Slide 1: MyProxy: A Multi-Purpose Grid Authentication Service
Jim Basney, Senior Research Scientist, NCSA, [email protected]
WCGA 2006, http://myproxy.ncsa.uiuc.edu/

Slide 2: What is MyProxy?
- A service for managing X.509 PKI credentials
  - A credential repository and certificate authority
  - Supporting multiple authentication methods: Passphrase, Certificate, PAM, SASL, Kerberos
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
- Open Source Software
  - Included in Globus Toolkit, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBNL, and others

Slide 3: MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)
  - CA certificates & CRLs updated automatically at login

Slide 4: MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Used for credential renewal
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)

Slide 5: MyProxy Online Certificate Authority
- Issues short-lived X.509 End Entity Certificates
- Ties in to site authentication and accounting
  - Leverages MyProxy authentication mechanisms
  - Using PAM and/or Kerberos authentication
  - Map username to certificate subject via "gridmap" file or LDAP query
- Compatible with existing MyProxy clients
- Avoid need for long-lived user keys
- Server can function as both CA and repository
  - Issues certificate if no credentials for user are stored

Slide 6: MyProxy Online Credential Repository
- Stores X.509 End Entity and Proxy credentials
  - Private keys encrypted with user-chosen passphrases
  - Credentials may be stored directly or via proxy delegation
  - Users can store multiple credentials from different CAs
- Access to credentials controlled by user and administrator policies
  - Set authentication requirements
  - Control whether credentials can be retrieved directly or if only proxy delegation is allowed
  - Restrict lifetime of retrieved proxy credentials
- Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.
Slide 7: Talk Outline
- MyProxy Introduction
- PKI Introduction and MyProxy CA
- Proxy Certificates and MyProxy Repository
- MyProxy Scenarios
  - Administratively Loaded Credentials
  - Registration Portals
  - Web Portal Authentication and Delegation
  - Password-based Delegation
  - Credential Renewal
  - Web Single Sign-On (SSO)
- Demos
- Conclusion

Slide 8: PKI Overview
- Public Key Cryptography
  - Encrypt with public key, decrypt with private key
  - Sign with private key, verify signature with public key
- Key Distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies user's identity and signs certificate
  - Certificate is a document that binds the user's identity to a public key
- Authentication: Signature[ h( random, ... ) ]
[Diagram: CA certificate (Issuer: CA, Subject: CA) signs user certificate (Issuer: CA, Subject: Jim)]

Slide 9: PKI Authentication
- Standard SSL/TLS Protocol (summarized)
  Client -> Server: random_c
  Server -> Client: certificate_s + random_s
  Client -> Server: certificate_c + { secret }pubkey_s + signature_c[ h( random_c, random_s, ... ) ]
  Finished (both directions): { h( secret ) }secret

Slide 10: PKI Enrollment
  1. Applicant generates a new key pair
  2. Certificate request sent to the CA
  3. CA signs the new end entity certificate
  4. Certificate returned to the user
[Diagram: Applicant, CA, User]

Slide 11: MyProxy CA with PAM
[Diagram: Client (keypair, password); MyProxy Server (CA key, PAM, gridmap); RADIUS Server (password); Kerberos KDC (TGT); LDAP Server (DN lookup); Grid Service (X.509). Messages: TLS handshake, password, certificate request, certificate]

Slide 12: MyProxy CA with Kerberos
[Diagram: Client (keypair, SASL); MyProxy Server (CA key, SASL, gridmap); Kerberos KDC (ticket); LDAP Server (DN lookup); Grid Service (X.509). Messages: TLS handshake, SASL/GSSAPI/Kerberos, certificate request, certificate]

Slide 13: PAM/SASL Issues
- PAM Conversation
  - PAM modules can require multiple rounds of user interaction
  - No standard protocol
  - SASL/PLAIN doesn't support multiple rounds
  - Need something like SSH keyboard-interactive protocol
- SASL client-side setup
  - Requires SASL library and configuration of SASL mechanisms
  - Alternative: native Kerberos protocol support

Slide 14: Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in certificate limits vulnerability of unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: CA signs User, User signs Proxy A, Proxy A signs Proxy B]

Slide 15: Proxy Delegation
  1. Delegatee generates a new key pair
  2. Proxy certificate request sent to the Delegator
  3. Delegator signs the new proxy certificate
  4. Proxy certificate returned to the Delegatee
[Diagram: Delegator, Delegatee, Proxy]

Slide 16: MyProxy Put
[Diagram: Client (certificate, private key); MyProxy Server (keypair, cert chain, private key). Messages: TLS handshake, username, password, policy, certificate request, proxy certificate chain]

Slide 17: MyProxy Get
[Diagram: Client (cert chain, private key); MyProxy Server (private key, cert chain); Grid Service (X.509). Messages: TLS handshake, username, password, certificate request, proxy certificate chain]

Slide 18: MyProxy Store
[Diagram: Client (certificate, private key); MyProxy Server (certificate, private key). Messages: TLS handshake, username, policy, certificate, private key]

Slide 19: MyProxy Retrieve
[Diagram: Client (cert chain, private key); MyProxy Server (private key, cert chain); Grid Service (X.509). Messages: TLS handshake, username, password, certificate chain, private key]

Slide 20: Administratively Loaded Creds
[Diagram: Certificate Authority (certificate, private key); MyProxy Server (certificate, private key); Client (cert chain, private key); Grid Service (X.509). Messages: TLS handshake, username, password, certificate request, proxy certificate chain]

Slide 21: User Registration Portal
[Diagram: Browser; Registration Portal (User DB); Certificate Authority (certificate, private key); MyProxy Server (certificate, private key, username); Client (cert chain, private key); Grid Service (X.509). Messages: TLS handshake, username, password, certificate request, proxy certificate chain]
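The proxy credential chain from slides 14 and 15 (CA signs user, user signs proxy with its own key) together with the relying-party check that the Grid Service in the diagrams must perform, as an added example that is not part of the talk; it uses the openssl CLI, assumes openssl 1.1.1 or later, and the CA name, user name, file names and lifetimes are constructed demo values:

```shell
#!/bin/sh
# Added example, not from the talk: build the RFC 3820 chain CA -> user EE cert -> proxy
# with the openssl CLI, then verify it the way a relying party must. All names, file
# names and lifetimes are constructed demo values; openssl 1.1.1 or later is assumed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A demo CA. (In the MyProxy CA scenario this key lives on the MyProxy server.)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 365 2>/dev/null

# 2. The user's long-lived end entity credential, issued by the CA. It is not a CA,
#    but RFC 3820 lets it sign proxies as long as it carries the digitalSignature key usage.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Jim" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > user.ext
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out user.pem -days 365 -extfile user.ext 2>/dev/null

# 3. Proxy delegation (slide 15): new key pair, request, signed with the USER's key.
#    The subject is the user's subject plus one extra CN; proxyCertInfo marks it as a
#    proxy and pathlen:0 forbids proxies of this proxy. Lifetime 1 day (openssl's smallest unit).
openssl req -new -newkey rsa:2048 -nodes -keyout proxy.key -out proxy.csr \
    -subj "/CN=Jim/CN=proxy" 2>/dev/null
printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:demo\n' > proxy.ext
openssl x509 -req -in proxy.csr -CA user.pem -CAkey user.key -CAcreateserial \
    -out proxy.pem -days 1 -extfile proxy.ext 2>/dev/null

# A relying party (the "Grid Service" in the diagrams) validates the chain. Any extra
# openssl verify options are passed through; prints "ok" or "rejected".
verify_proxy() {
    if openssl verify "$@" -CAfile "$WORK/ca.pem" -untrusted "$WORK/user.pem" \
            "$WORK/proxy.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

verify_proxy -allow_proxy_certs   # ok: CA -> Jim -> proxy, with proxies explicitly allowed
verify_proxy                      # rejected: openssl refuses proxy certificates unless opted in
```

The second call shows the default a relying party gets for free: a verifier that has not opted in to RFC 3820 treats the proxy as an invalid certificate, so the short-lived unencrypted key on slide 14 is only useful against services that deliberately accept proxies.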
Slide 22: Gateway Portal
[Diagram: Browser; Portal (User DB, cert, key); Grid Service (X.509). Messages: TLS handshake, username, password]

Slide 23: Trusted Portal
[Diagram: Browser; Portal (User DB); MyProxy (cert, key); Grid Service (X.509). Messages: TLS handshake, username, password, cert request, cert, X.509]

Slide 24: Password-based Portal Auth
[Diagram: Browser; Portal; MyProxy; Grid Service (X.509). Messages: TLS handshake, username, password, cert request, cert, key]

Slide 25: Password-based Delegation
[Diagram: Delegator (certificate, private key); Delegatee (certificate, private key); MyProxy (certificate). Messages: TLS handshake, username, password + random, certificate request, certificate]

Slide 26: Password-based Renewal
[Diagram: Client; Condor-G; GRAM Gatekeeper; Job; MyProxy. Items: job, proxy, password]

Slide 27: Certificate-based Renewal
[Diagram: Client (cert, key); Workload Management Service; Renewal Service; Condor-G; GRAM Gatekeeper; Job; MyProxy (policy). Items: job, proxy, X.509]

Slide 28: MyProxy and Web SSO
[Diagram: Browser; Pubcookie Login Server; PURSE; MyProxy; Portal A; Portal B; Grid Service. Items: password, cookie, cert, X.509]

Slide 29: SSO for Browser and Application
[Diagram: Browser; Portal; JWS; Application; MyProxy Server; Grid Service. Items: Authenticate, cookie, cert, X.509]

Slide 30: SSO for Browser and Application
[Diagram: Browser; Portal; JWS; Application; MyProxy Server; Grid Service. Items: Authenticate, password + random, cert, X.509]

Slide 31: Demonstrations

Slide 32: Conclusion
- MyProxy: A Multi-Purpose Grid Authentication Service
  - Used in many delegation and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimize changes to existing software and protocols
  - Leverage community standards: PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
- Active MyProxy open source community
  - Deploy new developments via MyProxy
  - Benefit from the work of others

Slide 33: Thank you! Obrigado!