GT4 Security Tutorial

About This Presentation

Title:

GT4 Security Tutorial

Description:

... data is the signature ... XML Signature using private key. XML Encryption using public key. Replay ... Signature and encryption using symmetric key ... – PowerPoint PPT presentation

Number of Views:100

Avg rating:3.0/5.0

Slides: 115

Provided by: glo5

Category:

more less

Transcript and Presenter's Notes

Title: GT4 Security Tutorial

1
GT4 Security Tutorial

Rachana Ananthakrishnan
Charles Bacon

2
Presentation 1

Encryption
Signature
Certificates

3
Encryption

Encryption is the process of taking some data and
a key and feeding it into a function and getting
encrypted data out
Encrypted data is, in principal, unreadable
unless decrypted
Decryption is the reverse process

4
Asymmetric Encryption

Encryption and decryption functions that use a
key pair are called asymmetric
Data is encrypted with one key, the other key
must be used to decrypt the data
And vice versa

Data
Data
Decrypt
Encrypt
Encrypt
Decrypt
Data
Data
5
Public and Private Keys

With asymmetric encryption each user can be
assigned a key pair a private and public key

Public key is given away to the world
Private key is known only to owner
6
Public and Private keys

Anything encrypted with the public key can only
be decrypted with the private key
And vice versa
Since the private key is known only to the owner,
this is very powerful.

Data
Encrypt
Decrypt
Data
7
Digital Signatures

Digital signatures allow the world to
determine if the data has been tampered
verify who created a chunk of data

8
Digital Signatures
Run whoami

Digital signatures are generated by
Creating hash of the data
encrypting the hash with my private key
The resulting encrypted data is the signature
This hash can then be decrypted only by my public
key

Hash
Encrypt
Signature
9
Digital Signature

Recipient of data and signature
Compute hash of data
Decrypt signature to get hash
Compare hash to see if they match

Hash
Compute Hash
Run whoami
?
Decrypt
Hash
Signature
10
Public Key Infrastructure (PKI)

PKI allows you to know that a given public key
belongs to a given user
PKI builds off of asymmetric encryption
Each entity has two keys public and private
The private key is known only to the entity
The public key is given to the world encapsulated
in a X.509 certificate

11
Certificates

A X.509 certificate binds a public key to a name
It includes a name and a public key (among other
things) bundled together and signed by a trusted
party (Issuer)

12
Certificates

Question Who signs certificates?
Answer A small set of trusted entities known as
Certification Authorities (CAs)

Name Validity Public Key
Issuer?
13
Certification Authorities (CAs)

A Certification Authority is an entity that
exists only to sign user certificates
The CA signs its own certificate which is
distributed

14
Certification Authorities (CAs)

The public key from the CA certificate can then
be used to verify issued certificates

Name Issuer Validity Public Key Signature
Hash
Hash
?
Decrypt
Hash
15
Certificate Policy (CP)

Each CA has a Certificate Policy (CP) which
states
who it will issue certificates to
how it identifies people to issue certificates to
Lenient CAs dont pose security threat, since
resources determine the CAs they trust.

16
Requesting a Certificate

To request a certificate a user starts by
generating a key pair
Private key is pass-phrase protected

17
Certificate Request

The user then signs their own public key to form
what is called a Certificate Request
Email/Web upload

Sign
Certificate Request Public Key
18
Registration Authority (RA)

The user then takes the certificate to a
Registration Authority (RA)
Vetting of users identity
Often the RA coexists with the CA and is not
apparent to the user

Registration Authority
Certificate Request Public Key
State of Illinois
ID
19
Certificate Issuance
Certificate Request Public Key

The CA then takes the identity from the RA and
the public key from the certificate request
It then creates, signs and issues a certificate
for the user

Registration Authority
Name
CA
Name Issuer Validity Public Key Signature
20
Certificate Revocation

Why revoke
Key compromised
Malicious user
Certificate Revocation Lists
List of serial numbers revoked
Signed by CA
Periodic Updates

21
GSI Proxy Credentials

Proxy credentials are short-lived credentials
created by user
Proxy signed by certificate private key
Short term binding of users identity to
alternate private key
Same effective identity as certificate

SIGN
22
GSI Proxy Credentials

Stored unencrypted for easy repeated access
Chain of trust
Trust CA -gt Trust User Certificate -gt Trust Proxy
Key aspects
Generate proxies with short lifetime
Set appropriate permissions on proxy file
Destroy when done

23
Exercise 1

Acquiring a certificate
Starting a webservices container

24
The Exercise Code

Well be starting with a GT4 counter service and
adding different kinds of security to the service
and clients
To start, well need to get an X.509 certificate
and install the GT4 webservices container
All your exercise instructions are in the
student-notes.html file
Follow the instructions until you get to the
beginning of Exercise 2

25
Exercise Corrections

Files are in HOME rather than HOME/tutorial
GT core file is gt-install.tar.gz rather than
ws-core.gz
If your machines date is incorrect, please
contact us so we can fix it

26
Presentation 2

Authentication
Message Protection
Security Descriptors

27
Introduction

Authentication
Establishing identity of remote entity
Prove holder of private key corresponding to
presented certificate
Message Protection
Integrity of message, digital signatures
Privacy of message, encryption

28
Authentication Schemes

GSI Secure Message
Each individual message is secured
XML Signature using private key
XML Encryption using public key
Replay Attack Prevention
Performance hits due to XML handling

29
Authentication Schemes

GSI Secure Conversation
Handshake to establish secure context
Signature and encryption using symmetric key
Anonymous access support
Most effective on repeated use of context
GT initializes Apache XML Security Library
appropriately

30
Authentication Schemes

GSI Secure Transport
Secure Sockets
Encryption and signature using symmetric key
https protocol
Standalone container-level configuration
Default configuration
If routed, end to end security is not feasible

31
GT4 Server-side features

Configure required authentication as policy
At service or resource level
Programmatic or security descriptors
Message Protection options
Integrity and Privacy
Server response
Same authentication scheme as request

32
GT4 Client-side features

Configurable client side authentication
Per invocation granularity
Properties on the Stub
Programmatically or Security Descriptors
Message Protection options
Integrity and Privacy
Default Integrity protection

33
Security Descriptor Overview

GT way of configuring security properties
Declarative security
Configure properties in files
Programmatic security
Descriptors as Java objects
Types of descriptors
Container
Service
Resource
Client

34
Container Security Descriptor

Configured in global section of deployment
descriptor
GLOBUS_LOCATION/etc/globus_wsrf_core/server-confi
g.wsdd
Parameter containerSecDesc
Can be done only in this file
Programmatically created
Only one instance of container security
descriptor per JVM
Initialized at container startup only

35
Service Security Descriptor

Services deployment descriptor as file
Parameter securityDescriptor
Loaded as file or resource stream
Programmatically in service constructor
Initialized from file only on service
initialization
Can be programmatically altered at any time

36
Service Descriptor Example

Method specific authentication policy
ltmethod name"createCounter"gt
ltauth-methodgt
ltGSITransportgt
ltprotection-levelgt
ltprivacy/gt
lt/protection-levelgt
lt/GSITransportgt
lt/auth-methodgt
lt/methodgt
Default authentication policy
ltauth-methodgt
ltnone/gt
lt/auth-methodgt

37
Resource Security Descriptor

Resource descriptor set programmatically
Load from file or use ResourceSecurityDescriptor
object
Security Framework does not load or initialize
Identical to service security descriptor
Can be loaded as file or resource stream

38
Client Security Descriptor

Security descriptor file
((Stub)port).setProperty(Constants.CLIENT_DESCRIPT
OR_FILE, fileName)
Absolute path or as resource stream or relative
to GLOBUS_LOCATION
Security descriptor object
((Stub)port).setProperty(Constants.CLIENT_DESCRIPT
OR, instance of ClientSecurityDescriptor)

39
Client Descriptor Example

ltGSISecureConversationgt
ltprivacy/gt
lt/GSISecureConversationgt
ltGSISecureMessagegt
ltintegrity/gt
lt/GSISecureMessagegt
GSI Secure Transport, based on protocol https

40
Exercise 2

Service Security Descriptor
Starting a webservices container

41
The Exercise Code

In this exercise we will take a simple counter
service with create/add/subtract/query operations
and add authentication
To do this, we will first add a service security
descriptor to add authentication to the
operations
Then we will modify the four clients to use the
appropriate kinds of authentication

42
Adding the service sec. desc.

To add the security descriptor to the service,
first we add a securityDescriptor property to the
server-config.wsdd
Then we will edit the securityDescriptor file to
define the kinds of authentication we want
Because we want to show as much variety as
possible, well set a number of different
authentication methods on the different operations

43
Adding the client sec. desc.

For the clients, we need to make the
authentication method correspond to the matching
operations authentication method
Well use both the Stub/properties approach and
the client-side descriptor approach

44
Presentation 3

Authorization

45
Introduction

Authorization
Determine if said entity can perform a said
action on a said resource
Without this, any entity with valid certificate
can access resource
Authentication required before authorization

46
Server-side Authorization Framework

Establishes if a client is allowed to invoke an
operation on a resource
Only authenticated calls are authorized
Attribute-based Authorization
Identity and Properties of an entity used in
decision making
Authorization policy configurable at resource,
service or container level

47
Server-side Authorization Components

Policy Information Points (PIPs)
Collect attributes (subject, action, resource)
Policy Decision Points (PDPs)
Evaluate authorization policy
Authorization Engine
Orchestrates authorization process
Enforce authorization policy
Combining algorithm to renders a decision

48
GT 4.0 Authorization Framework
Message Context (store attributes)

Permit
Permit
Deny
Permit
Appropriate Authorization Engine
Deny
Permit
Authorization Handler
Authentication Framework
Identity and public credential of client
49
PIP Examples

X509 Certificate details as attributes
Method parameters as attributes
Attributes from an attribute service
VOMS, Shibboleth

50
PDP Examples

Self Authorization
Same identity as remote entity
Gridmap Authorization
Entry in configuration file, gridmap file
Mapping from DN to local account
Identity Authorization
Matches configured identity

51
Descriptor Configuration

Container/Service/Resource descriptor
ltauthz valuens1org.globus.someAuthz, gridmap,
ns2org.globus.testAuthz"/gt
Precedence order
Parameters
Configured in deployment descriptor
Prefix and parameter name
ltparameter namens1fileName valuesomeFile/gt
Exception is gridmap

52
Client-side Authorization

Determines if said service/resource is allowed to
cater to the clients request
Pluggable authorization scheme
Defined interface, implement custom schemes
Configured as property on stub or using security
descriptors
Examples Self, Host, Identity, None
Default Host

53
Client-side Authorization

GSI Secure Transport
Done after handshake is completed
GSI Secure Conversation
Done after handshake is completed
GSI Secure Message
Done after operation is complete
Use encryption to ensure correct server
Use client-side authorization to validate response

54
Client Descriptor Example

Authorization Element
ltauthz valueself/gt
Values
none
host
self
Expected DN as string
Does not support custom authorization
configuration

55
Exercise 3

Adding authorization to the service
Adding authorization to the clients

56
The Exercise Code

This exercise will make the client and service
both perform self authorization
First, exchange CounterService endpoints with a
neighbor, and see that you can create/add/subtract
/query/destroy on your neighbors service
Then add self authorization to the service and
client

57
Benefits of Self Authorization

Dont forget that this authorization is mutual!
Your client will reject a service if you are
somehow tricked into reaching a service that
isnt being run with your identity
Your service will reject clients who are not
running with your identity

58
Presentation 4

Resource Security

59
Resource-level Security

Security Properties
Credentials
Authentication policy
Authorization policy
Resource Security Descriptor
Similar to service security descriptor
From file or programmatically
Highest precedence

60
Writing Secure Resource

public class TestResource implement
SecureResource
ResourceSecurityDescriptor desc null
public TestResource()
this.desc new ResourceSecurityDescriptor(desc
FileName)
public ResourceSecurityDescriptor getSecurityD
escriptor()
return this.desc

this.desc new ResourceSecurityDescriptor() //
set properties programmatically this.desc.setGridM
ap(new GridMap())
61
Resource Security Descriptor

Toolkit does not initialize, up to resource
developer
Authorization parameters programmatically set
ResourceSecurityConfig class
Hashmap of properties

62
Presentation 5

Secure Notifications

63
Notifications

Server side
Resource property is exposed as notification
topics
Service has subscribe operation port type
Operation provider SubscribeProvider
Client side
Consumer, embedded container
Notification callback

64
Notification
EPR
subscribe(EPR)
Notification Consumer Manager
NotificationCallback
65
Notification Security

Client side
Secure container
Secure consumer resource
Secure subscribe invocation
Server side
Secure subscribe operation
Secure notification
Only one container descriptor per JVM

66
Exercise 4

Adding auth/authz to resources
Gridmap authorization

67
The Exercise Code

What if we want other clients to access our
counters?
In this exercise, well let a list of authorized
clients access our counters
Creating new counters will still be self
authorized
New users will be added to the authorization list
(or gridmap) via the addAuthorizedDN operation

68
SecureTutorial CounterService

Well add the addAuthorizedDN operation to the
service
The service will, in turn, call the
addAuthorizedDN operation on the counter resource
The resource will implement SecureResource and
set a PolicyDecisionPoint (PDP) with the
GridMapAuthorization class

69
Gridmap authorization

The gridmap authorization on the resource will
let the authorized users use the
add/subtract/query operations
But dont forget that authorization is mutual!
We cant use the self authorization on the client
for this exercise, because well be interacting
with services running under other identities

70
Exercise Notes

Shared EPR at
/eprs/shared/lab-
Example /eprs/shared/lab-16

71
Exercise 5

Notification security

72
The Exercise Code

Almost all of the new code in the exercise is
just to produce/consume notifications
The security is handled via a descriptor on the
service side, and Stubs on the add client

73
Presentation 6

Credential Configuration
Host Authorization

74
Types of Credentials

User
Private key is encrypted
Cannot be directly used in GT
Proxy
Both keys in same file
Private key unencrypted
Host
Private key unencrypted.
Typically protected by file system priviledges
Service
Similar to host key

75
Descriptor Example

Can be configured in any descriptor file, server
and client side
Proxy file name
ltproxy-file valueproxy file/gt
Certificate and key filename
ltcredentialgt
ltkey-file valuekey file"/gt
ltcert-file valuecertificate file/gt
lt/credentialgt
Absolute file name, as resource stream, relative
to GLOBUS_LOCATION

76
Related Utility API

To get resource credential
SecurityManager.getManager().getResourceSubject()
To get service credential
SecurityManager.getManager().getServiceSubject()
To get container credential
SecurityManager.getManager().getSystemSubject()
To get effective credential
SecurityManager.getManager().getSubject()

77
Host Authorization

Expect host certificates used by remote entity
Typically container or service
Reverse resolution IP to hostname

78
Presentation 7

Anonymous Access

79
Secure Transport Anonymous

Client does not need certificates
Service explicitly should allow such access
Authorization mechanism might fail

80
Presentation 8

GSI Secure Message

81
Secure Message Encryption

Encrypt with public key of remote entity
Host certificates, use hostcert.pem
User certificates, use usercert.pem
But encrypted private key, so not feasible in
practice
Proxy certificates, use same proxy certificate!
Internally symmetric key is generated for
performance reasons
Privacy better than integrity
since client authorization done after operation
is invoked

82
Exercise 6

Acquire hostcerts
Setup host authorization for clients
Add service-wide gridmap

83
The Exercise Code

The last time we used our neighbors service, we
used None authorization on the client. We can do
better!
Well get a host certificate, and set it as the
default identity container-wide. Remember that
we can override at the service/resource level if
we want

84
Service gridmap

We will also setup a service-level gridmap. This
will let us have authorized users create and
destroy counters without having to use something
like addAuthorizedDN
On the client side, we will only change to Host
authorization. The client will expect a hostname
that matches the IP address in the certificate
subject

85
Exercise 7

Anonymous access

86
The Exercise Code

This is a brief exercise to show how to anonymous
access works
Well show that clients dont need a proxy to use
anonymous access
Well also show how unauthenticated operations
bypass authorization, allowing anonymous clients
to access them
getValue is okay to expose to the world, but this
lets us keep https//

87
Exercise 8

GSI Secure Message

88
The Exercise Code

This is a brief exercise to show how to setup GSI
Secure Message security
Well need to have a copy of the services public
key (in this case, the hostcert.pem we just
setup) available to the client
The exercise also demonstrates the post-operation
authorization

89
Presentation 9

Delegation
Run-As Configuration

90
Delegation

Empower an entity with rights of another
Typical scenario
Client empower server
One service empower another
Use of proxies for delegation

91
GSI Delegation
Certificate Request
Certificate
Delegated Credential
92
Delegation

Types of delegation
Limited
Full
Services can choose to reject limited proxies
Per service or resource configuration
Applies to all methods
Clients can control delegation path length
Limits misuse

93
Delegation

Secure Conversation
Can delegate as part of protocol
Extra round trip with delegation
Full or limited delegation
Client side authorization is required
Secure Message and Secure Transport
Cannot delegate as part of protocol

94
Run As Configuration

Determines credential to associate with operation
Significant when callouts are used
Options system, service, resource, caller
Default resource
With caller, delegation required

95
Exercise 9

Delegation
The Bank Service

96
The Exercise Code

This new service models a very simple bank
account.
Bank Factory Service can create accounts for
users and also stores number of accounts created
Users can then deposit and withdraw funds
The depost/withdraw operations highlight run-as,
operating under the callers identity

97
Presentation 10

Delegation Service

98
Delegation Service

Higher level service stores delegated credential
Two remote operations
Delegate
Refresh
Delegated credential as WSRF resource
Protected with resource security

99
Delegation Service

Client delegates and gets EPR
EPR as part of invocation to service
Service uses EPR to get credential
Client can refresh credential

Hosting Environment
Service1
Resources
Service2
EPR
Delegation Service
Service3
Delegate
Refresh
Refresh
EPR
Delegate
Client
100
Delegation Service

Two ways to get delegated credential
Use Delegation EPR to get credential
Register a listener to get refresh updates
Advantages of Delegation Service
Shared across multiple invocations
Shared across multiple services
Authentication protocol independent

101
Exercise 10

The Delegation Service
The Finance Service

102
The Exercise Code

Pretend that we want to run a retirement planning
service
The user wants to let us access the their bank
account so we can tell them when they can retire
To accomplish this, they will create a delegated
credential in the Delegation Service, then allow
our finance service to access it

103
The Exercise Code

This new service models a very simple bank
account. You can create accounts, then deposit
and withdraw funds
The depost/withdraw operations highlight run-as,
operating under the callers identity

104
The Finance Service

Our Finance Service also rejects limited proxy,
so the client needs to delegate full proxies
Our simple Finance Service only takes an interest
rate and number of years, then computes the
result of that interest rate applied to that
account for that number of years

105
Presentation 11