Using the MyProxy Online Credential Repository

Jim Basney, National Center for Supercomputing Applications, University of Illinois
jbasney@ncsa.uiuc.edu

What is MyProxy?

- Independent Globus Toolkit add-on since 2000
  - To be included in Globus Toolkit 4.0
- A service for securing private keys
  - Keys stored encrypted with user-chosen password
  - Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly-used service for grid portal security
  - Integrated with OGCE, GridSphere, and GridPort

GlobusWORLD 2005, http://myproxy.ncsa.uiuc.edu/

PKI Overview

- Public Key Cryptography
  - Encrypt with public key, decrypt with private key
  - Sign with private key, verify signature with public key
- Key Distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies user's identity and signs certificate
  - Certificate is a document that binds the user's identity to a public key
- Authentication
  - Signature [ h ( random, … ) ]

Figure: the CA certificate (Issuer: CA, Subject: CA) signs the user certificate (Issuer: CA, Subject: Jim).

Proxy Credentials

- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in certificate limits vulnerability of unencrypted key
- Credential delegation (forwarding) without transferring private keys

Figure: CA signs User; User signs Proxy A; Proxy A signs Proxy B.

Proxy Delegation

Figure (Delegator and Delegatee):
1. Generate new key pair (delegatee)
2. Proxy certificate request (delegatee to delegator)
3. Sign new proxy certificate (delegator)
4. Proxy (returned to delegatee)
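The four delegation steps above, together with the CA -> User -> Proxy A -> Proxy B chain of the previous slide, as an added Go example that is not part of the presentation or of MyProxy's own code: it assumes Ed25519 keys and Go's standard x509 package for brevity (GSI of this era used RSA), and checks the chain by hand because Go's own verifier refuses issuers that are not CAs, which is exactly what a proxy signer is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Credential pairs a certificate with a private key that never leaves its holder.
type Credential struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// Issue signs a certificate for pub with signKey; a nil parent yields a self-signed CA root.
func Issue(cn string, ttl time.Duration, pub ed25519.PublicKey, parent *x509.Certificate, signKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true}
	if parent == nil { parent, tmpl.IsCA = tmpl, true }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Delegate follows the slide's four steps: the delegatee generates a key pair (1) and sends only the
// public half as its request (2); the delegator signs a short-lived proxy certificate (3) and returns it (4).
func Delegate(delegator *Credential, ttl time.Duration) (*Credential, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // step 1 runs on the delegatee; key stays here
	if err != nil { return nil, err }
	cert, err := Issue(delegator.Cert.Subject.CommonName+"/proxy", ttl, pub, delegator.Cert, delegator.Key) // steps 2 and 3
	if err != nil { return nil, err }
	return &Credential{cert, key}, nil // step 4: only pub ever crossed between the two parties
}

// VerifyChain walks CA -> user -> proxies, checking each certificate's Ed25519 signature (over the to-be-signed
// bytes) against its issuer's key and that no certificate outlives its issuer; Go's verifier would reject the chain.
func VerifyChain(ca *x509.Certificate, chain ...*x509.Certificate) error {
	prev := ca
	for _, c := range chain {
		pub, ok := prev.PublicKey.(ed25519.PublicKey)
		if !ok || !ed25519.Verify(pub, c.RawTBSCertificate, c.Signature) { return errors.New("bad signature: " + c.Subject.CommonName) }
		if c.NotAfter.After(prev.NotAfter) { return errors.New("outlives its issuer: " + c.Subject.CommonName) }
		prev = c
	}
	return nil
}
```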

MyProxy System Architecture

Figure: the MyProxy client stores a proxy to, and retrieves a proxy from, the MyProxy server (credential repository); proxy delegation runs over a private TLS channel.

MyProxy: Credential Mobility

Figure: on tg-login.ncsa.teragrid.org the user obtains a certificate from ca.ncsa.uiuc.edu and stores a proxy on myproxy.teragrid.org; the proxy is then retrieved on tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.uc.teragrid.org.

MyProxy and Grid Portals

Figure: the user logs in to the portal; the portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server.

MyProxy: User Registration

Figure (PURSE: Portal-based User Registration Service, ESG): the user requests an account and sets a username/password at the registration portal; the registration portal obtains a user certificate from the certificate authority and loads the user's credentials into the MyProxy server; the user logs in to the grid portal with username/password, and the grid portal retrieves a proxy from the MyProxy server.

MyProxy Security

- Keys encrypted with user-chosen passwords
  - Server enforces password quality
  - Passwords are not stored
- Dedicated server less vulnerable than desktop and general-purpose systems
  - Professionally managed, monitored, locked down
- Users retrieve short-lived credentials
  - Generating new proxy keys for every session
- All server operations logged to syslog
- Caveat: Private key database is an attack target
  - Compare with status quo

Hardware-Secured MyProxy

- Protect keys in tamper-resistant cryptographic hardware

Figure: proxy request -> MyProxy server -> IBM 4758 -> proxy certificate; retrieve proxy.

M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004.

GlobusWORLD 2003 Flashback

Credential Renewal

- Long-lived jobs or services need credentials
  - Task lifetime is difficult to predict
- Don't want to delegate long-lived credentials
  - Fear of compromise
- Instead, renew credentials as needed during the job's lifetime
  - Renewal service provides a single point of monitoring and control
- Renewal policy can be modified at any time
  - Disable renewals if compromise is detected or suspected
  - Disable renewals when jobs complete

MyProxy: Credential Renewal

Figure: the user submits a job to Condor-G; Condor-G submits the job to the Globus gatekeeper, fetches a proxy from the MyProxy server and refreshes the job's proxy.

MyProxy Installation (Unix)

- Included in GT 4.0
- As an add-on component to GT 3.x:
    $ gpt-build myproxy*.tar.gz <flavor>
- Set $MYPROXY_SERVER environment variable to myproxy-server hostname:
    $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
- Set Globus Toolkit environment:
    $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
- Client installation/configuration complete!

MyProxy CoG Clients

- Commodity Grid (CoG) Kits
  - Provide portable (Java and Python) MyProxy client tools & APIs
  - Windows support
- For more information: http://www.cogkit.org/

MyProxy Commands

- myproxy-init: store proxy
- myproxy-get-delegation: retrieve proxy
- myproxy-info: query stored credentials
- myproxy-destroy: remove credential
- myproxy-change-pass-phrase: change password encrypting private key

MyProxy Server Administration

- Install server certificate and CA certificate(s)
- Configure /etc/myproxy-server.config policy
  - Template provided with examples
- Optionally:
  - Configure password quality enforcement
  - Install cron script to delete expired credentials
- Install boot script and start server
  - Example boot script provided
- Use myproxy-admin commands to manage server
  - Reset passwords, query repository, lock credentials

MyProxy Server Policies

- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials? (server-wide and per-credential)
  - Allow anyone with correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials
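An added Go example, not the presentation's or MyProxy's own code, that models the three policy questions above plus the administrator's renewal switch from the Credential Renewal slide as one policy check. The struct and field names are this example's own (not myproxy-server.config directives), as are the simplified DN matching (exact, or a prefix ending in "*") and the passwordOK/now parameters.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Policy models the slide's three questions; field names are this example's, not the real directives.
type Policy struct {
	AcceptedCredentials  []string      // DN patterns that may store credentials (specific users or a whole CA)
	AuthorizedRetrievers []string      // DN patterns that may retrieve credentials, server-wide
	MaxProxyLifetime     time.Duration // upper bound on the lifetime of any retrieved proxy
}

type Stored struct { // one repository entry, as the policy sees it
	Retrievers []string  // per-credential retriever list; empty means the server-wide list alone decides
	NotAfter   time.Time // expiry of the stored (long-lived) credential
	Locked     bool      // set by the administrator to stop retrievals and renewals (job done, compromise suspected)
}

// matchAny accepts an exact DN or, for a pattern ending in "*", any DN with that prefix ("/C=US/O=NCSA/*" = that CA).
func matchAny(patterns []string, dn string) bool {
	for _, p := range patterns {
		if p == dn || (strings.HasSuffix(p, "*") && strings.HasPrefix(dn, strings.TrimSuffix(p, "*"))) { return true }
	}
	return false
}

// CanStore answers "who can store credentials?" for an authenticated client DN.
func (p Policy) CanStore(dn string) bool { return matchAny(p.AcceptedCredentials, dn) }

// Retrieve answers "who can retrieve?" and "for how long?": password, server-wide list and any per-credential
// list must all pass; the lifetime granted is the request clamped to the server cap and to the stored credential.
func (p Policy) Retrieve(c Stored, requesterDN string, passwordOK bool, requested time.Duration, now time.Time) (time.Duration, error) {
	switch {
	case c.Locked:
		return 0, errors.New("credential locked by administrator")
	case !passwordOK:
		return 0, errors.New("password check failed")
	case !matchAny(p.AuthorizedRetrievers, requesterDN) || (len(c.Retrievers) > 0 && !matchAny(c.Retrievers, requesterDN)):
		return 0, errors.New("retriever not authorized: " + requesterDN)
	case !now.Before(c.NotAfter):
		return 0, errors.New("stored credential has expired")
	}
	granted := requested
	if granted > p.MaxProxyLifetime { granted = p.MaxProxyLifetime }
	if remaining := c.NotAfter.Sub(now); granted > remaining { granted = remaining }
	return granted, nil
}
```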

MyProxy and SASL

- MyProxy supports additional authentication mechanisms via SASL (RFC 2222)
- One Time Passwords (SASL PLAIN with PAM)
  - Protect against stolen passwords
  - Hardware token generates OTP
  - Authenticate with OTP plus MyProxy password
  - Tested with CryptoCard tokens
- Kerberos (SASL GSSAPI)
  - Authenticate with Kerberos ticket plus MyProxy password

Related Work

- GT4 Delegation Service
  - Protocol based on WS-Trust and WSRF
- SACRED (RFC 3767) Credential Repository
  - http://sacred.sf.net/
- Kerberized Online CA (KX.509/KCA)
  - Kerberos -> PKI
- PKINIT for Heimdal Kerberos
  - PKI -> Kerberos

GridLogon

- Work in progress
- Inspired by Peter Gutmann's PKIBoot
  - "Plug-and-Play PKI: A PKI your Mother can Use"
- Password-based authentication to initialize user's security environment
  - Install identity/attribute/authorization credentials
  - Install CA certificates and CRLs
  - Install additional security configurations

MyProxy Community

- myproxy-users@ncsa.uiuc.edu mailing list
- Bug tracking: http://bugzilla.ncsa.uiuc.edu/
- Anonymous CVS access: :pserver:anonymous@cvs.ncsa.uiuc.edu:/CVS/myproxy
- Contributions welcome!
  - Feature requests, bug reports, patches, etc.

Thank you! Questions/Comments?

Contact: jbasney@ncsa.uiuc.edu