
Policy Specification and Restricted Delegation in Globus Proxies


Presentation Transcript


1. Policy Specification and Restricted Delegation in Globus Proxies
Babu Sundaram, University of Houston
Christopher Nebergall, Western Illinois University
Steven Tuecke, Argonne National Laboratory

2. Background
• Security issues in 'Grids'
• Users need a SINGLE SIGN-ON mechanism to gain access to the user's 'grid resources'
• User credentials should never be passed insecurely across the network
• Sites often have highly heterogeneous local policies
• How do we meet these goals?

3. Background
• Proxy: a short-lived credential that acts as a stand-in for the user
  • Can be used without user intervention
  • Created when the user signs on
  • Eliminates the need to have the user stay on-line
• Why are proxies delegated?
  • To authenticate the user and acquire resources at a remote site without requiring the user's intervention
  • Delegated proxies can be further delegated to other sites indefinitely
• There is a serious drawback ...

4. Motivation
• Proxy credentials can be stolen!
• ANYONE who steals your proxy credential can use it to impersonate YOU
• ANY of your Grid resources can be acquired using the stolen credential until it expires
• Proxy credentials lack the ability to carry fine-grained security policies and restrictions and thus can easily be abused ...

5. Motivating Example: Theft of Delegated Credentials
(Diagram: Machine A holds Jane Doe's full proxy credentials and delegates full proxy credentials, Name: Jane Doe, to Machine B.)
If full proxy credentials are stolen, they can be used to impersonate their owner and allow access to any site for which the owner has access.

6. The Problem ...
• The consequences of proxy credentials being compromised are drastic ...
• With the existing setup, proxy credentials cannot carry security policies dictating their use
• The use of proxy credentials is not restricted to particular sites or resources
We prototyped a solution for this problem for the GLOBUS TOOLKIT.

7. Approach
• Classified Advertisements (Classads)
  • A language for expressing and evaluating attributes
  • A product of Condor technology from the University of Wisconsin
• Introduction
  • Attributes are named expressions
  • A classad is a set of attributes
  • Two classads can be evaluated for a match
  • A simple, flexible and efficient mechanism
• Potentially, classads can be used to specify policies

8. Approach (cont.)
• Proxy credentials can be modified to carry security policies as X.509 certificate extensions
• The extensions can be dropped into the proxy certificate by the user during the sign-on process
• The extensions can be evaluated on the server side to check the validity of the proxy credential

9. Restricted Proxy Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2251 (0x8cb)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Christopher Nebergall
        Validity
            Not Before: Oct 20 19:34:43 2000 GMT
            Not After : Oct 29 07:39:43 2000 GMT
        Subject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Christopher Nebergall, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): ...Value Skipped
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.3536.1.1.1.1:
                [StartTime = '9:00:00'; EndTime = '17:00:00'; ctime = CurrentTime(); requirements = (ctime >= StartTime) && (ctime <= EndTime)]
    Signature Algorithm: md5WithRSAEncryption
        ...Value Skipped

The extensions of the certificate contain a classad which defines that this proxy certificate can only be used from 10:00 A.M. to 5:00 P.M., but the proxy is still valid for several days.

10. Restricted Proxy Example: Theft of Delegated Credentials
(Diagram: Machine A, holding Jane Doe's full proxy credentials, delegates restricted proxy credentials with Name: Jane Doe and Restriction=Sites{Machine A}; when these are presented at Machine B the classad match fails: Access Denied!)
Restricted proxy credentials contain restrictions which prevent them from being used at unintended sites.

11. What can be specified as policies?
• From the user perspective ...
  • Detailed time restrictions specifying when the proxy credential can be used
  • Restrictions specifying the sites where the proxy credential can be used and a list of sites from which the proxy can be delegated
  • Resources which can be accessed using the proxy credential
• Simply, fine-grained usage specification in the proxy credentials to gain more protection if the proxy is compromised

12. What can be specified as policies?
• From the perspective of the remote site ...
  • The time in which a specific user is allowed to log in
  • The sites from which credentials can be accepted
  • The resources and the executables that the user is allowed to access

13. Other Restrictions
• Intermediate Sites - A list of sites that a proxy can be trusted to be delegated through.
• Globus Version - Restrictions based on the version of the software being run on the server.
• Limited - If this flag is set the proxy can be used for authentication but not delegation.
• Executables - A list of executables that can be executed using a particular proxy.

14. Site Policy Specification
• Sites often have highly heterogeneous local policies
• Using this mechanism, the site admins can specify time and resource restrictions for anyone accessing their site
• These restrictions are placed in the Gridmap file
• A dynamic server-side classad is created to match against when a client makes a request

15. Site Policy Specification: Gatekeeper Grid Map File

[
  Subject = {"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Christopher Nebergall"};
  login = "CNebergall";
  UserTimeList = {
    [valid = false; start = '08:00:00'; end = '18:00:00'],
    [valid = true;  start = '08:00:00'; end = '18:00:00'],
    [valid = true;  start = '10:00:00'; end = '20:00:00'],
    [valid = false; start = '08:00:00'; end = '18:00:00'],
    [valid = true;  start = '08:00:00'; end = '18:00:00'],
    [valid = true;  start = '08:00:00'; end = '18:00:00'],
    [valid = false; start = '08:00:00'; end = '18:00:00']
  };
  AccountValid = true;
  ctime = CurrentTime();
  DayOfWeek = GetDayOfWeek(ctime);
  TimeRequirements = UserTimeList[DayOfWeek].valid
                     && ctime >= UserTimeList[DayOfWeek].start
                     && ctime <= UserTimeList[DayOfWeek].end;
  Requirements = AccountValid && TimeRequirements && Other.dynamic.Subject == self.Subject;
]

[
  Subject = {"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Babu Sundaram"};
  login = "Bsundaram";
  AccountValid = true;
  OperateFrom = {"moleman.mcs.anl.gov", "Oboe.mcs.anl.gov"};
  Requirements = AccountValid && Other.dynamic.Subject == self.Subject
                 && Member(OperateFrom, other.dynamic.HostSite);
]

Site policies can be specified in the Grid Map file.

16. Comparison: Advanced Proxy Chaining
• Further restrictions can be added every time the proxy credential is delegated
• Once restrictions have been added they cannot be removed
(Diagram: the client presents proxy chain P with restrictions a, b and c to server S, which carries restriction a.)
P - proxy chain with restrictions a, b, and c
S - server restrictions with restriction a
The server's restrictions are compared against every restriction in the proxy chain.

17. Significance and Applications
• Added facilities for the user and site to specify policies for fine-grained control
• Protection against compromised proxies
• Proxies carry policies and hence promote more than simple authentication and authorization. Policies dictate their usage.
• This work can easily be extended to support other similar mechanisms

18. Simple Example

CLIENT CLASSAD
[
  userName = "babu";
  targetSite = "clarinet.mcs.anl.gov";
  acceptFrom = "bayou.uh.edu";
  Requirements = true;
]

SERVER CLASSAD
[
  Requirements = ismember(other.targetSite, myhost) && ismember(other.acceptFrom, clienthost);
]

During a request for authentication, a match between the two classads is evaluated to check that the server is on the target-site list and that the client is on the accept-from list.
Successful match => authentication of the client at the server side (which happens only if this proxy is presented by 'babu' from 'bayou' to 'clarinet').
Authorization would be based on a similar match between the client and GRAM / Job Manager classads.
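As an added example (not code from the slides, Globus or the classad library), the following Python models the checks that slides 9, 15, 16 and 18 describe: proxy-carried time and site restrictions, a gridmap day-of-week policy, and a server that evaluates every restriction in the delegation chain before its own policy. The host names, the Sunday-first day numbering for GetDayOfWeek and the sample request times are assumptions.

```python
from datetime import datetime, time

# Added example, not Globus or classad code: a minimal evaluator for the kinds
# of policy the slides put in a restricted proxy and in the gridmap file. A
# restriction is a function request -> bool; a chain is one list per delegation.

def time_window(start, end):
    # Slide 9: proxy usable only between StartTime and EndTime each day.
    return lambda req: start <= req["ctime"].time() <= end

def allowed_sites(sites):
    # Slide 10: proxy usable only when presented at one of the listed sites.
    return lambda req: req["host_site"] in sites

def gridmap_time_policy(user_time_list):
    # Slide 15: per-subject day-of-week windows as (valid, start, end) tuples.
    # Assumption: GetDayOfWeek numbers Sunday as 0, so Python's weekday() is shifted.
    def check(req):
        valid, start, end = user_time_list[(req["ctime"].weekday() + 1) % 7]
        return valid and start <= req["ctime"].time() <= end
    return check

def server_accepts(chain, site_policies, req):
    # Slide 16: the server checks every restriction in the whole chain, so a
    # later delegation can add restrictions but never remove an earlier one;
    # the site's own gridmap policy is applied on top.
    chain_ok = all(r(req) for link in chain for r in link)
    return chain_ok and all(p(req) for p in site_policies)

def request(host_site, year, month, day, hour, minute):
    return {"ctime": datetime(year, month, day, hour, minute), "host_site": host_site}

# Constructed sample: Jane's sign-on proxy is limited to 09:00-17:00; the copy
# delegated to Machine A additionally carries Sites{Machine A}.
CHAIN = [
    [time_window(time(9), time(17))],
    [time_window(time(9), time(17)), allowed_sites({"machineA"})],
]
# UserTimeList from slide 15, Sunday first.
SITE_POLICY = [gridmap_time_policy([
    (False, time(8), time(18)), (True, time(8), time(18)),
    (True, time(10), time(20)), (False, time(8), time(18)),
    (True, time(8), time(18)), (True, time(8), time(18)),
    (False, time(8), time(18)),
])]

if __name__ == "__main__":
    # Monday 2000-10-23 11:00: accepted at Machine A, denied for a stolen copy at B.
    print(server_accepts(CHAIN, SITE_POLICY, request("machineA", 2000, 10, 23, 11, 0)))  # True
    print(server_accepts(CHAIN, SITE_POLICY, request("machineB", 2000, 10, 23, 11, 0)))  # False
```

A request on Tuesday at 09:30 passes the proxy's own 09:00-17:00 window but is still refused, because the gridmap entry for that day only opens at 10:00.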

19. Acknowledgements
• Douglas Engert (ANL)
• Darcy Quesnel, Jarek Gawor, Stuart Martin, Gregor von Laszewski (MCS, ANL)
• Rajesh Raman, U of Wisconsin
• Dr. Barbara M. Chapman, U of Houston

20. For more information ...
• For further information, contact the Globus Research booth # R186
• Authors' contact e-mail:
  • Babu Sundaram: babusun@bayou.uh.edu
  • Christopher Nebergall: ct-nebergall@wiu.edu
  • Steven Tuecke: tuecke@mcs.anl.gov
