GSI Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure

1
GSI Grid Security Infrastructureand the EU
DataGrid Authentication Infrastructure

• For the EDG CACG David Groep
• ltdg-eur-ca_at_services.cnrs.frgt

2
Outline

• The Grid in one line
• The Grid Security Infrastructure (from Globus)
• EU DataGrid (EDG)
• The EDG CA Coordination Group (CACG)

3
The Grid

• coordinated resource sharing and problem solving
• in dynamic, multi institutional virtual
  organizations
• Carl Kesselman, Ian Foster, The Anatomy of the
  Grid
• Extension of meta-computing to ubiquitous
  resources
• Pioneered by the I-WAY, GUSTO and the Globus
  Project
• Vision getting resources like you get
  electricity nowadays

4
A Quick Refresher

• Grid Security Infrastructure (GSI)
• X.509 (PKI certificate format)
• proxy certificates (single sign-on
  delegation)
• TLS/SSL (authentication msg protection)
• delegation protocol (remote delegation)
• GSS-API (standard API)
• GSS-API Extensions (better Grid support)
• Existing IETF standards
• Others are GGF IETF drafts

5
X.509 Proxy Certificates Work

• Defines how a short term, restricted credential
  can be created from a normal, long-term X.509
  credential
• A proxy certificate is a special type of X.509
  certificate that is signed by the normal end
  entity cert, or by another proxy
• Supports single sign-on delegation through
  impersonation
• ANL, ISI, LBNL

6
Restricted Proxies

• Q How to restrict rights of delegated proxy to a
  subset of those associated with the issuer?
• A Embed restriction policy in proxy cert
• Policy is evaluated by resource upon proxy use
• Reduces rights available to the proxy to a subset
  of those held by the user
• But how to avoid policy language wars?
• Proxy cert just contains a container for a policy
  specification, without defining the language
• Container OID blob
• Can evolve policy languages over time

7
Delegation Tracing

• Often want to know through what entities a proxy
  certificate has been delegated
• Audit (retrace footsteps)
• Authorization (deny from bad entities)
• Solved by adding information to the signed proxy
  certificate about each entity to which a proxy is
  delegated.
• Does NOT guarantee proper use of proxy
• Just tells you which entities were purposely
  involved in a delegation

8
Proxy Certificate Standards Work

• Internet Public Key Infrastructure X.509 Proxy
  Certificate Profile
• draft-ietf-pkix-proxy-00.txt
• Draft being considered by IETF PKIX working
  group, and by GGF GSI working group
• Defines proxy certificate format, including
  restricted rights and delegation tracing
• LBNL student is implementing into OpenSSL
• Demonstrated a prototype of restricted proxies at
  HPDC as part of CAS demo

9
Delegation Protocol Work

• TLS Delegation Protocol
• draft-ietf-tls-delegation-01.txt
• Draft being considered by IETF TLS working group,
  and by GGF GSI working group
• Defines how to remotely delegate an X.509 Proxy
  Certificate using extensions to the TLS (SSL)
  protocol

10
Community Authorization Service

• Question How does a large community grant its
  users access to a large set of resources?
• Should minimize burden on both the users and
  resource providers
• Solution Community Authorization Service (CAS)
• Community negotiates access to resources
• Resource outsources fine-grain authorization to
  CAS
• Resource only needs to know about CAS user
  credential
• CAS handles user registration, group membership
• User who wants access to resource asks CAS for a
  capability credential
• Restricted proxy of the CAS user credential,
  checked by resource

11
CAS Operation
1. CAS request, with

user/group
CAS

resource names

membership

Does the
and operations

collective policy
resource/collective
authorize this
2. CAS reply, with

membership

request for this

capability

and resource CA info

user?

collective policy
information

User

Resource

3. Resource request,

authenticated with

Is this request
capability

authorized by
the
local policy
capability?

information

4. Resource reply

Is this request
authorized for
the CAS?

12
Community Authorization Service

• CAS provides user community with information
  needed to authenticate resources
• Sent with capability credential, used on
  connection with resource
• Resource identity (DN), CA
• This allows new resources/users (and their CAs)
  to be made available to a community through the
  CAS without action on the other users/resources
  part

13
The EU DataGrid (EDG) Project

• DataGrid generic Grid middleware and test bed
  for
• High Energy Physics
• Earth Observation and ozone modelling
• Bio-informatics bio-medicine
• Middleware components (on top of Globus)
• scheduling and accounting
• data replication and management
• monitoring
• data storage
• fabric and farm management

14
EDG Work Package Overview
15
The EDG Test Bed

• Started end 2000 beginning 2001 with Test Bed
  0
• Globus installations in several countries
• Implement core infrastructure to get this to work
• Test Bed 1, deployed Nov 2001, successful demo in
  March 1st
• Continuous upgrades till December 2003

16
The first Grid CAs

• The Globus Project has been running a worthless
  CA
• authentication based on non-bouncing e-mail
  address only
• not accepted by many of the participating sites
• For EDG production test bed need for just a bit
  stronger auth
• grass-roots effort by volunteers in various
  countries
• policies and practices all different
• various degrees of subject authentication
• a (very) few CAs are still in need of a written
  policy

17
Current EDG Certification Authorities

• CERN (HEP-only, Grid-only)
• Czech Republic (CESNET)
• France (CNRS)
• Spain (IFCA, HEP-only, Grid-only)
• Netherlands (NIKHEF/DutchGrid, Grid-only)
• Italy (INFN, HEP-only, Grid-only)
• Portugal (LIP, HEP-only, Grid-only)
• Nordic Countries (NBI, Grid-only)
• Russia (Moscow State Uni, HEP-only, Grid-only)
• GridPP/UKHEP (CLRC/RAL, Grid-only)

• DoESG CA (ESnet, Grid-only)
• Germany (FZK, Grid-only)

18
EDG CA Minimum Requirements (1)

• Still largely defined by common practice
• An acceptable procedure for confirming the
  identity of the requestor e.g. by personal
  contact or some other rigorous method
• One CA per country ? basic trust in personal
  authentication by CA/RA
• Subject name includes full given name and
  affiliation
• Specific nameforms per CA (but all different)
• Most use personal voice recognition of known
  persons, or check official ID papers via an RA
• RA-to-CA communications by integrity-protected
  e-mail
• Affiliation usually checked by looking in
  public directories
• Host certificates introduced by a pre-certified
  administrator

19
EDG CA Minimum Requirements (2)

• Technical controls better specified
• machine with CA private key not connected to any
  network
• CA RSA key length 2048 bits ? lifetime 5 years
• Subscriber key length gt 1024 bits ? 1 year
• All CAs issue a CRL with a 30-day lifetime
  (updated weekly)
• Relying parties must update every 24 hrs
• Audit logs must be kept
• but no auditing is done! (no funding)
• Strongly recommends running a directory service

20
EDG CA CP/CPS and the Matrices

• Every EDG CA must provide a CP/CPS (combined)
• RFC2527 preferred
• a per-CA feature matrix is made
• Cross-evaluation of CP/CPS by every CA Manager
• tries to make up for lack of auditing
• provide trust guidelines for local site
  administrators
• Every CA Manager should inspect all other CP/CPSs
• Yields the Acceptance Matrix

21
CA Feature Matrix
by Brian Coghlan, TCD, Ireland
22
CA Acceptance Matrix

• The Acceptance Matrix Problem
• This does not scale
• Already 12 CAs
• Numbers growing rapidly
• CrossGrid Project 7 countries
• CERN/LHC 120 countries
• ....
• Automate the evaluation
• move work to proper forums

23
Grid CA Standardization Efforts

• Global Grid Forum (GGF)
• standardization body modeled like IETF/IRTF
• 2 working groups in security area
• Grid Security Infrastructure wg
• GridCP wg
• http//www.globalgridforum.org/
• GridCP working group
• define a reference CP (with four? levels)
• every compliant CA should add own appendix with
  CPS (few pages)
• not clear on cross-certifying, root, or bridge CA

24
EDG and GGF CA References

• The EU DataGrid http//www.eu-datagrid.org/
• The Globus Project http//www.globus.org/security/
  
• EDG CACG site http//marianne.in2p3.fr/datagrid/c
  a/
• GGF GridCP wg http//www.gridcp.es.net/
• DoESG site http//envisage.es.net/