Daonity: Grid Security with Behaviour Conformity from Trusted Computing
Daonity Team
Led by HP Labs China
Joint work with Wuhan University, Huazhong University of Science & Technology, Oxford University
Outline
Grid Security: Requirements & Solutions
Project Daonity
Work so far (with innovations)
Deliverables (to Global Grid Forum)
Grid Security: Requirements
1 Authentication (the basics: user/resource identification)
2 Single-sign-on (SSO, one credential to rule them all, with ubiquitous usability)
3 Authorization (policy, e.g., access control list)
4 Security for dynamic virtual organization with policy enforcement
5 Security for federated computing (e.g., science collaboration)
Grid Security: GSI – Grid Security Infrastructure for Globus Toolkit 4
1 (Authentication) PKI applications, proxy certificates for Virtual Organisation (VO)
2 (SSO) MyProxy: an online credential server using shared password
3 (Authorization) GridMap: a file mapping between VO policy to local policy
4 (Security tuned for VO): unclear in GSI
5 (Security for federated computing): unclear in GSI
Authentication: PKI applications – notion of proxy certificate in GSI
A typical VO (tapping computation from super computers elsewhere):
Denote user Alice by Proxy 0
Proxy i has a proxy cryptographic credential created by Proxy i-1
A proxy credential (and certificate) is short-lived (default lifetime = 12h if sent to a foreign machine or 7 days if stored in the owner’s)
Verification of proxy certificates at each proxy must trace back to CA along the chain (so it’s a genuine resource request from Alice)
[Figure: proxy certificate chain. CA signs Alice's certificate; Alice signs Proxy 1's certificate; each Proxy i signs the certificate of Proxy i+1, up to Proxy n.]
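The chain rule above (every proxy certificate must be traceable back to the CA, and every proxy is short-lived) can be exercised with ordinary X.509 machinery. The following Go program is an added illustration, not Daonity or Globus code: it builds a chain CA → Alice (Proxy 0) → Proxy 1 → … → Proxy n, then verifies the last proxy at different times and with one link withheld. Go's `crypto/x509` does not implement RFC 3820 proxy certificates, so delegation is modelled with CA-capable certificates; the CA name, the 7-day and 12-hour lifetimes and the "Proxy i" subjects are assumed values for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifetimes, matching the GSI defaults quoted on the slide.
const (
	userLifetime  = 7 * 24 * time.Hour // credential stored on the owner's machine
	proxyLifetime = 12 * time.Hour     // proxy sent to a foreign machine
)

var serialCounter int64

// issue signs a certificate for subject with the parent's key. A nil parent
// produces a self-signed root. Every certificate is marked CA-capable so that
// Proxy i may in turn sign Proxy i+1 (a stand-in for proxy-certificate rules).
func issue(subject string, parent *x509.Certificate, parentKey ed25519.PrivateKey,
	lifetime time.Duration, now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Chain holds one delegation chain: the CA, then Certs[0] = Alice (Proxy 0)
// and Certs[i] = Proxy i.
type Chain struct {
	CA    *x509.Certificate
	Certs []*x509.Certificate
}

// BuildChain creates the CA, Alice's credential and hops proxies, each signed
// by the previous one.
func BuildChain(hops int, now time.Time) (*Chain, error) {
	ca, caKey, err := issue("Daonity Demo CA (assumed)", nil, nil, 10*365*24*time.Hour, now)
	if err != nil {
		return nil, err
	}
	parent, parentKey, err := issue("Alice", ca, caKey, userLifetime, now)
	if err != nil {
		return nil, err
	}
	certs := []*x509.Certificate{parent}
	for i := 1; i <= hops; i++ {
		c, k, err := issue(fmt.Sprintf("Proxy %d", i), parent, parentKey, proxyLifetime, now)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
		parent, parentKey = c, k
	}
	return &Chain{CA: ca, Certs: certs}, nil
}

// Verify checks that the last proxy traces back to the CA at time now. The
// certificate at index withhold (if >= 0) is left out of the intermediates,
// simulating a link missing from the presented chain. It returns the length of
// the path found (leaf through root). Cost grows with the number of hops; the
// TPM key-migration design on later slides is what makes it constant.
func (ch *Chain) Verify(now time.Time, withhold int) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ch.CA)
	inter := x509.NewCertPool()
	for i, c := range ch.Certs[:len(ch.Certs)-1] {
		if i != withhold {
			inter.AddCert(c)
		}
	}
	leaf := ch.Certs[len(ch.Certs)-1]
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	now := time.Now()
	ch, err := BuildChain(3, now)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		at   time.Duration
		hold int
	}{{time.Hour, -1}, {13 * time.Hour, -1}, {time.Hour, 1}}
	for _, c := range cases {
		n, err := ch.Verify(now.Add(c.at), c.hold)
		fmt.Printf("+%v withhold=%d: path length %d, err=%v\n", c.at, c.hold, n, err)
	}
}
```

Run as-is: the first case verifies a five-certificate path, the second fails one hour after the 12-hour proxy lifetime even though Alice's own credential is still valid, and the third fails because Proxy 1 is missing, so Proxy 3 can no longer be traced to the CA.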
Authorization: GridMap in GSI
GSI utilizes a gridmap file to map an accessing user to a local user in order to resolve the policy status of the former.
Similar to leaving a proxy private key on disk, the GridMap file has weak protection: a plaintext file in the file space, modifiable by the root user, readable by CAS.
CAS = Community Authorization Service
Project Daonity
A Grid security standard development track in the Global Grid Forum (GGF):
https://forge.gridforum.org/projects/tc-rg/
“Trusted Computing for Grid Security” (TC-RG)
RG = “Research Group”, which I co-chair with Andrew Martin of Oxford University
Implementation work is with the Chinese colleagues:
Wuhan Univ: Trusted Computing (hot in China)
Huazhong Univ of Sci & Tech: ChinaGrid (a big grid project)
Mission
Trusted Computing for Grid Security
TCG based cryptographic credential protection
Using TPM in the Grid security environment
Approach
To work on the standards of TCG and Grid (GT & EGEE)
To port OpenSSL to TSS
TC enabled GSI
To develop an open source software package as on-going GSI open standard development
Not just code implementation
Non-trivial research results obtained: security suitable for VO; policy enforcement for VO; sharing of security resource; solutions to grid authorization problems, etc.
Description of Work
[Figure: Daonity architecture (TCG extended GSS-API). Top to bottom: legacy grid applications and TCG enabled grid applications; grid middleware (Globus Toolkit, CGSP); GSS API, offered as Java GSS-API (Java GSS over JCE SPI) and C GSS-API (C GSS over SSL), with a TCG security extension; Crypto API over the OpenSSL Crypto API, with a hardware CSP and a software CSP (hardware/software crypto package); TSS (TSS Service Provider, TSS Core Service, TSS device driver library) and the TPM device driver; the TPM. The original GSI path is shown beside the Special Security Module for Grid.]
TC for Grid Security Innovations – VO with Behavior Conformity
Instead of using a long chain of proxy certificates, Daonity uses TC’s key migration technique between TPMs
Result: Constant time and storage cost for certificate verification
Behavior conformity I: No need of short lifetime stipulation. As a migration authority, Alice has her liberty to switch the migrated copy of her certificate off after the job completes
Behavior conformity II: Property-based VO, using property certificates, Alice can have a VO satisfying given properties (eg, hardware configurations)
[Figure: CA signs Alice's certificate; Alice's private key stays in her TPM and migrates to the TPM of Server 1, and from there to the TPM of Server n. Each server holds the same certificate, with the private key held in its TPM.]
TC for Grid Security Innovations– MyProxy
MyProxy is an online server to achieve single sign on (SSO) using a shared password between user and server. Weak security of course (encryption of private key using password), but SSO is indispensable
Problems as a result of TC enhanced GSI:
How can a user without a TPM use TC enhanced GSI with SSO?
How can a user of a desktop TPM roam without downgrading security?
Grid is about resource sharing!
Property of TC: behaviour conformity: TPM owner is prohibited from doing certain things, eg, accessing the private key of a user
New Protocol between a guest user and MyProxy:
1) MyProxy generates a user proxy credential as usual (i.e., password protected);
2) It encrypts the result using a public key of the TPM of a hosting platform;
So, not only SSO is preserved with TC strengthened security,
but also TPM becomes a shared resource; the owner cannot use the guest’s credential
One may not own a TPM. But from Daonity, TPM enhanced Grid security will make shared use of TPM to become available to ALL in one go
TC for Grid Security Innovations – Gridmap
Gridmap Modify: a module for modifying gridmap files, writing to persistent storage, and signing for integrity protection
Gridmap Use : a module for allowing GSI to read and verify signature of the current gridmap file, and alerting integrity failure
Gridmap Renew : a module for keeping in TPM an audit trail of gridmap files:
PCR ← SHA-1(PCR || gm_i)
The audit trail is: PCR, gm_1, gm_2, …, gm_i, …
This is also a mechanism allowing proof of proper
conduct by the root user (protection from being framed)
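The three Gridmap modules above are small enough to model end to end. The Go program below is an added example (not Daonity's code) of Modify signing a gridmap, Use verifying the signature and parsing the `"DN" localuser` lines, and Renew extending a PCR-style register with PCR ← SHA-1(PCR || gm_i) while keeping the audit trail PCR, gm_1, …, gm_i. The TPM is a plain struct, the signing key is an ordinary Ed25519 key standing in for a TPM-held key, and the gridmap contents are constructed sample data; only the first local user of a line is kept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"strings"
)

// PCRSize is the width of a TPM 1.1b/1.2 PCR, i.e. a SHA-1 digest.
const PCRSize = sha1.Size

// SampleGridmap is constructed sample data in gridmap syntax.
const SampleGridmap = `# constructed gridmap file
"/O=Grid/OU=Example/CN=Alice" alice
"/O=Grid/OU=Example/CN=Bob" bob,grid
`

// SignedGridmap is what Gridmap Modify writes to persistent storage.
type SignedGridmap struct {
	Content   []byte
	Signature []byte
}

// Modify replaces the gridmap content and signs it for integrity protection.
func Modify(key ed25519.PrivateKey, content []byte) SignedGridmap {
	return SignedGridmap{Content: content, Signature: ed25519.Sign(key, content)}
}

// ParseGridmap maps each quoted DN to its first local user. Blank lines and
// comments are skipped; any other malformed line is an error.
func ParseGridmap(content []byte) (map[string]string, error) {
	m := make(map[string]string)
	for n, line := range strings.Split(string(content), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		end := strings.LastIndex(line, `"`)
		if !strings.HasPrefix(line, `"`) || end == 0 {
			return nil, fmt.Errorf("gridmap line %d: malformed entry", n+1)
		}
		dn := line[1:end]
		local := strings.Split(strings.TrimSpace(line[end+1:]), ",")[0]
		if local == "" {
			return nil, fmt.Errorf("gridmap line %d: no local user", n+1)
		}
		m[dn] = local
	}
	return m, nil
}

// Use is what GSI calls before trusting the file: verify the signature, alert
// on integrity failure, and only then parse the mapping.
func Use(pub ed25519.PublicKey, g SignedGridmap) (map[string]string, error) {
	if !ed25519.Verify(pub, g.Content, g.Signature) {
		return nil, errors.New("ALERT: gridmap integrity failure, mapping refused")
	}
	return ParseGridmap(g.Content)
}

// Extend models the TPM extend operation: PCR <- SHA-1(PCR || gm_i).
func Extend(pcr [PCRSize]byte, gm []byte) [PCRSize]byte {
	h := sha1.New()
	h.Write(pcr[:])
	h.Write(gm)
	var out [PCRSize]byte
	copy(out[:], h.Sum(nil))
	return out
}

// TPM is a stand-in for the real device: one PCR, zero at boot.
type TPM struct{ PCR [PCRSize]byte }

// Trail is the audit trail kept outside the TPM: the initial PCR value and
// every gridmap version extended into it, in order.
type Trail struct {
	Initial  [PCRSize]byte
	Versions [][]byte
}

// Renew records a new gridmap version in both the TPM and the trail.
func (t *TPM) Renew(trail *Trail, gm []byte) {
	t.PCR = Extend(t.PCR, gm)
	trail.Versions = append(trail.Versions, gm)
}

// Replay recomputes the PCR the trail claims to describe.
func (tr *Trail) Replay() [PCRSize]byte {
	pcr := tr.Initial
	for _, gm := range tr.Versions {
		pcr = Extend(pcr, gm)
	}
	return pcr
}

// Verify lets the root user prove proper conduct: the trail is genuine only
// if replaying it reproduces the value held in the TPM.
func (tr *Trail) Verify(tpmPCR [PCRSize]byte) bool { return tr.Replay() == tpmPCR }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	g := Modify(priv, []byte(SampleGridmap))
	m, err := Use(pub, g)
	fmt.Println("mapping:", m, "err:", err)
	tpm, trail := &TPM{}, &Trail{}
	tpm.Renew(trail, []byte(SampleGridmap))
	tpm.Renew(trail, append([]byte(SampleGridmap), "\"/O=Grid/OU=Example/CN=Carol\" carol\n"...))
	fmt.Println("trail matches TPM:", trail.Verify(tpm.PCR))
}
```

A forged or reordered trail fails `Verify` because every PCR value depends on all earlier versions, and an edit to the stored file without re-signing is caught by `Use` before the mapping is consulted.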
Auditing trail for Gridmap
Implementation Status
Daonity’s implementation has enjoyed great benefit from the open source availability of TrouSerS, GT4 and OpenSSL
Credential migration is the most significant bit in the implementation so far, and done in open source for the first time (TrouSerS has no migration for Daonity to work with)
So far, implementation is done only for TPM (version 1.1b) of Infineon Technology AG, and HP platforms
Since Daonity will be open source, it can soon become available to TPM platforms of all vendors
Implementation Status
Still very buggy, and because of this the demo is limited to “credential migration” (the most difficult and significant bit)
Difficult because Infineon has not made hardware development manual available for the Daonity team to use, and TrouSerS has not done migration either
Significant because we think migration is the key element to achieve property-based Grid VO (this is in fact a Daonity contribution to TCG proper, i.e., not just a TCG application, it’s a return)
What will be shown today
A proxy “certificate” in GT includes a private key in cleartext in order for a destination proxy to use. Not anymore in Daonity: a proxy cert is now 100% public!
The matching private key stays in TPMs and transfers (in TCG’s term: migrates) from one to another, never to be exposed outside TPM
The demo will show a general case of three-hop credential migration: Alice lets her proxy credential migrate to a server, then the server follows Alice’s order to let it migrate further (or duplicate to a number of TPMs)
Future Work
The following will be worked on in Daonity Phase II:
Grid security requirement 5: Grid for science collaboration, secure multiparty computation. This involves attestation technique.
TPM for servers: Trusted Servers Technology. This should be in accordance with TCG standard progress.