MyProxy: A Multi-Purpose Grid Authentication Service

Jim Basney

Senior Research Scientist NCSA jbasney@ncsa.uiuc.edu

WCGA 2006, http://myproxy.ncsa.uiuc.edu/

What is MyProxy?

  • A service for managing X.509 PKI credentials
      - A credential repository and certificate authority
  • An Online Credential Repository
      - Issues short-lived X.509 Proxy Certificates
      - Long-lived private keys never leave the server
  • An Online Certificate Authority
      - Issues short-lived X.509 End Entity Certificates
  • Supporting multiple authentication methods
      - Passphrase, Certificate, PAM, SASL, Kerberos
  • Open Source Software
      - Included in Globus Toolkit, VDT, and CoG Kits
      - C, Java, Python, and Perl clients available
      - Contributions from EDG, UVA, LBNL, and others


MyProxy Logon

  • Authenticate to retrieve PKI credentials
      - End Entity or Proxy Certificate
      - Trusted CA Certificates
      - Certificate Revocation Lists (CRLs)
  • MyProxy maintains the user's PKI context
      - Users don't need to manage long-lived credentials
      - Enables server-side monitoring and policy enforcement (ex. passphrase quality checks)
      - CA certificates & CRLs updated automatically at login


MyProxy Authentication

  • Key Passphrase
  • X.509 Certificate
      - Used for credential renewal
  • Pluggable Authentication Modules (PAM)
      - Kerberos password
      - One Time Password (OTP)
      - Lightweight Directory Access Protocol (LDAP) password
  • Simple Authentication and Security Layer (SASL)
      - Kerberos ticket (SASL GSSAPI)


MyProxy Online Certificate Authority

  • Issues short-lived X.509 End Entity Certificates
      - Leverages MyProxy authentication mechanisms
      - Compatible with existing MyProxy clients
  • Ties in to site authentication and accounting
      - Using PAM and/or Kerberos authentication
      - Map username to certificate subject via "gridmap" file or LDAP query
  • Avoid need for long-lived user keys
  • Server can function as both CA and repository
      - Issues certificate if no credentials for user are stored


MyProxy Online Credential Repository

  • Stores X.509 End Entity and Proxy credentials
      - Private keys encrypted with user-chosen passphrases
      - Credentials may be stored directly or via proxy delegation
      - Users can store multiple credentials from different CAs
  • Access to credentials controlled by user and administrator policies
      - Set authentication requirements
      - Control whether credentials can be retrieved directly or if only proxy delegation is allowed
      - Restrict lifetime of retrieved proxy credentials
  • Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc.

Talk Outline

  • MyProxy Introduction
  • PKI Introduction and MyProxy CA
  • Proxy Certificates and MyProxy Repository
  • MyProxy Scenarios
      - Administratively Loaded Credentials
      - Registration Portals
      - Web Portal Authentication and Delegation
      - Password-based Delegation
      - Credential Renewal
      - Web Single Sign-On (SSO)
  • Demos
  • Conclusion

PKI Overview

  • Public Key Cryptography
      - Sign with private key, verify signature with public key
      - Encrypt with public key, decrypt with private key
  • Key Distribution
      - Who does a public key belong to?
      - Certification Authority (CA) verifies user's identity and signs certificate
      - Certificate is a document that binds the user's identity to a public key
  • Authentication

[Diagram: the CA certificate (Subject: CA, Issuer: CA) signs Jim's certificate (Subject: Jim, Issuer: CA); Jim authenticates by producing Signature[h(random, …)] with the private key matching the certificate.]


PKI Authentication

Standard SSL/TLS Protocol (summarized):

  1. Client -> Server: random_c
  2. Server -> Client: certificate_s + random_s
  3. Client -> Server: certificate_c + {secret}pubkey_s + signature_c[h(random_c, random_s, …)]
  4. Server -> Client: {h(secret)}secret

(The client proves possession of its private key by signing the exchanged randoms; the server proves possession of its private key by decrypting the secret and returning a value keyed with it.)


PKI Enrollment

[Diagram: Applicant and CA. 1: the applicant generates a new key pair; 2: a certificate request goes to the CA; 3: the CA signs a new end entity certificate; 4: the applicant is now a user holding the CA-signed certificate.]

MyProxy CA with PAM

[Diagram: Client, MyProxy Server (PAM, gridmap, CA key), Kerberos KDC / RADIUS Server / LDAP Server, Grid Service. The client performs a TLS handshake with the MyProxy server and sends its password and a certificate request for its new keypair; the server checks the password through PAM against the Kerberos KDC (obtaining a TGT), the RADIUS server or the LDAP server, looks up the X.509 DN in the gridmap, signs the certificate with the CA key and returns it; the client then authenticates to the Grid Service with the X.509 credential.]

MyProxy CA with Kerberos

[Diagram: Client, MyProxy Server (SASL, gridmap, CA key), Kerberos KDC, LDAP Server, Grid Service. The client obtains a Kerberos ticket from the KDC, performs a TLS handshake with the MyProxy server, authenticates with the ticket via SASL/GSSAPI/Kerberos and sends a certificate request for its new keypair; the server resolves the X.509 DN (gridmap or LDAP lookup), signs the certificate with the CA key and returns it; the client then authenticates to the Grid Service with the X.509 credential.]


PAM/SASL Issues

  • PAM Conversation
      - PAM modules can require multiple rounds of user interaction
      - No standard protocol
      - SASL/PLAIN doesn't support multiple rounds
      - Need something like SSH keyboard-interactive protocol
  • SASL client-side setup
      - Requires SASL library and configuration of SASL mechanisms
      - Alternative: native Kerberos protocol support


Proxy Credentials

  • RFC 3820: Proxy Certificate Profile
  • Associate a new private key and certificate with existing credentials
  • Short-lived, unencrypted credentials for multiple authentications in a session
      - Restricted lifetime in certificate limits vulnerability of unencrypted key
  • Credential delegation (forwarding) without transferring private keys

[Diagram: chain of signatures. CA signs User; User signs Proxy A; Proxy A signs Proxy B.]
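An added example (not from the slides or the MyProxy code) that models the chain on this slide together with the "restrict lifetime of retrieved proxy credentials" policy from the Online Credential Repository slide: it checks the RFC 3820 naming rule for each proxy step, computes the window in which the whole chain is usable, and clamps a requested proxy lifetime the way a repository policy would. The Cert class, the DNs and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:
    """Minimal stand-in for the X.509 fields this example needs."""
    subject: str        # OpenSSL-style DN, e.g. "/O=Grid/CN=Jim"
    issuer: str
    not_before: datetime
    not_after: datetime

def proxy_name_ok(issuer: Cert, proxy: Cert) -> bool:
    """RFC 3820 naming rule: the proxy's subject is its issuer's subject
    with exactly one extra CN component appended, and nothing else."""
    if proxy.issuer != issuer.subject:
        return False
    prefix = issuer.subject + "/CN="
    extra = proxy.subject[len(prefix):]
    return proxy.subject.startswith(prefix) and extra != "" and "/" not in extra

def chain_ok(chain: list) -> bool:
    """chain is ordered CA, end entity, proxy, proxy, ...; every proxy step
    must satisfy the naming rule (the CA -> end entity step is ordinary PKI)."""
    return all(proxy_name_ok(chain[i], chain[i + 1]) for i in range(1, len(chain) - 1))

def effective_validity(chain: list):
    """A chain is only usable while every certificate in it is valid, so the
    usable window is the intersection of all windows: a short-lived proxy
    bounds how long its unencrypted key is worth stealing."""
    return max(c.not_before for c in chain), min(c.not_after for c in chain)

def grant_lifetime(chain, requested: timedelta, policy_max: timedelta, now: datetime) -> timedelta:
    """Lifetime a repository would grant for a new proxy signed by the last
    cert in chain: the request, capped by server policy and by the time the
    stored chain itself has left."""
    _, end = effective_validity(chain)
    remaining = max(end - now, timedelta(0))
    return min(requested, policy_max, remaining)

# Constructed sample chain (not from the slides): CA -> Jim -> Proxy A -> Proxy B
NOW = datetime(2006, 5, 1, 12, 0, tzinfo=timezone.utc)
CA = Cert("/O=Grid/CN=CA", "/O=Grid/CN=CA", NOW - timedelta(days=365), NOW + timedelta(days=3650))
JIM = Cert("/O=Grid/CN=Jim", "/O=Grid/CN=CA", NOW - timedelta(days=30), NOW + timedelta(days=335))
PROXY_A = Cert("/O=Grid/CN=Jim/CN=proxy", "/O=Grid/CN=Jim", NOW, NOW + timedelta(hours=12))
# Proxy B asks for 24h, but Proxy A expires in 12h, so the chain is only good for 12h
PROXY_B = Cert("/O=Grid/CN=Jim/CN=proxy/CN=proxy", "/O=Grid/CN=Jim/CN=proxy", NOW, NOW + timedelta(hours=24))
CHAIN = [CA, JIM, PROXY_A, PROXY_B]
REQUESTED = timedelta(hours=24)   # what the client asks for
POLICY_MAX = timedelta(days=7)    # what the server's policy allows

if __name__ == "__main__":
    print(chain_ok(CHAIN), effective_validity(CHAIN), grant_lifetime(CHAIN, REQUESTED, POLICY_MAX, NOW))
```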


Proxy Delegation

[Diagram: Delegator and Delegatee. 1: the delegatee generates a new key pair; 2: it sends a proxy certificate request to the delegator; 3: the delegator signs a new proxy certificate with its own proxy; 4: the delegatee receives the new proxy, which chains to the delegator's proxy. No private key crosses the wire.]

MyProxy Put

[Diagram: Client (certificate, private key) and MyProxy Server. After a TLS handshake the client sends username, password and policy; the server generates a keypair and returns a certificate request; the client signs it and sends back a proxy certificate chain; the server stores the private key and cert chain under that username.]

MyProxy Get

[Diagram: Client, MyProxy Server, Grid Service. After a TLS handshake the client sends username and password plus a certificate request for a freshly generated private key; the server signs it with the stored private key and returns a proxy certificate chain; the client presents the resulting X.509 cert chain to the Grid Service. The stored private key never leaves the server.]

MyProxy Store

[Diagram: Client (certificate, private key) and MyProxy Server. After a TLS handshake the client sends username and policy together with the certificate and private key themselves; the server stores private key and certificate directly (no proxy delegation).]

MyProxy Retrieve

[Diagram: Client, MyProxy Server, Grid Service. After a TLS handshake the client sends username and password; the server returns the stored private key and cert chain directly; the client then authenticates to the Grid Service with the X.509 credential.]

Administratively Loaded Creds

[Diagram: Client, MyProxy Server, Grid Service, Certificate Authority. The CA issues a certificate and private key and loads them into the MyProxy server on the user's behalf; the client later performs a TLS handshake, sends username and password and a certificate request, receives a proxy certificate chain, and presents the X.509 cert chain to the Grid Service.]

User Registration Portal

[Diagram: Browser, Registration Portal (User DB), Certificate Authority, MyProxy Server, Client, Grid Service. The user registers through the browser with a username and password, which the portal records in its User DB; the portal obtains a certificate and private key from the CA and stores them in the MyProxy server over a TLS handshake under that username; afterwards the client logs on with username and password, sends a certificate request, receives a proxy certificate chain, and presents the X.509 cert chain to the Grid Service.]

Gateway Portal

[Diagram: Browser, Portal (User DB, cert, key), Grid Service. The browser sends username and password to the portal, which checks them against its User DB; the portal then authenticates to the Grid Service with its own X.509 cert and key over a TLS handshake, acting as a gateway for the user.]

Trusted Portal

[Diagram: Browser, Portal (User DB, cert, key), MyProxy, Grid Service. The browser sends username and password to the portal, which checks them against its User DB; the portal authenticates to MyProxy with its own X.509 credential and sends a cert request plus the username; MyProxy returns a cert for that user, which the portal uses with its key in a TLS handshake to the Grid Service.]

Password-based Portal Auth

[Diagram: Browser, Portal (cert, key), MyProxy, Grid Service. The browser sends username and password to the portal; the portal forwards username and password to MyProxy together with a cert request and receives a cert; the portal then authenticates to the Grid Service with that X.509 cert and key over a TLS handshake. No portal-side user database is needed.]

Password-based Delegation

[Diagram: Delegator, MyProxy, Delegatee. The delegator (certificate, private key) performs a TLS handshake with MyProxy, sends a username and a random password, answers MyProxy's certificate request and thereby stores a delegated credential; the delegator passes the username and random password to the delegatee; the delegatee performs a TLS handshake with MyProxy, authenticates with the username and random password, sends a certificate request and receives a certificate chained to the delegator's credential.]

Password-based Renewal

[Diagram: Client, Condor-G, GRAM Gatekeeper, Job, MyProxy. The client submits the job together with a proxy and the MyProxy password to Condor-G; Condor-G submits the job and proxy through the GRAM Gatekeeper; as the proxy nears expiry, Condor-G uses the password to obtain a fresh proxy from MyProxy and forwards it through the gatekeeper to the running job.]

Certificate-based Renewal

[Diagram: Client, Condor-G, GRAM Gatekeeper, Job, Workload Management Service, Renewal Service (key, cert), MyProxy. The client submits the job with a proxy and sets a policy at MyProxy naming the renewer; Condor-G submits the job and proxy through the GRAM Gatekeeper; the Renewal Service authenticates to MyProxy with its own X.509 key and cert (no user password), obtains renewed proxies and forwards them to the running job. The Workload Management Service drives the same renewal for its jobs.]

MyProxy and Web SSO

[Diagram: Browser, Pubcookie Login Server, Portal A, Portal B, PURSE, MyProxy, Grid Service. The browser authenticates with a password to the Pubcookie Login Server and receives a cookie; Portal A and Portal B accept the cookie instead of a password; the portals use the password (or the credential PURSE registered for the user) with MyProxy to obtain a cert, then authenticate to the Grid Service with X.509.]

SSO for Browser and Application

[Diagram: Browser, Portal, MyProxy Server, Application, Grid Service. The browser authenticates to the portal and receives a cookie; the portal launches the application via JWS and hands it the cookie; the application presents the cookie to obtain a cert from the MyProxy server through the portal; the application then authenticates to the Grid Service with X.509.]

SSO for Browser and Application

[Diagram: Browser, Portal, MyProxy Server, Application, Grid Service. Same flow as above, but instead of a cookie the portal stores a credential in the MyProxy server under a random password and passes that random password to the application via JWS; the application authenticates to the MyProxy server with the random password, obtains a cert, and authenticates to the Grid Service with X.509.]

Demonstrations

Conclusion

  • MyProxy: A Multi-Purpose Grid Authentication Service
      - Used in many delegation and single sign-on scenarios
  • MyProxy provides practical authentication solutions
      - Minimize changes to existing software and protocols
      - Leverage community standards: PAM, SASL, Kerberos, LDAP, Pubcookie, Shibboleth
  • Active MyProxy open source community
      - Deploy new developments via MyProxy
      - Benefit from the work of others


Thank you! Obrigado!