X.509 Proxy Certificates for Dynamic Delegation - PowerPoint PPT Presentation

About This Presentation
Title:

X.509 Proxy Certificates for Dynamic Delegation

Description:

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven Tuecke, – PowerPoint PPT presentation

Number of Views:66
Avg rating:3.0/5.0
Slides: 21
Provided by: illi53
Category:

less

Transcript and Presenter's Notes

Title: X.509 Proxy Certificates for Dynamic Delegation


1
X.509 Proxy Certificates for Dynamic Delegation
  • Ian Foster, Jarek Gawor, Carl Kesselman, Sam
    Meder, Olle Mulmo, Laura Perlman, Frank
    Siebenlist, Steven Tuecke,Von Welch
  • (Presenter vwelch_at_ncsa.uiuc.edu)

2
Outline
  • Problem Statement, Motivations, Approach
  • Proxy Certificate Solution
  • What are they?
  • What can they do?
  • Status Standardization, Implementation,
    Deployment

3
Use Case
Domain C
Data Store
Domain B
Doman A
Job Broker
Job
Domain D
4
Motivation
  • Dynamic Delegation
  • Run-time decision on who and what
  • Support late binding of jobs to resources
  • Dynamic Entities
  • Entities (e.g. Jobs) created at same time
  • Single Sign On
  • Avoid repeated manual authentication
  • Easy (user-driven) cross-domain use

5
Approach
  • Start with PKI
  • Aids cross-domain trust issues since trust
    relationships can be set up by individual
  • Build off of existing standards
  • Needs to be easily understood by security folks
    at many sites
  • Ease of implementation
  • Use with existing PKI libraries as much as
    possible
  • Start with identity-based authz systems

6
Our solution Proxy Certificates
  • Allow users to delegate on the fly by granting
    other entities the right to use their name
  • Prototypes in 98
  • Standardized in IETF/PKIX 2004
  • Fully implemented, deployed and widely used

7
Proxy Certificates
  • Same format as X.509 Public Key Identify
    Certificate, but signed by user (or another proxy
    certificate)
  • Name scoped to issuers name
  • Support restricted delegation from issuer to
    bearer
  • Includes critical extension to identify as Proxy
    and express delegation

8
Certificate attribute X.509 Public key certificate X.509 Proxy Certificates
Issuer/ Signer A certification authority A public key certificate or another Proxy Certificate
Name Any as allowed by issuers policy Unique, scoped to namespace defined by issuers name
Delegation from Issuer None Allows for arbitrary delegation policies
Key pairs Uses unique key pair Uses unique key pair
9
ProxyCertInfo Extension
  • Critical X.509 Extension
  • Identifies a certificate as a Proxy Cert
  • Allows issuer to express delegation intentions

10
ProxyCertInfo Delegation Policy
  • Does not specify any method of expression
  • No language will be right for everyone all the
    time
  • Instead OID to identify language and
    language-specific field
  • Any language can be used as long as understood by
    relying party
  • Two methods defined All and none

11
Single Sign On
  • User creates key pair locally
  • Signs new public key with identity private key
  • Gives short life span
  • E.g. 8 hours
  • Probably all rights
  • Allows for weak (filesystem) protection of
    private key and easy use

12
Delegation
13
Performance and Security Issues
  • Proxy generate requires key pair generation
  • Those accepting delegation must take care to
    prevent DoS
  • Validate delegation request before generating key
    pair

14
Authorization Methods
  • All rights/impersonation
  • Works great if you dont mind ignoring least
    privilege
  • Delegation with restrictions
  • Issue How does authentication mechanisms know
    restrictions will be enforced?
  • Identity from Proxy Certificate plus addition
    assertions to grant rights

15
Standardization Status
  • Proxy certificates have passed PKIX and IETF last
    calls
  • Awaiting editorial process to become RFC
  • Latest version is draft-ietf-pkix-proxy-10
  • http//www.ietf.org/internet-drafts/draft-ietf-pki
    x-proxy-10.txt
  • Defines specifics of Proxy certificate creation
    and path validation

16
Implementation
  • Fully implemented in Globus Toolkits Grid
    Security Infrastructure (GSI)
  • www.globus.org/security/
  • Build on OpenSSL
  • Changes are additions to handle Proxy Cert path
    validation as error handlers to normal path
    validation
  • Similar Java implementation
  • GSSAPI-based library
  • Also integrated with SSH, FTP, CVS

17
Deployment
  • Many CAs issuing certificates for use with Proxy
    certificates for production Grids around the
    world
  • Master CA list at http//www.gridpma.org/
  • Two dozen plus CAs, including DOE, NSF, NASA
  • Old Globus CA with 5k certs

18
Future Work
  • One-time passwords/Two-factor authentication
  • Lot of recent attacks using keyboard sniffing
  • Service that hands out proxies authenticating
    with OTP
  • Poor mans hardware tokens
  • Reasonable Restrictions
  • Where from? Intended use?
  • IP addresses too fragile (NAT, mobility,
    multi-homed)
  • Allow for late binding to resources
  • Revocation
  • Even with short lifetime, interest in revocation

19
Summary
  • Proxy Certificates are extension to X.509
    identify certificates to allow for real-time
    delegation and naming
  • Implemented with minimal changes to existing PKI
    libraries
  • In production use in Grids world-wide
  • Implementation available as part of Globus
    Toolkit (www.globus.org)

20
Acknowledgements
  • DOE
  • SciDAC Security for Group Collaboration
  • Many colleagues in Global Grid Forum and IETF for
    ideas and discussions
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com