Using the MyProxy Online Credential Repository
Jim Basney, National Center for Supercomputing Applications, University of Illinois
[email protected]
PowerPoint presentation, GlobusWORLD 2005 (slide transcript follows)
GlobusWORLD 2005 http://myproxy.ncsa.uiuc.edu/ 2

What is MyProxy?
- Independent Globus Toolkit add-on since 2000
- To be included in Globus Toolkit 4.0
- A service for securing private keys
  - Keys stored encrypted with user-chosen password
  - Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly-used service for grid portal security
  - Integrated with OGCE, GridSphere, and GridPort

PKI Overview
- Public Key Cryptography
  - Sign with private key, verify signature with public key
  - Encrypt with public key, decrypt with private key
- Key Distribution
  - Who does a public key belong to?
  - Certification Authority (CA) verifies user’s identity and signs certificate
  - Certificate is a document that binds the user’s identity to a public key
- Authentication
  - Signature [ h ( random, … ) ]
Diagram: the CA’s self-signed certificate (Subject: CA, Issuer: CA) signs the user’s certificate (Subject: Jim, Issuer: CA); authentication is a signature over a hash of a random challenge.

Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
- Restricted lifetime in certificate limits vulnerability of unencrypted key
- Credential delegation (forwarding) without transferring private keys
Diagram: a signing chain CA -> User -> ProxyA -> ProxyB, each certificate signed by the one before it.

Proxy Delegation
Diagram (Delegator and Delegatee), four numbered steps: (1) the delegatee generates a new key pair, (2) the delegatee sends a proxy certificate request, (3) the delegator signs the new proxy certificate, (4) the signed proxy certificate is returned to the delegatee. Neither side’s private key crosses the connection.
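The four-step exchange on this slide, written out as an added example that is not part of the original presentation and is not MyProxy or Globus code: the delegatee makes the key pair and request, the delegator checks proof of possession and signs a short-lived certificate without its key ever leaving, and a relying party verifies the chain and the lifetime (the restricted-lifetime point of the previous slide). Only Go's standard library is used; the Ed25519 keys, the self-signed user certificate standing in for a CA-issued one, and the lifetimes are assumptions, and RFC 3820's ProxyCertInfo extension and subject-naming rule are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newRequest is steps 1-2 on the delegatee: only the DER request leaves; the new private key stays local.
func newRequest(cn string) (ed25519.PrivateKey, []byte) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csr
}

// signRequest is step 3 on the delegator: check the request's proof of possession, then sign a
// certificate for its public key with the signer's own key, which is never transmitted. A nil parent
// gives a self-signed certificate (stand-in for the CA-issued user certificate). IsCA is set because
// Go's verifier accepts only CA certs as issuers; RFC 3820 uses a ProxyCertInfo extension instead.
func signRequest(csrDER []byte, parent *x509.Certificate, signer ed25519.PrivateKey, life time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err
	}
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject, NotBefore: now.Add(-time.Minute),
		NotAfter: now.Add(life), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, csr.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyProxy is step 4 / the relying party: chain to the user cert and be inside the lifetime, so a leaked proxy key dies at NotAfter.
func verifyProxy(proxy, user *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(user)
	_, err := proxy.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}
```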

MyProxy System Architecture
Diagram: the MyProxy client stores a proxy in, and retrieves a proxy from, the credential repository on the MyProxy server; both operations use proxy delegation over a private TLS channel.

MyProxy: Credential Mobility
Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu and stores a proxy on myproxy.teragrid.org; proxies are then retrieved from it on the TeraGrid login hosts tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.ncsa.teragrid.org.

MyProxy and Grid Portals
Diagram: the user logs in to the Portal; the Portal fetches a proxy from the MyProxy server and uses it to access data on the GridFTP server.

MyProxy: User Registration
Diagram (Registration portal, Certificate authority, MyProxy server, Grid portal): the user requests an account at the Registration portal, which obtains a user certificate from the Certificate authority, loads the user’s credentials into the MyProxy server and sets the username/password; the user then logs in to the Grid portal with username/password, and the Grid portal retrieves a proxy from the MyProxy server.
ESG PURSE: Portal-based User Registration Service

MyProxy Security
- Keys encrypted with user-chosen passwords
  - Server enforces password quality
  - Passwords are not stored
- Dedicated server less vulnerable than desktop and general-purpose systems
  - Professionally managed, monitored, locked down
- Users retrieve short-lived credentials
  - Generating new proxy keys for every session
- All server operations logged to syslog
- Caveat: Private key database is an attack target
  - Compare with status quo

Hardware-Secured MyProxy
M. Lorch, J. Basney, and D. Kafura, "A Hardware-secured Credential Repository for Grid PKIs," 4th IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), April 2004.
Diagram: the client retrieves a proxy from the MyProxy server, which passes the proxy request to an IBM 4758 cryptographic coprocessor and returns the proxy certificate signed inside it.
- Protect keys in tamper-resistant cryptographic hardware

GlobusWORLD 2003 Flashback
(Slide consists of a picture only.)

Credential Renewal
- Long-lived jobs or services need credentials
  - Task lifetime is difficult to predict
- Don’t want to delegate long-lived credentials
  - Fear of compromise
- Instead, renew credentials as needed during the job’s lifetime
- Renewal service provides a single point of monitoring and control
  - Renewal policy can be modified at any time
  - Disable renewals if compromise is detected or suspected
  - Disable renewals when jobs complete

MyProxy: Credential Renewal
Diagram: the user submits a job to Condor-G, which submits it to the Globus gatekeeper; Condor-G fetches a proxy from the MyProxy server and refreshes the job’s proxy from it while the job runs.

MyProxy Installation (Unix)
- Included in GT 4.0
- As an add-on component to GT 3.x:
  $ gpt-build myproxy*.tar.gz <flavor>
- Set $MYPROXY_SERVER environment variable to myproxy-server hostname:
  $ export MYPROXY_SERVER=myproxy.ncsa.uiuc.edu
- Set Globus Toolkit environment:
  $ . $GLOBUS_LOCATION/etc/globus-user-env.sh
- Client installation/configuration complete!

MyProxy CoG Clients
- Commodity Grid (CoG) Kits provide portable (Java and Python) MyProxy client tools & APIs
  - Windows support
- For more information: http://www.cogkit.org/

MyProxy Commands
- myproxy-init: store proxy
- myproxy-get-delegation: retrieve proxy
- myproxy-info: query stored credentials
- myproxy-destroy: remove credential
- myproxy-change-pass-phrase: change password encrypting private key

MyProxy Server Administration
- Install server certificate and CA certificate(s)
- Configure /etc/myproxy-server.config policy
  - Template provided with examples
- Optionally:
  - Configure password quality enforcement
  - Install cron script to delete expired credentials
- Install boot script and start server
  - Example boot script provided
- Use myproxy-admin commands to manage server
  - Reset passwords, query repository, lock credentials

MyProxy Server Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials?
  - Allow anyone with correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials
  - Server-wide and per-credential

MyProxy and SASL
- MyProxy supports additional authentication mechanisms via SASL (RFC 2222)
- One Time Passwords (SASL PLAIN with PAM)
  - Protect against stolen passwords
  - Hardware token generates OTP
  - Authenticate with OTP plus MyProxy password
  - Tested with CryptoCard tokens
- Kerberos (SASL GSSAPI)
  - Authenticate with Kerberos ticket plus MyProxy password

Related Work
- GT4 Delegation Service
  - Protocol based on WS-Trust and WSRF
- SACRED (RFC 3767) Credential Repository
  - http://sacred.sf.net/
- Kerberized Online CA (KX.509/KCA)
  - Kerberos -> PKI
- PKINIT for Heimdal Kerberos
  - PKI -> Kerberos

GridLogon
- Work in progress
- Inspired by Peter Gutmann’s PKIBoot: “Plug-and-Play PKI: A PKI your Mother can Use”
- Password-based authentication to initialize user’s security environment
  - Install identity/attribute/authorization credentials
  - Install CA certificates and CRLs
  - Install additional security configurations

MyProxy Community
- [email protected] mailing list
- Bug tracking: http://bugzilla.ncsa.uiuc.edu/
- Anonymous CVS access: :pserver:[email protected]:/CVS/myproxy
- Contributions welcome! Feature requests, bug reports, patches, etc.

Thank you!
Questions/Comments?
Contact: [email protected]