A Community Authorization Service for Group Collaboration

1
A Community Authorization Service for Group
Collaboration

• Von Welch et. al.
• Kailash Bhoopalam
• Computer Security

2
Contents

• Introduction
• Background - Grid Security Infrastructure
• Proxy Credentials, enabling restricted
  delegation.
• Community Authorization
• Community and Resource Provider Perspective
• Enabling Mechanisms
• Restricted Proxy Credentials, etc.
• Security Considerations of the proposed solution
• Compromise of CAS Server, Resource - Revocation

3
Introduction

• The Problem
• Sharing and co-ordination of information between
  resource providers and consumers defining clearly
• What is shared and to who is allowed to share.
• Conditions under which sharing occurs

• The Challenges
• Scalability
• Flexibility and expressibility
• Policy Hierarchy

• Proposed Solution ? Delegated Authorization
• Community Authorization Server

4
Introduction Contd.

• Community Authorization Server
• Keep track of community memberships
• Performs delegated access evaluation
• Distribute access policy administration
• Maintains Fine grained access policies
• Builds on PKI and GSI

5
BackgroundGrid Security Infrastructure

• Focus
• Focuses primarily on authentication and message
  protection
• Based on PKI and uses X.509
• Proxy Credentials
• Single sign-on, cross domain authentication
• Restricted Delegation mechanisms
• Temporary credentials

6
Community Authorization Service

• Briefly
• A CAS represents a community of grid users
• Resource provides CAS with certain privileges
  CASP
• A user in the community accesses the CAS to
  obtain privileges to access the resource
• The CAS provides the user with a capability
  certificate (X.509 extensions) based on the users
  role. UP
• The user presents the request and the capability
  certificate to the resource.
• The resource provides the CASP ? UP to the user.

7
CAS Community View

• An individual representing the community
  instantiates the CAS Server
• Acquires credentials from the resource after
  presenting the an X.509 identity certificate
• Creates roles and assigns privilege subsets to
  the roles
• Allows members of the community to register and
  optionally assigns roles to the members.
• If users are not assigned to groups, they are
  assigned privileges individually.

8
CAS Community View

• Accept identity certificates from community
  representatives
• Agree up accepted roles, credentials user
  verification policies.
• Must be able to enforce community policies
  encoded in the CASs capability cert
• Allow local access policies to override access
  privileges encoded in the capability cert.

Reduces trust relationship from CP to CP
9
Enabling Mechanisms

• Restricted Proxy Credentials
• CAS has long term certificate and credentials
• Creates a proxy for each user using its keys to
• Provide temporary credentials based on Least
  Privilege model.
• Enable restricted role based delegation and
  hierarchic groups using Proxy Group mechanism.
• Policy Language
• Theoretically, language neutral
• A field in the proxy certificate extension
  specifies the language used to encode privileges.
• Policy Language, generally Right Right ?
  (Object, Action)
• Libraries and API
• Based on Generic Authorization and Access Control
  API.

10
Security Considerations

• Restricted Proxy Certificates
• Entity should not be able to delegate more
  authority than it has.
• A server that does not know to interpret the
  credentials specified in the extensions should
  reject the certificate.
• Effective Validity time should be the interval of
  all the certs in the chain.
• Effective set of operations should be the
  intersection of all allowed operations in the
  cert chain.
• Compromised CAS server
• May grant more privileges than it is authorized
  to (or) may grant privileges to a community it is
  not authorized to
• Does not harm the system as the resource would
  detect it.
• Results in Denial of service for the user.
• Resource servers can revoke permissions granted
  to the CAS server.

11
Security Considerations, Contd.

• Revocation Mechanisms
• Revocation is not used.
• Community members are provided short lived
  certificates typically of a few hours.
• Un-enroll compromised users.
• Refusal to delegate any further privileges to the
  user.
• Previously issued credentials are honored.
• Compromised Resource Server
• A serious problem but a local one no cascading
  effect.
• Usually occurs in denial of service.
• May cause a serious security problem if this
  compromise occurs in conjunction with the
  compromised CAS server.

12
References

• Primary Reference
• A Community Authorization Service for Group
  Collaboration, Laura Pearlman, Von Welch, Ian
  Foster, Carl Kesselman, Steven Tuecke, 3rd
  International Workshop on Policies for
  Distributed Systems and Networks(Policy 02),
  June 05 07, Monterey, CA
• Other References
• Internet X.509 Public Key Infrastructure Proxy
  Certificate Profile, Steven Tuecke, et al,
• http//www.ggf.org/security/gsi/draft-ggf-gsi-pro
  xy-04.pdf
• Security Architecture for Computational Grids,
  Ian Foster et al, In the proceedings of the 5th
  ACM Conference of Computer and Communications
  Security, 1998
• The Anatomy of a Grid Enabling Scalable Virtual
  Organizations, Ian Foster et al, International
  Journal of High Performance