caGrid 1.0 Trust Architecture - 3rd TAGPMA Face-to-Face Meeting, Texas Advanced Computing Center, Austin (PowerPoint presentation transcript)

1
caGrid 1.0 Trust Architecture
3rd TAGPMA Face-to-Face Meeting
Texas Advanced Computing Center (Austin, Texas)
November 29th, 2006
  • Scott Oster
  • oster@bmi.osu.edu
  • Department of Biomedical Informatics
  • The Ohio State University

2
Agenda
  • caBIG/caGrid Overview
  • Grid Trust Service (GTS) Overview
  • Certificate Validation Profiles
  • Managing Trust Fabric with GTS
  • SyncGTS
  • GTS Federation
  • Dorian Overview
  • Identity Federation
  • Trusted Authorities
  • Dorian Identity Provider
  • Dorian/GTS Integration

3
Cancer Biomedical Informatics Grid (caBIG™)
  • The cancer Biomedical Informatics Grid (caBIG) is
    a voluntary network or grid connecting
    individuals and institutions to enable the
    sharing of data and tools, creating a World Wide
    Web of cancer research. The goal is to speed the
    delivery of innovative approaches for the
    prevention and treatment of cancer. The
    infrastructure and tools created by caBIG also
    have broad utility outside the cancer community.
  • http://cabig.cancer.gov/
  • National C Institute Initiative
  • Over 800 Participants
  • Over 80 Organizations
  • Over 70 Projects

NCI's 2015 Goal: relieve suffering and death due to
cancer by the year 2015
4
caGrid
  • Grid Infrastructure for caBIG
  • Higher Level Components and Infrastructure for
    satisfying caBIG requirements
  • caGrid Provided Components
    • Grid Service Graphical Development Toolkit
      (Introduce)
    • Metadata
    • Advertisement and Discovery
    • Semantic Services
    • Data Service Infrastructure
    • Analytical Service Infrastructure
    • Identifiers
    • Workflow
    • Security

5
caGrid 1.0 Security Components
  • Grid Trust Service (GTS)
    • Creation and management of a federated trust
      fabric
    • Supports applications and services in deciding
      whether or not signers of digital
      credentials/user attributes can be trusted
  • Dorian
    • Grid User Account Management / Identity
      Management and Federation
    • Enables users to use their institution-provided
      identity for authenticating to a Grid
  • Grid Grouper
    • Grid Group / VO Management
    • Enables Group/VO-based Authorization
  • Grid CA
    • Command-line, platform-independent certificate
      authority
  • Security Communication Metadata
    • The ability for two parties to negotiate a
      communication mechanism based on the server's
      requirements

6
Grid Trust Service (GTS)
Provisioning and Managing a Federated Trust Fabric
7
Problem
  • How do the grid clients/services know which CA
    certificates to trust?

8
Certificate Validation Profiles
  • Locally Stored Locally Validated Profile (LSLV)
    • Trusted Certificates are locally stored
    • Revocation Lists are stored locally
    • Certificates received are validated against
      locally stored trusted certificates
    • Equivalent to XKMS Tier 0
  • Pros
    • Almost no infrastructure required
  • Cons
    • Difficult to keep trusted CA list current
    • Trust Fabric in the hands of users

9
Certificate Validation Profiles
  • Remotely Retrieved Locally Validated Profile
    (RRLV)
    • Trusted Certificates exist and are managed by a
      Trust Service
    • Certificates received are validated against
      trusted certificates retrieved from a trust
      service
    • Equivalent to XKMS Tier 1
  • Pros
    • Authentication performed against the current
      trust fabric
    • Validation done locally, so specialized
      validation requirements can be enforced
  • Cons
    • Validation done locally, so poor enforcement
      could lead to a potential security risk
    • Relies on bootstrapping from the Trust Service

10
Certificate Validation Profiles
  • Remotely Stored Remotely Validated Profile (RSRV)
    • Trusted Certificates exist and are managed by a
      Trust Service
    • Certificates received are sent to a Trust Service
      to be validated
    • Equivalent to XKMS Tier 2
  • Pros
    • Authentication performed against the current
      trust fabric
    • Validation done remotely and enforced globally
    • Local deployment no longer responsible for
      validation
    • Certificate Path Discovery managed
    • Enforcement of CA Signing Policies
  • Cons
    • Network Overhead

11
Certificate Validation Profiles: Supported Today
  • Globus 4.0 employs the Locally Stored Locally
    Validated Profile (LSLV)
    • File System Directory of Trusted Certificates
      • Contains Certificate and Certificate Revocation
        List (CRL) for each trusted CA
    • Certificate Validation
      • Certificates are validated if they are signed by
        a certificate contained in the Globus Trusted
        Certificate Directory
  • A number of difficulties arise employing this at
    the scale of caBIG
    • Hard for grid administrators to manage
    • Difficult to provision trusted authorities
    • Difficult to provision CRLs
    • Trust Fabric in the hands of users

12
Certificate Validation Profiles: Adding Support
to Globus
  • Supporting Remotely Retrieved Locally Validated
    Profile (RRLV) in Globus
    • Use trust service to obtain trusted CA
      certificates and CRLs and store them in the
      Globus Trusted Certificate directory
    • Trust Service client manages the Globus Trusted
      Certificate directory for Globus, keeping it up
      to date
    • Limited changes to Globus required: just run the
      Trust Service Client for syncing Globus with the
      Trust Service
  • Supporting Remotely Stored Remotely Validated
    Profile (RSRV) in Globus
    • Globus contacts Trust Service during
      authentication to determine if the credentials in
      question are signed by a Trusted CA
    • Trust Service performs all validation and
      enforces revocation lists
    • Support requires source changes to the Globus
      Toolkit
      • Several changes need to be made in the Globus
        communication layers
      • Changes need to be made in the Proxy validation
        layer

13
Grid Trust Service (GTS)
  • Grid Trust Service (GTS)
    • WSRF Grid Service
    • Trust Level Creation and Management
    • Provides Support for Managing Trusted Certificate
      Authorities
      • Administrators register/manage certificate
        authorities and CRLs with GTS
    • Client tools synchronize Globus Trust Framework
      with GTS
      • Remotely Retrieved Locally Validated Profile
        (RRLV)
      • Globus is authenticating against the current
        trust fabric
    • Distributed GTS, enabling the creation of a
      scalable trust fabric

14
GTS Support for Certificate Validation Profiles
  • Provide full support for the Remotely Retrieved
    Locally Validated Profile (RRLV)
  • Support the trust service side of Retrieved
    Remotely Validated Profile (RRRV)
    • GTS provides a validation service interface (not
      used in current Globus integration)
    • Full profile support will require changes to
      Globus to support a validation callout

15
Grid Trust Service (GTS)
  • Trust Level Management
    • GTS provides a mechanism for defining and
      managing Trust Levels
    • GTS Administrators can Add/Update/Remove Trust
      Levels
      • Requires grid credentials (GTS Administrator)
    • Each Trusted Authority is assigned levels of
      trust
    • GTS can be queried by level of trust

16
Grid Trust Service (GTS)
  • Trusted Authorities
    • GTS manages a set of certificate authorities that
      are trusted in the grid to sign grid credentials
      or grid proxy certificates
    • Trusted Authority: a certificate authority
      trusted by the GTS
      • Name: subject of the CA certificate
      • Trust Levels: the levels of trust associated
        with the CA
      • Status: the current status of the CA (Trusted or
        Suspended)
      • Certificate: the CA certificate that corresponds
        to the private key used by the CA to sign
        certificates (credentials)
      • Certificate Revocation List (CRL): CA-signed
        list of revoked credentials
      • Is Authority: specifies whether or not the GTS
        listing this Trusted Authority is the authority
        for it
      • Authority GTS: the authoritative GTS for the
        Trusted Authority
      • Source GTS: the GTS from which the current GTS
        obtained the Trusted Authority
      • Expiration: the date after which this Trusted
        Authority should no longer be trusted

17
Grid Trust Service (GTS)
  • Managing Trusted Authorities
    • GTS provides support for adding/updating/removing
      Trusted Authorities through its Grid Service
      Interface
      • Requires Grid Credentials or Proxy Certificate of
        a GTS Administrator
    • GTS Provides an administrative Java Client
    • GTS Provides an administrative GUI

18
Grid Trust Service (GTS)
  • Querying for Trusted Authorities
    • GTS provides a public mechanism for
      discovering/querying the Trusted Certificate
      Authorities
    • Query interface enables synchronization tools to
      be built to synchronize authorities trusted by
      Globus with those trusted by the GTS
    • GTS Provides a Java Search Client
    • GTS Provides a GUI built on top of the Search
      Client
  • Query Criteria
    • Name
    • Trust Level
    • Status (Trusted, Suspended)
    • Lifetime (Valid, Expired)
    • Is Authority
    • Authority GTS
    • Source GTS

19
Sync GTS
  • Toolkit used for synchronizing client and service
    containers with the GTS
  • Takes in a set of GTS Queries and executes them
    on a set of GTS services, synchronizing the
    results of the queries with the Globus Trusted
    Certificates Directory
  • Supports multiple execution mechanisms
    • Grid Service in a grid service container
    • Embedded in a client or service
    • Command Line
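The reconciliation step that SyncGTS performs, as an added Go example (not caGrid's own SyncGTS code): GTS query results are written into a Globus-style trusted-certificate directory as <hash>.0 (CA certificate) and <hash>.r0 (CRL) files, and files for CAs the GTS no longer lists as Trusted are deleted, so a centrally suspended or dropped CA stops being trusted locally. Assumed: the truncated SHA-1 used as the file-name stem (real Globus directories use OpenSSL's subject hash), the field names of the query result, and the constructed sample in main.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// TrustedAuthority carries the GTS query-result fields that the sync needs.
type TrustedAuthority struct {
	Name, Status, CertPEM, CRLPEM string // CA subject; Trusted or Suspended; PEM certificate; PEM CRL (may be empty)
	Expiration                    time.Time
}

// fileStem: Globus file-name stem for a CA (assumption: a truncated SHA-1 stands in for OpenSSL's subject hash).
func fileStem(subject string) string {
	sum := sha1.Sum([]byte(subject))
	return hex.EncodeToString(sum[:4])
}

// SyncTrustDir reconciles a Globus trusted-certificate directory with GTS results: each Trusted,
// unexpired CA gets <hash>.0 and <hash>.r0; stale .0/.r0 files are deleted. Returns trusted stems.
func SyncTrustDir(dir string, results []TrustedAuthority, now time.Time) ([]string, error) {
	wanted := map[string]string{} // file name -> content to write
	var stems []string
	for _, ta := range results {
		if ta.Status != "Trusted" || !now.Before(ta.Expiration) {
			continue // suspended or expired: not written, and removed below if present
		}
		stem := fileStem(ta.Name)
		wanted[stem+".0"] = ta.CertPEM
		if ta.CRLPEM != "" {
			wanted[stem+".r0"] = ta.CRLPEM
		}
		stems = append(stems, stem)
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		n := e.Name()
		if _, keep := wanted[n]; keep || (filepath.Ext(n) != ".0" && filepath.Ext(n) != ".r0") {
			continue // still vouched for by the GTS, or not a CA/CRL file (e.g. a signing_policy)
		}
		if err := os.Remove(filepath.Join(dir, n)); err != nil {
			return nil, err
		}
	}
	for n, body := range wanted {
		if err := os.WriteFile(filepath.Join(dir, n), []byte(body), 0o644); err != nil {
			return nil, err
		}
	}
	return stems, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "certificates")
	ca := TrustedAuthority{Name: "O=OSU,OU=BMI,CN=Dorian CA", Status: "Trusted", CertPEM: "<PEM certificate>", CRLPEM: "<PEM CRL>", Expiration: time.Now().Add(24 * time.Hour)} // constructed sample
	fmt.Println(SyncTrustDir(dir, []TrustedAuthority{ca}, time.Now()))
}
```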

20
Grid Trust Service (GTS) Federation
  • GTS Federation
    • A GTS can inherit Trusted Authorities and Trust
      Levels from other GTS instances
    • Allows one to build a scalable Trust Fabric
    • Allows institutions to stand up their own GTS,
      inheriting all the trusted authorities in the
      wider grid, yet being able to add their own
      authorities that might not yet be trusted by the
      wider grid
    • A GTS can also be used to join the trust fabrics
      of two or more grids

21
Grid Trust Service (GTS) Federation
  • Each GTS contains a list of Authoritative Grid
    Trust Services
    • Authority GTS
      • GTS Service End Point
      • Priority: the priority of this authority GTS
        with respect to the other authority GTSs; used
        in resolving conflicts between authority grid
        trust services
      • Time to Live: specifies how long a Trusted
        Authority should be valid
      • Synchronize Trust Level: whether or not to sync
        the trust levels
      • Perform Authorization: whether or not to perform
        authorization; if so, the identity of the
        authority GTS must also be specified
  • The GTS can be configured how often to sync with
    its authorities
  • On syncing, a GTS will obtain all valid Trusted
    Authorities and Trust Levels (if specified) from
    each authority GTS and organize them locally
    based on priority
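One sync pass of the federation described above, as an added Go example (not GTS code): authority GTS instances are consulted in priority order, a name conflict between two sources is resolved in favour of the higher-priority one, and every inherited entry is marked non-authoritative, tagged with its Source GTS, and given an Expiration derived from the authority's Time to Live. Assumed: lower Priority numbers win, the local GTS's own authoritative entries are never overridden, the query callback stands in for the GTS query call, and the Synchronize Trust Level and Perform Authorization options are left out.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuthorityGTS is one entry in a GTS's list of authoritative Grid Trust Services.
type AuthorityGTS struct {
	Endpoint string
	Priority int           // assumed convention: lower number wins conflicts
	TTL      time.Duration // how long Trusted Authorities inherited from it stay valid
}

// TrustedAuthority is the subset of GTS Trusted Authority fields that federation touches.
type TrustedAuthority struct {
	Name, Status, AuthorityGTS, SourceGTS string
	TrustLevels                           []string
	IsAuthority                           bool
	Expiration                            time.Time
}

// SyncAuthorities performs one sync: local authoritative entries are kept, then each authority
// GTS is queried in priority order and its valid Trusted Authorities are adopted unless a
// higher-priority source already supplied one with the same name. Result is sorted by name.
func SyncAuthorities(local []TrustedAuthority, auths []AuthorityGTS, query func(endpoint string) []TrustedAuthority, now time.Time) []TrustedAuthority {
	merged := map[string]TrustedAuthority{}
	for _, ta := range local {
		if ta.IsAuthority { // this GTS is the authority: never overridden by an upstream copy
			merged[ta.Name] = ta
		}
	}
	ordered := append([]AuthorityGTS(nil), auths...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Priority < ordered[j].Priority })
	for _, a := range ordered {
		for _, ta := range query(a.Endpoint) {
			if _, taken := merged[ta.Name]; taken || !now.Before(ta.Expiration) {
				continue // already provided by a higher-priority source, or expired upstream
			}
			ta.IsAuthority, ta.SourceGTS = false, a.Endpoint
			if ta.AuthorityGTS == "" {
				ta.AuthorityGTS = a.Endpoint // first hop: the upstream GTS is the authority
			}
			ta.Expiration = now.Add(a.TTL)
			merged[ta.Name] = ta
		}
	}
	out := make([]TrustedAuthority, 0, len(merged))
	for _, ta := range merged {
		out = append(out, ta)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	now := time.Now()
	query := func(string) []TrustedAuthority { // constructed upstream sample
		return []TrustedAuthority{{Name: "CN=Shared CA", Status: "Trusted", IsAuthority: true, Expiration: now.Add(time.Hour)}}
	}
	auths := []AuthorityGTS{{"https://partner.example/gts", 2, time.Hour}, {"https://grid.example/gts", 1, 24 * time.Hour}}
	fmt.Println(SyncAuthorities(nil, auths, query, now))
}
```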

22
Grid Trust Service (GTS) Federation
23
Grid Trust Service (GTS) Federation
  • Managing GTS Authorities for a GTS
    • GTS provides support for adding/updating/removing
      GTS Authorities through its Grid Service
      Interface
      • Requires Grid Credentials or Proxy Certificate of
        a GTS Administrator
    • GTS Provides an administrative Java Client
    • GTS Provides an administrative GUI

24
Dorian
Identity Management and Federation
25
Grid Security Authentication Overview
  • Clients authenticate to the grid using a grid
    proxy
    • Grid Proxy consists of a private key and proxy
      certificate signed by the user's grid credentials
    • Extension of X.509 Identity Certificates
    • Short Lifetime
    • Asserts Identity of users and services
    • Enables single sign-on
    • Short-term certificate, signed by the client's
      long-term private key
    • Supports Delegation
  • Grid Credentials consist of a long-term
    certificate and private key

26
caGrid Authentication
  • Identity / User Provisioning Problem
    • Hundreds of organizations, tens of thousands of
      users
    • How do we assign identity to users, how do we
      provision user accounts?
    • Who should assert the identity for a given user?
  • Givens
    • Access to data will be through a Grid
      Infrastructure
    • Some users may need to have access to
      de-identified/identified medical data
    • Local Institutional Review Boards (IRBs) will
      need their policies enforced
    • Some users already have accounts at their home
      institutions
    • Local account provisioning policies differ from
      institution to institution

27
Identity Management and Federation
  • caBIG Security Whitepaper recommends the use of
    Identity Management and Federation to facilitate
    Authentication
    • A system that allows individuals to use the same
      user name, password or other personal
      identification to sign on to the systems of more
      than one enterprise in order to conduct
      transactions
  • Enable users to use their institution-provided
    identity for authenticating to a Grid
    • Users should be able to authenticate to the Grid
      using their institution's existing mechanisms

Image taken from the caBIG Security Evaluation
White Paper
28
Identity Management and Federation
  • Identity Provider (IdP)
    • Federation partner that vouches for the identity
      of a user
    • The IdP authenticates the user, and provides an
      authentication token (proof) to the service
      provider
  • Service Provider (SP)
    • A service provider is a federation partner that
      provides services to end users
    • Relies on IdP to authenticate users
  • Security Assertion Markup Language (SAML)
    • XML-based security language for exchanging
      authentication and authorization information

29
Dorian Grid Identity Management and Federation
  • Grid User Account Management
    • Administrative interface for account provisioning
      and management
    • Built-in Certificate Authority
      • Manages Grid Credentials for each user
    • Enables users to authenticate and create grid
      proxies, which they may use to access the grid
  • Identity Management and Federation
    • Integration point between external security
      domains and the grid
    • Users may use existing credentials to obtain a
      grid proxy
      • Users authenticate to IdP, obtain a SAML
        assertion (proof) which is then given to Dorian
        to facilitate the creation of a grid proxy
    • Automated Account Creation and Provisioning

30
Dorian Grid Identity Management and Federation
  • WSRF Compliant Web Service
    • Secure Communication
    • Administrative Operations
    • User Operations
  • Dorian Identity Provider
    • Built-in username/password IdP
    • Enables developers, smaller groups, research
      labs, unaffiliated users, and other groups
      without an IdP to use Dorian as their IdP, such
      that they may leverage Dorian for creating grid
      credentials
  • Administrative GUI

31
Dorian Grid Identity Management and Federation
  • Users authenticate to IdP, obtain a SAML
    assertion (proof) which is then given to Dorian
    to facilitate the creation of a grid proxy
  • Trust is established between
    • Dorian and registered IdPs
      • Dorian must trust the identity assertions
    • Dorian and Clients
      • Clients must trust Dorian to manage the exchange
    • Dorian and Services
      • Services must trust Dorian-created User
        credentials
  • Dorian acts as a trust integration point between
    Identity Providers and Service Providers

32
Dorian Proxy Creation
  • Proxy Creation Workflow
    • Client authenticates with Local IdP
    • Client creates public/private key pair to use for
      grid proxy
    • Client requests Dorian to create a grid proxy
    • Dorian verifies that the SAML assertion provided
      by the user is signed by a Trusted IdP and that
      the user has a valid account
    • Dorian locates the user's grid credentials,
      private key and certificate
    • Dorian uses the public key provided to create a
      proxy certificate and signs it with the user's
      private key
    • Dorian returns the proxy certificate to the user
    • The user may now use the proxy to authenticate to
      grid services

[Diagram: the client presents a username/password (or
other credential) to the IdP and receives a signed SAML
Assertion, which it then presents to Dorian]
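Dorian's side of this workflow, as an added Go example (not Dorian's code): the assertion check, the account-status check, and the signing of a short-lived proxy certificate for the client-supplied public key with the user's long-term private key, which never leaves Dorian. Assumed: the 12-hour lifetime, the flag that stands in for verifying the SAML signature against the registered IdP certificate, and the self-signed test credentials built by NewAccount (Dorian's built-in CA issues the real ones); Go's x509 has no RFC 3820 proxy extension, so the result is a plain short-lived certificate chained to the user certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// GridAccount stands in for a Dorian grid user account plus the grid credentials
// Dorian stores for it; the long-term private key never leaves Dorian.
type GridAccount struct {
	Status string // Active, Pending, Suspended or Expired
	Cert   *x509.Certificate
	Key    *ecdsa.PrivateKey
}

// Assertion is a simplified SAML assertion; ValidSignature stands in for the check
// that it was signed by the certificate of a registered Trusted IdP.
type Assertion struct{ IdPID, LocalUserID string; ValidSignature bool }

func sign(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CreateProxy is Dorian's side of the workflow: check the assertion and account status,
// then sign a short-lived certificate (12 h assumed) for the client's public key with the user's long-term key.
func CreateProxy(a Assertion, acct *GridAccount, clientPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if !a.ValidSignature {
		return nil, errors.New("SAML assertion is not signed by a trusted IdP")
	}
	if acct == nil || acct.Status != "Active" {
		return nil, errors.New("grid account is not Active")
	}
	cn := asn1.ObjectIdentifier{2, 5, 4, 3}
	subj := acct.Cert.Subject
	subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: cn, Value: subj.CommonName}, {Type: cn, Value: "proxy"}} // user subject + trailing CN, as in GSI proxies
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo serial; use a random one in production
		Subject:      subj,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(12 * time.Hour),
	}
	return sign(tmpl, acct.Cert, clientPub, acct.Key)
}

// NewAccount builds a test account; the long-term certificate is self-signed here for
// brevity, whereas in Dorian the built-in Dorian CA issues it.
func NewAccount(status, localUserID string) (*GridAccount, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the CSPRNG is broken
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	tmpl.Subject = pkix.Name{Organization: []string{"OSU"}, OrganizationalUnit: []string{"BMI", "caGrid", "Dorian", "localhost", "IdP 1"}, CommonName: localUserID}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &GridAccount{Status: status, Cert: cert, Key: key}, err
}
```

A service receiving such a proxy validates it the way the earlier profile slides describe: the chain must end at a CA listed in its Globus trust directory or by the GTS.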
33
Dorian Grid User Account Creation
  • A grid account is created the first time a user
    accesses Dorian with a SAML Assertion signed by a
    registered Trusted Identity Provider
  • Each grid account has a status associated with it
    • Active, Pending, Suspended, Expired
    • Only users with an Active status will be given
      access to the grid
  • The initial status of a user account upon
    creation depends on the user policy configured
    with their IdP
    • A User Policy is applied to a user's account
      every time they request that a proxy is created
  • Example User Policies
    • Auto Approval: upon account creation, the user's
      account status is set to Active and they are
      immediately granted access to the grid
    • Manual Approval: upon account creation, the
      user's account status is set to Pending, and an
      administrator will need to grant them access to
      the grid
  • User Policies enable the administration of Dorian
    to be as hands-on or hands-off as the
    administrators wish

34
Dorian Grid User Accounts
  • Grid User Account
    • IdP Local User Id: used to uniquely identify a
      user within the context of an IdP
    • First Name
    • Last Name
    • Email
    • User Role: role within Dorian (admin?)
    • User Status: account status (Active, Pending,
      Suspended)
    • Grid Credentials
      • Private Key: used in signing proxy certificates
      • Long-term Certificate
    • Grid Identity
      • Dorian CA Metadata, Trusted IdP Id, Local User Id

Example grid identity from the slide's diagram:
/O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP 1/CN=jdoe
(the leading O/OU components are the Dorian CA
Metadata, OU=IdP 1 the IdP Id, and CN=jdoe the Local
User Id)
35
Dorian Managing Trusted Identity Providers
  • Trusted Identity Provider: an IdP which Dorian
    is configured to trust and for which it manages
    grid user accounts
    • Id: Dorian-assigned identifier for the IdP
    • Name: human-readable name for easy
      identification
    • Status: Active / Suspended
    • User Policy: executed when users authenticate;
      dictates a policy to apply to a user's account
    • Allowed Authentication Methods
    • IdP Certificate: certificate whose corresponding
      private key is used to sign the IdP's SAML
      assertions

36
Dorian Identity Provider
  • Dorian Identity Provider (Dorian IdP): enables
    developers, smaller groups, research labs,
    unaffiliated users, and other groups without an
    IdP to use Dorian as their IdP, such that they
    may leverage Dorian for creating grid credentials
  • Registration: provides a registration mechanism
    through the grid service interface
  • Authentication: username/password authentication
    over the grid service interface; successful
    authentication returns a SAML assertion which can
    later be consumed by Dorian in exchange for a grid
    proxy
  • Account Management: provides administrative
    operations for managing Dorian IdP accounts

37
Dorian Identity Provider Registration /
Authentication
  • Potential users obtain an account on the Dorian
    IdP by registering
    • Grid Service Interface provides a mechanism for
      registering for a Dorian IdP account
      • Uses the internally standardized
        AuthenticationService interface
    • Dorian GUI provides a graphical interface for
      registering with the Dorian IdP
  • Account creation depends on how the Dorian IdP is
    configured
    • Auto Creation
    • Manual Creation
  • Once approved, registered users can authenticate
    (username, password) to the Dorian IdP to obtain
    a SAML Assertion which can then be used to create
    a proxy

38
Dorian Identity Provider User Management
  • Dorian IdP User Management
    • Manage User Account Information
    • Manage Account Status
      • Active, Suspended, Pending
    • Grant IdP Admin Rights
  • Account Management done through grid service
    interface; only users with admin rights may
    manage accounts
  • Full Account Management Support through the
    Dorian GUI

39
Dorian Integration with GTS
  • Dorian provides the optional capability to
    integrate with a Grid Trust Service (GTS)
    • When a Dorian-managed user account is disabled,
      Dorian publishes an updated CRL to the GTS
      indicating that the user's corresponding
      certificate is invalid
    • When a trusted Identity Provider is disabled, all
      corresponding user accounts are disabled
    • Dorian's service identity must be given
      administrative privileges to the appropriate GTS
      Trusted Authority (Dorian's CA)

40
caGrid 1.0 Security Team
  • Team
    • Shannon Hastings
    • Tahsin Kurc
    • Vinay Kumar
    • Stephen Langella (Security Lead)
    • Scott Oster
    • Joel Saltz
    • Frank Siebenlist