Interoperable Grid PKIs among Untrusted Domains: An Architectural Proposal

1
Interoperable Grid PKIs among Untrusted Domains
An Architectural Proposal

• Valentina Casola
• Nicola Mazzocca
• Jesus Luna
• Oscar Manso
• Manel Medina
• Massimiliano Rak

2
Agenda

• Motivation
• State of the Art
• The challenges
• POIS Policy Based Interoperability System
• Use-cases
• Conclusions and future work

3
Motivation Grid Services and VOs
Explicit TRUST
How to TRUST?
VO over one Grid-PKI
VO spanning over multiple Grid-PKIs
4
State of the Art Policy Management Authorities
(PMA)

• Enable explicit trust-relationships among
  Grid-PKIs.
• Members must accomplish an Authentication
  Profile.
• Authentication Profile is a subset of provisions
  from the Certificate Policy (CP).
• Currently established EUGridPMA, TAGPMA,
  APGridPMA, IGTF.

5
Current issues related with PMAs

• Accreditation Process is mostly manual.
• List of accredited CAs manually updated by
  relying parties.
• Two CAs from the same PMA that fulfill the
  Authentication Profile in different ways, should
  have the same trust level?
• AuthN Profile Minimum User Key Length 1024
• CA1s CP Minimum User Key Length 1024
• CA2s CP Minimum User Key Length 2048
• Our proposal
• Extended Path Validation Basic Path Validation
• Policy Mapping

6
Two main challenges

• Evaluation of the issuing CAs security level
• Quantitatively measure the CAs Security Level.
• Automatically perform PMA Accreditation Process.
• Online validation of the certificates status
• Grid Validation Infrastructure.

7
CP Evaluation Methodology

• We investigated for a formal approach to obtain
  the Security Level associated with a Certificate
  Policy, and decided to adopt the Reference
  Evaluation Methodology (REM) developed by
  University of Naples.
• The main components of REM are
• Formalized Policy (not ambiguous way to express
  policies to evaluate).
• Evaluation technique (to obtain associated
  security level).
• Reference Levels (optional security label).

8
REM in a glimpse Steps for CP evaluation

• STRUCTURING Choose an appropriate template that
  includes elements to evaluate. In our case the
  provisions and ordered list of its possible
  values from OGFs CP Template. Then create an
  instance by parsing any CAs Certificate Policy
  into this template (manual process). Example
• Minimum User Key Length provision
• with 6 possible ordered values
• 64

9
REM in a glimpse Steps for CP evaluation

• FORMALIZATION To evaluate non-homogenous
  provisions, we normalize them into Local Security
  Levels (LSL) and define a policy metric space.
  Example
• After normalization and clusterization into 4
  LSLs
• 64 - L1
• (128 256) - L2
• (512 1024) - L3
• 2048 - L4
• When parsing a CP with Minimum users private
  key length 1024 bits, this will map to L3
  which can be represented by the vector (1,1,1,0)

10
REM in a glimpse Steps for CP evaluation

• EVALUATION Compute the Global Security Level
  (GSL) by measuring the Euclidean distance among
  two normalized policies.

11
Results CAs from EUGridPMA were evaluated

• According to the evaluation, all EUGridPMAs CAs
  fulfill the minimum requirements.
• These minimum requirements are not fulfilled on
  the same level.

• REM gives an aggregated value, but a more
  fine-grained evaluation can be performed.

12
Results Evaluation of top-level CP sections

• Top level security provisions have been
  evaluated too.
• Evaluation can be performed up to the provision
  level

13
Results Comparison of individual CP provisions.

• We used a Kiviat diagram to graphically
  represent and compare all provisions with their
  respective LSL.

14
Grid Validation Infrastructure

• Developed at UPC (Barcelona).
• Multi-CA OCSP Responder (i.e. CertiVeR).
• Open Grid Ocsp (OGRO) client
• Prototype as a proof of concept and community
  testing.
• OGRO developed as a Grid-OCSP Client for the
  Globus Toolkit 4.
• Easily configurable through the Grid Validation
  Policy GVP-.
• Currently being incubated into the GT

15
GVP Example
16
Proposed architectural model for an
Interoperability System

• Enable Extended Path Validation in untrusted Grid
  domains.
• Our approach is to build a dynamic federation of
  CAs by evaluating their Certificate Policies.
• In order to define the Authentication Profile and
  further audit the CA, we refer to a Trusted Third
  Party the PMA.

17
POIS Policy and OCSP based Interoperability
System
Perform Extended Path Validation
18
Use case 1 End Entity with POIS
19
Use case 2 Grid Service with POIS
20
Conclusions

• We proposed a comprehensive Grid validation
  infrastructure, based on
• A CP evaluation technique for Grid-PKIs based on
  the Reference Evaluation Methodology.
• A Grid-OCSP infrastructure.
• Contributions
• Methodology to evaluate CPs from Grid
  Certification Authorities.
• For Relying Parties Enhanced validation through
  Automatic comparison of CAs security level.
• For Grid-PMAs automatic accreditation process,
  and even CA assessment.

21
On-going and future work

• Joint researches
• US Dept. of Energy Validity Workgroup.
• Open Grid Forums CA Operations workgroup Levels
  of Assurance initiative and Credential Validation
  System.
• CoreGRID Dynamic evaluation of security policies
  for Grid Storage Services.
• Open issues
• GSL for hierarchical PKI.
• Mutual Extended Path Validation.
• Extend Certificate Policy to more general
  Validation Policy.
• Develop protocol connectors for POIS (i.e.
  XML-based).

22
Thank you!
Questions?
jluna_at_ics.forth.gr jluna_at_ac.upc.edu
23
OGRO needs you!!!!
http//dev.globus.org/wiki/Incubator/OGRO