GT 3 Security Features
Sam Meder
Assumptions
- Familiarity with PKI concepts: certificates (CA, EEC, proxy), delegation
- Some knowledge of Web Services security standards: WS-Security, XML-Signature, XML-Encryption
- Some knowledge of GSSAPI
GT Security Overview
GT 3.0 authentication mechanisms:
- X509/SSL/GSSAPI based (GSI Secure Conversation)
- X509/public key based (GSI Secure Message)
GT 3.0 authorization mechanisms:
- Gridmap
- Host
- Self
- None
WS Background
Most security work is done in JAX-RPC/Axis handlers.
(Diagram: the hosting environment/container runs a chain of incoming and outgoing handlers around a pivot handler, which dispatches to the service.)
Server Side Implementation
(Diagram: a client calling into the server hosting environment, which contains the WS-Security Handler, the Secure Conversation Message Handler, the Secure Message Handler, the Security Policy Handler, the Authorization Handler, JAAS, the SecConv Service and the service itself.)
Server Side Implementation (continued)
Handlers, handlers, handlers:
- WS-Security Handler: decrypts/verifies the signature on incoming messages; populates the JAAS peer subject
- Security Policy Handler: checks that the security meets the requirements specified in the security deployment descriptor
- Authentication Policy Handler / Run As Handler: sets the invocation (JAAS) subject as specified by the run-as policy in the security deployment descriptor
Server Side Implementation (continued)
Even more handlers:
- Authorization Handler: authorizes incoming messages (more later)
- Credential Refresh Handler: refreshes the credential in the invocation subject based on the delegated credential
- Authentication Service Handler: redirects messages to the Secure Conversation Service
- Secure Message Handler (aka X509 Sign Handler): signs GSI Secure Message secured communications
Server Side Implementation (continued)
Only one more, I promise:
- Secure Conversation Message Handler (aka GSS Handler): signs and encrypts GSI Secure Conversation secured communication
Other pieces:
- Context Manager: keeps track of established contexts; destroys contexts on expiration
Server Side Programming
Declarative model:
- Security properties (for incoming communication) are specified in a deployment descriptor
- Wrapper handler(s) read the descriptor and populate security parameters
- Handlers act on the security parameters
- Generally requires no explicit security calls by the service implementer
Client Side Implementation
(Diagram: the client hosting environment with the client, the Secure Conversation Service Handler, the SecConv Message Handler, the Secure Message Handler and the WS-Security Client Handler, talking to the service and the SecConv Service in the server hosting environment.)
Client Side Implementation (continued)
Client side handlers:
- Secure Conversation Service Handler: establishes a new Secure Conversation context if needed
- Secure Message Handler, Secure Conversation Message Handler, WS-Security (Client) Handler: equivalent to/the same as the server side handlers
Client side authorization:
- Handled by the Secure Conversation Service and the WS-Security Client Handler
- Host authorization by default
Client Side Programming
- Clients need to set security properties explicitly (programmatic model)
- Also applies to a server/service acting as a client
- Handlers pick up the security properties and act accordingly
JAAS
- Java Authentication & Authorization Service
- Currently (3.0) only used for managing/storing credentials (JAAS Subject object)
- Used in authorization checks and for outgoing connections
- Different subject types: System, Container, Peer, Invocation Subject
GRIM (Grid Resource Identity Mapper)
- Allows GT3 components to run without special privileges
- Setuid to a user with access to the (host) credentials
- Reads the credentials
- Creates a GRIM proxy from the credentials and configuration information
GRIM Proxy
- Proxy contains a GRIM Policy
- GRIM Policy currently (3.0) consists of: list of authorized porttypes; list of authorized DNs
- GRIM Policy in 3.x will change to: always list the GRAM porttype (backwards compatibility; no other porttypes will ever be listed); list of authorized DNs
GRIM Wish List
- Make GRIM produce an independent proxy
- Proxy should contain a non-critical extension
- Extension should contain a SAML assertion on allowed DNs
- Does not require special handling of the proxy in cases where you don't care about the extension
Authorization – Cooking your own
Replace the Authorization Handler:
- Check out the current one
- Write your own
- Build/compile it
- Replace the existing handler in server-config.wsdd and make sure that the handler is available in your CLASSPATH
```java
// Fragment of the GT 3.0 AuthorizationHandler. Only the Axis and JAAS imports are
// shown; the GT-specific classes (Constants, DescriptorHandler, ServiceProperties,
// ServiceAuthorization, the *Authorization singletons, i18n) are elided with "...".
import javax.security.auth.Subject;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
...

public class AuthorizationHandler extends BasicHandler {
    ...
    public void invoke(MessageContext messageContext) throws AxisFault {
        // The peer subject was populated by the WS-Security handler earlier in the chain.
        Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
        // Security deployment descriptor properties of the target service.
        ServiceProperties props = DescriptorHandler.getService(messageContext);
        ServiceAuthorization auth = null;
        // Pick the authorization method named in the descriptor: the default applies
        // when none is configured, an unknown name is a fault.
        String tmp = (String) props.getProperty(Authorization.AUTHORIZATION);
        if (tmp == null) {
            auth = DefaultAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("none")) {
            auth = NoAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("self")) {
            auth = SelfAuthorization.getInstance();
        } else if (tmp.equalsIgnoreCase("gridmap")) {
            auth = GridMapAuthorization.getInstance();
        } else {
            Exception e = new AuthorizationException(
                i18n.getMessage("badAuthMethod", new Object[] {tmp}));
            throw AxisFault.makeFault(e);
        }
        // A denied peer turns into a SOAP fault; an authorized one falls through to the service.
        try {
            auth.authorize(subject, props, messageContext);
        } catch (AuthorizationException e) {
            throw AxisFault.makeFault(e);
        }
    }
}
```
server-config.wsdd:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  …
  <globalConfiguration>
    …
    <requestFlow>
      …
      <handler type="java:org.globus.ogsa.impl.security.authorization.AuthorizationHandler"/>
      …
    </requestFlow>
    …
  </globalConfiguration>
  …
</deployment>
```
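As an added stand-alone illustration of what the four authorization methods listed earlier (none, self, host, gridmap) decide on the peer subject's DN, here is the decision logic in Python rather than the toolkit's Java; it is not GT3 code. The gridmap contents, the DNs, the `CN=host/<fqdn>` host-certificate convention and the proxy-name suffixes that `identity_of` strips are assumptions of this example, chosen to show the one thing the handler above leaves to the `*Authorization` classes: a proxy certificate must be mapped back to the identity of the end-entity certificate before a gridmap lookup.

```python
import re
import shlex

# Constructed sample gridmap (DNs and accounts invented for this example).
SAMPLE_GRIDMAP = """
# subject DN (quoted, may contain spaces)      local account(s)
"/O=Grid/OU=Example/CN=Alice Example" alice
"/O=Grid/OU=Example/CN=Bob Example"   bob,grid
"""

# Proxy-certificate name components (assumed conventions): legacy GSI proxies append
# "/CN=proxy" or "/CN=limited proxy", RFC 3820 proxies append a numeric CN. Stripping
# them yields the identity of the end-entity certificate that issued the proxy chain.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|[0-9]+)$")


class AuthorizationException(Exception):
    pass


def identity_of(dn):
    """Strip every trailing proxy component from a subject DN."""
    while True:
        m = PROXY_CN.search(dn)
        if m is None:
            return dn
        dn = dn[:m.start()]


def parse_gridmap(text):
    """Parse gridmap text into {identity DN: [local accounts]}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the double-quoted DN
        if len(fields) != 2:
            raise ValueError("malformed gridmap line: %r" % raw)
        dn, accounts = fields
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def authorize(method, peer_dn, gridmap=None, self_dn=None, expected_host=None):
    """Apply one GT 3.0 authorization method to the peer's subject DN.

    Returns the mapped local account for "gridmap" and None for the other methods;
    raises AuthorizationException when the peer is not authorized.
    """
    identity = identity_of(peer_dn)
    if method == "none":
        return None
    if method == "self":
        # Peer must carry the same identity as the local (container) credential.
        if self_dn is None or identity != identity_of(self_dn):
            raise AuthorizationException("peer %s is not self" % identity)
        return None
    if method == "host":
        # Client-side default: the peer must present a host certificate for the host we
        # meant to contact. Assumed naming convention: CN=host/<fqdn> or CN=<fqdn>.
        cn = identity.rsplit("/CN=", 1)[-1]
        if expected_host is None or cn not in (expected_host, "host/" + expected_host):
            raise AuthorizationException("peer %s is not host %s" % (identity, expected_host))
        return None
    if method == "gridmap":
        if not gridmap or identity not in gridmap:
            raise AuthorizationException("no gridmap entry for %s" % identity)
        return gridmap[identity][0]         # first account is the default mapping
    raise AuthorizationException("bad authorization method: %r" % method)


def is_authorized(method, peer_dn, **kw):
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(method, peer_dn, **kw)
        return True
    except AuthorizationException:
        return False
```

The unknown-method branch is deliberately a denial rather than a fall-through, mirroring the `badAuthMethod` fault in the handler above: a typo in the deployment descriptor must fail closed.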
GSI Secure Conversation
- Based on GSSAPI, WS-Security, XML-Signature and XML-Encryption
- Session based
- Support for delegation
- Automatic refresh of the delegated proxy on re-delegation
- Uses our SSL based GSSAPI mechanism
- Protocol is driven by gss_init/accept_sec_context, get_mic/verify_mic and wrap/unwrap
Secure Conversation PortType

```xml
<gwsdl:portType name="SecureContextEstablishmentPortType">
  <operation name="initTokenExchange">
    <input message="tns:InitTokenExchangeInputMessage"/>
    <output message="tns:InitTokenExchangeOutputMessage"/>
    <fault name="MechanismTypeNotSupportedFault"
           message="tns:MechanismTypeNotSupportedFault"/>
  </operation>
  <operation name="continueTokenExchange">
    <input message="tns:ContinueTokenExchangeInputMessage"/>
    <output message="tns:ContinueTokenExchangeOutputMessage"/>
    <fault name="InvalidContextIdFault"
           message="tns:InvalidContextIdFault"/>
  </operation>
</gwsdl:portType>
```
Secure Conversation Messages

```xml
<complexType name="ContextTokenType">
  <sequence>
    <element name="base64Token" type="base64Binary"/>
    <element name="context-id" type="string"/>
  </sequence>
  <attribute name="continue-needed" type="boolean"/>
</complexType>

<complexType name="ContextTokenElementType">
  <sequence>
    <element name="contextToken" type="auth-types:ContextTokenType"/>
  </sequence>
</complexType>
```

Secure Conversation Messages (continued)

```xml
<complexType name="ContextTokenOutType">
  <sequence>
    <element name="base64Token" type="base64Binary"/>
    <element name="context-id" type="string"/>
  </sequence>
  <attribute name="continue-needed" type="boolean"/>
</complexType>

<complexType name="ContextTokenOutElementType">
  <sequence>
    <element name="contextTokenOut" type="auth-types:ContextTokenOutType"/>
  </sequence>
</complexType>
```

Secure Conversation Messages (continued)

```xml
<complexType name="InitContextTokenType">
  <complexContent>
    <extension base="auth-types:ContextTokenType">
      <attribute name="mechanism-type" use="required" type="string"/>
    </extension>
  </complexContent>
</complexType>

<complexType name="InitContextTokenElementType">
  <sequence>
    <element name="initContextToken" type="auth-types:InitContextTokenType"/>
  </sequence>
</complexType>
```
Secure Conversation Messages (recap)
Context establishment messages contain:
- Base64 encoded GSS token
- Context identifier
- Continue-needed indicator
- Mechanism OID (initial message only)
GSI Secure Conversation & XML-Encryption

```xml
<soapenv:Envelope …>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="EncryptedBody"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="EncryptedBody"
                        Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-enc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>00000000-7562-527e-00000000-0000322d926f</ds:KeyName>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>FwMAAQ………….kwn55YyoSCw92ILu</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
```
GSI Secure Conversation & XML-Signature

```xml
<soapenv:Envelope …>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
                   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
          <ds:Reference URI="#digestSource">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>CGnV0ogSVvsS+dpABEJI2+hs4o4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAAAAAAAAEAAALI9CswCadOGScGWbGsrSkAD6PcyS0=</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:KeyName>00000000-5680-d374-00000000-00001223536a</ds:KeyName>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <shutdownResponse wsu:Id="digestSource" … />
  </soapenv:Body>
</soapenv:Envelope>
```
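The port type, the token messages, the context manager and the two message examples above fit together as one exchange; the following added Python example (not GT3 code) plays it end to end. A shared-secret challenge/response stands in for the SSL-based GSSAPI mechanism and a SHA-256 keystream plus HMAC stands in for gss_wrap/gss_unwrap, so the shared secret, the mechanism-type string, the context-id format and the fault names other than those in the port type are all assumptions of this example. What it shows that the slides do not: the client drives initTokenExchange/continueTokenExchange until continue-needed is false, the server's context manager destroys expired contexts and answers InvalidContextIdFault for anything it no longer holds, the message handler resolves the `ds:KeyName` (the context-id) to the context before unwrapping, and the per-context sequence number is what gives Secure Conversation the replay detection that the Secure Message slide further down says is missing there.

```python
import base64, hashlib, hmac, os, time

# Constructed stand-in for the X.509 credentials behind the real SSL/GSSAPI mechanism:
# both parties share this secret. The mechanism-type value is illustrative, not GT's OID.
SHARED_SECRET = b"example-shared-secret"
MECH_TYPE = "urn:example:toy-mechanism"

class Fault(Exception):                     # a SOAP fault; str(fault) is the fault name
    pass

def prf(label, data):
    return hmac.new(SHARED_SECRET, label + data, hashlib.sha256).digest()

def keystream(key, direction, seq, length):
    blocks = (hashlib.sha256(key + direction + seq + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class Context:
    """One security context: stand-in for the GSS context that a context-id names."""
    def __init__(self, role, lifetime):
        self.send_dir, self.recv_dir = (b"c2s", b"s2c") if role == "init" else (b"s2c", b"c2s")
        self.expires = time.time() + lifetime
        self.nonces = self.key = None
        self.send_seq, self.recv_seq = 0, -1

    def wrap(self, plaintext):
        """Toy gss_wrap: sequence number, keystream encryption, MAC over direction|seq|ciphertext."""
        seq = self.send_seq.to_bytes(4, "big")
        self.send_seq += 1
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(self.key, self.send_dir, seq, len(plaintext))))
        return seq + ct + hmac.new(self.key, self.send_dir + seq + ct, hashlib.sha256).digest()

    def unwrap(self, token):
        """Toy gss_unwrap: verify the MAC, reject replayed/out-of-order sequence numbers, decrypt."""
        seq, ct, tag = token[:4], token[4:-32], token[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, self.recv_dir + seq + ct, hashlib.sha256).digest()):
            raise Fault("IntegrityCheckFailed")
        if int.from_bytes(seq, "big") <= self.recv_seq:
            raise Fault("ReplayDetected")
        self.recv_seq = int.from_bytes(seq, "big")
        return bytes(c ^ k for c, k in zip(ct, keystream(self.key, self.recv_dir, seq, len(ct))))

class SecureConversationService:
    """Server side: the two port-type operations plus the Context Manager."""
    def __init__(self, lifetime=300):
        self.lifetime, self.contexts = lifetime, {}           # context-id -> Context

    def _destroy_expired(self):                                 # Context Manager duty
        now = time.time()
        self.contexts = {c: ctx for c, ctx in self.contexts.items() if ctx.expires > now}

    def initTokenExchange(self, msg):
        if msg["mechanism-type"] != MECH_TYPE:
            raise Fault("MechanismTypeNotSupportedFault")
        self._destroy_expired()
        ctx = Context("accept", self.lifetime)
        ctx.nonces = base64.b64decode(msg["base64Token"]) + os.urandom(16)
        cid = os.urandom(8).hex()
        self.contexts[cid] = ctx
        token = ctx.nonces[16:] + prf(b"srv", ctx.nonces)       # our nonce + proof of the secret
        return {"base64Token": base64.b64encode(token).decode(), "context-id": cid, "continue-needed": True}

    def continueTokenExchange(self, msg):
        self._destroy_expired()
        ctx = self.contexts.get(msg["context-id"])
        if ctx is None:
            raise Fault("InvalidContextIdFault")
        if not hmac.compare_digest(base64.b64decode(msg["base64Token"]), prf(b"cli", ctx.nonces)):
            del self.contexts[msg["context-id"]]
            raise Fault("PeerAuthenticationFailed")
        ctx.key = prf(b"key", ctx.nonces)                         # context established
        return {"base64Token": "", "context-id": msg["context-id"], "continue-needed": False}

    def unwrap(self, context_id, token):
        """Secure Conversation Message Handler: resolve ds:KeyName (the context-id), then unwrap."""
        self._destroy_expired()
        ctx = self.contexts.get(context_id)
        if ctx is None or ctx.key is None:
            raise Fault("InvalidContextIdFault")
        return ctx.unwrap(token)

def establish_context(service, lifetime=300):
    """Client side (Secure Conversation Service Handler): drive init/continue to completion."""
    ctx, client_nonce = Context("init", lifetime), os.urandom(16)
    reply = service.initTokenExchange({"mechanism-type": MECH_TYPE, "context-id": "", "continue-needed": True,
                                       "base64Token": base64.b64encode(client_nonce).decode()})
    token = base64.b64decode(reply["base64Token"])
    ctx.nonces = client_nonce + token[:16]
    if not hmac.compare_digest(token[16:], prf(b"srv", ctx.nonces)):
        raise Fault("PeerAuthenticationFailed")
    done = service.continueTokenExchange({"context-id": reply["context-id"], "continue-needed": False,
                                          "base64Token": base64.b64encode(prf(b"cli", ctx.nonces)).decode()})
    if done["continue-needed"]:
        raise Fault("UnexpectedContinueNeeded")
    ctx.key = prf(b"key", ctx.nonces)
    return reply["context-id"], ctx

def fault_name(call):
    """Return the fault name raised by call(), or None if it succeeds."""
    try:
        call()
    except Fault as fault:
        return str(fault)
    return None
```

Usage: `cid, ctx = establish_context(SecureConversationService())`, then `service.unwrap(cid, ctx.wrap(b"<shutdownRequest/>"))` returns the plaintext once and raises `ReplayDetected` for the same token a second time. Each direction of a context gets its own keystream label so the two sides never reuse a keystream against each other, which is the one thing a toy wrap must still get right.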
Performance
- Needs to be improved: currently about 10x slower than insecure; initialization is very slow
- Apache XML security libraries add large overhead (3x per message processed)
- JSR 105/106 are moving along; Apache will adopt them; we don't want to make major changes now
- Concentrate on low cost, high impact improvements: move some interactions to Secure Message; fewer roundtrips
New Secure Conversation Features (3.x)
- Support for anonymous authentication
- Support for specifying context lifetime
- Some performance improvements
GSI Secure Message
- Supports integrity protection with X509 certificates
- Support for proxy certificates
- Can be combined with GSI Secure Conversation
- Not fully featured: no replay attack prevention; no encryption support
- Missing features slated for 3.x
GSI Secure Message Example

```xml
<soapenv:Envelope ...>
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0" …>
      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
                                wsu:Id="token1073175857792" …>
        3glkeh6.....wvZFY1waVEKaQ==
      </wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#digestSource">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>v8iQBeaSs9/XZNEyWb00z/23nuE=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>IFQS5..........12mCw==</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#token1073175857792"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <pingResponse wsu:Id="digestSource" .../>
  </soapenv:Body>
</soapenv:Envelope>
```
Username/Password
- Not clear which release this will show up in
- Potential mechanisms:
  - WS-Security Username/Password token; should be used in combination with anonymous Secure Conversation
  - More advanced/secure Username/Password schemes, e.g. AuthA
The AuthA Protocol
- Client has the password
- Server has secret = f(servername|username|password), where f is a secure one-way function
- Client and server create a session key using an encrypted Diffie-Hellman exchange
- Client and server authenticate each other
- A security proof exists
- Details at http://grouper.ieee.org/groups/1363/passwdPK/contributions/autha.pdf
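To make the three bullets concrete, here is an added Python example of the structure the slide describes (server stores only a one-way value of servername|username|password, the Diffie-Hellman values travel encrypted under that value, and both sides prove possession of the resulting key). It is a simplified EKE-style sketch written for this page, not the AuthA message flow from the linked paper and not GT code: the 127-bit group, SHA-256 as f, the XOR "encryption" of group elements and the HMAC confirmation messages are all assumptions of the example. The XOR encoding in particular is the part a real scheme must get right, since the decrypt-and-range-check done here is exactly the kind of test an offline password guesser can exploit; the point of the block is the protocol shape, the mutual confirmation and the fail-closed handling of wrong passwords and unknown users.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group: p = 2**127 - 1 is prime, g = 3. Constructed for this example;
# real code uses a standard large group such as an RFC 3526 MODP group.
P = 2**127 - 1
G = 3


class AuthError(Exception):
    pass


def one_way(servername, username, password):
    """secret = f(servername|username|password); SHA-256 stands in for the slide's f."""
    return hashlib.sha256("|".join((servername, username, password)).encode()).digest()


def _keystream(key, label):
    return hashlib.sha256(key + label).digest()[:16]


def pw_encrypt(secret, label, value):
    """Toy 'encrypt under the password-derived secret': XOR with a 16-byte keystream.
    A real EKE/AuthA encoding must leak nothing an offline guesser could test; this one
    does (and reuses its keystream across sessions), so it is illustration only."""
    data = value.to_bytes(16, "big")
    return bytes(a ^ b for a, b in zip(data, _keystream(secret, label)))


def pw_decrypt(secret, label, blob):
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob, _keystream(secret, label))), "big")


def mac(key, label, *parts):
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def random_exponent():
    return 2 + int.from_bytes(os.urandom(16), "big") % (P - 3)


class Server:
    def __init__(self, servername):
        self.name, self.secrets, self.pending = servername, {}, {}

    def enroll(self, username, password):
        # Only the one-way value is stored; the password itself never is.
        self.secrets[username] = one_way(self.name, username, password)

    def step1(self, username, enc_x):
        secret = self.secrets.get(username)
        if secret is None:
            raise AuthError("unknown user")
        x_pub = pw_decrypt(secret, b"X", enc_x)
        if not 1 < x_pub < P - 1:
            raise AuthError("bad client value")
        y = random_exponent()
        enc_y = pw_encrypt(secret, b"Y", pow(G, y, P))
        k = hashlib.sha256(pow(x_pub, y, P).to_bytes(16, "big")).digest()
        self.pending[username] = (k, enc_x, enc_y)
        return enc_y, mac(k, b"server", enc_x, enc_y)        # server proves it knows k

    def step2(self, username, auth_c):
        k, enc_x, enc_y = self.pending.pop(username)
        if not hmac.compare_digest(auth_c, mac(k, b"client", enc_x, enc_y)):
            raise AuthError("client authentication failed")
        return mac(k, b"session", enc_x, enc_y)


class Client:
    def __init__(self, servername, username, password):
        self.username = username
        self.secret = one_way(servername, username, password)   # same derivation as the server

    def start(self):
        self.x = random_exponent()
        self.enc_x = pw_encrypt(self.secret, b"X", pow(G, self.x, P))
        return self.username, self.enc_x

    def finish(self, enc_y, auth_s):
        y_pub = pw_decrypt(self.secret, b"Y", enc_y)
        if not 1 < y_pub < P - 1:
            raise AuthError("bad server value")
        k = hashlib.sha256(pow(y_pub, self.x, P).to_bytes(16, "big")).digest()
        if not hmac.compare_digest(auth_s, mac(k, b"server", self.enc_x, enc_y)):
            raise AuthError("server authentication failed")
        return mac(k, b"client", self.enc_x, enc_y), mac(k, b"session", self.enc_x, enc_y)


def run(client, server):
    """Run the three-message exchange; return the shared session key, or None on any failure."""
    try:
        username, enc_x = client.start()
        enc_y, auth_s = server.step1(username, enc_x)
        auth_c, client_key = client.finish(enc_y, auth_s)
        server_key = server.step2(username, auth_c)
    except AuthError:
        return None
    return client_key if client_key == server_key else None
```

Usage: `server.enroll("alice", pw)` once, then `run(Client("grid.example.org", "alice", pw), server)` yields the session key on both sides; a wrong password, a wrong server name or an unknown user all come back as `None` without revealing which of the three it was.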
Discussion
- WS-Resource impact
- One time passwords
- Smart card support
- Kerberos
- Other authentication mechanisms? …