X.509 Proxy Certificates for Dynamic Delegation

1
X.509 Proxy Certificates for Dynamic Delegation
  • Ian Foster, Jarek Gawor, Carl Kesselman, Sam
    Meder, Olle Mulmo, Laura Perlman, Frank
    Siebenlist, Steven Tuecke, Von Welch
  • (Presenter: vwelch_at_ncsa.uiuc.edu)

2
Outline
  • Problem Statement, Motivations, Approach
  • Proxy Certificate Solution
  • What are they?
  • What can they do?
  • Status: Standardization, Implementation,
    Deployment

3
Use Case
[Diagram; labels: Domain A, Domain B, Domain C, Domain D, Job Broker, Job, Data Store]

4
Motivation
  • Dynamic Delegation
  • Run-time decision on who and what
  • Support late binding of jobs to resources
  • Dynamic Entities
  • Entities (e.g. Jobs) created at same time
  • Single Sign On
  • Avoid repeated manual authentication
  • Easy (user-driven) cross-domain use

5
Approach
  • Start with PKI
  • Aids cross-domain trust issues since trust
    relationships can be set up by individual
  • Build off of existing standards
  • Needs to be easily understood by security folks
    at many sites
  • Ease of implementation
  • Use with existing PKI libraries as much as
    possible
  • Start with identity-based authz systems

6
Our solution: Proxy Certificates
  • Allow users to delegate on the fly by granting
    other entities the right to use their name
  • Prototypes in 98
  • Standardized in IETF/PKIX 2004
  • Fully implemented, deployed and widely used

7
Proxy Certificates
  • Same format as X.509 Public Key Identity
    Certificate, but signed by user (or another proxy
    certificate)
  • Name scoped to issuer's name
  • Support restricted delegation from issuer to
    bearer
  • Includes critical extension to identify as Proxy
    and express delegation

8
| Certificate attribute | X.509 Public key certificate | X.509 Proxy Certificates |
|---|---|---|
| Issuer/Signer | A certification authority | A public key certificate or another Proxy Certificate |
| Name | Any as allowed by issuer's policy | Unique, scoped to namespace defined by issuer's name |
| Delegation from Issuer | None | Allows for arbitrary delegation policies |
| Key pairs | Uses unique key pair | Uses unique key pair |

9
ProxyCertInfo Extension
  • Critical X.509 Extension
  • Identifies a certificate as a Proxy Cert
  • Allows issuer to express delegation intentions

10
ProxyCertInfo Delegation Policy
  • Does not specify any method of expression
  • No language will be right for everyone all the
    time
  • Instead: an OID to identify the language, and a
    language-specific field
  • Any language can be used as long as understood by
    relying party
  • Two methods defined: all and none
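
The proxy-specific checks a relying party adds to path validation, following the Proxy Certificates and ProxyCertInfo slides above. This is an added Python example, not code from the presentation or from Globus: `Cert`, `validate_proxy_chain` and `sample_chain` are hypothetical names, certificates are modelled as already-parsed records with signatures assumed verified, and the two OIDs are the inherit-all ("all") and independent ("none") policy languages from RFC 3820.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy-language OIDs from RFC 3820 (the published form of the draft).
INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # "all": bearer inherits the issuer's rights
INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # "none": bearer inherits nothing

@dataclass
class Cert:
    """Simplified model of a parsed certificate (hypothetical, not a DER parser)."""
    subject: tuple                     # RDN sequence, e.g. (("O", "Grid"), ("CN", "Alice"))
    issuer: tuple
    not_before: datetime
    not_after: datetime
    policy_oid: Optional[str] = None   # None means no ProxyCertInfo extension
    pci_critical: bool = False

def validate_proxy_chain(eec, proxies, now, understood=(INHERIT_ALL, INDEPENDENT)):
    """Proxy-specific path checks; signature verification is assumed done elsewhere.
    Returns (identity, inherits_rights) or raises ValueError."""
    if eec.policy_oid is not None:
        raise ValueError("chain must start at an identity certificate")
    for cert in [eec, *proxies]:
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError("certificate outside its validity period")
    parent, inherits = eec, True
    for p in proxies:
        if p.policy_oid is None or not p.pci_critical:
            raise ValueError("ProxyCertInfo missing or not critical")
        if p.issuer != parent.subject:
            raise ValueError("issuer is not the signing certificate's subject")
        # Name scoping: subject is the issuer's name plus exactly one CN.
        if p.subject[:-1] != parent.subject or p.subject[-1][0] != "CN":
            raise ValueError("subject not scoped to issuer's name")
        if p.policy_oid not in understood:
            raise ValueError("policy language not understood by relying party")
        inherits = inherits and p.policy_oid == INHERIT_ALL
        parent = p
    return eec.subject, inherits

def sample_chain(now):
    """Constructed sample: user -> sign-on proxy -> proxy delegated to a job."""
    alice = (("O", "Grid"), ("CN", "Alice"))
    end = now + timedelta(hours=8)
    eec = Cert(alice, (("O", "Grid"), ("CN", "CA")), now - timedelta(days=30), now + timedelta(days=335))
    p1 = Cert(alice + (("CN", "1001"),), alice, now, end, INHERIT_ALL, True)
    p2 = Cert(p1.subject + (("CN", "2002"),), p1.subject, now, end, INHERIT_ALL, True)
    return eec, [p1, p2]
```

The identity returned is always the user's certificate subject; a single independent proxy anywhere in the chain means the bearer carries no rights inherited from that user.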

11
Single Sign On
  • User creates key pair locally
  • Signs new public key with identity private key
  • Gives short life span
  • E.g. 8 hours
  • Probably all rights
  • Allows for weak (filesystem) protection of
    private key and easy use

12
Delegation
13
Performance and Security Issues
  • Proxy generation requires key pair generation
  • Those accepting delegation must take care to
    prevent DoS
  • Validate delegation request before generating key
    pair

14
Authorization Methods
  • All rights/impersonation
  • Works great if you don't mind ignoring least
    privilege
  • Delegation with restrictions
  • Issue: How do authentication mechanisms know
    restrictions will be enforced?
  • Identity from Proxy Certificate plus additional
    assertions to grant rights

15
Standardization Status
  • Proxy certificates have passed PKIX and IETF last
    calls
  • Awaiting editorial process to become RFC
  • Latest version is draft-ietf-pkix-proxy-10
  • http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-10.txt
  • Defines specifics of Proxy certificate creation
    and path validation

16
Implementation
  • Fully implemented in Globus Toolkit's Grid
    Security Infrastructure (GSI)
  • www.globus.org/security/
  • Built on OpenSSL
  • Changes are additions to handle Proxy Cert path
    validation as error handlers to normal path
    validation
  • Similar Java implementation
  • GSSAPI-based library
  • Also integrated with SSH, FTP, CVS

17
Deployment
  • Many CAs issuing certificates for use with Proxy
    certificates for production Grids around the
    world
  • Master CA list at http://www.gridpma.org/
  • Two dozen plus CAs, including DOE, NSF, NASA
  • Old Globus CA with 5k certs

18
Future Work
  • One-time passwords/Two-factor authentication
  • Lot of recent attacks using keyboard sniffing
  • Service that hands out proxies authenticating
    with OTP
  • Poor man's hardware tokens
  • Reasonable Restrictions
  • Where from? Intended use?
  • IP addresses too fragile (NAT, mobility,
    multi-homed)
  • Allow for late binding to resources
  • Revocation
  • Even with short lifetime, interest in revocation

19
Summary
  • Proxy Certificates are an extension to X.509
    identity certificates to allow for real-time
    delegation and naming
  • Implemented with minimal changes to existing PKI
    libraries
  • In production use in Grids world-wide
  • Implementation available as part of Globus
    Toolkit (www.globus.org)

20
Acknowledgements
  • DOE
  • SciDAC Security for Group Collaboration
  • Many colleagues in Global Grid Forum and IETF for
    ideas and discussions
  • Questions?