GT 3 Security Features Sam Meder
Assumptions
- Familiarity with PKI concepts: certificates (CA, EEC, proxy), delegation
- Some knowledge of Web Services security standards: WS-Security, XML-Signature, XML-Encryption
- Some knowledge of GSSAPI

GT Security Overview
- GT 3.0 authentication mechanisms
  - X509/SSL/GSSAPI based (GSI Secure Conversation)
  - X509/public key based (GSI Secure Message)
- GT 3.0 authorization mechanisms
  - Gridmap
  - Host
  - Self
  - None
WS Background
- Most security work is done in JAX-RPC/Axis handlers
- Diagram: hosting environment/container with a chain of incoming handlers, a pivot handler that dispatches to the service, and a chain of outgoing handlers

Server Side Implementation
- Diagram: server hosting environment showing the JAAS subject, the WS-Security Handler, Security Policy Handler, Client Authorization Handler, Secure Conversation Message Handler and Secure Message Handler, the Secure Conversation Service, and the target service
Server Side Implementation Continued
Handlers, handlers, handlers
- WS-Security Handler
  - Decrypts/verifies the signature on incoming messages
  - Populates the JAAS Peer Subject
- Security Policy Handler
  - Checks that the security meets the requirements specified in the security deployment descriptor
- Authentication Policy Handler
- Run As Handler
  - Sets the invocation (JAAS) subject as specified by the run-as policy in the security deployment descriptor

Server Side Implementation Continued
Even more handlers
- Authorization Handler
  - Authorizes incoming messages (more later)
- Credential Refresh Handler
  - Refreshes the credential in the invocation subject based on the delegated credential
- Authentication Service Handler
  - Redirects messages to the Secure Conversation Service
- Secure Message Handler (aka X509 Sign Handler)
  - Signs GSI Secure Message secured communications

Server Side Implementation Continued
Only one more, I promise
- Secure Conversation Message Handler (aka GSS Handler)
  - Signs and encrypts GSI Secure Conversation secured communication
- Other pieces: Context Manager
  - Keeps track of established contexts
  - Destroys contexts on expiration

Server Side Programming
- Declarative model
  - Security properties (for incoming communication) are specified in a deployment descriptor
  - Wrapper handler(s) read the descriptor and populate security parameters
  - Handlers act on the security parameters
- Generally requires no explicit security calls by the service implementer
Client Side Implementation
- Diagram: client hosting environment (Secure Conversation Service Handler, Secure Message Handler, Secure Conversation Message Handler, WS-Security Client Handler, client) talking to the server hosting environment (Secure Conversation Service, service)

Client Side Implementation Continued
Client side handlers
- Secure Conversation Service Handler
  - Establishes a new Secure Conversation context if needed
- Secure Message Handler
- Secure Conversation Message Handler
- WS-Security (Client) Handler
- The above three are equivalent to (the same as) the server side handlers
- Client side authorization
  - Handled by the Secure Conversation Service and the WS-Security Client Handler
  - Host authorization by default

Client Side Programming
- Clients need to set security properties explicitly (programmatic model)
- Server/service acting as client
- Handlers pick up the security properties and act accordingly
JAAS
- Java Authentication & Authorization Service
- Currently (3.0) only used for managing/storing credentials
  - JAAS Subject object
  - Authorization checks
  - Outgoing connections
- Different subject types: System, Container, Peer, Invocation subject

GRIM (Grid Resource Identity Mapper)
- Allows GT3 components to run without special privileges
- Setuid to a user with access to the (host) credentials
  - Reads the credentials
  - Creates a GRIM proxy from the credentials and configuration information

GRIM Proxy
- The proxy contains a GRIM policy
- The GRIM policy currently (3.0) consists of:
  - List of authorized porttypes
  - List of authorized DNs
- The GRIM policy in 3.x will change to:
  - Always list the GRAM porttype (backwards compatibility); no other porttypes will ever be listed
  - List of authorized DNs

GRIM Wish List
- Make GRIM produce an independent proxy
- The proxy should contain a non-critical extension
- The extension should contain a SAML assertion on the allowed DNs
- Does not require special handling of the proxy in cases where you don't care about the extension

Authorization: Cooking Your Own
Replace the Authorization Handler:
1. Check out the current one
2. Write your own
3. Build/compile it
4. Replace the existing handler in server-config.wsdd and make sure that the handler is available in your CLASSPATH
The current handler (package org.globus.ogsa.impl.security.authorization, as referenced from server-config.wsdd; imports and other members elided on the slide). It reads the authorization method from the service's security descriptor, picks the matching ServiceAuthorization implementation, and turns any AuthorizationException into an Axis fault:

    public class AuthorizationHandler extends BasicHandler {
        // ...
        public void invoke(MessageContext messageContext) throws AxisFault {
            // Peer Subject populated earlier in the chain by the WS-Security Handler
            Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
            // Security properties from the service's deployment descriptor
            ServiceProperties props = DescriptorHandler.getService(messageContext);
            ServiceAuthorization auth = null;
            String tmp = (String) props.getProperty(Authorization.AUTHORIZATION);
            if (tmp == null) {
                auth = DefaultAuthorization.getInstance();
            } else if (tmp.equalsIgnoreCase("none")) {
                auth = NoAuthorization.getInstance();
            } else if (tmp.equalsIgnoreCase("self")) {
                auth = SelfAuthorization.getInstance();
            } else if (tmp.equalsIgnoreCase("gridmap")) {
                auth = GridMapAuthorization.getInstance();
            } else {
                // Unknown method name in the descriptor: fail closed
                Exception e = new AuthorizationException(
                    i18n.getMessage("badAuthMethod", new Object[] {tmp}));
                throw AxisFault.makeFault(e);
            }
            try {
                auth.authorize(subject, props, messageContext);
            } catch (AuthorizationException e) {
                throw AxisFault.makeFault(e);
            }
        }
    }

server-config.wsdd

    <?xml version="1.0" encoding="UTF-8"?>
    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
      <globalConfiguration>
        <requestFlow>
          <handler type="java:org.globus.ogsa.impl.security.authorization.AuthorizationHandler"/>
        </requestFlow>
      </globalConfiguration>
    </deployment>
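To make the three named authorization methods concrete, here is an added Python model of what the none/self/gridmap branches decide for a given peer identity. It is example code written for this page, not the GT3 handler itself or its GridMapAuthorization class: the grid-mapfile contents are constructed, the proxy-suffix stripping rule (legacy /CN=proxy and /CN=limited proxy, numeric CN for RFC 3820 proxies) is an assumption about how the peer DN is reduced to an end-entity identity, and DefaultAuthorization is not modelled because the slides do not say what it does.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample grid-mapfile (not a real site's map): a quoted
# distinguished name followed by one or more comma-separated local accounts.
SAMPLE_GRIDMAP = '''
# lines starting with '#' are comments
"/O=Grid/OU=Example/CN=Alice Example" alice
"/O=Grid/OU=Example/CN=Bob Example" bob,bobadm
'''

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)$')

# Assumption: legacy GSI proxies append /CN=proxy or /CN=limited proxy to the
# end-entity subject and RFC 3820 proxies append a numeric CN; stripping them
# recovers the identity the grid-mapfile is keyed on.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


class AuthorizationError(Exception):
    """Plays the role of the AuthorizationException the handler faults on."""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {identity DN: [local accounts]}."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        mapping[m.group("dn")] = m.group("users").split(",")
    return mapping


def identity_of(subject_dn: str) -> str:
    """Strip trailing proxy CN components until the end-entity DN remains."""
    dn = subject_dn
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn, count=1)
    return dn


def authorize(mode: str, peer_dn: str, service_dn: Optional[str] = None,
              gridmap: Optional[Dict[str, List[str]]] = None) -> str:
    """Apply the configured method to the peer identity.

    Returns the local account for 'gridmap' and the accepted identity for
    'self' and 'none'; raises AuthorizationError when access is denied or the
    method name is unknown (the handler above faults on an unknown name too).
    """
    identity = identity_of(peer_dn)
    method = mode.lower()
    if method == "none":
        return identity
    if method == "self":
        # Only the service's own identity (e.g. a proxy of it) may call
        if service_dn is None or identity != identity_of(service_dn):
            raise AuthorizationError("peer %s is not the service's own identity" % identity)
        return identity
    if method == "gridmap":
        accounts = (gridmap or {}).get(identity)
        if not accounts:
            raise AuthorizationError("no grid-mapfile entry for %s" % identity)
        return accounts[0]  # first mapping is the default local account
    raise AuthorizationError("bad authorization method: %r" % mode)


def decision(mode: str, peer_dn: str, **kw) -> Tuple[str, str]:
    """Convenience wrapper returning ('allow', result) or ('deny', reason)."""
    try:
        return ("allow", authorize(mode, peer_dn, **kw))
    except AuthorizationError as exc:
        return ("deny", str(exc))


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    proxy = "/O=Grid/OU=Example/CN=Alice Example/CN=proxy/CN=proxy"
    print(decision("gridmap", proxy, gridmap=gm))
    print(decision("self", proxy, service_dn="/O=Grid/OU=Example/CN=host/grid.example.org"))
```

The point worth noting for a custom handler is the last line of authorize(): a misspelled method name in the descriptor denies everything rather than silently falling back to "none", which is the behaviour the shipped handler's badAuthMethod branch has as well.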
GSI Secure Conversation
- Based on GSSAPI, WS-Security, XML-Signature and XML-Encryption
- Session based
- Support for delegation
  - Automatic refresh of the delegated proxy on redelegation
- Uses our SSL based GSSAPI mechanism
- Protocol is driven by gss_init/accept_sec_context, get_mic/verify_mic and wrap/unwrap

Secure Conversation PortType

    <gwsdl:portType name="SecureContextEstablishmentPortType">
      <operation name="initTokenExchange">
        <input message="tns:InitTokenExchangeInputMessage"/>
        <output message="tns:InitTokenExchangeOutputMessage"/>
        <fault name="MechanismTypeNotSupportedFault" message="tns:MechanismTypeNotSupportedFault"/>
      </operation>
      <operation name="continueTokenExchange">
        <input message="tns:ContinueTokenExchangeInputMessage"/>
        <output message="tns:ContinueTokenExchangeOutputMessage"/>
        <fault name="InvalidContextIdFault" message="tns:InvalidContextIdFault"/>
      </operation>
    </gwsdl:portType>

Secure Conversation Messages

    <complexType name="ContextTokenType">
      <sequence>
        <element name="base64Token" type="base64Binary"/>
        <element name="context-id" type="string"/>
      </sequence>
      <attribute name="continue-needed" type="boolean"/>
    </complexType>
    <complexType name="ContextTokenElementType">
      <sequence>
        <element name="contextToken" type="authtypes:ContextTokenType"/>
      </sequence>
    </complexType>

Secure Conversation Messages Continued

    <complexType name="ContextTokenOutType">
      <sequence>
        <element name="base64Token" type="base64Binary"/>
        <element name="context-id" type="string"/>
      </sequence>
      <attribute name="continue-needed" type="boolean"/>
    </complexType>
    <complexType name="ContextTokenOutElementType">
      <sequence>
        <element name="contextTokenOut" type="authtypes:ContextTokenOutType"/>
      </sequence>
    </complexType>

Secure Conversation Messages Continued

    <complexType name="InitContextTokenType">
      <complexContent>
        <extension base="auth-types:ContextTokenType">
          <attribute name="mechanism-type" use="required" type="string"/>
        </extension>
      </complexContent>
    </complexType>
    <complexType name="InitContextTokenElementType">
      <sequence>
        <element name="initContextToken" type="auth-types:InitContextTokenType"/>
      </sequence>
    </complexType>

Secure Conversation Messages Recap
Context establishment messages contain:
- Base64 encoded GSS token
- Context identifier
- Continue-needed indicator
- Mechanism OID (initial message only)
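The port type, the message schema and the Context Manager described on the earlier server-side slide fit together as one loop, shown here as an added Python example that is not part of the slides or of GT3. It serialises and parses messages with exactly the fields of the schema above (base64Token, context-id, continue-needed, and mechanism-type on the initial message only), and a small server-side ContextManager hands out context ids, raises the two faults the port type declares, and destroys contexts whose lifetime has passed. The GSS accept call is replaced by a toy two-round handshake, the mechanism identifier is a labelled placeholder, and the clock is injected so expiry can be exercised without waiting.

```python
import base64
import itertools
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: a placeholder mechanism identifier; a real deployment puts the
# OID of its GSSAPI mechanism in mechanism-type.
SAMPLE_MECH = "urn:example:gssapi-mechanism-oid"


class MechanismTypeNotSupportedFault(Exception):
    """Fault for initTokenExchange with an unknown mechanism-type."""


class InvalidContextIdFault(Exception):
    """Fault for continueTokenExchange with an unknown context-id."""


def build_token(element_name: str, token: bytes, context_id: str,
                continue_needed: bool, mechanism_type: Optional[str] = None) -> str:
    """Serialise one context-establishment message per the slide schema."""
    el = ET.Element(element_name, {"continue-needed": "true" if continue_needed else "false"})
    if mechanism_type is not None:          # only initContextToken carries it
        el.set("mechanism-type", mechanism_type)
    ET.SubElement(el, "base64Token").text = base64.b64encode(token).decode("ascii")
    ET.SubElement(el, "context-id").text = context_id
    return ET.tostring(el, encoding="unicode")


def parse_token(xml_text: str) -> Dict[str, object]:
    el = ET.fromstring(xml_text)
    return {
        "token": base64.b64decode(el.findtext("base64Token") or ""),
        "context_id": el.findtext("context-id") or "",
        "continue_needed": el.get("continue-needed") == "true",
        "mechanism_type": el.get("mechanism-type"),
    }


def toy_accept_sec_context(state: List[bytes], token: bytes) -> Tuple[bytes, bool]:
    """Stand-in for gss_accept_sec_context: needs two client tokens before the
    context is established. Returns (output token, continue_needed)."""
    state.append(token)
    if len(state) < 2:
        return b"challenge:" + token, True
    return b"established:" + b"|".join(state), False


class ContextManager:
    """Server-side bookkeeping: hands out context ids, drives the accept loop,
    and destroys contexts once their lifetime has passed."""

    def __init__(self, lifetime_seconds: float, supported_mechs, clock: Callable[[], float]):
        self.lifetime = lifetime_seconds
        self.supported = set(supported_mechs)
        self.clock = clock
        self.contexts: Dict[str, dict] = {}
        self._ids = itertools.count(1)

    def init_token_exchange(self, xml_text: str) -> str:
        msg = parse_token(xml_text)
        if msg["mechanism_type"] not in self.supported:
            raise MechanismTypeNotSupportedFault(str(msg["mechanism_type"]))
        ctx_id = "ctx-%d" % next(self._ids)
        self.contexts[ctx_id] = {"state": [], "established": False,
                                 "expires": self.clock() + self.lifetime}
        return self._drive(ctx_id, msg["token"])

    def continue_token_exchange(self, xml_text: str) -> str:
        self.destroy_expired()               # an expired id is an invalid id
        msg = parse_token(xml_text)
        ctx_id = str(msg["context_id"])
        if ctx_id not in self.contexts:
            raise InvalidContextIdFault(ctx_id)
        return self._drive(ctx_id, msg["token"])

    def _drive(self, ctx_id: str, token) -> str:
        ctx = self.contexts[ctx_id]
        out, cont = toy_accept_sec_context(ctx["state"], token)
        ctx["established"] = not cont
        return build_token("contextTokenOut", out, ctx_id, cont)

    def destroy_expired(self) -> int:
        now = self.clock()
        expired = [c for c, v in self.contexts.items() if v["expires"] <= now]
        for c in expired:
            del self.contexts[c]
        return len(expired)


def fault_name(fn, *args) -> Optional[str]:
    """Return the fault class name a call raises, or None if it succeeds."""
    try:
        fn(*args)
        return None
    except (MechanismTypeNotSupportedFault, InvalidContextIdFault) as exc:
        return type(exc).__name__
```

Two details carry over to a real deployment: the server, not the client, chooses the context-id, and continueTokenExchange purges expired contexts before lookup so that a stale id is rejected with the same fault as a never-issued one.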
GSI Secure Conversation & XML-Encryption

    <soapenv:Envelope>
      <soapenv:Header>
        <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
          <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:DataReference URI="EncryptedBody"/>
          </xenc:ReferenceList>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <xenc:EncryptedData Id="EncryptedBody" Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-enc"/>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>00000000-7562-527e-00000000-0000322d926f</ds:KeyName>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>FwMAAQ...kwn55YyoSCw92ILu</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </soapenv:Body>
    </soapenv:Envelope>

GSI Secure Conversation & XML-Signature

    <soapenv:Envelope>
      <soapenv:Header>
        <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
            xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
              <ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
              <ds:Reference URI="#digestSource">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>CGnV0ogSVvsS dpABEJI2 hs4o4</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>AAAAAAAAAAEAAALI9CswCadOGScGWbGsrSkAD6PcyS0</ds:SignatureValue>
            <ds:KeyInfo>
              <ds:KeyName>00000000-5680-d374-00000000-00001223536a</ds:KeyName>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <shutdownResponse wsu:Id="digestSource"/>
      </soapenv:Body>
    </soapenv:Envelope>
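In both envelopes the cryptographic part (the GSS MIC in SignatureValue, the wrapped body in CipherValue) is only meaningful if the surrounding structure binds it to the right thing: the Reference must resolve to exactly one element, that element must be the SOAP Body content, and the KeyName must be a context this server actually established. The following added Python example (not GT3 code) performs those structural checks on a constructed message modelled on the shutdownResponse envelope above; the digest and signature values are dummies, "ctx-1" stands in for a context-id KeyName, and the wsu namespace declaration, which the slide omits, is an assumption. The GSS verify_mic call that the real Secure Conversation Message Handler performs afterwards is out of scope here.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    # Assumption: the 2002 WS-Security utility namespace for wsu:Id
    "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",
}
WSU_ID = "{%s}Id" % NS["wsu"]
GSSAPI_SIGN = "http://www.globus.org/2002/04/xmlenc#gssapi-sign"

# Constructed message modelled on the slide's shutdownResponse example; the
# DigestValue and SignatureValue are dummies and ctx-1 is a sample context-id.
SIGNED_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">
  <soapenv:Header>
    <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.globus.org/2002/04/xmlenc#gssapi-sign"/>
          <ds:Reference URI="#digestSource">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>ZHVtbXktZGlnZXN0</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ZHVtbXktbWlj</ds:SignatureValue>
        <ds:KeyInfo><ds:KeyName>ctx-1</ds:KeyName></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <shutdownResponse wsu:Id="digestSource"/>
  </soapenv:Body>
</soapenv:Envelope>"""


def check_signature_binding(xml_text: str, known_contexts: Set[str]) -> List[str]:
    """Return a list of binding problems (empty means the message may proceed
    to MIC verification)."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature in wsse:Security header"]

    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != GSSAPI_SIGN:
        problems.append("unexpected SignatureMethod")

    body = root.find("soapenv:Body", NS)
    body_elements = set(body.iter()) if body is not None else set()
    covers_body = False
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            problems.append("non-local Reference URI %r" % uri)
            continue
        # wsu:Id must be unique: two elements with the same Id would let the
        # digest be computed over one and the service act on the other
        matches = [e for e in root.iter() if e.get(WSU_ID) == uri[1:]]
        if len(matches) != 1:
            problems.append("Reference %s resolves to %d elements, expected 1" % (uri, len(matches)))
        elif matches[0] in body_elements:
            covers_body = True
        else:
            problems.append("Reference %s points outside the Body" % uri)
    if not covers_body:
        problems.append("signature does not cover the Body")

    key = sig.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
    if key not in known_contexts:
        problems.append("KeyName %r is not an established context" % key)
    return problems


if __name__ == "__main__":
    print(check_signature_binding(SIGNED_ENVELOPE, {"ctx-1"}))
```

The KeyName check is where the Context Manager from the server-side slides earns its keep: the handler looks the KeyName up among established contexts and refuses messages that name an unknown or expired one before any cryptography runs.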
Performance
- Needs to be improved
  - Currently about 10x slower than insecure
  - Initialization is very slow
  - Apache XML security libraries add large overhead (3x per message processed)
- JSR 105/106 are moving along
  - Apache will adopt
  - We don't want to make major changes now
- Concentrate on low cost, high impact improvements
  - Move some interactions to Secure Message
  - Fewer roundtrips

New Secure Conversation Features (3.x)
- Support for anonymous authentication
- Support for specifying context lifetime
- Some performance improvements

GSI Secure Message
- Supports integrity protection with X509 certificates
- Can be combined with GSI Secure Conversation
- Not fully featured
  - Support for proxy certificates
  - No replay attack prevention
  - No encryption support
- Missing features slated for 3.x

GSI Secure Message Example

    <soapenv:Envelope ...>
      <soapenv:Header>
        <wsse:Security soapenv:actor="" soapenv:mustUnderstand="0">
          <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
              wsu:Id="token1073175857792">3glkeh6...wvZFY1waVEKaQ</wsse:BinarySecurityToken>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#digestSource">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>v8iQBeaSs9/XZNEyWb00z/23nuE</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>IFQS5...12mCw</ds:SignatureValue>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#token1073175857792"/>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
          </ds:Signature>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <pingResponse wsu:Id="digestSource" .../>
      </soapenv:Body>
    </soapenv:Envelope>
Username/Password
- Not clear which release this will show up in
- Potential mechanisms:
  - WS-Security Username/Password token
    - Should be used in combination with anonymous Secure Conversation
  - More advanced/secure username/password schemes, such as AuthA

The AuthA Protocol
- Client has the password
- Server has the secret f(servername, username, password), where f is a secure one-way function
- Client and server create a session key using an encrypted Diffie-Hellman exchange
- Client and server authenticate each other
- Security proof exists
- Details at http://grouper.ieee.org/groups/1363/passwdPK/contributions/autha.pdf

Discussion
- WS-Resource impact
- One time passwords
- Smart card support
- Kerberos
- Other authentication mechanisms?
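To show the shape of the AuthA slide (server stores only f(servername, username, password), an encrypted Diffie-Hellman exchange yields a session key, then mutual authentication), here is an added Python sketch. It is illustrative code written for this page, not the AuthA specification from the linked paper and not GT3 code: f is SHA-256 over the three values, "encryption" of the Diffie-Hellman values is a password-derived XOR pad, the group is a toy 127-bit Mersenne prime chosen for readability, and the proof tags are HMACs over the derived key. Server and client are separate objects so that the three message flows are visible, and run_exchange() drives a full run with either the right or a wrong password.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: chosen small for readability; a real
# deployment uses a standard large safe-prime group). 2**127 - 1 is prime.
P = (1 << 127) - 1
G = 2
ELEMENT_BYTES = 16


def f(servername: str, username: str, password: str) -> bytes:
    """The one-way function from the slide: the server stores only this
    32-byte value, never the password itself."""
    data = b"\0".join(s.encode("utf-8") for s in (servername, username, password))
    return hashlib.sha256(data).digest()


def _pad(secret: bytes, label: bytes) -> bytes:
    return hashlib.sha256(secret + label).digest()[:ELEMENT_BYTES]


def encrypt_element(value: int, secret: bytes, label: bytes) -> bytes:
    """Mask a group element with a pad derived from the password secret (the
    'encrypted' part of encrypted Diffie-Hellman, simplified here)."""
    raw = value.to_bytes(ELEMENT_BYTES, "big")
    return bytes(a ^ b for a, b in zip(raw, _pad(secret, label)))


def decrypt_element(blob: bytes, secret: bytes, label: bytes) -> int:
    raw = bytes(a ^ b for a, b in zip(blob, _pad(secret, label)))
    return int.from_bytes(raw, "big")


def session_key(shared: int, X: int, Y: int, servername: str, username: str) -> bytes:
    data = b"".join(v.to_bytes(ELEMENT_BYTES, "big") for v in (shared, X, Y))
    return hashlib.sha256(data + servername.encode() + username.encode()).digest()


def tag(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class Server:
    def __init__(self, servername: str, verifiers: dict):
        self.servername, self.verifiers, self.pending = servername, verifiers, {}

    def step1(self, username: str, enc_X: bytes) -> bytes:
        """Flow 1 -> 2: unmask the client's g^x, answer with masked g^y."""
        secret = self.verifiers[username]
        X = decrypt_element(enc_X, secret, b"client")
        y = secrets.randbelow(P - 2) + 1
        Y = pow(G, y, P)
        self.pending[username] = session_key(pow(X, y, P), X, Y, self.servername, username)
        return encrypt_element(Y, secret, b"server")

    def step2(self, username: str, client_tag: bytes):
        """Flow 3 -> 4: verify the client's proof; reply with the server's or None."""
        key = self.pending.pop(username)
        if not hmac.compare_digest(tag(key, b"client auth"), client_tag):
            return None
        return tag(key, b"server auth")


class Client:
    def __init__(self, servername: str, username: str, password: str):
        self.servername, self.username = servername, username
        self.secret = f(servername, username, password)   # derived from the password

    def step1(self) -> bytes:
        self.x = secrets.randbelow(P - 2) + 1
        self.X = pow(G, self.x, P)
        return encrypt_element(self.X, self.secret, b"client")

    def step2(self, enc_Y: bytes) -> bytes:
        Y = decrypt_element(enc_Y, self.secret, b"server")
        self.key = session_key(pow(Y, self.x, P), self.X, Y, self.servername, self.username)
        return tag(self.key, b"client auth")

    def step3(self, server_tag) -> bool:
        return server_tag is not None and hmac.compare_digest(tag(self.key, b"server auth"), server_tag)


def run_exchange(client_password: str, registered_password: str) -> bool:
    """Drive one full exchange; True only when both sides authenticate."""
    host, user = "grid.example.org", "alice"          # constructed sample identities
    server = Server(host, {user: f(host, user, registered_password)})
    client = Client(host, user, client_password)
    enc_Y = server.step1(user, client.step1())
    server_tag = server.step2(user, client.step2(enc_Y))
    return client.step3(server_tag)


if __name__ == "__main__":
    print(run_exchange("correct horse battery", "correct horse battery"))  # True
    print(run_exchange("wrong password", "correct horse battery"))         # False
```

Two properties of the slide's design are visible in the run: a wrong password on either side produces different session keys, so the HMAC proofs fail and no key is confirmed, and the server side holds only f(servername, username, password), so the value it stores is bound to this server and user rather than being the reusable password.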