Policy Enforcement Framework for Web Services and Grid Operational Security: Advanced Internet Research Group Update
Transcript of a PowerPoint presentation given at TF-EMC2, November 4, 2004, Amsterdam

1
Policy Enforcement Framework for Web Services and
Grid Operational Security Advanced Internet
Research Group Update
  • Yuri Demchenko <demch@science.uva.nl>
  • AIRG, University of Amsterdam

2
Outline
  • Goals
  • AIRG projects and Generic AAA Architecture
    development
  • Implementation in CNL project Access Control
    infrastructure
  • Grid Operational Security and Grid Security
    Incident definition

3
Goals
  • Update TF-EMC2 on AIRG research and developments
  • Discuss possible approaches for early detection
    of the security credentials compromise

4
AIRG projects
  • Gigaport NG - NL
  • Further development of the Generic AAA
    architecture for policy/token based networking
  • Collaboratory.nl (CNL)
  • Security Architecture for Open Collaborative
    Environment and RBAC
  • Considered as a use case for EGEE and OGSA
  • EGEE and other Grid related projects - EU
  • Grid operational security and WS/Grid security
    threats analysis
  • Policy enforcement framework and Authorisation
    portType
  • WS-Security and OGSA Security

5
Generic AAA Architecture by AIRG (UvA)
  • Policy based Authorization decision
  • Req = AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt
  • RBE (Req, Policy) => Decision => ResponseAAA, ActionExt
  • ActionExt = ReqAAAExt, ASMcontrol
  • ResponseAAA = AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)
  • Translate logDecision => Action
  • Translate State => LogCondition
  • Defined by Resource owner

6
Generic AAA implementations
  • Bandwidth-on-demand (BoD) for optical network
  • Using driving policy approach for multidomain
    optical path building
  • Access control and privilege management for
    Collaborative environment
  • Policy/role based access control to experimental
    equipment and resources
  • Authorisation Web Service and Authorisation
    portType for Grid applications
  • Policy binding to Web/Grid service definition
  • Technology background
  • AAA Policy Rule Based Engine (RBE) and XACML
    based policy exchange format
  • XML Web Services
  • Attempting to use WSRF and trying to avoid OGSI
    and ProxyCert

7
Distributed Security Architecture for
Collaborative environment
  • Based on the Job-centric security model
  • Extended RBAC functionality including RBAC
    administration terminal (using GAAA Toolkits)
  • XACML based policy exchange and integration
  • Uses WS-Security Framework and OGSA/WSRF
  • Policy binding to WSDL and AuthZ portType
    definition
  • VO functionality - policy based user and
    resource management
  • Proxy-Certificate (Grid approach) vs SAML
    security credentials management

8
Security built around Job description
  • Job Description as a semantic object defining Job
    attributes and User attributes
  • Requires document based or semantic oriented
    Security paradigm
  • Trust domain based on Business Agreement (BA) or
    Trust Agreement (TA) via PKI

9
XACML implementation library for CNL
  • Contains specific modules for AAA services
  • PEP, PDP, PAP and XACML messaging
  • Implemented in Java
  • Policy editor in XACML
  • XACML provides a standard solution for RBAC with
    powerful policy combination functionality
  • Version 0.1 is available for policy construction
    and translation to the AAA-policy format
  • A set of typical policy profiles in XACML (with
    corresponding profiles in AAA) is under
    development

10
Main components and dataflow in RBAC/PMI
  • PEP (Policy Enforcement Point) / AEF (authorisation enforcement function)
  • PDP (Policy Decision Point) / ADF (authorisation decision function)
  • PIP (Policy Information Point) / AA (Attribute Authority)
  • PA (Policy Authority)
11
GAAA API flow diagram (implements RBAC)
12
GAAAPI implementation XACML Request message
format (1)
13
GAAAPI implementation XACML Request message
format (2)
    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
        version="0.1" type="CNLdemo1">
      <Subject>
        <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
        <Role>Analyst</Role>
        <JobID>JobID-XPS1-212</JobID>
        <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
      </Subject>
      <Resource>
        <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
      </Resource>
      <Action>
        <ActionID>ControlInstrument</ActionID>
      </Action>
    </AAA:AAARequest>

14
GAAAPI implementation XACML Response message
format (1)
15
GAAAPI implementation XACML Response message
format (2)
    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAAResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
      <Result ResourceId="String">
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="OK"/>
          <StatusMessage>Request successful</StatusMessage>
        </Status>
      </Result>
    </AAA:AAAResponse>
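To show how the PEP/PDP components of slide 10 act on the request and response documents of slides 13 and 15, here is an added example (not GAAAPI or CNL project code): a minimal role-based PDP in Python that parses an AAARequest, decides deny-by-default against a constructed role/resource/action table, and serialises an AAAResponse. The policy table, the request contents and the token value are constructed for the example.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"
ET.register_namespace("AAA", AAA_NS)
RES = "http://resources.collaboratory.nl/Phillips_XPS1"

# Constructed RBAC policy: role -> resource -> set of permitted ActionIDs
POLICY = {"Analyst": {RES: {"ViewExperiment", "ControlInstrument"}},
          "Viewer": {RES: {"ViewExperiment"}}}
# Constructed request in the CNLdemo1 shape of slide 13 (the token value is made up)
SAMPLE_REQUEST = """<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    version="0.1" type="CNLdemo1">
  <Subject><SubjectID>WHO740@users.collaboratory.nl</SubjectID><Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID><Token>constructed-token-value</Token></Subject>
  <Resource><ResourceID> http://resources.collaboratory.nl/Phillips_XPS1 </ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

def parse_request(xml_text):
    """Pull the PDP-relevant attributes out of an AAARequest document."""
    root = ET.fromstring(xml_text)
    subj = root.find("Subject")
    return {"role": subj.findtext("Role", default=""),
            "token": subj.findtext("Token", default="").strip(),
            "resource": root.findtext("Resource/ResourceID", default="").strip(),
            "action": root.findtext("Action/ActionID", default="")}

def decide(req, policy=POLICY):
    """Deny by default; without a token no role claim is honoured at all."""
    if not req["token"]:
        return "Deny", "MissingToken"
    if req["action"] in policy.get(req["role"], {}).get(req["resource"], set()):
        return "Permit", "OK"
    return "Deny", "NotAuthorised"

def build_response(req, decision, code):
    """Serialise the decision in the AAAResponse shape of slide 15."""
    root = ET.Element("{%s}AAAResponse" % AAA_NS, version="0.0")
    result = ET.SubElement(root, "Result", ResourceId=req["resource"])
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value=code)
    msg = "Request successful" if code == "OK" else "Request refused: " + code
    ET.SubElement(status, "StatusMessage").text = msg
    return ET.tostring(root, encoding="unicode")

def evaluate(xml_text):
    # Full PDP step: parse, decide, and return (decision, response document)
    req = parse_request(xml_text)
    decision, code = decide(req)
    return decision, build_response(req, decision, code)
```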

16
Binding policy to WSDL service description
  • WS-PolicyAttachment defines two mechanisms that
    together allow policy to be bound to the WSDL
    components (portType, Operation, Message)
  • wsp:PolicyRefs="URI QName"
  • <wsp:UsingPolicy wsdl:Required="true"/>

17
Binding policy to WSDL - Example
    <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
        xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
        xmlns:cnl="http://cnl.telin.nl/cnl"
        xmlns:policy="cnl-policy-schema.xsd"
        targetNamespace="http://cnl.telin.nl/cnl">
      <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
        <part name="JobID" type="xs:string"/>
        <part name="coordinateX" type="xs:string"/>
        <part name="coordinateY" type="xs:string"/>
        <part name="zoom" type="xs:int"/>
      </message>
      <<< snip >>>
      <wsp:UsingPolicy wsdl:Required="true"/>
    </definitions>
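The two WS-PolicyAttachment mechanisms of slides 16 and 17 only protect a service if every component a requester can reach actually carries a policy reference once UsingPolicy is marked required. The following added example (not CNL project code) checks that: it parses a constructed WSDL in the shape of slide 17, honours the portType-to-operation inheritance of wsp:PolicyRefs, and lists the messages and operations left without any policy. The portType name and the second message and operation are constructed for the example.

```python
import xml.etree.ElementTree as ET
WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL in the shape of slide 17; the second message and the
# ControlInstrument operation deliberately carry no wsp:PolicyRefs
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <message name="ControlInstrumentRequest">
    <part name="JobID" type="xs:string"/>
  </message>
  <portType name="CnlPort">
    <operation name="ViewExperiment" wsp:PolicyRefs="cnl-policy-02example.xml"/>
    <operation name="ControlInstrument"/>
  </portType>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>"""

def policy_is_required(root):
    """True when the WSDL carries <wsp:UsingPolicy wsdl:Required="true"/>."""
    for up in root.iter("{%s}UsingPolicy" % WSP):
        if up.get("{%s}Required" % WSDL, "false").lower() == "true":
            return True
    return False

def policy_refs(element):
    """Split a wsp:PolicyRefs attribute into its list of policy URIs/QNames."""
    return element.get("{%s}PolicyRefs" % WSP, "").split()

def unbound_components(wsdl_text):
    """List messages and operations that have no policy attached, but only
    when the document declares policy usage as required (otherwise [])."""
    root = ET.fromstring(wsdl_text)
    if not policy_is_required(root):
        return []
    missing = ["message:" + m.get("name") for m in root.iter("{%s}message" % WSDL)
               if not policy_refs(m)]
    for pt in root.iter("{%s}portType" % WSDL):
        inherited = policy_refs(pt)   # a portType-level reference covers its operations
        for op in pt.iter("{%s}operation" % WSDL):
            if not (policy_refs(op) or inherited):
                missing.append("operation:%s/%s" % (pt.get("name"), op.get("name")))
    return missing
```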

18
Security related activities in EGEE - FYI
  • EGEE Enabling Grids for E-sciencE
  • JRA3 Security
  • MWSG Middleware Security Group
  • JSPG Joint with LCG and OSG Security Policy
    Group
  • OSG Incident Handling Activity
  • Recent Security related deliverables
  • Grid User/Site Security Requirements MJRA3.1
    (https://edms.cern.ch/document/485295/1)
  • Global Security Architecture (GSA) rev. 1 -
    DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  • Grid Security Incident definition and exchange
    format MJRA3.4
  • Ongoing development, current version -
    https://edms.cern.ch/document/501422/1
  • As a part of joint OSG/LCG/EGEE Operational
    Security activity

19
Grid Security Incident (GSInc) definition
  • GSInc definition
  • Depends on the scope and range of the Security
    Policy, ULA, or SLA - TODO
  • Should be based on threats analysis and
    vulnerabilities model MJRA3.4
  • Should be based on Grid processes/workflow
    analysis - TODO
  • GSInc definition is a base for GSInc description
    format
  • What information should be collected and how to
    exchange and handle it
  • Requirements to Events logging and
    Intrusion/compromise detection
  • Common format is a basis for community wide
    statistics and coordinated response
  • Incident statistics provide feedback for
    Security Policy improvement
  • Note. Grid Security model is based on delegation
    of security credentials to a service

20
Security credentials related GSInc and audit
events
  • Security credentials compromise (e.g., private
    key, proxy credentials, etc.)
  • patterns of credential usage
  • broken chain of PKC/keys/credentials
  • a copy is discovered in an improper location
  • usage originating from other than the default location
  • a sequence of failed attempts to request action(s)
  • PDP/PEP logging/audit
  • Remaining problems and topics for discussion
  • How to determine at an early stage that a private
    key has been compromised?
  • May require credentials storing (not caching) and
    adding a history/evidence chain to the credentials
    format
  • X.509 credentials are not capable of this
  • Does SAML have the required functionality?
  • Note: Audit/log events together with related data
    can also be referred to as Evidence

21
Discussion security credentials compromise
detection
  • How to determine at an early stage that a private
    key or other security credentials have been
    compromised?
  • Will it require credentials storing (not caching)
    and adding a history/evidence chain to the credentials
    format?
  • X.509 credentials are not capable of this
  • Does SAML have the required functionality?
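Slides 20 and 21 ask how PDP/PEP audit events could reveal a compromised credential early. As an added example (not AIRG or EGEE code), the detector below runs over constructed audit events and raises the three indicators listed on slide 20: use from other than the credential's default location, the same credential active on two hosts within a short window (a copy in use), and a run of refused action requests. The event format, the host names and the default-location table are assumptions made for the example.

```python
from collections import defaultdict

# Constructed PDP/PEP audit events: (time in s, subject, credential id, source host, decision)
AUDIT_EVENTS = [
    (0,   "WHO740@users.collaboratory.nl", "cred-A", "ws1.collaboratory.nl", "Permit"),
    (60,  "WHO740@users.collaboratory.nl", "cred-A", "ws1.collaboratory.nl", "Permit"),
    (90,  "WHO740@users.collaboratory.nl", "cred-A", "203.0.113.7", "Permit"),
    (120, "guest01@users.collaboratory.nl", "cred-B", "ws2.collaboratory.nl", "Deny"),
    (125, "guest01@users.collaboratory.nl", "cred-B", "ws2.collaboratory.nl", "Deny"),
    (130, "guest01@users.collaboratory.nl", "cred-B", "ws2.collaboratory.nl", "Deny"),
    (200, "guest01@users.collaboratory.nl", "cred-B", "ws2.collaboratory.nl", "Permit"),
]

# Constructed "default location" per credential: the host it was issued to / is expected on
DEFAULT_HOST = {"cred-A": "ws1.collaboratory.nl", "cred-B": "ws2.collaboratory.nl"}

def detect(events, default_host=DEFAULT_HOST, window=300, max_failures=3):
    """Return (credential, indicator) alerts for the three patterns on slide 20."""
    alerts = []
    last_seen = {}                # cred -> (time, host) of its previous use
    fail_run = defaultdict(int)   # cred -> length of the current run of Deny decisions
    for t, _subject, cred, host, decision in sorted(events):
        # 1. credential used from somewhere other than its default location
        if host != default_host.get(cred, host):
            alerts.append((cred, "non-default-location:%s" % host))
        # 2. the same credential active on two hosts inside one window: a likely copy
        prev = last_seen.get(cred)
        if prev and prev[1] != host and t - prev[0] <= window:
            alerts.append((cred, "concurrent-use:%s,%s" % (prev[1], host)))
        last_seen[cred] = (t, host)
        # 3. a run of failed requests to act; any Permit resets the counter
        if decision == "Deny":
            fail_run[cred] += 1
            if fail_run[cred] == max_failures:
                alerts.append((cred, "failed-attempt-run:%d" % max_failures))
        else:
            fail_run[cred] = 0
    return alerts
```

Thresholds such as the window and the failure count are policy choices; the note on slide 20 that such events are Evidence applies to every alert the function returns.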