GT 3 Security Features
Sam Meder
Assumptions
- Familiarity with PKI concepts: certificates (CA, EEC, Proxy), delegation
- Some knowledge of Web Services Security standards: WS-Security, XML-Signature, XML-Encryption
- Some knowledge of GSSAPI
GT Security Overview
- GT 3.0 Authentication Mechanisms
  - X509/SSL/GSSAPI based (GSI Secure Conversation)
  - X509/public key based (GSI Secure Message)
- GT 3.0 Authorization Mechanisms
  - Gridmap
  - Host
  - Self
  - None
WS Background
- Most security work is done in JAX-RPC/Axis Handlers
[Diagram: hosting environment/container; a message passes through an outgoing handler and incoming handler chain on each side, a pivot handler, and reaches the service]
Server Side Implementation
[Diagram: server hosting environment; the client's message passes through the WS-Security Handler, Sec Conv Msg Handler, Sec Msg Handler, Security Policy Handler and Authorization Handler (backed by JAAS) to the Service and the SecConv Service]
Server Side Implementation (continued)
Handlers, Handlers, Handlers
- WS-Security Handler
  - Decrypts/verifies signature on incoming messages
  - Populates the JAAS Peer Subject
- Security Policy Handler
  - Checks that the security meets the requirements specified in the security deployment descriptor
- Authentication Policy Handler
- Run As Handler
  - Sets the invocation (JAAS) subject as specified by the run-as policy in the security deployment descriptor
Server Side Implementation (continued)
Even more handlers
- Authorization Handler
  - Authorizes incoming messages (more later)
- Credential Refresh Handler
  - Refreshes the credential in the invocation subject based on the delegated credential
- Authentication Service Handler
  - Redirects messages to the Secure Conversation Service
- Secure Message Handler (aka X509 Sign Handler)
  - Signs GSI Secure Message secured communications
Server Side Implementation (continued)
Only one more, I promise
- Secure Conversation Message Handler (aka GSS Handler)
  - Signs and encrypts GSI Secure Conversation secured communication
Other pieces:
- Context Manager
  - Keeps track of established contexts
  - Destroys contexts on expiration
Server Side Programming
- Declarative model: security properties (for incoming communication) are specified in a deployment descriptor
- Wrapper handler(s) read the descriptor and populate security parameters
- Handlers act on security parameters
- Generally requires no explicit security calls by the service implementer
Client Side Implementation
[Diagram: client hosting environment; the client's call passes through the Sec Conv Service Handler, SecConv Message Handler, Sec Msg Handler and WS-Sec Client Handler before reaching the Service and the SecConv Service in the server hosting environment]
Client Side Implementation (continued)
Client side handlers
- Secure Conversation Service Handler
  - Establishes a new Secure Conversation context if needed
- Secure Message Handler
- Secure Conversation Message Handler
- WS-Security (Client) Handler
  - The above three are equivalent to (the same as) the server side handlers
- Client side authorization
  - Handled by the Secure Conversation Service and the WS-Security Client Handler
  - Host authorization by default
Client Side Programming
- Clients need to set security properties explicitly (programmatic model)
- Server/Service acting as client
- Handlers pick up security properties and act accordingly
JAAS
- Java Authentication & Authorization Service
- Currently (3.0) only used for managing/storing credentials
- JAAS Subject object
  - Authorization checks
  - Outgoing connections
- Different Subject types: System, Container, Peer, Invocation
GRIM (Grid Resource Identity Mapper)
- Allows GT3 components to run without special privileges
- Setuid to a user with access to the (host) credentials
- Reads credentials
- Creates a GRIM Proxy from the credentials and configuration information
GRIM Proxy
- Proxy contains a GRIM Policy
- GRIM Policy currently (3.0) consists of
  - List of authorized porttypes
  - List of authorized DNs
- GRIM Policy in 3.x will change to
  - Always list the GRAM porttype
    - Backwards compatibility
    - No other porttypes will ever be listed
  - List of authorized DNs
GRIM Wish List
- Make GRIM produce an independent proxy
- Proxy should contain a non-critical extension
- Extension should contain a SAML assertion on allowed DNs
- Does not require special handling of the proxy in cases where you don't care about the extension
Authorization – Cooking your own
- Replace the Authorization Handler
  - Check out the current one
  - Write your own
  - Build/compile it
  - Replace the existing handler in server-config.wsdd and make sure that the handler is available in your CLASSPATH
public class AuthorizationHandler extends BasicHandler {
    ...
    public void invoke(MessageContext messageContext) throws AxisFault {
        // Peer Subject populated earlier in the chain by the WS-Security Handler
        Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
        // Security deployment descriptor properties of the target service
        ServiceProperties props = DescriptorHandler.getService(messageContext);
        ServiceAuthorization auth = null;
        // Pick the authorization mechanism named in the descriptor
        String tmp = (String) props.getProperty(Authorization.AUTHORIZATION);
        if (tmp == null) {
            auth = DefaultAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("none")) {
            auth = NoAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("self")) {
            auth = SelfAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("gridmap")) {
            auth = GridMapAuthorization.getInstance();
        } else {
            // Unknown mechanism name: fail the call instead of falling through
            Exception e = new AuthorizationException(
                i18n.getMessage("badAuthMethod", new Object[] {tmp}));
            throw AxisFault.makeFault(e);
        }
        try {
            auth.authorize(subject, props, messageContext);
        } catch (AuthorizationException e) {
            throw AxisFault.makeFault(e);
        }
    }
}
server-config.wsdd

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  …
  <globalConfiguration>
    …
    <requestFlow>
      …
      <handler type="java:org.globus.ogsa.impl.security.authorization.AuthorizationHandler"/>
      …
    </requestFlow>
    …
  </globalConfiguration>
  …
</deployment>
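As an added example (not code from the slides or from the GT3 tree), here is a minimal "cook your own" authorization in the shape the handler above dispatches to: an exact-match DN allow list read from a service property. The ServiceAuthorization method signature, the package paths of the imported GT3 types and the "allowedDNs" property name are assumptions inferred from the handler code.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.axis.MessageContext;
import org.globus.ogsa.impl.security.authorization.AuthorizationException;
import org.globus.ogsa.impl.security.authorization.ServiceAuthorization;
import org.globus.ogsa.impl.security.descriptor.ServiceProperties;

/**
 * Allow-list authorization: the call is accepted only if a principal in the
 * JAAS Peer Subject carries a DN named in the "allowedDNs" service property
 * (comma separated). Package paths of the GT3 types and the interface
 * signature are assumed from the AuthorizationHandler shown above.
 */
public class DnListAuthorization implements ServiceAuthorization {
    private static final DnListAuthorization INSTANCE = new DnListAuthorization();
    // Property key assumed for this example; it is not defined by GT3.
    static final String ALLOWED_DNS = "allowedDNs";

    public static DnListAuthorization getInstance() { return INSTANCE; }

    // Signature assumed from the auth.authorize(subject, props, messageContext) call above.
    public void authorize(Subject subject, ServiceProperties props, MessageContext ctx)
            throws AuthorizationException {
        // Fail closed: no authenticated peer, or no allow list, means no access.
        if (subject == null || subject.getPrincipals().isEmpty()) {
            throw new AuthorizationException("no authenticated peer subject");
        }
        Set<String> allowed = parseAllowed((String) props.getProperty(ALLOWED_DNS));
        if (allowed.isEmpty()) {
            throw new AuthorizationException("no " + ALLOWED_DNS + " configured");
        }
        for (Principal p : subject.getPrincipals()) {
            if (allowed.contains(p.getName())) {
                return;      // exact DN match: authorized
            }
        }
        throw new AuthorizationException("peer DN not in allow list");
    }

    /** Split the descriptor value into trimmed DNs, ignoring blanks. */
    static Set<String> parseAllowed(String value) {
        Set<String> out = new HashSet<String>();
        if (value == null) return out;
        for (String dn : value.split(",")) {
            if (!dn.trim().isEmpty()) out.add(dn.trim());
        }
        return out;
    }
}
```

To wire it in, add one more `else if` branch to the dispatch in the handler above (for example on the name "dnlist") and put the class on the CLASSPATH as the slide says. Matching is an exact string comparison, so the DNs in the descriptor must be written in the same form the peer principal reports.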
GSI Secure Conversation
- Based on GSSAPI, WS-Security, XML-Signature and XML-Encryption
- Session based
- Support for delegation
  - Automatic refresh of delegated proxy on re-delegation
- Uses our SSL based GSSAPI mechanism
- Protocol is driven by gss_init/accept_sec_context, get_mic/verify_mic and wrap/unwrap
Secure Conversation PortType

<gwsdl:portType name="SecureContextEstablishmentPortType">
  <operation name="initTokenExchange">
    <input message="tns:InitTokenExchangeInputMessage"/>
    <output message="tns:InitTokenExchangeOutputMessage"/>
    <fault name="MechanismTypeNotSupportedFault" message="tns:MechanismTypeNotSupportedFault"/>
  </operation>
  <operation name="continueTokenExchange">
    <input message="tns:ContinueTokenExchangeInputMessage"/>
    <output message="tns:ContinueTokenExchangeOutputMessage"/>
    <fault name="InvalidContextIdFault" message="tns:InvalidContextIdFault"/>
  </operation>
</gwsdl:portType>
Secure Conversation Messages

<complexType name="ContextTokenType">
  <sequence>
    <element name="base64Token" type="base64Binary"/>
    <element name="context-id" type="string"/>
  </sequence>
  <attribute name="continue-needed" type="boolean"/>
</complexType>

<complexType name="ContextTokenElementType">
  <sequence>
    <element name="contextToken" type="auth-types:ContextTokenType"/>
  </sequence>
</complexType>
Secure Conversation Messages (continued)

<complexType name="ContextTokenOutType">
  <sequence>
    <element name="base64Token" type="base64Binary"/>
    <element name="context-id" type="string"/>
  </sequence>
  <attribute name="continue-needed" type="boolean"/>
</complexType>

<complexType name="ContextTokenOutElementType">
  <sequence>
    <element name="contextTokenOut" type="auth-types:ContextTokenOutType"/>
  </sequence>
</complexType>
Secure Conversation Messages (continued)

<complexType name="InitContextTokenType">
  <complexContent>
    <extension base="auth-types:ContextTokenType">
      <attribute name="mechanism-type" use="required" type="string"/>
    </extension>
  </complexContent>
</complexType>

<complexType name="InitContextTokenElementType">
  <sequence>
    <element name="initContextToken" type="auth-types:InitContextTokenType"/>
  </sequence>
</complexType>
Secure Conversation Messages (recap)
Context establishment messages contain:
- Base64 encoded GSS token
- Context identifier
- Continue-needed indicator
- Mechanism OID (initial message only)
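As an added example (not from the slides or the GT3 code), the following program walks the initTokenExchange/continueTokenExchange round trips using the message shapes above: the mechanism-type attribute on the initial message only, a context id assigned by the service and echoed back, and continue-needed driving the loop. A constructed two-round stub stands in for gss_init/accept_sec_context; the mechanism value and context id are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class ContextTokenExchange {
    /** Serialize one token; mechanism-type is emitted on the initial message only. */
    static String tokenXml(String element, String gssToken, String contextId,
                           boolean continueNeeded, String mechanismType) {
        String attrs = " continue-needed=\"" + continueNeeded + "\""
            + (mechanismType == null ? "" : " mechanism-type=\"" + mechanismType + "\"");
        String b64 = Base64.getEncoder().encodeToString(gssToken.getBytes(StandardCharsets.UTF_8));
        return "<" + element + attrs + "><base64Token>" + b64 + "</base64Token>"
            + "<context-id>" + contextId + "</context-id></" + element + ">";
    }

    static Element parse(String xml) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
    }

    static String text(Element e, String tag) {
        return e.getElementsByTagName(tag).item(0).getTextContent();
    }

    /** Stand-in for gss_accept_sec_context: the constructed stub needs two client tokens. */
    static String serverStep(Element in, String contextId, int round) {
        String clientToken = new String(Base64.getDecoder().decode(text(in, "base64Token")),
                                        StandardCharsets.UTF_8);
        boolean continueNeeded = round < 2; // true tells the client to call continueTokenExchange
        return tokenXml("contextTokenOut", "srv" + round + "(" + clientToken + ")",
                        contextId, continueNeeded, null);
    }

    public static void main(String[] args) throws Exception {
        // initTokenExchange: mechanism named (placeholder value), no context id yet.
        Element in = parse(tokenXml("initContextToken", "client1", "", true, "MECHANISM-OID-PLACEHOLDER"));
        String contextId = "ctx-0001"; // constructed id; the service assigns it
        Element out = parse(serverStep(in, contextId, 1));
        int round = 1;
        while (Boolean.parseBoolean(out.getAttribute("continue-needed"))) { // continueTokenExchange
            String id = text(out, "context-id");
            if (!id.equals(contextId)) throw new IllegalStateException("InvalidContextIdFault");
            in = parse(tokenXml("contextToken", "client" + (++round), id, true, null));
            out = parse(serverStep(in, contextId, round));
        }
        System.out.println("context " + contextId + " established in " + round + " rounds");
    }
}
```

The context-id check on the client side mirrors the InvalidContextIdFault the portType declares for continueTokenExchange.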
GSI Secure Conversation & XML-Encryption

<soapenv:Envelope …>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="EncryptedBody"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="EncryptedBody"
                        Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-enc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>00000000-7562-527e-00000000-0000322d926f</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>FwMAAQ…kwn55YyoSCw92ILu</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
GSI Secure Conversation & XML-Signature

<soapenv:Envelope …>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
          <ds:Reference URI="#digestSource">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>CGnV0ogSVvsS+dpABEJI2+hs4o4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAAAAAAAAEAAALI9CswCadOGScGWbGsrSkAD6PcyS0=</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:KeyName>00000000-5680-d374-00000000-00001223536a</ds:KeyName>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <shutdownResponse wsu:Id="digestSource" … />
  </soapenv:Body>
</soapenv:Envelope>
Performance
- Needs to be improved
  - Currently about 10x slower than insecure
  - Initialization is very slow
  - Apache XML security libraries add large overhead (3x/message processed)
- JSR 105/106 are moving along
  - Apache will adopt
  - We don't want to make major changes now
- Concentrate on low cost, high impact improvements
  - Move some interactions to Secure Message
  - Fewer roundtrips
New Secure Conversation Features (3.x)
- Support for anonymous authentication
- Support for specifying context lifetime
- Some performance improvements
GSI Secure Message
- Supports integrity protection with X509 certificates
- Support for proxy certificates
- Can be combined with GSI Secure Conversation
- Not fully featured
  - No replay attack prevention
  - No encryption support
  - Missing features slated for 3.x
GSI Secure Message Example

<soapenv:Envelope ...>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0" …>
      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
                                wsu:Id="token1073175857792" …>
        3glkeh6…wvZFY1waVEKaQ==
      </wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#digestSource">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>v8iQBeaSs9/XZNEyWb00z/23nuE=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>IFQS5…12mCw==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#token1073175857792"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <pingResponse wsu:Id="digestSource" .../>
  </soapenv:Body>
</soapenv:Envelope>
Username/Password
- Not clear which release this will show up in
- Potential mechanisms:
  - WS-Security Username/Password token
    - Should be used in combination with anonymous Secure Conversation
  - More advanced/secure Username/Password schemes: AuthA
The AuthA Protocol
- Client has the password
- Server has secret = f(servername|username|password)
  - f is a secure one way function
- Client and server create a session key using an encrypted Diffie-Hellman exchange
- Client and server authenticate each other
- Security proof exists
- Details at http://grouper.ieee.org/groups/1363/passwdPK/contributions/autha.pdf
Discussion
- WS-Resource impact
- One time passwords
- Smart card support
- Kerberos
- Other authentication mechanisms? …