Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko <[email protected]>
AIRG, University of Amsterdam
Outline
• Goals
• AIRG projects and Generic AAA Architecture development
• Implementation in CNL project Access Control infrastructure
• Grid Operational Security and Grid Security Incident definition
TF-EMC2. November 4, 2004. Amsterdam
AIRG Update 2004
Slide_2
Goals
• Update TF-EMC2 on AIRG research and developments
• Discuss possible approaches for early detection of security credentials compromise
AIRG projects
• Gigaport NG - NL
  – Further development of the Generic AAA architecture for policy/token based networking
• Collaboratory.nl (CNL)
  – Security Architecture for Open Collaborative Environment and RBAC
  – Considered as a use case for EGEE and OGSA
• EGEE and other Grid related projects - EU
  – Grid operational security and WS/Grid security threats analysis
  – Policy enforcement framework and Authorisation portType
  – WS-Security and OGSA Security
Generic AAA Architecture by AIRG (UvA)
Policy based Authorization decision
(Figure: Request/Response exchanges pass through the Generic AAA module, which evaluates the Policy defined by the Resource owner and drives the ASMs; diagram not recoverable.)
• Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
• RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
• ActionExt = {ReqAAAExt, ASMcontrol}
• ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
• Translate logDecision => Action
• Translate State => LogCondition
Generic AAA implementations
• Bandwidth-on-demand (BoD) for optical network
  – Using driving policy approach for multidomain optical path building
• Access control and privilege management for Collaborative environment
  – Policy/role based access control to experimental equipment and resources
• Authorisation Web Service and Authorisation portType for Grid applications
  – Policy binding to Web/Grid service definition
• Technology background
  – AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  – XML Web Services
    – Attempting to use WSRF and trying to avoid OGSI and ProxyCert
Distributed Security Architecture for Collaborative environment
• Based on the Job-centric security model
• Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
• XACML based policy exchange and integration
• Uses WS-Security Framework and OGSA/WSRF
  – Policy binding to WSDL and AuthZ portType definition
• VO functionality - policy based user and resource management
• Proxy-Certificate (Grid approach) vs SAML security credentials management
Security built around Job description
(Figure: Order Description -> JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr, Admin RBAC) -> Scheduler/JobMngr and AccessCtr (AuthN/Z) backed by UserDB and Policy; diagram not recoverable.)
• Job Description as a semantic object defining Job attributes and User attributes
  – Requires document based or semantic oriented Security paradigm
• Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI
XACML implementation library for CNL
• Contains specific modules for AAA services
  – PEP, PDP, PAP and XACML messaging
• Implemented in Java
• Policy editor in XACML
  – XACML provides a standard solution for RBAC with powerful policy combination functionality
• Version 0.1 is available for policy construction and translating to AAA-policy format
• Set of typical policy profiles in XACML (with corresponding profiles in AAA) are under development
Main components and dataflow in RBAC/PMI
• PEP (Policy Enforcement Point) / AEF (Authorisation Enforcement Function)
• PDP (Policy Decision Point) / ADF (Authorisation Decision Function)
• PIP (Policy Information Point) / AA (Attribute Authority)
• PA – Policy Authority
(Dataflow diagram not recoverable.)
GAAA API flow diagram (implements RBAC)
GAAAPI implementation –
XACML Request message format (1)
GAAAPI implementation –
XACML Request message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD
http://146.50.22.64/CNLdemo1.xsd" version="0.1" type="CNLdemo1">
<Subject>
<SubjectID>[email protected]</SubjectID>
<Role>Analyst</Role>
<JobID>JobID-XPS1-212</JobID>
<Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
</Subject>
<Resource><ResourceID>
http://resources.collaboratory.nl/Phillips_XPS1
</ResourceID>
</Resource>
<Action>
<ActionID>ControlInstrument</ActionID>
</Action>
</AAA:AAARequest>
GAAAPI implementation –
XACML Response message format (1)
GAAAPI implementation –
XACML Response message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
<Result ResourceId="String">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="OK"/>
<StatusMessage>Request successful</StatusMessage>
</Status>
</Result>
</AAA:AAAResponse>
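An added example, not the GAAAPI or GAAA Toolkit code the slides describe, that walks one message through the PEP, PIP and PDP roles from the RBAC/PMI component slide, using documents in the AAARequest and AAAResponse shapes shown above. The subject names, token store, role and job tables and the policy are constructed stand-ins for what the real components would hold; the functions `parse_request`, `decide`, `build_response` and `pep` are hypothetical names. It also shows why the request's closing-tag mismatch matters in practice: the PEP denies a malformed message before the PDP ever sees it.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"   # namespace used by the slide's AAARequest
XPS1 = "http://resources.collaboratory.nl/Phillips_XPS1"
ET.register_namespace("AAA", AAA_NS)       # keep the AAA: prefix when serialising


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    job_id: str
    token: str
    resource: str
    action: str


def make_request(subject, role, job_id, token, resource, action):
    """Build an AAARequest document in the slide's shape (all values constructed)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<AAA:AAARequest xmlns:AAA="{AAA_NS}" version="0.1" type="CNLdemo1">\n'
        f"<Subject><SubjectID>{subject}</SubjectID><Role>{role}</Role>"
        f"<JobID>{job_id}</JobID><Token>{token}</Token></Subject>\n"
        f"<Resource><ResourceID>{resource}</ResourceID></Resource>\n"
        f"<Action><ActionID>{action}</ActionID></Action>\n"
        "</AAA:AAARequest>\n"
    )


SAMPLE_REQUEST = make_request("analyst01", "Analyst", "JobID-XPS1-212",
                              "tok-constructed-0001", XPS1, "ControlInstrument")
# The same message with the mismatched closing tag that appears on the slide.
MALFORMED_REQUEST = SAMPLE_REQUEST.replace("</ActionID>", "</AttributeID>")


def parse_request(xml_text):
    """PEP side: parse and validate the request; raise on anything missing or malformed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError(f"unexpected root element {root.tag}")

    def text(path):
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing element {path}")
        return node.text.strip()

    return Request(text("Subject/SubjectID"), text("Subject/Role"), text("Subject/JobID"),
                   text("Subject/Token"), text("Resource/ResourceID"), text("Action/ActionID"))


# Constructed PIP / Attribute Authority data and AuthN token store (hypothetical values).
PIP_ROLES = {"analyst01": {"Analyst"}, "guest02": {"Guest"}}
PIP_JOBS = {"JobID-XPS1-212": {"resource": XPS1, "users": {"analyst01"}}}
VALID_TOKENS = {"tok-constructed-0001": "analyst01", "tok-constructed-0002": "guest02"}
# Constructed role-based policy: the actions each role may perform on a resource.
POLICY = {XPS1: {"Analyst": {"ViewExperiment", "ControlInstrument"},
                 "Guest": {"ViewExperiment"}}}


def decide(req):
    """PDP: evaluate the request against PIP attributes and policy -> (decision, message)."""
    if VALID_TOKENS.get(req.token) != req.subject:
        return "Deny", "authentication token not valid for subject"
    # The Role in the request is only a claim; the PIP must vouch for it.
    if req.role not in PIP_ROLES.get(req.subject, set()):
        return "Deny", "role not confirmed by attribute authority"
    # Job-centric binding: subject must be on the job, and the job must target this resource.
    job = PIP_JOBS.get(req.job_id)
    if job is None or req.subject not in job["users"] or job["resource"] != req.resource:
        return "Deny", "job does not bind subject to resource"
    if req.action not in POLICY.get(req.resource, {}).get(req.role, set()):
        return "Deny", "action not permitted for role"
    return "Permit", "Request successful"


def build_response(resource, decision, message, status="OK"):
    """Serialise the decision in the AAAResponse shape shown on the slide."""
    resp = ET.Element(f"{{{AAA_NS}}}AAAResponse", {"version": "0.0"})
    result = ET.SubElement(resp, "Result", {"ResourceId": resource})
    ET.SubElement(result, "Decision").text = decision
    stat = ET.SubElement(result, "Status")
    ET.SubElement(stat, "StatusCode", {"Value": status})
    ET.SubElement(stat, "StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def pep(xml_text):
    """PEP entry point: malformed input is denied rather than passed to the PDP."""
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return build_response("unknown", "Deny", f"malformed request: {exc}", status="Error")
    decision, message = decide(req)
    return build_response(req.resource, decision, message)


def decision_from_response(xml_text):
    """Read the Decision element back out of an AAAResponse document."""
    return ET.fromstring(xml_text).find("Result/Decision").text


if __name__ == "__main__":
    print(pep(SAMPLE_REQUEST))
    print(pep(MALFORMED_REQUEST))
```

The point to take from `decide` is the order of checks: the AuthN token is tied to the SubjectID, the asserted Role is confirmed by the PIP rather than trusted from the message, and the JobID has to bind the subject to the requested resource before the role/action policy is consulted at all.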
Binding policy to WSDL service description
WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to the WSDL components (portType, Operation, Message):
• wsp:PolicyRefs="URI | QName"
• <wsp:UsingPolicy wsdl:Required="true"/>
Binding policy to WSDL - Example
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
xmlns:cnl="http://cnl.telin.nl/cnl" xmlns:policy="cnl-policy-schema.xsd"
targetNamespace="http://cnl.telin.nl/cnl">
<message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
<part name="JobID" type="xs:string"/>
<part name="coordinateX" type="xs:string"/>
<part name="coordinateY" type="xs:string"/>
<part name="zoom" type="xs:int"/>
</message>
<<< snip >>>>
<wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
Security related activities in EGEE - FYI
EGEE – Enabling Grids for E-sciencE
• JRA3 – Security
• MWSG – Middleware Security Group
• JSPG – Joint with LCG and OSG Security Policy Group
  – OSG Incident Handling Activity
Recent Security related deliverables
• Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
• Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
• Grid Security Incident definition and exchange format – MJRA3.4
  – Ongoing development, current version - https://edms.cern.ch/document/501422/1
  – As a part of joint OSG/LCG/EGEE Operational Security activity
Grid Security Incident (GSInc) definition
GSInc definition
• Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
• Should be based on threats analysis and vulnerabilities model – MJRA3.4
• Should be based on Grid processes/workflow analysis - TODO
GSInc definition is a base for GSInc description format
• What information should be collected and how to exchange and handle it
  – Requirements to Events logging and Intrusion/compromise detection
• Common format is a basis for community wide statistics and coordinated response
• Incident statistics provide feedback for the Security Policy improvement
Note. Grid Security model is based on delegation of security credentials to a service
Security credentials related GSInc and audit events
Security credentials compromise (e.g., private key, proxy credentials, etc.)
• patterns of credential usage
• broken chain of PKC/keys/credentials
• a copy is discovered in an improper place
• originated not from the default location
• subsequent failed attempts to request action(s)
• PDP/PEP logging/audit
Remaining problems and topics for discussion
• How to define at the early stage that a private key has been compromised?
• May require credentials storing (not caching) and adding history/evidence chain to credentials format
  – X.509 credentials are not capable of this
  – Does SAML have the required functionality?
Note: Audit/log events together with related data can also be referred to as Evidence
Discussion: security credentials compromise detection
• How to define at the early stage that a private key or other security credentials have been compromised?
• Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?
  – X.509 credentials are not capable of this
  – Does SAML have the required functionality?
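As an added example, not part of the slides or of the EGEE deliverables they cite, here is how three of the indicators listed on the "Security credentials related GSInc and audit events" slide can be turned into checks over PEP/PDP audit events, which is the detection question both that slide and this discussion slide raise: a credential used from somewhere other than the subject's default location, the same credential active from two origins within a short window (a copy in use), and a run of denied action requests. The log line format, hosts, credential ids, the default-origin table and the thresholds are all constructed; `detect` and `summarize` are hypothetical names. Each alert keeps the audit events that triggered it, which is the evidence the slide's note refers to.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PEP/PDP audit lines (not from the slides): timestamp, component, key=value fields.
AUDIT_LOG = """\
2004-11-04T10:15:02Z PEP subject=analyst01 cred=proxy-7f3a origin=10.0.1.15 action=ViewExperiment decision=Permit
2004-11-04T10:16:10Z PEP subject=analyst01 cred=proxy-7f3a origin=10.0.1.15 action=ControlInstrument decision=Permit
2004-11-04T10:16:40Z PEP subject=analyst01 cred=proxy-7f3a origin=192.0.2.77 action=ControlInstrument decision=Permit
2004-11-04T10:17:05Z PEP subject=analyst01 cred=proxy-7f3a origin=192.0.2.77 action=AdminRBAC decision=Deny
2004-11-04T10:17:09Z PEP subject=analyst01 cred=proxy-7f3a origin=192.0.2.77 action=AdminRBAC decision=Deny
2004-11-04T10:17:14Z PEP subject=analyst01 cred=proxy-7f3a origin=192.0.2.77 action=AdminRBAC decision=Deny
2004-11-04T11:02:00Z PEP subject=guest02 cred=proxy-91c0 origin=10.0.1.20 action=ViewExperiment decision=Permit
"""

# Constructed "default location" per subject: where their credential is expected to be used from.
DEFAULT_ORIGINS = {"analyst01": {"10.0.1.15"}, "guest02": {"10.0.1.20"}}
OVERLAP_WINDOW = timedelta(minutes=5)   # two origins on one credential within this window
DENY_THRESHOLD = 3                      # consecutive denied attempts on one credential

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """One audit line -> event dict with a datetime plus the key=value fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "component": m.group(2), **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert per indicator per credential; each alert carries its evidence events."""
    alerts = []
    by_cred = defaultdict(list)
    for e in events:
        by_cred[e["cred"]].append(e)
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: e["time"])
        subject = evs[0]["subject"]

        def alert(kind, evidence):
            alerts.append({"kind": kind, "cred": cred, "subject": subject,
                           "evidence": list(evidence)})

        # 1. Credential used from somewhere other than the subject's default location.
        foreign = [e for e in evs if e["origin"] not in DEFAULT_ORIGINS.get(subject, set())]
        if foreign:
            alert("unexpected_origin", foreign)
        # 2. Same credential active from two origins within OVERLAP_WINDOW: a copy may be in use.
        #    Events are time-sorted, so any such pair implies an adjacent pair that also qualifies.
        for a, b in zip(evs, evs[1:]):
            if a["origin"] != b["origin"] and b["time"] - a["time"] <= OVERLAP_WINDOW:
                alert("concurrent_origins", [a, b])
                break
        # 3. A run of consecutive denied action requests on one credential.
        run = []
        for e in evs:
            run = run + [e] if e["decision"] == "Deny" else []
            if len(run) == DENY_THRESHOLD:
                alert("repeated_denials", run)
                break
    return alerts


def summarize(alerts):
    """One human-readable line per alert, listing the timestamps of its evidence."""
    return [f"{a['kind']}: cred={a['cred']} subject={a['subject']} evidence="
            + ",".join(e["time"].strftime("%H:%M:%S") for e in a["evidence"])
            for a in alerts]


if __name__ == "__main__":
    for line in summarize(detect(parse_log(AUDIT_LOG))):
        print(line)
```

On the constructed log, proxy-7f3a trips all three checks and proxy-91c0 none; the "concurrent origins" check is the one that fires earliest (30 seconds after the origin switch), which is what the early-detection question on this slide is after, and it works without any change to the credential format because it relies only on what the PEP/PDP already log.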