Evaluation of the GLOBUS authentication architecture

• The need to geographically distribute and transparently access and analyse datasets on the scale of many Tbytes is already there.

• Today, many HE(N)P experiments still happily access and transfer their data over clear pipes, with traditional, username/password FTP authentication or AFS. Sometimes SSH is used.

• Little concern is shown for the intrinsic security of the data, since they are of negligible value without the appropriate analysis environment and collaboration expertise. This of course may not be true for other GRID customers and the GRID at large, and may change as the self-describing content of HE(N)P data in general increases.

• Some concern is shown for the protection of semi-final, unpublished processed data. It is important to be able to identify the group/experiment affiliation of GRID users, and grant access permissions accordingly. In general, however, data transfer ease/reliability is more important than data security.

• A lot of concern is shown towards increased security measures that complicate day-by-day work patterns. One-time-login mechanisms are welcome.

How does the Globus authentication architecture work ?

• An implementation of the GSS-API (RFC 2078/2743) based on OpenSSL/X509

• The GSS-API requires the ability to pass on authentication information to establish further authenticated connections ("one-time login"). This is achieved in this implementation via a "proxy".

• A "proxy" is made of a newly-generated certificate/key pair, along with the certificate of the user who is supposed to be represented by the proxy. The certificate has a short expiration time and is signed by the user. The user certificate is signed by a CA that is trusted at the resource provider's end.

• The resource provider is able to descend the certificate signature chain and thus verify the proxy certificate.

• The requesting user is mapped to the appropriate resource provider's identifiers via the user certificate subject (X.500 DN) only.

• X509 (the only digital signature mechanism that is currently granted legal meaning in Italy).

• The "one time login" paradigm.

• The ease of extending a relation of trust to "foreign" CAs, without having to interfere with their X.500 naming scheme:

 access_id_CA      X509         '/C=US/O=Globus/CN=Globus Certification Authority'

 pos_rights        globus        CA:sign

 cond_subjects     globus     '"/C=us/O=Globus/*" "/C=US/O=Globus/*"'

1. Granting local "identities" based only on certificate subjects allows the existance of multiple valid certificates for the same subject. Or: given that passwords are always "hotel keys", and never "car keys", in this case an innkeeper from another continent can enter your room disguised as your wife (or husband).

2. The authentication library is based on OpenSSL, but it is not currently in sync with the OpenSSL development (it links against OpenSSL 0.9.1c at latest).

3. The authentication library provides cryptic diagnostics (e.g. "certificate chain too long" when the CA policy check fails).

4. A note from the INFN security experts: the model where generally valid (even if for a limited time only) private keys are available on remote hosts fits a world where all system administrators are honest and able to implement a seamless security model. As we pointed out, this could be less of a problem in our case.

1. Eventually the Certificate Revocation List check and policy, which is currently handled by the Globus GSS implementation, will be handled by the underlying OpenSSL. There will be the possibility even to fetch a fresh CRL on each certificate check. What we are more likely to use is a periodic update of the CRL.

2. As of Globus v1.1.3 one should be able to link with the current OpenSSL, (but this isn't stated or written anywhere: we still have to test this).

3. The diagnostic message structure is under review.

4. A scheme for very fine-grained "limited" proxies is being developed. Currently the only limit that can be enforced prevents further certificate delegation by the GSS library.