

16th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 2007), Evry Cedex, France, 2007.06.18-2007.06.20

Managing Confidential Data in the gLite Middleware

Diego Scardaci, Giordano Scuderi INFN Catania, UNICO S.R.L.

[email protected], [email protected]

Abstract

How to manage confidential data in the grid environment is a critical issue, because users’ data can be saved on untrusted remote storage. This paper introduces the Secure Storage service, which stores confidential data (e.g. medical or financial data) on the grid storage elements in a secure, encrypted format. Moreover, this service solves the insider abuse problem, preventing even the administrators of the storage elements from accessing the confidential data in clear format. It is fully integrated into the grid middleware of the EGEE infrastructure, gLite, and has been designed and developed in the context of the TriGrid VL Project.

1. Introduction

One of the main benefits of the Grid Infrastructure [1] is the possibility to use distributed storage space. A community may want to use storage elements owned by an external organization, delegating the management of these machines and avoiding the purchase of specialized hardware. In this way the community can rent storage space as needed and minimize human and hardware costs.

In the case of confidential data this scenario is not feasible as it stands. Indeed, the community has to satisfy strong privacy requirements, for example when it manages medical or financial data. To store confidential data on a storage element managed by an external organization, a mechanism that prevents the administrator of the machine from accessing the data is required.

At the present time the grid middleware of the EGEE infrastructure [7], gLite [8], provides the same security infrastructure for all the grid services. Authentication is performed using the X.509 infrastructure [2] and the VOMS [6] attributes are used to authorize the users. Moreover, an authorization method based on Access Control Lists (ACL) guarantees that data are accessed only by their owners.

However, the data are stored in clear format. The storage element administrator can access the data by bypassing the grid security infrastructure, for example by logging in on the machine as super-user. This is known as the insider abuse problem [3].

The following properties must be satisfied to guarantee data confidentiality and to solve the insider abuse problem:

1. the data must be stored in an encrypted format;

2. the encryption operation must be performed on a trusted machine;

3. the information (e.g. the keys) required to decrypt the data must be accessible only by their owners (or authorized users) and stored on a trusted machine.

2. The Secure Storage Service

The Secure Storage Service has been designed to be integrated in the gLite middleware.

It is composed of the following components:

1. Command Line Applications: integrated in the gLite User Interface to encrypt and upload, and to decrypt and download, files on the storage elements;

2. An Application Program Interface: it allows users’ programs to manage confidential data securely;

3. The Keystore: a new grid element used to store and retrieve the users’ keys in a secure way.

2.1. Command Line Applications

The Command Line Applications are available on the gLite User Interface and allow users to manage confidential data simply and securely.

A list of the main Command Line Applications of the service is shown below:

(1) lcg-scr: The input parameters of this command are a local file, a storage element, a Logical File Name (LFN) and a list of users authorized to access the file (ACL). The command generates an encryption key, encrypts the input file and uploads it to the storage element, registering its Logical File Name in an LFC catalogue. Moreover, it stores the key generated and used to encrypt the file in the keystore. The provided Access Control List (ACL, composed of a list of distinguished names, DNs) is associated with the encryption key on the keystore (see Figure 1).

Figure 1. File uploading: 1) A new random secret key is generated. 2) The key and the ACL are saved on the keystore. 3) The input file is encrypted inside the user’s trusted environment. 4) The encrypted file is uploaded to the Grid Storage Element.

(2) lcg-scp: The input parameter of this command is an LFN. It downloads the encrypted file identified by the input LFN, gets the key to decrypt the file from the keystore, decrypts the file and then stores it on the local file system. This command returns successfully only if the user is authorized (his DN is on the ACL associated with the key needed to decrypt the file).

The service also provides commands to manage the file access permissions (modifiable only by the file owner) and to delete the files.

2.2. Application Program Interface

Developers can use the Secure Storage API in their Grid Applications to manage confidential data in a secure way.

The Secure Storage API functions behaviour is similar to that of the Command Line Applications.

Moreover, the API provides a set of functions to read or write blocks of encrypted files stored on remote storage elements in a simple way (the developer can handle the files as if they were clear local files).

2.3. The Keystore

The Keystore is a new grid element used to store and retrieve the users’ keys in a secure way. It is identified by a host X.509 digital certificate and accepts only mutually authenticated and encrypted connections, as required by the Grid Security Infrastructure (GSI) model [5]. Once the user is identified, it decides whether or not to serve the request through an authorization process:

1. the client request is processed only if the client is a member of an enabled users list and/or belongs to an enabled Virtual Organization or to a specific Virtual Organization Group. The request is discarded in all other cases;

2. if the client wants to retrieve a key (or wants to modify the ACL associated with an existing key), the keystore checks that the request comes from an authorized user listed on the key ACL.

The keystore clients are the command line applications and the API functions previously described. For example, the keystore saves the encryption key and the associated ACL received from the lcg-scr command in its repository and provides the key to the lcg-scp command.
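To make the workflow of Sections 2.1 and 2.3 concrete, the following Python model is an added example, not code from the paper or from the gLite project: an untrusted storage element holds only ciphertext, a keystore admits a request by enabled user list or VO membership and then enforces the per-key ACL, and lcg_scr/lcg_scp mirror the two commands. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a stand-in because the page does not name the service’s cipher; the DNs, VO name and LFN used with it are constructed.

```python
# Added example (not the paper's code): model of the Secure Storage workflow.
# Cipher: HMAC-SHA256 counter-mode keystream + encrypt-then-MAC, a stand-in
# because the page does not name the service's real cipher.
import hashlib, hmac, os
def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]
def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag
def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Keystore:
    """Trusted node: admit enabled users/VOs (step 1), then enforce the key ACL (step 2)."""
    def __init__(self, enabled_vos, enabled_users=()):
        self.enabled_vos, self.enabled_users = set(enabled_vos), set(enabled_users)
        self.keys = {}  # LFN -> (key, ACL as a set of DNs)
    def _admitted(self, dn, vo):
        return dn in self.enabled_users or vo in self.enabled_vos
    def put(self, dn, vo, lfn, key, acl):
        if not self._admitted(dn, vo):
            raise PermissionError("request discarded: not an enabled user or VO")
        self.keys[lfn] = (key, set(acl) | {dn})  # the owner is always on the ACL
    def get(self, dn, vo, lfn):
        if not self._admitted(dn, vo):
            raise PermissionError("request discarded: not an enabled user or VO")
        key, acl = self.keys[lfn]
        if dn not in acl:
            raise PermissionError("DN not on the ACL of this key")
        return key

storage_element = {}  # untrusted SE: LFN -> ciphertext; its admin sees only this

def lcg_scr(ks, dn, vo, local_bytes, lfn, acl):
    key = os.urandom(32)                              # 1) new random secret key
    ks.put(dn, vo, lfn, key, acl)                     # 2) key and ACL to the keystore
    storage_element[lfn] = encrypt(key, local_bytes)  # 3) encrypt on the UI, 4) upload

def lcg_scp(ks, dn, vo, lfn):
    key = ks.get(dn, vo, lfn)  # fails unless the caller's DN is on the key ACL
    return decrypt(key, storage_element[lfn])
```

A caller whose VO is not enabled is rejected before the ACL is consulted, and a DN that is admitted but absent from the key's ACL is rejected at the second step, matching the two-stage authorization described above.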

The Keystore is a critical node of this service and for this reason it should be placed in a trusted domain and protected from undesired connections.

3. Conclusions

This paper introduces the problem of managing confidential data in the grid environment and provides a solution to store data in a secure way and to solve the insider abuse problem. The proposed solution is fully implemented on the gLite grid middleware.

4. References

[1] I. Foster, “The Grid: A New Infrastructure for 21st Century Science”, in Physics Today, Vol. 55, pp. 42-27, 2002.

[2] Internet X.509 Public Key Infrastructure: http://www.ietf.org/rfc/rfc3280.txt

[3] U.S.A. Department of the Treasury - Office of Thrift Supervision, “Fraud and Insider Abuse”.

[4] http://www.ots.treas.gov/docs/4/422134.pdf

[5] Grid Security Infrastructure (GSI): http://www.globus.org/toolkit/docs/4.0/security/key-index.html

[6] Virtual Organization Membership Service (VOMS): http://voms.forge.cnaf.infn.it/home.html

[7] EGEE project web site: http://public.eu-egee.org/

[8] gLite project web site: http://www.glite.org/