National Institute of Advanced Industrial Science and Technology
International Grid Trust Federation
Three key functions in a Grid security model
- Multiple security mechanisms
- Dynamic creation of services
- Dynamic establishment of trust domains (a VO as a trust domain)
Source: Von Welch, et al., Security for Grid Services, HPDC-12, 2003
Security Challenges in a Grid Environment
- The Integration Challenge
- The Interoperability Challenge: hosting environment interoperability at the protocol level (SOAP/HTTP), the policy level (party) and the identity level (identity, credential)
- The Trust Relationship Challenge: identity and authorization (identity, privilege); policy enforcement; assurance level discovery (privacy, virus protection, firewall usage, VPN, etc.); policy composition; delegation
Source: Nataraj Nagaratnam, et al., Security Architecture for Open Grid Services, GWD-I (draft-ggf-ogsa-sec-arch-01)
GSI: Grid Security Infrastructure
- PKI based on X.509 certificates and X.509 CAs
- SSL protocol; WS-Security
- X.509 Proxy certificates (RFC 3820)
Proxy certificates
- Certificate: Subject DN; Issuer (CA); Digital Signature
- Proxy certificate, created by grid-proxy-init: Subject DN/Proxy; Issuer; Digital Signature
- GSI Proxy (Globus): grid-proxy-init creates the proxy certificate; proxy certificates enable delegation and single sign on
Proxy certificates: Single Sign On + Delegation (Globus Toolkit)
- MyProxy; Grid Portal; proxy authentication & delegation
Topics at Globus World 2005 (by Globus Alliance): Web, GridShib, XACML, PURSE, MyProxy, One-Time Password Auth & Key exchange
GGF14: OGSA AuthZ WG (SAML authorization), Trusted Computing RG (TCG), Firewall Issues RG, CAOPs WG, International Grid Trust Federation (IGTF)
Grid-Shibboleth Integration: A Policy Controlled Attribute Framework (Von Welch, Globus Alliance)
- NMI, December 2004: integration of Shibboleth and the Grid (GT4); Internet2 Shibboleth; SAML identity vs. X.509 identity
- Pull model: Globus services query Shibboleth (GT4.x, WS and Pre-WS)
- Push model: Shibboleth with VOMS / CAS; first release in 2005 (GT4.2?)
Access Control for the Grid: XACML (Anne Anderson, Sun)
- XACML (eXtensible Access Control Markup Language) is an OASIS standard
- Open source implementations by Sun Microsystems
- Globus Toolkit will ship with an XACML runtime by ANL (GT4.0; GT4.2 or later)
Portal-based Authorization Solution for the Earth System Grid SciDAC Project (Veronika Nefedova, ANL)
- DOE Earth System Grid; PURSE (Portal-based User Registration Service); MyProxy; web portal
- Long-lived credentials stored in MyProxy; ESG external GridFTP access via the portal URL
- SAML assertion from CAS; MyProxy proxy carrying the SAML assertion; CAS-enabled GridFTP
Using the MyProxy Online Credential Repository (Jim Basney, NCSA)
- MyProxy; PURSE (Portal-based User Registration Service)
- Long-lived credentials, short-lived proxies
- MyProxy + SASL OTP; MyProxy password; Kerberos ticket as an alternative to the MyProxy password
Secure (One-Time-)Password Authentication for the Globus Toolkit (Olivier Chevassut, LBNL)
- Long-lived credentials stay in the data center; the user holds only a short-lived OTP
- One-Time Password authentication and Key Exchange (OPKeyX)
- Globus with OPKeyX at the transport layer (TLS) and with WS-SecureConversation
Virtual Machines as Virtual Resources on the Grid (Kate Keahey, ANL)
- VMs started through GRAM; Xen VMs
Summary of the first part
- SAML, XACML; Web
- Proxy certificates: Single Sign On, Delegation
- Authorization
- Long-lived credentials vs. OTP
- VM
International Grid Trust Federation
CAs / X.509 certificates; X.509 PKI
Multi PKI domain: Cross Certification, Cross Recognition, Bridged CA; pros/cons; HSM.
Policy Management Authority (PMA)
International Grid Policy Management Authority (http://www.gridpma.org): "The goal of the Grid PMA will be to harmonize these various PMAs policies to allow for a global trust relationship to be established."
- European Grid PMA
- Asia Pacific Grid PMA
- Americas Grid PMAs: DOE Grids, Grid Canada, NCSA Alliance, NASA IPG
Regional PMAs
- EUGrid PMA (established May 2004); former: EUDG WP6 CA Coordination Group (started in 2002)
- TAG PMA (going to be established); former: DOEGrid PMA (started in 2002)
- APGrid PMA (established June 2004); unofficially started in 2003
International Grid Trust Federation (IGTF)
- GGF CAOPs WG; GGF7 @ Tokyo, March 2003: first meeting with EU, DOE, and AP members; agreed on working on forming the Grid PMA: develop minimum requirements, develop the GridPMA charter
- September 2004: DOEGrid PMA, EUGrid PMA, APGrid PMA
- March 2005: International Grid Trust Federation
- May 2005: APGrid PMA joins IGTF/PMA
Q: Can EGEE trust your CA? How is the procedure for reviewing/accrediting your CA? Does your CA need to be reviewed by individual organizations in EGEE? If the other CAs in Asia wish to be trusted by EGEE, is a separate review necessary?
A: APGridPMA will accredit your CA. EGEE does not need to review/accredit your CA.
Q: Can your organization trust CAs in EGEE? How is the procedure for reviewing? Do you need to review all CAs in EGEE?
A: EUGridPMA will accredit the CAs. Neither you nor APGridPMA need to review/accredit CAs in EGEE.
Q: If you will launch a new CA that is expected to be trusted by organizations in EGEE, how should you design the policy and practices of your CA?
A: APGrid PMA provides minimum requirements.
APGrid PMA: Asia Pacific Grid PMA
- Established June 1, 2004
- Minimum requirements
- APGrid PMA accredits CAs at experimental level and production level
APGridPMA: Status (Members and CAs)
Columns on the original slide: Affiliation, Name, Production, Experimental, LCG? (the status entries below are reproduced as extracted; their column assignment is not recoverable)
- AIST / Japan, Yoshio Tanaka: will close
- ASCC / Taiwan, Eric Yen: none, yes
- KISTI / Korea, Jae-Hyuck Kwak: yes
- CAS / China, Kai Nan
- IHEP / China, Gonxing Sun: CP under review, none, yes
- VPAC / Australia, Damon Smith: planning, yes
- NCHC / Taiwan, Julian Yu-Chung Chen: planning
- Osaka U / Japan, Susumu Date: planning
- SDSC / USA, Mason Katz: plan, planning
- HKU / Hong Kong, Chen Lin, Elaine: plan
- U of Hyd / India, Arun Agarwal: plan
- USM / Malaysia, Boon Yaik: plan
- BII / Singapore, Kishore Sakharkar: plan
- NAREGI
IGTF (CAOPs WG)
- Charter: a federation of APGrid PMA, EUGrid PMA and TAGPMA; the IGTF coordinates the PMAs
- Charter (EUGrid PMA); CA RPM distribution
- Mailing lists: IGTF-PMA@gridpma.org, IGTF-General@gridpma.org
- IGTF Chair; PMA chairs; CA RPM; CRL; minimum requirements
Summary
- EUGrid PMA, TAG PMA, APGrid PMA
- APGridPMA is a coordination body of CA policies in Asia Pacific.
- APGridPMA is collaborating with EUGrid PMA and TAGPMA for the International Grid Trust Federation.
More Information
- APGrid PMA: http://www.apgridpma.org/
- EUGrid PMA: http://www.eugridpma.org/
- TAGPMA: http://www.tagpma.org/
- GridPMA: http://www.gridpma.org/
- ApGrid: http://www.apgrid.org/
- PRAGMA: http://www.pragma-grid.net/
- GTRC/AIST: http://www.gtrc.aist.go.jp/
- My email address: yoshio.tanaka@aist.go.jp