Using the MyProxy Online Credential Repository

Similar documents
GSI Credential Management with MyProxy

An Online Credential Repository for the Grid: MyProxy

TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Globus Toolkit: Authentication and Credential Translation

GT 6.0 GSI C Security: Key Concepts

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

How To Understand And Understand The Security Of A Key Infrastructure

Using Globus Toolkit

Abstract. 1. Introduction. Ohio State University Columbus, OH

IGI Portal architecture and interaction with a CA- online

7 Key Management and PKIs

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Use of EASE Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at:

Public Key Infrastructure for a Higher Education Environment

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

CS 356 Lecture 28 Internet Authentication. Spring 2013

Entrust Managed Services PKI

2 Transport-level and Message-level Security

Architecture of Enterprise Applications III Single Sign-On

Certification Practice Statement

DJIGZO ENCRYPTION. Djigzo white paper

OAuth: Where are we going?

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

CIPHERMAIL ENCRYPTION. CipherMail white paper

Certificate Management

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

GRID COMPUTING Techniques and Applications BARRY WILKINSON

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Single Sign-On Framework in Tizen Contributors: Alexander Kanavin, Jussi Laako, Jaska Uimonen

Installation and Configuration Guide

Angel Dichev RIG, SAP Labs

An Introduction to Entrust PKI. Last updated: September 14, 2004

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Djigzo encryption. Djigzo white paper

GT 6.0 GRAM5 Key Concepts

Complying with PCI Data Security

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Configuring Digital Certificates

Ericsson Group Certificate Value Statement

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

SAP Single Sign-On 2.0 Overview Presentation

XSEDE Service Provider Software and Services Baseline. September 24, 2015 Version 1.2

How to Prepare Your Salesforce Service for Certificate Changes

HMRC Secure Electronic Transfer (SET)

/ Preparing to Manage a VMware Environment Page 1

Sync Security and Privacy Brief

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Fairsail REST API: Guide for Developers

Axway Validation Authority Suite

Two SSO Architectures with a Single Set of Credentials

How To Use The Gss-Api And Sspi For A Security Reason On A Microsoft Microsoft Server (Or A Microsplatte)

Applying Cryptography as a Service to Mobile Applications

Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Grid Security : Authentication and Authorization

cipher: the algorithm or function used for encryption and decryption

ipad in Business Security

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

VMware Horizon Workspace Security Features WHITE PAPER

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

HOBCOM and HOBLink J-Term

IBM Security Access Manager for Enterprise Single Sign-On Version User Guide IBM SC

VMware vrealize Operations for Horizon Security

Criteria for web application security check. Version

Direct Issuance of Proxy Certificate on P-GRADE Grid Portal Without Using MyProxy

Using the TPM: Data Protection and Storage

Configuring DoD PKI. High-level for installing DoD PKI trust points. Details for installing DoD PKI trust points

MySQL Security: Best Practices

Receiving Secure from Citi For External Customers and Business Partners

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

OPC UA vs OPC Classic

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Likewise Security Benefits

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Enabling SSL and Client Certificates on the SAP J2EE Engine

Transcription:

Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu

What is MyProxy? Independent Globus Toolkit add-on since 2000 To be included in Globus Toolkit 4.0 A service for securing private keys Keys stored encrypted with user-chosen password Keys never leave the MyProxy server A service for retrieving proxy credentials A commonly-used service for grid portal security Integrated with OGCE, GridSphere, and GridPort GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 2

PKI Overview Public Key Cryptography Sign with private key, verify signature with public key Encrypt with public key, decrypt with private key Key Distribution signs Issuer: CA Subject: CA Who does a public key belong to? Certification Authority (CA) verifies user s identity and signs certificate Certificate is a document that binds the user s identity to a public key Issuer: CA Subject: Jim Authentication Signature [ h ( random, ) ] GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 3

Proxy Credentials RFC 3820: Proxy Certificate Profile Associate a new private key and certificate with existing credentials Short-lived, unencrypted credentials for multiple authentications in a session Restricted lifetime in certificate limits vulnerability of unencrypted key Credential delegation (forwarding) without transferring private keys signs signs signs CA User Proxy A Proxy B GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 4

Proxy Delegation Delegator Delegatee 2 Proxy certificate request 1 Generate new key pair 3 Sign new proxy certificate Proxy 4 Proxy Proxy GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 5

MyProxy System Architecture MyProxy client Store proxy Retrieve proxy MyProxy server Proxy delegation over private TLS channel Credential repository GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 6

MyProxy: Credential Mobility tg-login.ncsa.teragrid.org Obtain certificate Store proxy ca.ncsa.uiuc.edu tg-login.caltech.teragrid.org myproxy.teragrid.org tg-login.sdsc.teragrid.org Retrieve proxy tg-login.uc.teragrid.org GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 7

MyProxy and Grid Portals MyProxy server Login Portal Fetch proxy Access data GridFTP server GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 8

MyProxy: User Registration Request account Set username/password Registration portal Obtain user certificate Certificate authority Load user s credentials Login with username/password Grid portal Retrieve proxy MyProxy server PURSE: Portal-based User Registration Service ESG GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 9

MyProxy Security Keys encrypted with user-chosen passwords Server enforces password quality Passwords are not stored Dedicated server less vulnerable than desktop and general-purpose systems Professionally managed, monitored, locked down Users retrieve short-lived credentials Generating new proxy keys for every session All server operations logged to syslog Caveat: Private key database is an attack target Compare with status quo GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 10

Hardware-Secured MyProxy Protect keys in tamper-resistant cryptographic hardware Retrieve proxy MyProxy Server Proxy request Proxy certificate IBM 4758 M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004. GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 11

GlobusWORLD 2003 Flashback GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 12

Credential Renewal Long-lived jobs or services need credentials Task lifetime is difficult to predict Don t want to delegate long-lived credentials Fear of compromise Instead, renew credentials as needed during the job s lifetime Renewal service provides a single point of monitoring and control Renewal policy can be modified at any time Disable renewals if compromise is detected or suspected Disable renewals when jobs complete GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 13

MyProxy: Credential Renewal Submit job Condor-G Submit job Refresh proxy Globus gatekeeper Fetch proxy MyProxy server GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 14

MyProxy Installation (Unix) Included in GT 4.0 As an add-on component to GT 3.x $ gpt-build myproxy*.tar.gz <flavor> Set $MYPROXY_SERVER environment variable to myproxy-server hostname $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu Set Globus Toolkit environment $. $GLOBUS_LOCATION/etc/globus-user-env.sh Client installation/configuration complete! GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 15

MyProxy CoG Clients Commodity Grid (CoG) Kits Provide portable (Java and Python) MyProxy client tools & APIs Windows support For more information: http://www.cogkit.org/ GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 16

MyProxy Commands myproxy-init: store proxy myproxy-get-delegation: retrieve proxy myproxy-info: query stored credentials myproxy-destroy: remove credential myproxy-change-pass-phrase: change password encrypting private key GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 17

MyProxy Server Administration Install server certificate and CA certificate(s) Configure /etc/myproxy-server.config policy Template provided with examples Optionally: Configure password quality enforcement Install cron script to delete expired credentials Install boot script and start server Example boot script provided Use myproxy-admin commands to manage server Reset passwords, query repository, lock credentials GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 18

MyProxy Server Policies Who can store credentials? Restrict to specific users or CAs Restrict to administrator only Who can retrieve credentials? Allow anyone with correct password Allow only trusted services / portals Maximum lifetime of retrieved credentials server-wide and per-credential GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 19

MyProxy and SASL MyProxy supports additional authentication mechanisms via SASL (RFC 2222) One Time Passwords (SASL PLAIN with PAM) Protect against stolen passwords Hardware token generates OTP Authenticate with OTP plus MyProxy password Tested with CryptoCard tokens Kerberos (SASL GSSAPI) Authenticate with Kerberos ticket plus MyProxy password GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 20

Related Work GT4 Delegation Service Protocol based on WS-Trust and WSRF SACRED (RFC 3767) Credential Repository http://sacred.sf.net/ Kerberized Online CA (KX.509/KCA) Kerberos -> PKI PKINIT for Heimdal Kerberos PKI -> Kerberos GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 21

GridLogon Work in progress Inspired by Peter Gutmann s PKIBoot Plug-and-Play PKI: A PKI your Mother can Use Password-based authentication to initialize user s security environment Install identity/attribute/authorization credentials Install CA certificates and CRLs Install additional security configurations GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 22

MyProxy Community myproxy-users@ncsa.uiuc.edu mailing list Bug tracking: http://bugzilla.ncsa.uiuc.edu/ Anonymous CVS access :pserver:anonymous@cvs.ncsa.uiuc.edu:/cvs/myproxy Contributions welcome! Feature requests, bug reports, patches, etc. GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 23

Thank you! Questions/Comments? Contact: jbasney@ncsa.uiuc.edu GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information