Policy Specification and Restricted Delegation in Globus Proxies

1
Policy Specification and Restricted Delegation in
Globus Proxies
Babu Sundaram, University of Houston
Christopher Nebergall, Western Illinois University
Steven Tuecke, Argonne National Laboratory
2
Background
  • Security Issues in 'Grids'
  • Users need a SINGLE SIGN-ON mechanism to gain
    access to the user's 'grid resources'
  • User credentials should never be passed
    insecurely across the network
  • Sites often have highly heterogeneous local
    policies
  • How do we meet these goals?

3
Background
  • Proxy: A short-lived credential that acts as a
    stand-in for the user
  • Can be used without user intervention
  • Created when the user signs on
  • Eliminates the need to have the user stay on-line
  • Why are proxies delegated?
  • To authenticate the user and acquire resources at
    a remote site without requiring the user's
    intervention
  • Delegated proxies can be further delegated to
    other sites indefinitely
  • There is a serious drawback

4
Motivation
  • Proxy credentials can be stolen!!!
  • ANYONE who steals your proxy credential can use
    it to impersonate YOU
  • ANY of your Grid resources can be acquired using
    the stolen credential until it expires
  • Proxy credentials lack the ability to carry
    fine-grained security policies and restrictions
    and thus can easily be abused

5
Motivating Example
  • Theft of Delegated Credentials

Machine A
  • Delegation of Full Proxy Credentials (Name: Jane Doe)
  • Full Proxy Credentials (Name: Jane Doe)

If full proxy credentials are stolen, they can be
used to impersonate their owner and allow access
to any site to which the owner has access.
Machine B
6
The Problem
  • The consequences of proxy credentials being
    compromised are drastic
  • With the existing setup, proxy credentials cannot
    carry security policies dictating their use
  • The use of proxy credentials is not restricted to
    particular sites or resources
  • We prototyped a solution for this problem for the
    GLOBUS TOOLKIT

7
Approach
  • Classified Advertisements (Classads)
  • A language for expressing and evaluating
    attributes
  • A product of Condor technology from the
    University of Wisconsin
  • Introduction
  • Attributes are named expressions
  • A classad is a set of attributes
  • Two classads can be evaluated for a match
  • A simple, flexible and efficient mechanism
  • Potentially, classads can be used to specify
    policies

8
Approach Cont.
  • Proxy credentials can be modified to carry
    security policies as X.509 certificate extensions
  • The extensions can be dropped into the proxy
    certificate by the user during the sign-on
    process
  • The extensions can be evaluated on the server
    side to check the validity of the proxy credential

9
Restricted Proxy Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2251 (0x8cb)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Christopher Nebergall
        Validity
            Not Before: Oct 20 19:34:43 2000 GMT
            Not After : Oct 29 07:39:43 2000 GMT
        Subject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Christopher Nebergall, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): Value Skipped
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.3536.1.1.1.1:
                StartTime = '9:00:00'
                EndTime = '17:00:00'
                ctime = CurrentTime ( )
                requirements = ( ctime StartTime ) ( ctime .
    Signature Algorithm: md5WithRSAEncryption
        Value Skipped

The extensions of the certificate contain a
classad which defines that this proxy certificate
can only be used from 10:00 A.M. to 5:00 P.M. but
the proxy is still valid for several days.
10
Restricted Proxy Example
  • Theft of Delegated Credentials

Machine A
  • Delegation of Restricted Proxy Credentials
  • Name: Jane Doe
  • Restriction: Sites = Machine A

Classad match failed: Access Denied!
  • Full Proxy Credentials (Name: Jane Doe)

Restricted proxy credentials contain restrictions
which prevent them from being used at unintended
sites.
Machine B
11
What can be specified as policies?
  • From the user perspective
  • Detailed time restrictions specifying when the
    proxy credential can be used
  • Restrictions specifying the sites where the proxy
    credential can be used and a list of sites from
    which the proxy can be delegated
  • Resources which can be accessed using the proxy
    credential
  • Simply, fine-grained usage specification in the
    proxy credentials to gain more protection if the
    proxy is compromised

12
What can be specified as policies?
  • From the perspective of the remote site
  • The time in which a specific user is allowed to
    login
  • The sites from which credentials can be accepted
  • The resources and the executables that the user
    is allowed to access

13
Other Restrictions
  • Intermediate Sites - A list of sites that a
    proxy can be trusted to be delegated through.
  • Globus Version - Restrictions based on the
    version of the software being run on the server.
  • Limited - If this flag is set the proxy can be
    used for authentication but not delegation
  • Executables - This is a list of executables that
    can be executed using a particular proxy

14
Site Policy Specification
  • Sites often have highly heterogeneous local
    policies
  • Using this mechanism, the site admins can specify
    time and resource restrictions for anyone
    accessing their site
  • These restrictions are placed in the Gridmap file
  • A dynamic server-side classad is created to match
    against when a client makes a request

15
Site Policy Specification
  • Gatekeeper Grid Map File
  • Subject = "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Christopher Nebergall"
  • login = "CNebergall"
  • UserTimeList =
      valid = false, start = '08:00:00', end = '18:00:00',
      valid = true, start = '08:00:00', end = '18:00:00',
      valid = true, start = '10:00:00', end = '20:00:00',
      valid = false, start = '08:00:00', end = '18:00:00',
      valid = true, start = '08:00:00', end = '18:00:00',
      valid = true, start = '08:00:00', end = '18:00:00',
      valid = false, start = '08:00:00', end = '18:00:00'
  • AccountValid = true
  • ctime = CurrentTime()
  • DayOfWeek = GetDayOfWeek(ctime)
  • TimeRequirements = UserTimeListDayOfWeek.valid
    ctime UserTimeListDayOfWeek.start
    ctime
  • Requirements = AccountValid TimeRequirements
    Other.dynamic.Subject
    self.Subject

Site policies can be specified in the Grid Map
file
16
Advanced Proxy Chaining
  • Further restrictions can be added every time the
    proxy credential is delegated
  • Once restrictions have been added they cannot be
    removed

P - Proxy Chain with restrictions a, b, and c
S - Server Restrictions with restriction a
Server (S)
Client
P(a,b,c)
The server's restrictions are compared against
every restriction in the proxy chain.
17
Significance and Applications
  • Added facilities for the user and site to specify
    policies for fine-grained control
  • Protection against compromised proxies
  • Proxies carry policies and hence promote more
    than simple authentication and authorization.
    Policies dictate their usage.
  • This work can easily be extended to support other
    similar mechanisms

18
Simple Example
CLIENT CLASSAD
  userName = babu
  targetSite = clarinet.mcs.anl.gov
  acceptFrom = bayou.uh.edu
  Requirements = true
SERVER CLASSAD
  Requirements =
    ismember(other.targetSite, myhost)
    ismember(other.acceptFrom, clienthost)
During a request for authentication, a match
between the two classads is evaluated to see if
the server is on the target site list and if the
client is on the accept from list.
Successful match: Authentication of client at
server side (which will happen only if this proxy
is presented by babu from bayou to clarinet).
Authorization would be based on a similar match
between client and GRAM / Job Manager Classads.
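
An added example, not part of the original slides or the Globus prototype: the match from the Simple Example slide combined with the chain rule from the Advanced Proxy Chaining slide, in Python. The dict representation of a classad, the function names policy_allows and evaluate_chain, the inclusive time comparison and the *.example hosts are assumptions made for illustration.

```python
from datetime import time

def ismember(value, allowed):
    """Membership test in the spirit of the slide's ismember(); a bare string is a one-item list."""
    return value in ([allowed] if isinstance(allowed, str) else allowed)

def policy_allows(policy, server_host, client_host, now):
    """Check one certificate's policy (a dict standing in for its classad extension)."""
    if "targetSite" in policy and not ismember(server_host, policy["targetSite"]):
        return False, f"server {server_host} is not a target site"
    if "acceptFrom" in policy and not ismember(client_host, policy["acceptFrom"]):
        return False, f"client {client_host} is not on the accept-from list"
    if "StartTime" in policy and "EndTime" in policy:
        # Assumption: both bounds are inclusive.
        if not (policy["StartTime"] <= now <= policy["EndTime"]):
            return False, f"{now} is outside the permitted hours"
    return True, "match"

def evaluate_chain(chain, server_host, client_host, now):
    """Every policy in the delegation chain must match, so a later link can
    add restrictions but can never lift one imposed earlier."""
    for depth, policy in enumerate(chain):
        ok, reason = policy_allows(policy, server_host, client_host, now)
        if not ok:
            return False, f"link {depth}: {reason}"
    return True, "match"

# Constructed sample chain: the client classad from the slide, followed by a
# delegated proxy that adds the 9:00-17:00 window from the certificate slide.
CHAIN = [
    {"userName": "babu", "targetSite": "clarinet.mcs.anl.gov",
     "acceptFrom": "bayou.uh.edu"},
    {"StartTime": time(9, 0), "EndTime": time(17, 0)},
]

if __name__ == "__main__":
    cases = [
        ("clarinet.mcs.anl.gov", "bayou.uh.edu", time(12, 0)),        # intended use
        ("clarinet.mcs.anl.gov", "other-host.example", time(12, 0)),  # presented from another host
        ("other-site.example", "bayou.uh.edu", time(12, 0)),          # presented to another site
        ("clarinet.mcs.anl.gov", "bayou.uh.edu", time(20, 0)),        # outside the time window
    ]
    for server, client, now in cases:
        print(server, client, now, evaluate_chain(CHAIN, server, client, now))
```

The returned reason names the chain link that failed, which is the detail a gatekeeper log would need to tell a misconfigured delegation from a proxy presented somewhere it was never meant to go.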
19
Acknowledgements
  • Douglas Engert (ANL)
  • Darcy Quesnel, Jarek Gawor, Stuart Martin, Gregor
    von Laszewski ( MCS, ANL)
  • Rajesh Raman, U of Wisconsin
  • Dr. Barbara M. Chapman, U of Houston

20
For more information ...
  • For further information
  • Contact Globus Research booth R186
  • Authors' contact e-mail
  • Babu Sundaram: babusun_at_bayou.uh.edu
  • Christopher Nebergall: ct-nebergall_at_wiu.edu
  • Steven Tuecke: tuecke_at_mcs.anl.gov