Policy Enforcement Framework for Web Services and Grid Operational Security Advanced Internet Research Group Update Yuri Demchenko <[email protected]> AIRG, University of Amsterdam


Page 1: Yuri Demchenko  AIRG, University of Amsterdam

Policy Enforcement Framework for Web Services and Grid Operational Security

Advanced Internet Research Group Update

Yuri Demchenko <[email protected]>

AIRG, University of Amsterdam

Page 2:

TF-EMC2. November 4, 2004. Amsterdam AIRG Update 2004 Slide_2

Outline

- Goals
- AIRG projects and Generic AAA Architecture development
- Implementation in CNL project
- Access Control infrastructure
- Grid Operational Security and Grid Security Incident definition

Page 3:

Goals

- Update TF-EMC2 on AIRG research and developments
- Discuss possible approaches for early detection of security credentials compromise

Page 4:

AIRG projects

- Gigaport NG - NL
  - Further development of the Generic AAA architecture for policy/token based networking
- Collaboratory.nl (CNL)
  - Security Architecture for Open Collaborative Environment and RBAC
  - Considered as a use case for EGEE and OGSA
- EGEE and other Grid related projects - EU
  - Grid operational security and WS/Grid security threats analysis
  - Policy enforcement framework and Authorisation portType
  - WS-Security and OGSA Security

Page 5:

Generic AAA Architecture by AIRG (UvA)

Policy based Authorization decision:

  Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
  RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
  ActionExt = {ReqAAAExt, ASMcontrol}
  ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

[Figure: Generic AAA architecture diagram with Policy, Request/Response, ASM and log components; annotations: "Translate Decision => Action", "Translate State => Condition", "Defined by Resource owner".]

Page 6:

Generic AAA implementations

- Bandwidth-on-demand (BoD) for optical network
  - Using driving policy approach for multidomain optical path building
- Access control and privilege management for Collaborative environment
  - Policy/role based access control to experimental equipment and resources
- Authorisation Web Service and Authorisation portType for Grid applications
  - Policy binding to Web/Grid service definition
- Technology background
  - AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  - XML Web Services
    – Attempting to use WSRF and trying to avoid OGSI and ProxyCert

Page 7:

Distributed Security Architecture for Collaborative environment

- Based on the Job-centric security model
- Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
- XACML based policy exchange and integration
- Uses WS-Security Framework and OGSA/WSRF
- Policy binding to WSDL and AuthZ portType definition
- VO functionality - policy based user and resource management
- Proxy-Certificate (Grid approach) vs SAML security credentials management

Page 8:

Security built around Job description

- Job Description as a semantic object defining Job attributes and User attributes
- Requires document based or semantic oriented Security paradigm
- Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI

[Figure: OrderDescr -> JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr, Admin RBAC) -> Scheduler/JobMngr; AccessCtr (AuthN/Z) with UserDB and Policy.]

Page 9:

XACML implementation library for CNL

- Contains specific modules for AAA services: PEP, PDP, PAP and XACML messaging
- Implemented in Java
- Policy editor in XACML
  - XACML provides a standard solution for RBAC with powerful policy combination functionality
  - Version 0.1 is available for policy construction and translation to the AAA-policy format
- A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development

Page 10:

Main components and dataflow in RBAC/PMI

PEP (Policy Enforcement Point)/AEF (authorisation enforcement function)

PDP (Policy Decision Point)/ADF (authorisation decision function)

PIP (Policy Information Point)/AA (Attribute Authority)

PA – Policy Authority

Page 11:

GAAA API flow diagram (implements RBAC)

Page 12:

GAAAPI implementation – XACML Request message format (1)

Page 13:

GAAAPI implementation – XACML Request message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <!-- closing tag corrected: the slide closed ActionID with </AttributeID> -->
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>

Page 14:

GAAAPI implementation – XACML Response message format (1)

Page 15:

GAAAPI implementation – XACML Response message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<!-- the AAA prefix was undeclared on the slide; the namespace is taken from the request message -->
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
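As an added illustration (not code from the slides or from the CNL library), a minimal PEP/PDP round trip in Python over the request layout of slide 13 and the response layout of slide 15: the request is parsed, evaluated against a job-scoped RBAC policy, and the decision is serialised as an AAAResponse. The sample request, the POLICY table, the subject id and the token are constructed placeholders.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"

# Constructed request in the CNLdemo1 layout of slide 13; subject id and token are placeholders.
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="{AAA_NS}" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>analyst@example.org</SubjectID><Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID><Token>PLACEHOLDER-TOKEN</Token>
  </Subject>
  <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

# Constructed job-scoped RBAC policy (job -> role -> resource -> actions), bound to the Job description.
POLICY = {"JobID-XPS1-212": {
    "Analyst": {"http://resources.collaboratory.nl/Phillips_XPS1": {"ControlInstrument", "ViewExperiment"}},
    "Guest": {"http://resources.collaboratory.nl/Phillips_XPS1": {"ViewExperiment"}},
}}

def parse_request(xml_text):
    """PEP side: extract the Req attributes {AuthNtoken, Role, JobID, Resource, Action}."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError("not an AAARequest")
    fields = {"subject": "Subject/SubjectID", "role": "Subject/Role", "job": "Subject/JobID",
              "token": "Subject/Token", "resource": "Resource/ResourceID", "action": "Action/ActionID"}
    return {k: (root.findtext(p) or "").strip() or None for k, p in fields.items()}

def decide(req, policy=POLICY):
    """PDP side: RBE(Req + Policy) => Permit/Deny; a missing attribute fails closed."""
    if not req["token"]:
        return "Deny", "missing AuthN token"
    allowed = policy.get(req["job"], {}).get(req["role"], {}).get(req["resource"], set())
    if req["action"] in allowed:
        return "Permit", "Request successful"
    return "Deny", "no policy rule permits this action"

def build_response(decision, message, resource_id):
    """Serialise the decision in the AAAResponse layout of slide 15."""
    ET.register_namespace("AAA", AAA_NS)
    root = ET.Element(f"{{{AAA_NS}}}AAAResponse", version="0.0")
    result = ET.SubElement(root, "Result", ResourceId=resource_id)
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value="OK")  # processing status, not the decision
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")
```

A real deployment would resolve Role and JobID through a PIP rather than trusting the values asserted in the request.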

Page 16:

Binding policy to WSDL service description

WS-PolicyAttachment defines two mechanisms that together allow binding a policy to the WSDL components (portType, Operation, Message):

- wsp:PolicyRefs="URI | QName"
- <wsp:UsingPolicy wsdl:Required="true"/>

Page 17:

Binding policy to WSDL - Example

<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>

<<< snip >>>>

  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>

Page 18:

Security related activities in EGEE - FYI

- EGEE – Enabling Grids for E-sciencE
  - JRA3 – Security
  - MWSG – Middleware Security Group
  - JSPG – Joint Security Policy Group (with LCG and OSG)
- OSG Incident Handling Activity
- Recent Security related deliverables
  - Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
  - Global Security Architecture (GSA) rev. 1 – DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  - Grid Security Incident definition and exchange format – MJRA3.4
    - Ongoing development, current version: https://edms.cern.ch/document/501422/1
    - Part of the joint OSG/LCG/EGEE Operational Security activity

Page 19:

Grid Security Incident (GSInc) definition

- GSInc definition
  - Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
  - Should be based on threats analysis and vulnerabilities model – MJRA3.4
  - Should be based on Grid processes/workflow analysis - TODO
- The GSInc definition is the basis for the GSInc description format
  - What information should be collected, and how to exchange and handle it
  - Requirements for event logging and intrusion/compromise detection
  - A common format is the basis for community wide statistics and coordinated response
  - Incident statistics provide feedback for Security Policy improvement

Note. The Grid Security model is based on delegation of security credentials to a service

Page 20:

Security credentials related GSInc and audit events

- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - patterns of credential usage
  - broken chain of PKC/keys/credentials
  - a copy is discovered in an improper place
  - usage originated not from the default location
  - sequence of failed attempts to request action(s)
- PDP/PEP logging/audit
- Remaining problems and topics for discussion
  - How to detect at an early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding a history/evidence chain to the credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?

Note: Audit/log events together with related data can also be referred to as Evidence

Page 21:

Discussion: security credentials compromise detection

- How to detect at an early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?
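The audit-event indicators listed on slide 20 and the early-detection question of this slide, as an added example that is not part of the original slides: a Python pass over constructed PDP/PEP audit events that flags a token used from somewhere other than the subject's registered default location and a run of consecutive Deny decisions. The log lines, token ids, hosts and the DEFAULT_SRC registry are constructed assumptions, not data from the CNL or EGEE deployments.

```python
import re
from collections import defaultdict

# Constructed PDP/PEP audit events (key=value fields); tokens and hosts are placeholders.
AUDIT_LOG = """\
2004-11-04T10:00:01Z token=tok-A subject=analyst@example.org src=145.100.1.10 action=ControlInstrument decision=Permit
2004-11-04T10:02:15Z token=tok-A subject=analyst@example.org src=145.100.1.10 action=ViewExperiment decision=Permit
2004-11-04T10:05:40Z token=tok-A subject=analyst@example.org src=203.0.113.7 action=ControlInstrument decision=Permit
2004-11-04T10:06:02Z token=tok-B subject=guest@example.org src=145.100.1.22 action=ControlInstrument decision=Deny
2004-11-04T10:06:09Z token=tok-B subject=guest@example.org src=145.100.1.22 action=ControlInstrument decision=Deny
2004-11-04T10:06:15Z token=tok-B subject=guest@example.org src=145.100.1.22 action=DeleteJob decision=Deny
2004-11-04T10:07:00Z token=tok-C subject=operator@example.org src=145.100.1.30 action=ViewExperiment decision=Permit
"""

# Constructed registry of the "default location" each subject's credentials were issued to.
DEFAULT_SRC = {"analyst@example.org": "145.100.1.10", "guest@example.org": "145.100.1.22",
               "operator@example.org": "145.100.1.30"}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_audit(text):
    """Turn each audit line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            events.append(dict(FIELD.findall(rest), ts=ts))
    return events

def detect(events, default_src=DEFAULT_SRC, deny_threshold=3):
    """Flag, per token, the two indicators that are visible in PDP/PEP logs:
    use from a non-default location, and a run of consecutive Deny decisions."""
    alerts, deny_run, seen = [], defaultdict(int), set()
    for ev in events:
        tok, expected = ev["token"], default_src.get(ev["subject"])
        if expected and ev["src"] != expected and (tok, ev["src"]) not in seen:
            seen.add((tok, ev["src"]))
            alerts.append((tok, "non-default-location", f"{ev['src']} != {expected}"))
        if ev["decision"] == "Deny":
            deny_run[tok] += 1
            if deny_run[tok] == deny_threshold:
                alerts.append((tok, "repeated-deny", f"{deny_threshold} consecutive denials"))
        else:
            deny_run[tok] = 0  # a Permit ends the run
    return alerts

def tokens_to_revoke(alerts):
    """Credentials whose compromise indicators warrant revocation or re-issue, deduplicated."""
    return sorted({tok for tok, _, _ in alerts})
```

The "copy discovered in an improper place" and "broken credential chain" indicators from slide 20 need evidence outside the PDP/PEP log (file-system or credential-store inspection) and are not covered by this pass.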