10/3/2020 www.eu-egee.org Gap Analysis JRA 3

  • Slides: 17

EGEE is a project funded by the European Union under contract IST-2003-508833

Architecture (non-complete)
[Diagram labels: Trust anchors; Revocation; Access control; Site policy; Cred store; AA; Proxy cert; VO policy; process space; Trust anchors; “sudo”; Revocation; service; Access control; delegation; Site policy; Audit; Intrusion]

What we have (UNIX native)
[Diagram labels: Trust anchors; Revocation; MyProxy; Cred store; Access control; AA; Proxy cert; Site policy; Audit; ???; VOMS; VO policy; process space; GRAM + LCMAPS; “sudo”; Trust anchors; Revocation; EDG CRL scripts; service; gSoap; Access control; GACL; delegation; HTTPG; Site policy; LCAS; Audit; Intrusion; snort(*)]
(*) Almost there

What we have (hosted)
[Diagram labels: Trust anchors; Revocation; MyProxy (client); CAS; Cred store; VO policy; Access control; Proxy cert; Site policy; Axis; “sudo”; service; various; delegation; Audit; ???; AA; process space; GRAM; Trust anchors; Revocation; GT, EDG Java; SAML(*); Access control; XACML(*); Site policy; EDG AuthZ(*); Audit; Intrusion]
(*) Almost there

What we want (non-complete)
[Diagram labels: Trust anchors; Revocation; Access control; Trust anchors; Cred store; VOMS; VO policy; Proxy cert; Policy based authZ service; Site policy; Revocation; Access control; Site policy; delegation; Audit; Provisioning; ???; Intrusion]

Configuration issues
• Many different policy configuration languages…
  § EDG Java AuthZ, LCAS, GACL, XACML …
  § No single solution adequate for all scenarios (coarse-grained, fine-grained, combination)
• We need to combine them!
  § XACML is best suited to handle policy arbitration, but you don’t want to code in it (ugly)
  § Sun has a full (and free) Java implementation, performance issues?
• Whatever we use, make sure they all can be mapped into a common form (XACML?)
  § Allows for rule combinations from different authorities
  § Local site policy always overrules
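Added example (not from the original slides or any EGEE code): a sketch of the "common form" idea, with rules from different authorities reduced to one record type and combined so that an applicable site rule overrules the VO. The Rule fields, the sample DNs and attributes, and the reading of "always overrules" (any applicable site decision wins, otherwise deny-overrides among the rest, default deny) are assumptions made for illustration; this is not GACL, LCAS or XACML syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    authority: str  # who issued the rule: "site" or a VO name (hypothetical field)
    subject: str    # glob over a subject DN or a VO attribute string
    resource: str   # glob over the resource name
    action: str     # e.g. "read", "write", or "*" for any action
    effect: str     # PERMIT or DENY

def matches(rule, subjects, resource, action):
    return (any(fnmatchcase(s, rule.subject) for s in subjects)
            and fnmatchcase(resource, rule.resource)
            and rule.action in ("*", action))

def deny_overrides(rules, subjects, resource, action):
    # Within one tier: any matching Deny wins, then any matching Permit.
    effects = {r.effect for r in rules if matches(r, subjects, resource, action)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def decide(rules, subjects, resource, action):
    # Tier 1: local site policy. If it says anything, that is the answer.
    site = [r for r in rules if r.authority == "site"]
    verdict = deny_overrides(site, subjects, resource, action)
    if verdict == NOT_APPLICABLE:
        others = [r for r in rules if r.authority != "site"]
        verdict = deny_overrides(others, subjects, resource, action)
    # Nothing applicable from any authority means access is refused.
    return PERMIT if verdict == PERMIT else DENY

# Constructed sample rules, as they might look after translation to the common form.
RULES = [
    Rule("site", "/O=Grid/CN=Mallory", "*", "*", DENY),
    Rule("site", "/O=Grid/CN=Site Admin", "*", "*", PERMIT),
    Rule("vo-a", "/vo-a/Role=production", "se:/data/vo-a/*", "write", PERMIT),
    Rule("vo-a", "/vo-a*", "se:/data/vo-a/*", "read", PERMIT),
    Rule("vo-a", "/vo-a/Role=guest", "se:/data/vo-a/private/*", "*", DENY),
]
```

Each caller passes the subject's DN together with its VO attributes, so one request can be matched by rules from several authorities at once.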

Provisioning (2-year effort)
• Many CA certs to keep track of, new ones are added
• CRLs get outdated
• Much of this stuff is only understood by experts
• Provision user with this type of configuration at login
  § Similar ideas elsewhere, should be able to collaborate on this

Transport
• SOAP over HTTP (message level security)
  § Flexible (integrity vs. encryption)
  § Standard (WS-Security spec)
  § Enables routing and endpoint trust
  § Issue: performance penalty in Java (slowdown due to xmlsec.jar)
  § Issue: replay attacks (dealt with in e.g. GT4)
  [Overlay: WHAT ARE OUR PERFORMANCE TARGETS?]
• SOAP over HTTPS (transport level security)
  § We know how to do it
  § Accepted by WS-I
  § Issue: TLS needs mods due to proxy certs
  § Issue: no endpoint trust (trust server, not service)
  [Overlay: TLS MODS ARE INVASIVE]

Delegation
• Separate delegation WSDL portType
  § Orthogonality and zero cost for non-delegation services
  § Easy transition path from any chosen transport solution
  § Issue: Non-existing but prototype can quickly be conjured
  § Issue: Additional complexity in applications and clients for environments w/out operation provider solutions
• Delegation in HTTPS headers
  § G-HTTPS (GSI)
  § SPNEGO over WWW-Authenticate (GSSAPI)

Delegation (cont.)
• Delegation coupled with authentication (GSI)
  § We know how to do it, solutions exist
  § #1 SOAP over HTTPG
  § #2 GSI-SecureConversation (SOAP over HTTP)

Our recommendation
• Transport #1: SOAP over HTTP and message-level security
  § Pending performance requirements of course…
• Transport #2: SOAP over HTTPG
  § TLS impl needs to be patched anyhow, doesn’t matter if protocol is bent as well
• Delegation #1: Delegation portType
• Delegation #2: GSI-based delegation
  § 2.a: GSI-SecureConversation (if T.#1)
  § 2.b: SOAP over HTTPG (if T.#2)

But that won’t work with my browser…
• It shouldn’t!
• Use portal and standard TLS server certificates for end-user interaction

Software platform: Most leverage in the Java world
• Many free third party products
  § SAML, XACML, XMLSec, Axis, GT
• The gaps we need to fill are “our own”
  § GACL, VOMS, LCAS, …
• Assuming Axis, we need to integrate with it
  § Work already underway with AuthZ framework in GT from KTH
  § EDG Java AuthZ as backup
• Portability requirement way easier to fulfill
  § new java.io.File("/etc/grid-security").getAbsoluteFile() = C:\etc\grid-security
• Performance may be an issue

In the C world…
• gSOAP
  § Better performance
  § No WS-Security
  § GSI plugin (CERN or Italy) needed for HTTPG
• Axis C++
  § Buggy still
  § Would avoid it at this point
• Stability issues
  § A crash means a core dump

ONE MUST REMEMBER
• In the end, we should settle on PROTOCOLS and SYNTAX, not on toolkits
• But, above everything else, it is the available toolkits that control our choice

Other requirements
• Encrypted storage
  § Higher-level service, on top of existing storage infrastructure
  § Secure and redundant storage of encryption keys (M-of-N)
• Anonymity
  § Hard

Playing the Blame Game
Who to blame? A, B, V?
[Diagram labels: quota; Allocations Committee; Resource; !; “Members of V may consume my quota”; VO member; User B; User A; VO V]