Thursday, January 22, 2009

MyProxy and proxy certificate

All of the following discussion is based on PKI (public key infrastructure).

What's important in terms of security?
Integrity of the user's identity credential (certificate + public/private key pair).
Note: What matters is not just a single part of the credential, but the integrity of all its parts. If any one component is compromised, the whole credential is no longer secure.

How to protect the private key?
(1) Store it on the desktop
May not be a good idea because desktops are usually not professionally protected. They are vulnerable to keystroke loggers, trojans ...
(2) Smart card
A specific piece of hardware provides improved security for key storage.
Pros: allows keys to be used for signing and encryption without allowing the keys to be exported from the card's protected memory.
Cons: cost and support
(3) Virtual smart card
Similar to the physical smart card approach. It is a software system which protects private keys on secure servers without allowing the keys to be exported.

Grid computing
Usually, the user has a certificate issued by a CA, and it has a long lifetime (maybe several years). Before a task can run successfully, the certificate must be authenticated by the grid infrastructure. Tasks may be submitted and launched from different hosts.
(*) So it is not convenient to ask users to copy their credentials manually across different machines.
(*) It is not secure to put long-term credentials on many hosts in the grid.
It would be great if users could obtain a short-lived (hours or days) credential which can be used for authentication during execution of a task.
There are two solutions:
(1) Online CA
Every time the user needs a short-lived credential, he/she just sends a certificate request to the CA and the CA returns the newly created certificate.
Drawback: cost. Adding a new CA needs a lot of extra work in terms of time, money, negotiating policies...
(2) Online credential repository
This solution makes use of the X.509 proxy certificate described below.
MyProxy uses the third approach.

Proxy Certificate (RFC 3820)
Key idea: An entity delegates its rights, or a subset of its rights, to another entity which can act on behalf of the original entity.
Security
Restrictions can be placed on the PC by means of policies.
Terminology
EEC (End Entity Certificate): an X.509 Public Key Certificate issued to an end entity by a CA.
PC (Proxy Certificate): can be issued by an EEC or another PC.
PI (Proxy Issuer): an entity with an EEC or PC that issues a PC. The issued PC is signed using the corresponding private key.
Properties of PC
(*) Signed by an EEC or a PC
(*) It can sign another PC, but cannot sign an EEC.
(*) Its public/private key pair is different from that of the proxy issuer.
(*) Its identity is derived from the identity of the original EEC that signed the PC.
Note: its identity is unique so that it can be used as an independent identity.
(*) It contains a new X.509 extension to indicate that it is a PC and to place restrictions on use of the PC.
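The properties above can be checked mechanically when a chain is validated. The following is an added example, not code from MyProxy or from the original post: a simplified model in which certificates are plain records and a signature is represented by a key label. The "issuer subject plus one CN" rule and the path-length limit come from RFC 3820; all names and sample values are constructed.

```python
# Added illustration: a simplified model of the rules above. A "key" is only a
# label and signed_by names the signing key; real code parses X.509 and
# verifies signatures.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: tuple                  # RDNs, e.g. ("O=Grid", "CN=Alice")
    issuer: tuple
    key: str                        # this certificate's own key pair
    signed_by: str                  # key that signed this certificate
    not_before: int                 # validity window, Unix time
    not_after: int
    is_proxy: bool = False          # carries the proxy extension
    path_len: Optional[int] = None  # proxies allowed below (RFC 3820)

def check_proxy_chain(chain, now):
    """chain[0] is the EEC, then proxies in issuing order.
    Returns None if every rule holds, otherwise the reason for rejection."""
    if not chain or chain[0].is_proxy:
        return "chain must start with an EEC"
    budget = None                   # proxies still allowed by path_len limits
    for parent, cert in zip(chain, chain[1:]):
        if not cert.is_proxy:
            return "only PCs may follow the EEC"
        if cert.signed_by != parent.key or cert.issuer != parent.subject:
            return "not signed by the preceding certificate"
        if cert.key == parent.key:
            return "PC reuses its issuer's key pair"
        n = len(parent.subject)
        extra = cert.subject[n:]
        if cert.subject[:n] != parent.subject or len(extra) != 1 \
                or not extra[0].startswith("CN="):
            return "subject is not the issuer's subject plus one CN"
        if budget == 0:
            return "path length limit exceeded"
        if budget is not None:
            budget -= 1
        if cert.path_len is not None:
            budget = cert.path_len if budget is None else min(budget, cert.path_len)
    if any(not c.not_before <= now <= c.not_after for c in chain):
        return "certificate outside its validity period"
    return None

# Constructed sample: Alice's EEC and a 12-hour proxy that may not delegate further.
ALICE = ("O=Grid", "CN=Alice")
EEC = Cert(ALICE, ("O=Grid", "CN=CA"), "k-eec", "k-ca", 0, 2_000_000_000)
PROXY = Cert(ALICE + ("CN=1234",), ALICE, "k-p1", "k-eec", 1000, 44200, True, 0)
```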
Procedure
If an entity A wants to delegate its rights to entity B, the procedure is
(1) Entity B creates a private/public key pair
(2) Entity B creates a request for a PC and sends it to entity A
(3) Entity A creates a PC, signed by the private key of A's certificate (EEC or another PC).
In this process, restrictions can be placed on the newly created PC. For example, validity period...
(4) Entity A sends the certificate back to entity B.
Note: the private key of entity A is stored on the local file system.
Significant advantages
Private keys are never transferred over the internet.

How does MyProxy work?
Proxy storing
This is similar to the procedure described above in section <Proxy Certificate> / <Procedure>. Entity A is the end user and entity B is the MyProxy server. In step (4), the end user sends both the newly created Proxy Certificate and the entire certificate chain to the server. Access control can also be imposed by the means described below.
Proxy retrieval
Similar to proxy storing, except in reverse. Access control policies must be checked to see whether the client is allowed to retrieve the certificate.
Access Control
The server administrator can control who can store/retrieve credentials by:
    (1) Requiring client-side TLS authentication
    (2) Configuring a regular expression that must match the client certificate's subject for storage requests
    (3) Configuring a regular expression that must match the client certificate's subject for retrieval requests
The credential owner can control access to their certificates by:
    (1) setting a password when storing the certificates
     The password is not stored on the server. It is used to encrypt the server's private key, which would be used to sign the proxy certificates.
    (2) setting a regular expression on the subject of the client certificate that would retrieve the certificate.
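The layered subject checks described above can be sketched as one decision function. This is an added example, not MyProxy's code or configuration format: the Policy layout, function names, patterns and subject names are all hypothetical. It uses full-string matching so that a subject which merely contains an allowed string is not accepted.

```python
# Added illustration; the Policy layout is hypothetical, not MyProxy's config format.
import re
from dataclasses import dataclass

@dataclass
class Policy:
    store_subjects: str       # server-wide regex for storage requests
    retrieve_subjects: str    # server-wide regex for retrieval requests

def _matches(pattern, subject):
    # fullmatch anchors both ends, so a DN that merely contains an allowed
    # string somewhere inside it is not accepted.
    return re.fullmatch(pattern, subject) is not None

def authorize(policy, action, tls_subject, owner_pattern=None):
    """Decide a store/retrieve request. tls_subject is the subject DN proven by
    TLS client authentication (None if the client presented no certificate)."""
    if tls_subject is None:
        return False, "client-side TLS authentication required"
    if action == "store":
        ok = _matches(policy.store_subjects, tls_subject)
        return ok, "ok" if ok else "subject not allowed to store"
    if action == "retrieve":
        if not _matches(policy.retrieve_subjects, tls_subject):
            return False, "subject not allowed to retrieve"
        # The credential owner's own pattern narrows the server-wide rule.
        if owner_pattern is not None and not _matches(owner_pattern, tls_subject):
            return False, "owner policy does not allow this subject"
        return True, "ok"
    return False, "unknown action"

# Constructed sample policy.
POLICY = Policy(store_subjects=r"/O=Grid/OU=Users/CN=[^/]+",
                retrieve_subjects=r"/O=Grid/OU=(Users|Portals)/CN=[^/]+")
```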
Renewal
    to be filled soon

To be investigated in the future
MyProxy and OGSI (Open Grid Services Infrastructure):
    MyProxy is encapsulated as web services.
MyProxy and WS-Resource Framework