Current Practices on Security Technologies

Clifford Neuman. Book chapter 16 (Security, Accounting, and Assurance) in “The GRID: Blueprint for a new Computing Infrastructure”

HPC lab 2002

The computer security technologies most widely used include:

File and email encryption technologies such as PGP (Pretty Good Privacy); cf. PEM (Privacy Enhanced Mail), standardized by the IETF

Transport layer security technologies such as SSL

Authentication technologies such as Kerberos and alternatives using public-key certificates

Assurance technologies such as Authenticode

Confinement technologies to limit the actions of untrusted applications

Network encryption technologies including IPsec, sometimes used to implement VPNs

File encryption, Email and Public-key Authentication

Many programs that are in widespread use ensure the integrity, authentication, and confidentiality of email and data files. PGP is one of the most popular programs providing these protections.

The same techniques and message formats are usable to protect programs and data for grid applications.

For confidentiality:

A random (session) key (128 bit) is generated. This key is used to encrypt the message with IDEA (International Data Encryption Algorithm). The encrypted key (sender’s public key) and the message are transferred to the trusted friend.

For message authentication:

Compute a message digest over the message (MD5, a one-way hash function) and encrypt it with the sender’s private key. Send it with the message to the receiver.

The receiver extracts the hash value by own public key and compares it with its own hash value. If there is no difference, the message is authenticated.

Thus integrity (i.e., a digital signature) is provided.

Certification of public keys in most of these systems uses a common technique: a certificate containing each user's public key is signed by another entity that acts as a certifier.

The systems differ in the policies regarding who certifies user certificates.

In PGP any user can certify any other user's certificate, and the verifier decides which certifiers to accept.

This acceptance policy can range from very secure, such as accepting only the verifier's own certifications, to weaker policies including accepting certifications by personal friends or those held in high regard in the Internet community.

Most other implementations depend on established certification authorities run by trusted organizations (e.g., the user's own employer) whose authority is itself certified by higher-level authorities, including organizations such as Verisign.

In these systems, the "root CAs" are the organizations that certify other CAs, and applications must be configured to know the public keys of these root CAs.

This latter policy is a specialization of the first policy, where the choice of CAs is more rigidly specified, and it provides a means to enforce an organization's policies and limit the errors that might occur from misconfiguration or misplaced trust by users.

Although certification policies differ from system to system, most of the systems in widespread use today have adopted a common certificate format specified by the X.509 standard. Other certificate formats have been proposed and are under discussion.

Secure Sockets Layer and Transaction-Level Security

Embedded in practically every Web browser, SSL is probably the most widely deployed technology for confidentiality on the Internet today.

As shown in Figure 16.1, when a Web browser supporting SSL communicates with an SSL-enabled Web server, the server sends a public-key certificate to the client, which verifies the signature on the certificate by decrypting with the public key of the CA.

This key was obtained in advance during installation and subsequent configuration of the browser.

Verification of this certificate and then checking the host name embedded within the certificate assures the client that it is talking with the intended server (the one from the URL that it is following), and it provides the server's public key.

The server's public key is then used to encrypt a session key from a conventional cryptosystem.

The encrypted session key is sent to the server, which decrypts it, and subsequent communication between the client and the server (for the duration of the session) is confidentiality and integrity protected by using this session key.

As it is typically used, only the server has a certificate, and only the server is authenticated.

Authentication of the user is supported through a standard password-based mechanism; but because the password passes over a confidentiality-protected connection, it is not vulnerable to eavesdropping.

In cases where the client has a certified public key, the SSL protocol supports cryptographic authentication of the client.

In this scenario the client's response to the server includes the client's certificate, plus additional data that is sent to the server encrypted by using the private key that corresponds to the public key from the client's certificate.

Although used primarily to protect communication on the Web, SSL may be used to protect communication by other applications, including communication between tasks in a grid system such as Globus.

When considering the use of SSL for an application, performance of the connection establishment phase may be an issue because the public-key operations can become a bottleneck (although once an SSL connection is established, the performance of the conventional cryptosystems used is less of a factor).

To improve performance, an SSL server can be allowed to cache the conventional keys used for subsequent connections between the same client and server.

When performance is an issue, the patterns of communication (how frequently new connections are established) must be considered to determine the performance effect of connection establishment.

Kerberos

Kerberos is an authentication and key distribution protocol that uses conventional cryptography, providing significantly better performance than authentication mechanisms that rely on public-key cryptography.

Kerberos is well suited for applications and services requiring frequent authentication, and its central administration makes it well suited for integration with intrusion detection and authorization systems.

The primary disadvantage of Kerberos over systems using public-key cryptography is the requirement for a trusted "online" (connected to the Internet) certification authority called the key distribution center (KDC) and the need to go back to the KDC for each pair of communicating entities.

This is less of an issue than it might seem, however, since an online intermediary is necessary even in public-key systems to support fast revocation of credentials.

The Kerberos protocol is based in part on the symmetric version of the Needham and Schroeder authentication protocol, with changes to reduce the number of messages needed for basic authentication and the addition of a facility for subsequent authentication without reentry of the user's password.

When a client (C) wishes to communicate with a service provider (the verifier, V), it contacts the Kerberos authentication server (AS), sending its own name, the name of the server to be contacted, and additional information (1) (digitally signed by Key server’s public key).

The Kerberos server randomly generates a session key (Kc,v) and returns it to the client encrypted in the key derived from the user's password (Kc) and registered in advance with the Kerberos server(2).

The encrypted session key is returned together with a ticket (Tc,v) that contains the name of the client and the session key, all encrypted in the service provider's key (Kv).

The session key and ticket received from the Kerberos server are valid until time_exp and are cached by the client, reducing the number of requests to the Kerberos server.

Additionally, the user's secret key is needed only when initially logging in. Instead of using the user's secret key, subsequent requests during the same log-in session use the session key returned by the Kerberos server in response to an initial request.

To prove its identity to a service provider, the client forwards the ticket together with a timestamp encrypted in the session key from the ticket (3).

The service provider decrypts the ticket and uses the session key contained therein to decrypt the timestamp. If the timestamp is recent, the server knows that the message was recently generated by someone who knew the session key.

Since the session key was issued only to the user named in the ticket, the client is authenticated. If the client requires authentication from the server, the server extracts the timestamp, reencrypts it using the session key, and returns it to the client (4).
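The exchange in messages (1) to (4) above, as an added Python example that is not from the original slides or from any Kerberos implementation. The `seal`/`unseal` toy cipher, the PBKDF2 password key, the principal names and the 300-second skew window are assumptions standing in for real Kerberos encryption types and settings.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # assumed: seconds a timestamp may differ from the verifier's clock

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object (stand-in for a real Kerberos cipher)."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(ek, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor_stream(ek, nonce, ct))

def password_key(name, password):
    """Kc: key derived from the user's password (PBKDF2 is an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000)

class AuthServer:
    def __init__(self):
        self.keys = {}  # principal name -> long-term key registered in advance

    def register(self, name, key):
        self.keys[name] = key

    def request(self, client, service, now, lifetime=3600):
        """Messages 1 and 2: return (Kc,v sealed under Kc, ticket Tc,v sealed under Kv)."""
        session = os.urandom(32).hex()
        exp = now + lifetime
        for_client = seal(self.keys[client], {"key": session, "service": service, "exp": exp})
        ticket = seal(self.keys[service], {"client": client, "key": session, "exp": exp})
        return for_client, ticket

def client_authenticator(kc, for_client, now):
    """Client side of message 3: recover Kc,v and seal a fresh timestamp under it."""
    session = bytes.fromhex(unseal(kc, for_client)["key"])
    return session, seal(session, {"ts": now})

def service_verify(kv, ticket, authenticator, now):
    """Service side of messages 3 and 4: return (client name, mutual-auth reply)."""
    t = unseal(kv, ticket)              # only the holder of Kv can open the ticket
    if now > t["exp"]:
        raise ValueError("ticket expired")
    session = bytes.fromhex(t["key"])
    ts = unseal(session, authenticator)["ts"]
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("stale timestamp")
    return t["client"], seal(session, {"ts": ts})

def demo(now=1_000_000):
    kdc = AuthServer()
    kc = password_key("alice", "correct horse")  # constructed sample principal
    kv = os.urandom(32)                          # constructed service key
    kdc.register("alice", kc)
    kdc.register("fileserver", kv)
    for_client, ticket = kdc.request("alice", "fileserver", now)
    session, auth = client_authenticator(kc, for_client, now)
    who, reply = service_verify(kv, ticket, auth, now + 5)
    mutual_ok = unseal(session, reply)["ts"] == now  # message 4 proves the server knew Kc,v
    return who, mutual_ok, ticket, auth, kv

if __name__ == "__main__":
    print(demo()[:2])
```

A deployed service also remembers the authenticators it has accepted within the skew window so that a captured message (3) cannot be replayed; this block omits that cache.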

We emphasize that users and service providers need to register encryption keys in advance only with the Kerberos server itself, and not with each party with which they will eventually communicate.

Authentication by using Kerberos can work across administrative domains; when the client and application server are registered with different Kerberos servers, interrealm authentication supports access to services in other realms.

The Kerberos server, as a trusted intermediary, generates a session key when needed, distributes it to the client, and places it in the ticket where it can be subsequently recovered by the service provider.

This session key can then be used directly by the client and the service provider for encrypted communication as described in the preceding paragraphs.

Although the Kerberos authentication protocol is based on conventional cryptography, recent extensions have provided for integration with public-key systems.

In particular, the PKINIT extensions to the Kerberos protocol provide for the use of public-key cryptography and the use of existing certificates for initial authentication to the KDC.

Subsequent authentication to application services uses the traditional Kerberos protocol and conventional cryptography.

This hybrid approach allows for the use of certifications from public-key CAs and common administration, but the performance penalty for using public-key cryptography is felt only when the user first logs into the system (when it is less likely to be noticed).

Assurance

While assurance technologies are not widely deployed on the Internet today, several organizations offer images that may be placed on Web sites to indicate adherence to acceptable standards of practice.

The limitation of these approaches is that their presence and authenticity are not validated and enforced by the application.

Several frameworks for assurance have been proposed, including a mechanism for issuing assurance credentials and the Platform for Internet Content Selection (PICS).

Microsoft's Authenticode and the Betsi system provide for assurance of the validity and authenticity of executable content that may be downloaded (or uploaded).

Authenticode has seen deployment within Microsoft products such as Internet Explorer. In general, though, acceptance of the techniques has been limited.

In the absence of absolute trust in the originator of executable code, systems may run untrusted code in an interpreter that will limit the functions that may be called by the code, and several systems are available to confine the execution of untrusted applications in this manner.

While this approach provides some protection against malicious code, the desire to give legitimate code enough power to perform the intended function often provides malicious code with functionality that was not intended.

Many of the interpreters available today have bugs that allow malicious code to do more than is intended, and it isn't clear how effectively the needs of legitimate functions can be balanced with the desire to contain malicious code.

Authorization

Distributed authorization mechanisms are included as part of systems like the Open Software Foundation's Distributed Computing Environment (OSF-DCE), and local solutions are provided on computing platforms like UNIX and Windows-NT.

Only recently have we seen the definition of comprehensive frameworks for authorization, and to date only components of these frameworks have been implemented.

In general, distributed authorization services provide for the distributed maintenance of authorization information, such as group membership and access control lists.

Information about group membership, or authority to perform a particular operation, is transmitted to an end service provider through restricted authentication credentials or through the addition of special authorization attributes to public-key certificates.

Upon receiving such a certificate, a service provider verifies the signature of the issuer of the certificate, or the authenticity of the authentication credentials, and checks to make sure the rights conveyed allow the operation requested by the user.

Implementation of the signed authorization certificates depends on the integrity and authentication services described earlier.

Performance will be an important consideration when selecting authorization mechanisms for computational grids.

We expect that authorization decisions will be made multiple times during the life of a task, but authentication might be necessary only during initiation of the task. Thus, we anticipate a large number of operations to validate a task's authority to perform a particular operation.

When using public-key cryptography as a basis for authorization, the use of the slower operation (for RSA it is signing; for DSA it is verification) should be minimized.

Finally, if delegation is to be based on the issuance of a new certificate with more restricted attributes and a new encryption key, the cost of generating the encryption key may be prohibitive for frequent use.

IPsec, IPv6, and Virtual Private Networks

Many of the attacks on the security of distributed systems rely on the ability of an attacker to monitor and modify packets on the network.

The IPsec suite of protocols developed by the Internet Engineering Task Force (IETF) and the security services that are present in IP version 6 provide for confidentiality and integrity protection of data at the network layer when sent between end systems.

When communication is first established between a pair of Internet hosts, a key distribution function is initiated to exchange a conventional encryption key.

That key is used to provide confidentiality and integrity of the packets subsequently exchanged between the two systems.

The key distribution function may be based on public-key cryptography, it may be based on other key distribution mechanisms like Kerberos, or it may use keys that were distributed in advance between the communicating systems.

In contrast to the other examples of authentication and key distribution, these keys are associated with the communicating hosts rather than with applications or end users.

IPsec, IPv6, and proprietary technologies available from some vendors allow the creation of VPNs, networks implemented by using the shared physical infrastructure of the Internet but with communication permitted only between participating nodes in the private network and where communication is protected from disclosure to and modification by nodes that are not participants.

These systems provide some improvement in security for distributed applications and will often be the appropriate technologies to use when it is impractical to integrate security at the application layer (which might be difficult without the source code for the distributed application).

However, because these systems operate at the network layer, they cannot provide for authentication of the end users and they do not have knowledge of the application-level objects that are to be protected.

Hence, they have limited ability to support security policies that distinguish users and application objects.

Firewalls

Firewalls provide a barrier at the boundary to an organization's network through which only specifically authorized communication may proceed.

In general, firewalls fill an important need in an organization's security policy because if they have been properly configured and if all paths into the network are protected by a firewall, then they prevent many kinds of attack on hosts within the organization's network.

Firewalls are less useful as a means to protect grid applications because the communication patterns for legitimate applications running on a computational grid will, by their very nature, require communication through the firewall, making it difficult for the firewall to distinguish legitimate communication from security violations.

By integrating IPsec and VPN technologies at network boundaries, firewalls can play a role in constructing a computational grid across a set of cooperating organizations.

In such a system, communication on the internal networks of the cooperating organizations could remain unprotected.

A firewall at the boundary between each unprotected network and the rest of the Internet would encrypt messages leaving the local network and decrypt messages entering the local network.

Communication between nodes in this private grid shared by the cooperating organizations would then be protected when sent over the Internet, but would remain in the clear for communication within the local network, hence removing the need for each internal host to maintain its own set of security parameters.

Integration with Communication Layers

For the services described so far to have an effect on the security of a computational grid, the protocols already developed and those under development must be integrated with the communications and resource management mechanisms used by the grid.

In general, integration is one of the most difficult aspects of deploying security services today. Security services can be integrated with protocols at several layers.

Efforts are under way in the IETF to add security services at the IP layer. With these extensions, computer systems will be able to authenticate to one another and communication between the systems can be encrypted.

Integrating security services at this layer does not provide authentication of the individual users of the system to the remote service providers and thus does not, by itself, meet the requirements for authentication (in support of access control) by many applications.

It does, however, improve the confidentiality and integrity of communications by applications running on these systems, including applications that have not been modified to use application-level security services.

Integration of security services can also occur at the application layer, and changes at the application layer are necessary for services where the operations allowed depend on the identity of the user.

Integrating security at this layer can be cumbersome, requiring changes to the application protocol for each application.

The Common Authentication Technology Working Group of the IETF has developed the Generic Security Services Application Programming Interface (GSS-API) to facilitate the integration of security services at the application layer.

When using the GSS-API, applications make calls to authentication, confidentiality, and integrity services in a manner that is independent of the underlying security services.

Integration of security services is easier for applications that run on top of RPC and similar transport mechanisms.

When running on top of such transport protocols, user authentication, confidentiality, and integrity can be provided at the transport layer.

Though the application must still be modified to ask the right questions and to use the answers as a basis for authorization, such changes to the application are less intrusive than changes to the application protocol itself.

Security services have been integrated at the RPC layer for the Open Software Foundation's DCE RPC, and Sun's ONC RPC.

The transport layer is likely to be the correct place to integrate security services for a computational grid.

Security services can be integrated with the communications layer used for communication between cooperating tasks, providing the appropriate level of communications security (confidentiality and integrity protection) for the application's needs.

The level of protection provided at this layer may also be adjusted as appropriate to take into account knowledge about the lower-level communications medium.

For example, when two tasks are communicating across a bus on a tightly coupled multiprocessor where it is known that no untrusted jobs have access to the bus, encryption might be bypassed, improving the performance of the communications primitives.

Modular integration

Because of the differing requirements for security, and because differing physical network topologies can allow significant improvement in application performance by leaving out security modules when the network topology guarantees the level of security that is required, the integration of security services into the computational grid must be modular.

Decisions will be made based on topology and other factors to select the security modules to be used.

However, it must be understood that for two processes to communicate directly, they should share a common security mechanism, and this will dictate a relatively small set of required mechanisms.