International Grid Trust Federation - PowerPoint PPT Presentation

1
International Grid Trust Federation
  • Michael Helm, ESnet/LBL
  • On behalf of IGTF TAGPMA
  • 4 April 2006

2
What Are Grid PKIs For?
  • We exist to serve the grid community in terms of
    authentication
  • X.509 certificates are an essential component of
    Grid security mechanisms
  • Authentication supports diverse authorization
    methods (including ongoing research)
  • X.509 Certification Authorities provide a focal
    point for policy management and key lifecycle
  • IGTF and regional PMAs provide coordination and
    interoperability standards for Grid PKIs

3
Outline
  • (More than what we have time for today)
  • Essentials on Grid Security
  • International Grid Trust Federation (IGTF)
  • IGTF component PMAs
  • Certificate profiles

4
Essentials on Grid Security
  • Access to shared services
  • cross-domain authentication, authorization,
    accounting, billing
  • common generic protocols for collective services
  • Support multi-user collaboration
  • may contain individuals acting alone; their home
    organization administration need not necessarily
    know about all activities
  • organized in Virtual Organizations
  • Enable easy single sign-on for the user
  • the best security is hidden from the user as much
    as possible
  • And leave the resource owner always in control

5
Virtual vs. Organic structure
  • Virtual communities (virtual organizations) are
    many
  • An individual will typically be part of many
    communities
  • but will require single sign-on across all these
    communities

Graphic: GGF OGSA Working Group
6
Stakeholders in Grid Security
  • Current grid security is largely user centric
  • different roles for the same person in the
    organic unit and in the VO
  • There is no a priori trust relationship between
    members or member organizations
  • Virtual Organization lifetime can vary from hours
    to decades
  • VO not necessarily persistent (both long- and
    short-lived)
  • people and resources are members of many VOs
  • but a relationship is required
  • as a basis for authorising access
  • for traceability and liability, incident
    handling, and accounting

7
Separating Authentication and Authorization
  • Single Authentication token (passport)
  • issued by a party trusted by all (CA),
  • recognised by many resource providers, users, and
    VOs
  • satisfy traceability and persistency requirement
  • in itself does not grant any access, but provides
    a unique binding between an identifier and the
    subject
  • Per-VO Authorisations (visa)
  • granted to a person/service via a virtual
    organization
  • based on the passport name
  • acknowledged by the resource owners
  • providers can obtain lists of authorised users
    per VO, but can still ban individual users

8
International Grid Trust Federation
  • IGTF is the trust glue for Grids.
  • The Grid is a distributed computing paradigm and
    middleware that is supporting large scale,
    world-wide scientific research such as the LHC in
    physics.
  • IGTF is composed of 3 regional PMAs, each
    supporting a separate zone in the world:
    EUGridPMA, TAGPMA, and APGridPMA.
  • How can we integrate better with other PKI
    initiatives? How do we determine when and
    whether this makes sense?

9
Extending Trust: IGTF, the International Grid
Trust Federation
  • Common, global best practices for trust
    establishment
  • Better manageability of the PMAs

Map: The Americas Grid PMA, Asia Pacific Grid PMA,
European Grid PMA
10
Grid PKI Software and Limitations
  • http://www.globus.org/toolkit/docs/4.0/security/
  • However, many Grid environments operate in legacy
    (pre 4.0) mode
  • PKI Authentication
  • X.509 certificates, close to IETF PKIX (RFC 3280)
  • Proxy certificates (RFC 3820): short-lived
    delegated rights
  • Also, numerous legacy (pre-3820) implementations
  • Mutual authentication based on TLS model
  • openssl is an essential software component
  • Authorization: many different solutions
  • Simple lists and map files (like UNIX account
    services)
  • Account management services
  • Delegated rights attributes in proxy certificates
  • X.509 authorization certificates
  • GGF-managed Web Services-based authorization
    services
  • Shibboleth-Grid bridging
  • And more
  • Credential management
  • Software tokens
  • MyProxy: a credential store
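As an added example (not from the presentation), a minimal authorization step in the passport/visa model of slide 7 using the grid-mapfile convention named on this slide: the certificate subject DN is the passport, a mapfile entry is the VO-granted visa, and a site-local ban list keeps the resource owner in control. The mapfile contents, DNs and ban list are constructed samples.

```python
# Added example, not from the presentation: grid-mapfile authorization.
# Mapfile format follows the Globus grid-mapfile convention:
#   "<subject DN>" <localuser>[,<localuser>...]
# Authentication (a valid certificate chain) is assumed to have already
# happened; this code only decides authorization for an authenticated DN.
import shlex

# Constructed sample mapfile (DNs are illustrative, not real certificates).
GRID_MAPFILE = '''
# VO "atlas" members mapped to pool/shared accounts
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 12345" atlas001
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 67890" atlas002,atlasprod
"/DC=org/DC=doegrids/OU=Services/CN=host/gatekeeper.example.org" gridhost
'''

# Constructed site-local ban list: the RP keeps the final say even for
# subjects the VO has listed as authorised.
BANNED_SUBJECTS = {"/DC=org/DC=doegrids/OU=People/CN=Bob Example 67890"}


def parse_gridmap(text):
    """Return {subject_dn: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quoted DN
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        subject, accounts = parts
        mapping[subject] = accounts.split(",")
    return mapping


def authorize(subject_dn, mapfile=GRID_MAPFILE, banned=BANNED_SUBJECTS):
    """Map an authenticated subject DN to its first local account.

    Returns None when the subject is banned locally or absent from the
    VO-supplied mapfile: the passport alone never grants access."""
    if subject_dn in banned:
        return None
    return parse_gridmap(mapfile).get(subject_dn, [None])[0]
```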

11
Federation Model for Grid Authentication
Diagram: CA 1, CA 2, CA 3 ... CA n and relying
party 1 ... relying party n in a many-to-many mesh
  • A Federation of many independent CAs
  • Policy coordination based on common minimum
    requirements (not policy harmonisation)
  • Acceptable for major relying parties in Grid
    Infrastructures
  • No strict hierarchy with a single top
  • spread liability and enable failure containment
    (better resilience)
  • maximum leverage of national efforts and
    subsidiarity

12
IGTF Federation Common Policy
Diagram: the IGTF Federation Document covers trust
relations, Subject Namespace Assignment, Distribution
and Naming Conventions, and Common Authentication
Profiles (Classic: EUGridPMA; SLCS: TAGPMA); worldwide
relying parties see a uniform IGTF mesh
13
International Grid Trust Federation
  • The IGTF - WWW.GridPMA.org
  • 2002: GGF turns down PMA proposal; grassroots
    effort begins
  • Commissioned Mar 2003 (Tokyo); chartered
    October 5th, 2005 at GGF 16 (Chicago)
  • Federation of European, Asian, and Western
    Hemisphere Policy Management Authorities
  • Focused on Identity management and authentication
    for Grids
  • Regional Authorities
  • EU Grid Policy Management Authority
  • EGEE: Enabling Grids for E-science in Europe
  • Asian Pacific Policy Management Authority
  • APGrid: National Institute of Advanced
    Industrial Science and Technology
  • The Americas Grid PMA: newly chartered Sep 2005
  • Canada and USA (DOE, NSF); Latin American
    organizations soon
  • Establishment of top level CA registries and
    related services
  • Root CA certificates, CA repositories and CRL
    publishing points.
  • EU Grid PMA registry, de facto (CNRS, French
    National Center for Scientific Research)
  • Asian Pacific CA registry (AP PMA)
  • TERENA TACAR (TERENA Academic CA Repository)
  • Standards
  • Certificate policies, Certificate profiles,
    Accreditation

14
IGTF (2)
  • IGTF Federation
  • Namespace specification and allocation
  • NB: Grids do not use directory-managed naming
  • Grid PKI support file: Gold distribution
  • Provided to middleware packagers such as VDT,
    large scale Grids c
  • IGTF Managed Certificate profiles
  • Certificate Profiles: subset of certification
    practices describing essential, distinguishing
    characteristics of Grid certificate usage
  • Developed by Regional PMA or member organization
  • Current profiles
  • Classic X.509 CAs
  • Development managed by EUGridPMA
    (www.eugridpma.org)
  • Influenced by NIST and PKI industry best practice
  • Short-Lived Certificate Services
  • Development managed by TAGPMA (www.tagpma.org)
  • Bridge site authentication services to
    Grid-compatible PKI
  • Experimental CA
  • Development managed by APGridPMA
    (www.apgridpma.org)
  • Profiles that need to be developed
  • Bridge-based PKI (policy mapping, transitive
    trust)
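As an added example (not from the presentation or the IGTF distribution), a check that a certificate subject lies inside the namespace assigned to its issuing CA, the Subject Namespace Assignment of slide 12 and the namespace allocation above. It reads the Globus signing_policy file format that the distribution carries per CA; the CA name, subject DNs and patterns are constructed samples. Without this check a federated CA with no single top (slide 11) could issue a certificate carrying another CA's subject name.

```python
# Added example, not from the presentation: subject namespace enforcement
# for a federation of independent CAs, using the Globus signing_policy
# format ("access_id_CA", "pos_rights", "cond_subjects" records).
import fnmatch
import shlex

# Constructed signing_policy for a hypothetical "Example Grid CA".
SIGNING_POLICY = '''
# Subject namespace this CA may sign; anything else must be rejected
access_id_CA      X509         '/DC=org/DC=examplegrid/OU=Certificate Authorities/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/DC=org/DC=examplegrid/OU=People/*" "/DC=org/DC=examplegrid/OU=Services/*"'
'''


def parse_signing_policy(text):
    """Return {issuer_dn: [allowed subject patterns]} for each access_id_CA
    block whose pos_rights grants CA:sign."""
    policy, issuer, may_sign = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)         # outer single quotes stripped
        if len(fields) != 3:
            raise ValueError("malformed signing_policy line: %r" % line)
        key, _namespace, value = fields
        if key == "access_id_CA":
            issuer, may_sign = value, False
            policy.setdefault(issuer, [])
        elif key == "pos_rights":
            may_sign = value == "CA:sign"
        elif key == "cond_subjects" and issuer and may_sign:
            policy[issuer].extend(shlex.split(value))  # inner "..." patterns
    return policy


def subject_in_namespace(issuer_dn, subject_dn, policy_text=SIGNING_POLICY):
    """True only if the issuer is known and the subject matches one of its
    patterns. An unknown issuer yields False: a CA that has been assigned no
    namespace may not sign for anyone, whatever its certificate says."""
    patterns = parse_signing_policy(policy_text).get(issuer_dn, [])
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)
```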

15
Building the federation
  • Providers and Relying Parties together shape the
    common minimum requirements
  • Several profiles for different identity
    management models
  • different technologies
  • Authorities testify to compliance with profile
    guidelines
  • Peer-review process within the federation to
    (re)evaluate members on entry and periodically
  • Reduce effort on the relying parties
  • single document to review and assess for all
    Authorities
  • collective acceptance of all accredited
    authorities
  • Reduce cost on the authorities
  • but participation in the federation comes with a
    price
  • the ultimate decision always remains with the RP

16
EUGridPMA
  • Green: countries with an accredited CA
  • The EU member states (except LU, MT)
  • AM, CH, IL, IS, NO, PK, RU, TR, SEE-catch-all
  • Other Accredited CAs
  • DoEGrids (.us)
  • GridCanada (.ca)
  • CERN
  • ASGCC (.tw)
  • IHEP (.cn)

Migrated to APGridPMA per Oct 5th, 2005
17
EUGridPMA
  • www.eugridpma.org
  • Features
  • 36 members, most from EU, some from closely
    affiliated countries; chaired by David Groep
    (NIKHEF)
  • The senior partner
  • Classic X.509 Grid profile
  • Member organizations/countries
  • Canonical list
    http://www.eugridpma.org/members/index.php
  • Membership includes many European national and
    regional (eg Nordunet, Baltic Grid) Grid
    projects; Canarie (Canada); DOEGrids and FNAL
    (US); significant relying parties such as LHC;
    several AP Grid CAs

18
The Americas Grid PMA Members
  • HEBCA/USHER/Dartmouth College
  • Texas High Energy Grid
  • Fermi National Laboratory
  • San Diego Supercomputing Center
  • TeraGrid
  • Open Science Grid
  • DOEGrids
  • CANARIE
  • Texas High Energy Grid
  • EELA
  • Venezuela ULA
  • Chile REUNA
  • Mexico UNAM
  • Argentina UNLP
  • Brazil UFF

19
TAGPMA
  • The Americas Grid PMA, chartered Sep 2005; very
    new
  • www.tagpma.org
  • Features
  • 9 members: Canarie (CA) and US, and now
    EELA
  • Several Latin American Grid projects to join soon
  • Chaired by Darcy Quesnel (CANARIE)
  • Short Lived Certificate Server profile
  • Member organizations/countries
  • Canonical list http://www.tagpma.org/members
  • 1st TAGPMA member meeting 27-29 Mar 2006, Rio de
    Janeiro (RDP)
  • EELA
  • Venezuela
  • Chile
  • Mexico
  • Argentina
  • Brazil
  • HEBCA/USHER/Dartmouth College
  • TeraGrid
  • Texas High Energy Grid
  • DOEGrids (US-DOE Labs)
  • Fermi Lab (FNAL)
  • San Diego Supercomputer Ctr
  • Open Science Grid (OSG)
  • CANARIE (Grid Canada)

20
EELA: E-Infrastructure Shared Between Europe and
Latin America
  • Through specific support actions, to position the
    Latin American countries at the same level of the
    European developments in terms of
    E-Infrastructure (Grids, e-Science,
    e-Infrastructure)
  • http://www.eu-eela.org
  • Kickoff meeting 30 Jan 2006
  • Grid CAs at early phase of lifecycle
  • Design, initial roll-out; accreditation soon
  • Membership and project management
  • http://www.eu-eela.org/public/eela_about_partners.php
  • Brazil: many other PKI activities in play

21
Asia Pacific PMA
  • Australia: APAC
  • China: SDG, IHEP Beijing
  • Hong Kong: HKU
  • India: U. Hyderabad
  • Japan: AIST, NAREGI, KEK, Osaka U.
  • Korea: KISTI
  • Malaysia: USM
  • Singapore: NGO
  • Taiwan: ASGC, NCHC
  • Thailand: NECTEC
  • USA: SDSC

22
APGridPMA
  • (Material provided by David Groep, IGTF chairman,
    from TF-EMC2 update Sep 05)
  • www.apgridpma.org
  • Features
  • 16 members from the Asia-Pacific
    Region, chaired by Yoshio Tanaka (AIST)
  • 7 Production CAs are in operation
  • AIST, APAC, ASGC, IHEP, KEK, KISTI, NAREGI
  • Experimental CA profile
  • Auditing: standard practice, GGF effort
  • Member organizations/countries
  • Canonical list
    https://www.apgrid.org/CA/CertificateAuthorities.html
  • AIST (Japan)
  • APAC (Australia)
  • ASGC (Taiwan)
  • IHEP (China)
  • KEK (Japan)
  • KISTI (Korea)
  • HKU (Hong Kong)
  • U.Hyderabad (India)
  • Osaka U. (Japan)
  • USM (Malaysia)
  • NAREGI (Japan)
  • NCHC (Taiwan)
  • NECTEC (Thailand)
  • NGO (Singapore)
  • SDG (China)
  • SDSC (US)

23
TACAR Repository Function
  • Collection point for trust anchors
  • Not qualified in itself
  • accreditation by a PMA is an additional attribute
  • Provides key role for the community
  • Well-known place to liaise and obtain trust
    anchors
  • Single point to validate integrity of trust
    anchors

24
Certificate Profiles
  • Classic PKI
  • DOEGrids as example
  • Short Lived Certificate Services
  • Rotary example
  • FNAL KX509 CA
  • Experimental
  • Use at conferences, demos, short term projects
  • Other work
  • Bridge PKI
  • Grid PKI has no concept of policy mapping or
    levels
  • Grid PKI has no concept of transitive trust
  • US HEBCA needs this profile
  • Other services may be required as a result
  • Active Credential Store PKI
  • Extend the MyProxy model: link a CA to a
    credential store
  • Core problem: service owns user private keys.

25
Classic X.509 Certificate Profile
  • Comprehensive Security Requirements for CA
    services
  • Evolved: Grid operational needs vs. security best
    practices
  • Hardware Security Modules or Offline operation
  • Two fairly distinct classes of end-entity
    certificates
  • Hosts and Grid services: essentially TLS
    server certs
  • Evolving concepts of ownership and rights
  • Users and software agents: client certificates
  • Strict Identity management and verification
    requirements
  • We concentrate on this class here, but hosts are
    equally important
  • Missing (not yet defined): software signing
    certificates for abstract entities (processes)

26
DOEGrids Classic X.509 PKI
Diagram: Offline Vaulted Root CA; Grid User; PKI
Systems with Hardware Security Modules (HSM);
Firewall; Internet; Access controlled racks; Secure
Data Center; Building Security; LBNL Site security;
Intrusion Detection
27
Grid Classic PKIPeople Certificate Workflow
Diagram (numbered steps 1-7): Registration Manager
(RM) at PKI1.DOEGrids.Org; CA; Sponsor; Project DBMS;
Registration Authority (RA) Agent; Subscriber
  • Subscriber requests Certificate
  • RM posts signing request notice
  • The RA for the Subscriber retrieves request
  • The RA agent reviews request with Grid project
  • The agent updates/approves/rejects request
  • Approved Certificate Request is sent to CM

Certificate Manager (CM) (Certificate Signing
Engine)
  • CM issues certificate
  • RM sends Email notice to Subscriber
  • Subscriber picks up new certificate

28
FNAL KCA Workflow
FNAL Kerberos KDC
  • FNAL User certificate workflow
  • Authenticate to KDC
  • Receive Kerberos TGT
  • Present Kerberos ticket and CSR to CA
  • KX509 CA returns short lived certificate
  • Use certificate with Grid services

Diagram (numbered steps 1-5): FNAL Account Services
(update); FNAL KX509 Certification Authority; Grid
resources (FNAL, external)
29
Short Lived Certificate Service Architecture
Diagram: Sources of Identity (LDAP, Kerberos, RADIUS,
Shibboleth IdP, Windows Domain, Other PKI) in the
Local Site / VO Authentication infrastructure are
queried by the Certificate Authority (Grid Identity
Mint) over an authentication protocol query/response
(slic); it issues short-lived Grid
Identity/Proxy/Attribute Certificates
CA can rotor through suite of authentication
methods as needed
Add custom extensions / delegations as needed
30
Rotary SLCS
  • Concept is expansion of KX509-like operation
    from enterprise to the scope of a Virtual
    Organization, and national network resource
  • Mostly, a matter of integration and federation
  • The federation agreements and interop are not
    trivial
  • Shibboleth, and rotary concept, need testing
  • CA can be replicated into (secure) sites
  • Our HSM technology may be able to change the
    definition of secure site

31
Certificate Validation Service
  • Outsource certificate trust decisions to a
    trusted service
  • Benefits
  • Light client maintains one relationship, not
    10s-100s
  • Obviously, we cannot expect to eliminate ALL
    client trust decisions, nor is that desirable.
  • Service can adapt more rapidly to changing
    conditions
  • Replication of validation service can be managed
    more effectively
  • Provide certificate path discovery and path
    validation for bridge PKI architecture
  • Essential for Grid support of Higher Education
    Bridge CA
  • OCSP is a subset, and an analogy
  • Online Certificate Status Protocol
  • However some OCSP deployment scenarios
    exacerbate existing scaling problems.

32
Current Problems
  • Usability vs Security
  • Integration with commercial and bridge CA
    infrastructures
  • Integration with alternative and/or legacy
    authentication systems
  • Personal Appearance and LoA
  • Difficulty translating CP/CPS to something
    understandable and usable by community

33
Contacts / Acknowledgements
  • IGTF: David Groep - davidg_at_eugridpma.org
  • TAGPMA
  • Darcy Quesnel - darcy.quesnel_at_canarie.ca
  • Alan Sill (secretary) - Alan.Sill_at_ttu.edu
  • EELA: Diego Carvalho - d.carvalho_at_ieee.org
  • HEBCA: Scott Rea - Scott.Rea_at_Dartmouth.edu
  • DOEGrids: doegrids-ca-1_at_doegrids.org
  • (Dhivakaran Muruganantham, Tony Genovese, Michael
    Helm)