Username Password
Username Password

• Allows users to acquire Grid credentials from
  Username/Password
• Enables mobility anduse of non-GSI
  awareapplications

The Grid
24
Community Authorization Service (CAS)
VO decides how its users Can use those resources.
Resources are Contributed to VO From a number of
sites
CAS
CAS Gives user Assertion Granting access
VO User requests access
User presents assertion to resource to gain access
CAS Allows VO to set Fine-grain access policy on
its resources
25
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

26
Grid EvolutionOpen Grid Services Architecture

• Goals
• Refactor Globus protocol suite to enable common
  base and expose key capabilities
• Service orientation to virtualize resources and
  unify resources/services/information
• Embrace key Web services technologies for
  standard IDL, leverage commercial efforts
• Result standard interfaces behaviors for
  distributed system mgmt the Grid service
• Standardization within Global Grid Forum and
  OASIS
• Open source commercial implementations

27
The Grid Service

• Use WSDLto advertiseinterface
• WS-Policyto advertisesecurityrequirements(Krb
  5, GSI,etc.)
• Allow forautomateddiscoveryand binding

• Hostingenvironmenthandles msgsincludingauthen
  tication,msg protection,authorization,etc.
• Allows appdeveloper tofocus on app-specific
  logic.

Application
Interface
Hosting Environment
28
Based on Standards

• Web Services
• SOAP
• WSDL
• Extensions (follow-on to OGSI)
• WSRF
• Lifetime control
• WS-ResourceProperties
• Expose state
• WS-Notification
• WS-ServiceGroup
• WS-RenewableReference

29
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

30
Leverage existing/emerging Security Standards

• WS-Security/Policy/Trust/Federation/Authorization
  /SecureConversation/Privacy
• XKMS, XML-Signature/Encryption, SAML, XACML, XrML
• But
• Need to OGSAfy
• Need to define Profile/Mechanisms
• Need to define Naming conventions
• Need to address late/missing specs
• Support for delegation, transient services

31
WS SecurityCurrent/proposed WSS-specs
WS-Secure Conversation
WS-Authorization
WS-Federation
WS-Policy
WS-Trust
WS-Privacy
WS-Security
In progress
SOAP Foundation
proposed
promised
32
Current/proposed specs Building on the SOAP
Foundation
Today describes SOAP extensions for secure
messaging, provides foundation for other building
blocks
WS-Security
SOAP Foundation
33
Current/proposed specs Building on the SOAP
Foundation
Today how to express capabilities and
constraints of security policies. Along with
WS-SecurityPolicy, WS-PolicyAsserts,
WS-PolicyAttachment
WS-Policy
WS-Security
SOAP Foundation
34
Current/proposed specs Building on the SOAP
Foundation
Today describes the model for establishing both
direct and brokered trust relationships
(including third parties and intermediaries)
WS-Policy
WS-Trust
WS-Security
SOAP Foundation
35
Current/proposed specs Building on the SOAP
Foundation
Today how to manage and authenticate message
exchanges between parties including security
context exchange and establishing and deriving
session keys
WS-Secure Conversation
WS-Policy
WS-Trust
WS-Security
SOAP Foundation
36
Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
Planned will be a model for how users state
privacy preferences, and for how Web Services
state and implement privacy practices
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
37
Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
WS-Federation
Planned will describe how to manage and broker
the trust relationships in a heterogeneous
federated environment including support for
federated identities
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
38
Current/proposed specs Building on the SOAP
Foundation
WS-Secure Conversation
WS-Federation
WS-Authorization
Planned will define how Web services manage
authorization data and policies
WS-Policy
WS-Trust
WS-Privacy
WS-Security
SOAP Foundation
39
WS SecurityCurrent/proposed WSS-specs
WS-Secure Conversation
WS-Authorization
WS-Federation
WS-Policy
WS-Trust
WS-Privacy
WS-Security
In progress
SOAP Foundation
proposed
promised
40
Other Standards

• SAML looks good for assertions
• XACML as language for policy exchange?
• But dont fit nicely together (NASA work).
• SAML 2.0 will hopefully help.
• XACML delegation of rights?
• XrML
• Another policy language
• Liberty Alliance
• Federated Identity like WS-Federation

41
WS Security(Confusing Picture)
Liberty Alliance
XrML
WS-Secure Conversation
WS-Authorization
WS-Federation
XACML
WS-Policy
WS-Trust
WS-Privacy
SAML
WS-Security
In progress
SOAP Foundation
proposed
promised
42
How does all this fit into Grids?

• WS-Policy/XACML/XrML for expressing security
  constraints
• What credentials (Kebreros, GSI) are accepted and
  preferred
• Encryption supported? Required? Rejected?
• WS-Authorization/XACML/XrML for managing
  authorization data
• e.g. in CAS
• WS-Privacy (?) for managing privacy

43
OGSA Security Roadmap Goal

• Address the Grid Security Architecture
  Requirements
• Make Implementations Possible
• Address Interoperability
• Address Pluggability/Replaceability
• Address missing/late/insufficient Standards
• OGSA Security Roadmap
• submitted to GGF co-authored with IBM

44
OGSA Security

• Security implemented by pluggable security
  services
• Usable by clients and services
• Allow for more agnostic approach to security
  mechanisms
• As implementations are created for a mechanism
  they can be plugged into existing tools to enable
  use.
• Applications and services can examine published
  security policies and convert/acquire credentials
  as needed

45
Remove Security from Applications

• Allow deployment-time selection of supported
  mechanisms and policies
• OGSA resource virtualization allows for policy on
  application-independent operation invocation
• Place as much security functionality as possible
  into sophisticated hosting environments

46
Transparent Call-outs from WS-Stubs
47
Outline

• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures

48
Whats actually in GT3?

• SOAP-based wire protocol
• WS-Security (XML-Signature, XML-Encryption) for
  authentication, message protection
• GSI-SecureConversation
• Based on GT2s TLS/GSSAPI implementation
• Based on a poor-mans interpretation of
  WS-Trust/WS-SecureConversation specs plus
  XML-Signature/XML-Encryption/WS-Security
• Waiting for WS-Trust WS-SecureConversation
  WS-Kerberos specs to be submitted to standards
  body

49
Whats Actually in GT3?

• SAML assertions in Community Authorization
  Service (GT 3.2)
• Allow VOs to set and distribute policy on file
  access
• Standardized Proxy Certificates
• Java and C implementations
• Java based on Axis with security implemented in
  handlers

50
GT Security Futures (1)

• Authorization is KEY for the coming year
• Includes communicating/sharing/matching of
  authz-policies and capabilities
• Profiles for Attributes
• Standards for authorization services
• GGF OGSA Authorization WG
• Restricted Delegation
• By service and operation
• By domains

51
GT Security Futures (2)

• Securely route through firewalls/network-hurdles
• Tackle the firewall/NAT traversal issues
  transparently in the runtime
• Integration of Group authentication/key-exchange
  protocols
• Going from 2 parties to N parties should be
  seamless
• Secure Logging and Audit
• Another undefined, unstandardized missing link
  while the requirements are there!

52
Conclusion

• Grids requirements maybe few years ahead, but
  industry will face same challenges soon
• Few new distributed computing requirements
• Our security requirements are conceptually 1-2
  levels above what is available now as
  specifications, standards and open source
• Ideally, we want to be end-users of WSS not
  plumbers
• The standards circus is very worrisome
• And distracting and time consuming
• Come help us at the Global Grid Forum
• Exciting security stuff!
• We need your help (www.ggf.org)
• Play with the Globus Toolkit (GT3.2)
• Downloaded 100k times already (www.globus.org)

53
Thanks

• Many colleagues at Argonne, NCSA, ISI PDC
• Frank Siebenlist, Sam Meder, Olle Mulmo, Leaur
  Pearlman, Jarek Garow, Jim Basney, Steve Tuecke,
  Ian Foster, Carl Kesselman, Rachana
  Ananthakrishnan and many others.
• Funding from DOE, NSF and IBM
• Questions?