Credential Mapping in Grids - Esteban Talavera González (Center for Parallel Computers, KTH) - PowerPoint PPT Presentation



SLIDE 1

Overview Background Our solution Conclusions

Credential Mapping in Grids

Esteban Talavera González

Center for Parallel Computers (PDC) Royal Institute of Technology (KTH)

Stockholm – March 16, 2007

Esteban Talavera González Credential Mapping in Grids 1

SLIDE 2

Outline

1. Overview
2. Background
   - Authentication mechanisms
   - Web services
3. Our solution
   - Previous Work
   - Kerberos ⇒ X.509/SAML conversion
   - X.509 ⇒ Kerberos conversion
4. Conclusions
   - Contributions
   - Future Work

SLIDE 7

Security Credentials

Authentication vs. Authorization

- A piece of information used to prove the identity of a subject (i.e. authentication)
- There are many different ones, from passwords to certificates
- Must be trusted by the party the entity is authenticating to
- Once the subject is authenticated, he will or will not be authorized to perform a desired action depending on his identity and the security policy

SLIDE 8

Grid security

- In Grids, clients and resources from different security domains interact with each other
- Each domain is governed by its own administration and security policy
- Service requests may cross domains where different security models are used
- Authentication is needed before using a resource, located locally or remotely
- It is difficult to know beforehand which resources will be requested, and therefore which credentials will be needed

SLIDE 9

Problem Statement

The client's credential could be invalid at the resource's domain in terms of:

- Format: different security mechanisms are used on each side, so the recipient cannot understand the credential
- Trust: a pre-established trust relationship between credential issuer and recipient is needed to validate it

If authentication is not successful, the client's application could be aborted or stopped before finishing its job.

Goal: translating security credentials from a format comprehensible in the requester domain into a format understandable in the relying domain. The resulting credential also needs to be trusted by the recipient.

SLIDE 11

Authentication Mechanisms

The security credentials that will be taken into account for mapping are:

- Kerberos tickets: widely used for authentication and authorization of users in intra-domain networks
- X.509 certificates: well known credential, mostly used for inter-domain authentication (e.g. on the Internet)
- SAML assertions: emerging standard providing XML-based credentials

SLIDE 12

Kerberos

- Based on symmetric cryptography (shared keys): the same key is used for encryption and decryption
- Clients, identified by Principal and Realm name (e.g. esteban@KTH.SE), want to access Services provided by one or more Application Servers (hosts)
- These operations are supervised by the Authentication Server (AS) and one Ticket Granting Server (TGS)
- Secret keys are shared between the AS and the TGS, between the AS and the clients, and between the TGS and every server in the realm (master keys)

SLIDE 13

Kerberos operation

[Diagram: User, Client, KDC (AS and TGS) and Application Server (serv). Long-term keys: KEYas-tgs between AS and TGS, KEYtgs-serv between TGS and server. The TGT, encrypted with KEYas-tgs, contains KEYclient-tgs and the clientID; KEYclient-tgs is also returned to the client protected by the password. The ST, encrypted with KEYtgs-serv, contains KEYclient-serv and the clientID; KEYclient-serv is also returned protected by KEYclient-tgs.]

1) The user authenticates locally with the user name and password
2) The client requests a Ticket Granting Ticket (TGT), presenting the password as credential to the Authentication Server (AS)
3) The client requests a Service Ticket (ST), presenting the TGT as credential to the Ticket Granting Server (TGS)
4) The client requests the service, giving the received ST as credential for authentication

SLIDE 17

X.509 Certificate

- Based on asymmetric cryptography. There is a key pair: the private key that only the owner has and the public key known by everybody. The data encrypted by one key can be decrypted with the other one
- The user generates a key pair and creates a Certificate Request (CR) with his identity and the public key
- A trusted Certification Authority (CA) adds some info, like its identity and the validity period, and signs it (i.e. encrypts with its private key) to create the certificate
- When the holder presents the certificate, the recipient must trust the CA and have its public key to verify the signature

SLIDE 18

SAML

- The requester may request a SAML assertion from a SAML authority (a similar role to the CA for certificates)
- The assertion contains the validity period and the NameIdentifier of the Subject (e.g. "Esteban Talavera")
- The assertion might also contain the subject's public key, to allow him to prove to the recipient that he is the real holder of the assertion
- We will be focused on Authentication assertions, which specify the above data and info about how the subject was authenticated (the method used and the auth. time)
- The assertion is signed by the SAML Authority, which the recipient must trust to validate the content

SLIDE 19

Web services & SOAP

- A system that supports machine-to-machine interaction over a network
- Other systems interact with the Web service using SOAP messages (XML-based)
- A SOAP message has zero or more Headers, and a Body
- A set of specifications, the WS-* family, covers different aspects of Web services, including security

SLIDE 20

WS-Security

- Defines a way of adding signature and identity information to SOAP messages
- A Security header may contain the sender's credential and signature info
- The body carries application information
- WS-Trust and WS-Federation are two extensions of this standard

[Diagram: SOAP Envelope = SOAP Header + SOAP Body; the Security Header holds the Credential (Kerberos ticket, X.509 Certificate or SAML Assertion) and the Signature]

SLIDE 21

WS-Trust

- Specifies a request/response protocol for exchanging, issuing, renewing, and validating security credentials between a client and a trusted authority called Security Token Service (STS)
- It makes use of the mechanisms provided by WS-Security: credential attachment and message signature

SLIDE 22

WS-Trust operation

[Diagram: Requestor, Resource, STS and credential Provider (e.g. TGS, CA, SAML Auth...), with the trust relationships between them; the numbered steps below are the message flow]

1) The requestor obtains its credential from an authority
2) The received credential is not valid in the resource. The client sends a RequestSecurityToken (RST) message, specifying the action requested and the needed information. For example, it could include a Kerberos ticket and a public key, requesting from the STS the issuance of an equivalent X.509 cert. containing that key
3) The STS verifies the info and performs the requested action, if allowed. The results are sent to the client in a SOAP message including a RSTResponse (RSTR) element. In our example, it would contain a X.509 cert. with the client's identity included in the sent ticket
4) The client uses the received credential, which is valid for the resource, to request the service

SLIDE 26

WS-Federation

- The identifier of the same subject could be different in different domains (e.g., "Esteban", "etalavera", ...)
- The recipient should know the identity of the user when validating the credential
- WS-Federation defines mechanisms to enable identity federation across different realms
- Several aliases may be associated with the same identity within the federation. The Pseudonym Service stores this information
- When translating a credential, the STS may ask that service for the sender's alias in the resource's domain

SLIDE 28

General scenario

- We are focusing on the WS-Trust model, developing a STS
- Name-space mapping will not be taken into account
- A previously established trust relationship between credential issuer and STS, and between STS and final resource, is needed

[Diagram: the WS-Trust scenario of the previous slides (Requestor, Resource, STS and Provider; credential obtained, RST with the invalid credential attached, RSTR with the equivalent valid credential, service requested using the new credential)]

SLIDE 29

Previous Work

- When this thesis started, a STS able to translate Kerberos tickets into X.509 certificates was already implemented
- That system was tested in a real Grid environment
- My contribution has been adding new functionalities to that "basic" system. Two new conversions were implemented:
  - Kerberos ticket ⇒ SAML Assertion
  - X.509 certificate ⇒ Kerberos ticket

SLIDE 30

Kerberos ⇒ X.509/SAML conversion

- The client has access to a Kerberos domain
- The STS is a Kerberos service
- The client needs a X.509 certificate or SAML assertion to authenticate to another entity
- As the client only has a Kerberos ticket, not valid for the other end, he requests a credential conversion from the STS

SLIDE 31

Kerberos ⇒ X.509/SAML conversion

[Diagram: Client with its local cache (TGT, ST + session key, key pair), KDC (AS and TGS) and STS; shared keys between AS and TGS and between TGS and STS (the STS is a Kerberos service); wst:RST carrying ST + PubKey and wst:RSTR carrying the SAML/X.509 credential, both signed using the session key]

1) The user inserts his username and password, and a TGT in the local Kerberos domain is requested. The received credential is stored locally
2) The TGT is used to request a ST valid for the STS. Now the client has a credential and the session key to prove that he is the holder (this key is also inside the ticket)
3) A key pair is generated and stored locally. The public part will be sent in the request message
4) The client constructs the RST message. It contains the ST to be converted and the public key. The message is signed with the Kerberos session key
5) The STS validates the ticket and the signature, and generates a short term credential of the requested format. It will include the identity specified in the ticket and the public key. The credential is signed by the STS and sent back in a RSTR message
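The RST/RSTR exchange of the WS-Trust operation slides, specialised to the Kerberos ⇒ X.509/SAML conversion just described (ST plus public key in the request, identity taken from the validated ticket in the response), as an added Python example that is not part of the presentation or of the author's STS. The namespace URIs and token-type identifiers are assumed from the WS-Trust 2005/02 and WS-Security token profile specifications; the body HMAC keyed with the Kerberos session key and the injected `open_ticket`/`issue` callbacks are stand-ins for XML-DSig, ticket decryption and the real X.509/SAML issuer.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs assumed from SOAP 1.1, WS-Security 1.0 and WS-Trust (2005/02),
# the specifications the slides build on.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
KERB_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ"
X509_TOKEN = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
ISSUE = NS["wst"] + "/Issue"
TOY_MAC = "{urn:example:toy}BodyMAC"  # constructed stand-in for a ds:Signature element

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def _canon(rst):
    # Toy canonical form of the RST children (real deployments sign C14N XML with XML-DSig).
    return "|".join("%s=%s" % (c.tag, c.text or "") for c in rst).encode()

def build_rst(ticket: bytes, pub_key: bytes, session_key: bytes, token_type=X509_TOKEN) -> bytes:
    """Client, slide 34: ST in the Security header, the public key to certify in
    wst:UseKey, and the request body authenticated with the Kerberos session key."""
    env = ET.Element(q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soap", "Header")), q("wsse", "Security"))
    bst = ET.SubElement(sec, q("wsse", "BinarySecurityToken"), ValueType=KERB_TOKEN)
    bst.text = base64.b64encode(ticket).decode()
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wst", "UseKey")).text = base64.b64encode(pub_key).decode()
    ET.SubElement(sec, TOY_MAC).text = hmac.new(session_key, _canon(rst), hashlib.sha256).hexdigest()
    return ET.tostring(env)

def sts_handle_rst(xml_bytes: bytes, open_ticket, issue) -> bytes:
    """STS, slide 35. open_ticket(ticket) -> (client_id, session_key) stands for
    decrypting the ST with the STS's Kerberos key; issue(client_id, pub_key,
    token_type) -> bytes stands for the X.509/SAML issuer. Both are injected so
    the message handling runs without a real KDC or CA (hypothetical callbacks)."""
    env = ET.fromstring(xml_bytes)
    sec = env.find("soap:Header/wsse:Security", NS)
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != KERB_TOKEN:
        raise ValueError("RST does not carry a Kerberos service ticket")
    client_id, session_key = open_ticket(base64.b64decode(bst.text))
    rst = env.find("soap:Body/wst:RequestSecurityToken", NS)
    expected = hmac.new(session_key, _canon(rst), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sec.findtext(TOY_MAC) or "", expected):
        raise ValueError("proof of possession failed: body not signed with the ticket's session key")
    if rst.findtext("wst:RequestType", namespaces=NS) != ISSUE:
        raise ValueError("only the Issue request type is supported")
    token_type = rst.findtext("wst:TokenType", namespaces=NS)
    pub_key = base64.b64decode(rst.findtext("wst:UseKey", namespaces=NS))
    # The identity is taken from the validated ticket, never from the request body.
    cred = issue(client_id, pub_key, token_type)
    env = ET.Element(q("soap", "Envelope"))
    rstr = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q("wst", "TokenType")).text = token_type
    req = ET.SubElement(rstr, q("wst", "RequestedSecurityToken"))
    ET.SubElement(req, q("wsse", "BinarySecurityToken"), ValueType=token_type).text = base64.b64encode(cred).decode()
    return ET.tostring(env)

def parse_rstr(xml_bytes: bytes):
    """Client: returns (token_type, credential bytes) from the RSTR."""
    env = ET.fromstring(xml_bytes)
    rstr = env.find("soap:Body/wst:RequestSecurityTokenResponse", NS)
    bst = rstr.find("wst:RequestedSecurityToken/wsse:BinarySecurityToken", NS)
    return rstr.findtext("wst:TokenType", namespaces=NS), base64.b64decode(bst.text)
```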

SLIDE 36

X.509 ⇒ Kerberos conversion

- The client has a X.509 certificate, signed by a CA trusted by the STS
- He needs to access a remote Kerberized service
- The STS shares a key with the TGS of the service's realm
- The STS is able to create a Kerberos TGT for the client, which is encrypted with that shared key
- With the TGT, the client may access the remote Kerberos domain

SLIDE 37

X.509 ⇒ Kerberos conversion

[Diagram: Client, STS, and the remote realm's TGS and Application Server (serv); wst:RST carrying the X.509 Cert + Remote Realm, signed using the sender's private key; wst:RSTR carrying TGT(Remote Realm) + [Session Key] encrypted with the client's public key; then TGT → ST (+ KEYclient-serv) from the remote TGS and ST → Service Response from the server; shared keys between STS and remote TGS and between TGS and server]

1) The client generates a RST message, specifying the realm of the service he wants to access. The certificate is attached. The message is signed with the corresponding private key
2) The STS verifies the certificate, and generates a TGT with the same identity, which is encrypted with the key shared with the remote TGS. The key inside the ticket is attached for communicating with the TGS, encrypted with the client's public key. The message is signed with the STS' private key
3) The client decrypts the session key with his private key, and uses the TGT to request from the remote TGS a ST valid for the desired service
4) The ST is used to request the service
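The ticket exchange of the Kerberos operation slides (AS issues the TGT, TGS issues the ST, server checks it) and its X.509 ⇒ Kerberos variant above, where the STS rather than the AS mints the TGT under a key shared with the remote TGS, as an added Python example that is not part of the presentation or of the author's implementation. The keystream-plus-HMAC toy cipher, the key names and the JSON ticket layout are constructed for this example; delivery of the session key under the client's password or public key is left out of scope.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption standing in for the Kerberos ticket cipher:
# a SHA-256 keystream XORed over the plaintext plus an HMAC tag. Constructed
# for this example only; it is not a real cipher and must not be reused as one.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a ticket or authenticator (a dict) under key."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    """Decrypt and verify; raises ValueError when the key or the data is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(_xor_stream(key, nonce, ct))

# Constructed long-term keys, named after the slides' diagrams.
KEY_AS_TGS = os.urandom(32)    # shared by the AS and the realm's TGS (slide 12)
KEY_TGS_SERV = os.urandom(32)  # shared by the TGS and the application server
KEY_STS_TGS = os.urandom(32)   # shared by the STS and the remote TGS (slide 36)

def issue_tgt(issuer_key: bytes, client_id: str, lifetime: int = 600):
    """AS (slide 14) or STS (slide 38) mints a TGT readable by the TGS that holds
    issuer_key. Returns (tgt, session_key). In the slides the session key reaches
    the client under the password-derived key or, in the STS case, under the
    client's public key; that transport is out of scope here."""
    session_key = os.urandom(32)
    tgt = {"client": client_id, "key": session_key.hex(), "exp": time.time() + lifetime}
    return seal(issuer_key, tgt), session_key

def tgs_issue_st(tgt: bytes, authenticator: bytes, tgt_key: bytes, serv_key: bytes):
    """TGS (slides 15, 39): open the TGT, check that the authenticator proves
    possession of the TGT's session key, and issue an ST for the server."""
    t = open_(tgt_key, tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    k_client_tgs = bytes.fromhex(t["key"])
    if open_(k_client_tgs, authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match the TGT")
    k_client_serv = os.urandom(32)
    st = {"client": t["client"], "key": k_client_serv.hex(), "exp": t["exp"]}
    # ST is encrypted for the server; the new key goes back under k_client_tgs.
    return seal(serv_key, st), seal(k_client_tgs, {"key": k_client_serv.hex()})

def server_accept(st: bytes, authenticator: bytes, serv_key: bytes) -> str:
    """Application server (slides 16, 40): returns the authenticated client id."""
    s = open_(serv_key, st)
    if s["exp"] < time.time() or open_(bytes.fromhex(s["key"]), authenticator)["client"] != s["client"]:
        raise ValueError("service ticket rejected")
    return s["client"]

def run_flow(tgt_issuer_key: bytes, client_id: str) -> str:
    """Full exchange. tgt_issuer_key is KEY_AS_TGS for plain Kerberos, or
    KEY_STS_TGS when the TGT was produced by the STS from an X.509 identity."""
    tgt, k_client_tgs = issue_tgt(tgt_issuer_key, client_id)
    st, enc = tgs_issue_st(tgt, seal(k_client_tgs, {"client": client_id}), tgt_issuer_key, KEY_TGS_SERV)
    k_client_serv = bytes.fromhex(open_(k_client_tgs, enc)["key"])
    return server_accept(st, seal(k_client_serv, {"client": client_id}), KEY_TGS_SERV)
```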

SLIDE 42

Summary of Contributions

- A study of the specifications and technologies related to credential translation has been carried out
- The credential conversion was focused on three widely used technologies: Kerberos, X.509, and SAML
- A STS including some conversions between the credentials of the above mechanisms was implemented and tested

SLIDE 43

Future Work

- Design and implementation of the rest of the conversions between the three kinds of credentials:
  - SAML assertion → Kerberos ticket
  - SAML assertion ↔ X.509 certificate
- Study of the addition of Name-space mapping when converting the credential, using the mechanisms defined in the WS-Federation specification
- Define a way of establishing dynamic trust relationships between STS/Client and STS/Resource

SLIDE 44

The End

Questions?
