Title: Policy Enforcement Framework for Web Services and Grid Operational Security Advanced Internet Research Group Update
1 Policy Enforcement Framework for Web Services and Grid Operational Security: Advanced Internet Research Group Update
- Yuri Demchenko <demch@science.uva.nl>
- AIRG, University of Amsterdam
2 Outline
- Goals
- AIRG projects and Generic AAA Architecture development
- Implementation in the CNL project Access Control infrastructure
- Grid Operational Security and Grid Security Incident definition
3 Goals
- Update TF-EMC2 on AIRG research and developments
- Discuss possible approaches for early detection of security credential compromise
4 AIRG projects
- Gigaport NG (NL)
  - Further development of the Generic AAA architecture for policy/token based networking
- Collaboratory.nl (CNL)
  - Security Architecture for Open Collaborative Environment and RBAC
  - Considered as a use case for EGEE and OGSA
- EGEE and other Grid related projects (EU)
  - Grid operational security and WS/Grid security threats analysis
  - Policy enforcement framework and Authorisation portType
  - WS-Security and OGSA Security
5 Generic AAA Architecture by AIRG (UvA)
- Policy based Authorization decision
- Req: AuthN token, Attr/Roles, PolicyTypeId, ConditionExt
- RBE (Req, Policy) >> Decision: ResponseAAA, ActionExt
- ActionExt: ReqAAAExt, ASMcontrol
- ResponseAAA: AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)
- Translate: logDecision > Action
- Translate: State > LogCondition
- Policy defined by the Resource owner
6 Generic AAA implementations
- Bandwidth-on-demand (BoD) for optical networks
  - Using the driving policy approach for multidomain optical path building
- Access control and privilege management for a collaborative environment
  - Policy/role based access control to experimental equipment and resources
- Authorisation Web Service and Authorisation portType for Grid applications
  - Policy binding to Web/Grid service definition
- Technology background
  - AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  - XML Web Services
  - Attempting to use WSRF and trying to avoid OGSI and ProxyCert
7 Distributed Security Architecture for Collaborative environment
- Based on the Job-centric security model
- Extended RBAC functionality including an RBAC administration terminal (using GAAA Toolkits)
- XACML based policy exchange and integration
- Uses the WS-Security Framework and OGSA/WSRF
- Policy binding to WSDL and AuthZ portType definition
- VO functionality: policy based user and resource management
- Proxy-Certificate (Grid approach) vs SAML security credentials management
8 Security built around Job description
- Job Description as a semantic object defining Job attributes and User attributes
- Requires a document based or semantic oriented security paradigm
- Trust domain based on a Business Agreement (BA) or Trust Agreement (TA) via PKI
9 XACML implementation library for CNL
- Contains specific modules for AAA services
  - PEP, PDP, PAP and XACML messaging
- Implemented in Java
- Policy editor in XACML
- XACML provides a standard solution for RBAC with powerful policy combination functionality
- Version 0.1 is available for policy construction and translation to the AAA-policy format
- A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development
10 Main components and dataflow in RBAC/PMI
- PEP (Policy Enforcement Point) / AEF (Authorisation Enforcement Function)
- PDP (Policy Decision Point) / ADF (Authorisation Decision Function)
- PIP (Policy Information Point) / AA (Attribute Authority)
- PA (Policy Authority)
11 GAAA API flow diagram (implements RBAC)
12 GAAAPI implementation: XACML Request message format (1)
13 GAAAPI implementation: XACML Request message format (2)
    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
        version="0.1" type="CNLdemo1">
      <Subject>
        <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
        <Role>Analyst</Role>
        <JobID>JobID-XPS1-212</JobID>
        <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
      </Subject>
      <Resource><ResourceID>
        http://resources.collaboratory.nl/Phillips_XPS1
      </ResourceID>
      </Resource>
      <Action>
        <ActionID>ControlInstrument</ActionID>
      </Action>
    </AAA:AAARequest>
14 GAAAPI implementation: XACML Response message format (1)
15 GAAAPI implementation: XACML Response message format (2)
    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAAResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
      <Result ResourceId="String">
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="OK"/>
          <StatusMessage>Request successful</StatusMessage>
        </Status>
      </Result>
    </AAA:AAAResponse>
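The request format (slide 13) and the response format (slide 15) exercised end to end by a minimal PDP. This is an added example written for this page, not the CNL GAAAPI library (which is Java): the role/action policy table, the token lookup and the status codes returned on Deny are assumptions, and the sample request is the slide's own message with its ActionID close tag corrected.

```python
"""Minimal PDP for the AAARequest/AAAResponse messages shown on the slides.

Added example, not the CNL GAAAPI code. The policy table, the token lookup
and the Deny status codes are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"

# Resource-owner policy (assumed): resource -> role -> permitted actions.
POLICY = {
    "http://resources.collaboratory.nl/Phillips_XPS1": {
        "Analyst": {"ViewExperiment", "ControlInstrument"},
        "Guest": {"ViewExperiment"},
    },
}

# AuthN tokens accepted per subject (assumed; a real PDP would verify a signed
# token or ask the Attribute Authority rather than consult a lookup table).
VALID_TOKENS = {
    "WHO740@users.collaboratory.nl": "2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90",
}

# Constructed request: the slide's message, close tag of ActionID corrected.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource><ResourceID>
    http://resources.collaboratory.nl/Phillips_XPS1
  </ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>
"""


def parse_request(xml_text):
    """Pull the fields the PDP needs out of an AAARequest document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AAARequest" % AAA_NS:
        raise ValueError("unexpected root element %r" % root.tag)

    def text(path):
        node = root.find(path)  # child elements carry no namespace prefix
        return node.text.strip() if node is not None and node.text else None

    return {
        "subject": text("Subject/SubjectID"),
        "role": text("Subject/Role"),
        "job": text("Subject/JobID"),
        "token": text("Subject/Token"),
        "resource": text("Resource/ResourceID"),
        "action": text("Action/ActionID"),
    }


def decide(req):
    """Evaluate the request: AuthN token first, then the RBAC policy."""
    token = req["token"]
    if not token or VALID_TOKENS.get(req["subject"]) != token:
        return "Deny", "AuthNFailed", "Subject token missing or invalid"
    allowed = POLICY.get(req["resource"], {}).get(req["role"], set())
    if req["action"] in allowed:
        return "Permit", "OK", "Request successful"
    return "Deny", "NotAuthorized", "Role %s may not %s on %s" % (
        req["role"], req["action"], req["resource"])


def build_response(resource, decision, code, message):
    """Render the decision in the slide's AAAResponse layout."""
    root = ET.Element("AAAResponse", {"version": "0.0"})
    result = ET.SubElement(root, "Result", {"ResourceId": resource or ""})
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", {"Value": code})
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")


def evaluate(xml_text):
    """PEP entry point: request XML in, (decision, response XML) out."""
    req = parse_request(xml_text)
    decision, code, message = decide(req)
    return decision, build_response(req["resource"], decision, code, message)


if __name__ == "__main__":
    cases = [("as sent", SAMPLE_REQUEST),
             ("role downgraded", SAMPLE_REQUEST.replace("Analyst", "Guest")),
             ("token altered", SAMPLE_REQUEST.replace("Hom90<", "Hom91<"))]
    for label, doc in cases:
        print(label, "->", evaluate(doc)[1])
```

The token check runs before the policy lookup so that a request with a tampered or missing token is refused with a distinct status code; the PEP can log the two Deny reasons separately, which matters for the compromise detection discussed on the later slides.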
16 Binding policy to WSDL service description
- WS-PolicyAttachment defines two mechanisms that together allow binding a policy to WSDL components (portType, Operation, Message):
  - the wsp:PolicyRefs="URI QName" attribute on the component
  - the <wsp:UsingPolicy wsdl:Required="true"/> element in the definitions
17 Binding policy to WSDL - Example
    <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
        xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
        xmlns:cnl="http://cnl.telin.nl/cnl"
        xmlns:policy="cnl-policy-schema.xsd"
        targetNamespace="http://cnl.telin.nl/cnl">
      <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
        <part name="JobID" type="xs:string"/>
        <part name="coordinateX" type="xs:string"/>
        <part name="coordinateY" type="xs:string"/>
        <part name="zoom" type="xs:int"/>
      </message>
      <!-- <<< snip >>> -->
      <wsp:UsingPolicy wsdl:Required="true"/>
    </definitions>
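A check of the two attachment markers above, as an added example (not CNL code): given a WSDL, it reads wsp:UsingPolicy wsdl:Required and reports every message that carries no wsp:PolicyRefs, plus any reference to a policy document outside a known set. The WSDL is constructed from the slide's fragment with an extra message (StopExperimentRequest) that has no policy attached, an explicit xmlns:wsdl declaration so that wsdl:Required resolves, and a known-policy set; all three are assumptions.

```python
"""Check WS-PolicyAttachment markers in a WSDL document.

Added example, not CNL code. The second message, the xmlns:wsdl declaration
and the known-policy set are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL: the slide's ViewExperimentRequest message plus a second
# message with no policy attached; wsdl: is declared so wsdl:Required resolves.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <message name="StopExperimentRequest">
    <part name="JobID" type="xs:string"/>
  </message>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
"""

# Policy documents the deployment actually ships (assumed).
KNOWN_POLICIES = {"cnl-policy-02example.xml"}


def check_policy_binding(wsdl_text, known_policies=KNOWN_POLICIES):
    """Return (policy_required, findings).

    policy_required is True when <wsp:UsingPolicy wsdl:Required="true"/> is
    present. findings lists ("missing-policy", message, None) for messages
    without wsp:PolicyRefs while policy is required, and
    ("unknown-policy", message, ref) for references outside known_policies.
    """
    root = ET.fromstring(wsdl_text)
    using = root.find("{%s}UsingPolicy" % WSP_NS)
    required = using is not None and using.get("{%s}Required" % WSDL_NS) == "true"
    findings = []
    for msg in root.findall("{%s}message" % WSDL_NS):
        name = msg.get("name")
        refs = msg.get("{%s}PolicyRefs" % WSP_NS)
        if not refs:
            if required:
                findings.append(("missing-policy", name, None))
            continue
        for ref in refs.split():  # PolicyRefs is a whitespace separated list
            if ref not in known_policies:
                findings.append(("unknown-policy", name, ref))
    return required, findings


if __name__ == "__main__":
    required, findings = check_policy_binding(SAMPLE_WSDL)
    print("policy required:", required)
    for finding in findings:
        print(*finding)
```

A message without an attached policy is only a finding when wsdl:Required is set: UsingPolicy with Required="true" tells consumers the policy markup must be honoured, so a message that has none is the hole a deployment review should flag.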
18 Security related activities in EGEE (FYI)
- EGEE: Enabling Grids for E-sciencE
- JRA3 Security
  - MWSG: Middleware Security Group
  - JSPG: Joint Security Policy Group (with LCG and OSG)
  - OSG Incident Handling Activity
- Recent Security related deliverables
  - Grid User/Site Security Requirements, MJRA3.1 (https://edms.cern.ch/document/485295/1)
  - Global Security Architecture (GSA) rev. 1, DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  - Grid Security Incident definition and exchange format, MJRA3.4
    - Ongoing development, current version: https://edms.cern.ch/document/501422/1
    - As a part of the joint OSG/LCG/EGEE Operational Security activity
19 Grid Security Incident (GSInc) definition
- GSInc definition
  - Depends on the scope and range of the Security Policy, ULA, or SLA (TODO)
  - Should be based on a threats analysis and vulnerabilities model (MJRA3.4)
  - Should be based on Grid processes/workflow analysis (TODO)
- The GSInc definition is the base for the GSInc description format
  - What information should be collected, and how to exchange and handle it
  - Requirements for event logging and intrusion/compromise detection
  - A common format is the basis for community wide statistics and coordinated response
  - Incident statistics provide feedback for Security Policy improvement
- Note: the Grid security model is based on delegation of security credentials to a service
20 Security credentials related GSInc and audit events
- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - patterns of credential usage
  - broken chain of PKC/keys/credentials
  - a copy is discovered in an improper place
  - use originating from other than the default location
  - subsequent failed attempts to request action(s)
  - PDP/PEP logging/audit
- Remaining problems and topics for discussion
  - How to determine at an early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding a history/evidence chain to the credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?
- Note: audit/log events together with related data can also be referred to as Evidence
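Three of the indicators listed on this slide (use from other than the default location, the same credential active from two places in quick succession, a run of denied requests) turned into detection logic over PDP/PEP audit records. This is an added example, not CNL or EGEE code: the audit line layout, the registered default location per credential and the thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-misuse indicators over PDP/PEP audit records.

Added example, not CNL/EGEE code. The audit line layout, the per-credential
default location and the thresholds are assumptions; the log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit record layout written by the PEP after every PDP decision.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) cred=(?P<cred>\S+) subj=(?P<subj>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) decision=(?P<decision>Permit|Deny)$")

# Assumed: the host each delegated credential was issued to and is expected
# to be used from (the slide's "default location").
DEFAULT_LOCATION = {"proxy-WHO740": "ws12.collaboratory.nl"}

# Constructed audit lines: normal use, then the same proxy credential showing
# up from another host within seconds, then a run of denied requests.
SAMPLE_LOG = """\
2005-03-10T10:00:00 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=ws12.collaboratory.nl action=ViewExperiment decision=Permit
2005-03-10T10:01:00 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=ws12.collaboratory.nl action=ControlInstrument decision=Permit
2005-03-10T10:01:30 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=198.51.100.7 action=ViewExperiment decision=Permit
2005-03-10T10:02:00 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=198.51.100.7 action=ExportData decision=Deny
2005-03-10T10:02:10 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=198.51.100.7 action=StopExperiment decision=Deny
2005-03-10T10:02:20 cred=proxy-WHO740 subj=WHO740@users.collaboratory.nl src=198.51.100.7 action=DeleteJob decision=Deny
2005-03-10T10:03:00 cred=proxy-XYZ12 subj=XYZ12@users.collaboratory.nl src=ws07.collaboratory.nl action=ViewExperiment decision=Permit
""".splitlines()


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, deny_threshold=3, deny_window=timedelta(minutes=5),
           travel_window=timedelta(minutes=2)):
    """Return (kind, credential, detail, timestamp) alerts in log order."""
    alerts = []
    offsite_seen = set()          # (cred, src) pairs already reported
    last_use = {}                 # cred -> (ts, src) of the previous record
    denies = defaultdict(deque)   # cred -> timestamps of recent Deny decisions
    for ev in filter(None, map(parse_line, lines)):
        cred, src, ts = ev["cred"], ev["src"], ev["ts"]

        # 1. Use originating from other than the registered default location.
        home = DEFAULT_LOCATION.get(cred)
        if home and src != home and (cred, src) not in offsite_seen:
            offsite_seen.add((cred, src))
            alerts.append(("non-default-location", cred, src, ts))

        # 2. Usage pattern: one credential active from two hosts within
        #    travel_window (a delegated proxy should not be in two places).
        prev = last_use.get(cred)
        if prev and prev[1] != src and ts - prev[0] <= travel_window:
            alerts.append(("concurrent-use", cred, "%s then %s" % (prev[1], src), ts))
        last_use[cred] = (ts, src)

        # 3. Subsequent failed attempts: deny_threshold denies inside deny_window.
        q = denies[cred]
        if ev["decision"] == "Deny":
            q.append(ts)
            while q and ts - q[0] > deny_window:
                q.popleft()
            if len(q) >= deny_threshold:
                alerts.append(("repeated-deny", cred, "%d denies" % len(q), ts))
                q.clear()
        else:
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The off-site rule fires once per credential and source host so that a long session from a single foreign host does not flood the analyst; the concurrent-use rule is the one that needs the PEP to log the client origin with every decision, which is why the slide lists PDP/PEP logging among the inputs.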
21 Discussion: security credentials compromise detection
- How to determine at an early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?