
Page 1: My Private Cloud EIC

25/05/2012

1

My Private Cloud

David W Chadwick

University of Kent

1 Dec 2011 IEEE CloudCom 2011 1

Project Objectives

• Migrate, as far as possible in six months, the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services.

• The TSP infrastructure relies on trusted cloud providers to operate in good faith, but this can be checked: trust but verify

• Infrastructure is built from legal agreements and open source software services

• Software services include: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails


TAS3

• TAS3 – Trusted Architecture for Securely Shared Services – is an EC FP7 Integrated Project, running from Jan 2008 to Dec 2011

• 16 partners, €9.4M EC contribution

• Objective: develop and implement an architecture for trusted services to manage and process distributed personal information

TAS3 Architectural Components

[Figure: block diagram of the TAS3 architecture. Components shown: Trust Network, CSP, Authz Infrastructure, PEP, PDP, Audit Service, IdP, DS, AA, Authn, P/S, Dash, WSC, Appln, TAAS, Trust and Reputation Service, Service Directory.]

Legend

• IdP = Identity Provider

• AA = Attribute Authority

• DS = Delegation Service

• Authn = Authentication Service

• P/S = Publish-Subscribe Service

• CSP = Cloud Service Provider

• PEP = Policy Enforcement Point

• PDP = Policy Decision Point

• Authz = Authorisation Infrastructure

• Appln = Application Code

• WSC = Web Services Client

• Dash = User’s dashboard service

• TAAS = Trusted Attribute Aggregation Service

Project Achievements

• Have defined and implemented APIs (in PHP) for

– Federated Identity Management with different Levels of Assurance

– Privacy Preserving Delegation of Authority

– Granting of Access Rights to Other Account Holders

• And built these into a front end Proxy Service to Amazon/Eucalyptus S3 service

[Figure: My Private Cloud architecture. Legend: External Services, Locally Provided Services, Cloud API Security Services (colour-coded in the original). Components shown: Delegation Issuing Web Service; UK AMF; SimpleSAMLphp Proxy IdP; Account DB; WAYF; OpenID, Facebook, Google, Twitter and other IdPs (IdP 1 … IdP n); Org LDAP; Cloud Service; Authn API (SimpleSAMLphp SP); Delegation API; CVS; Authz API; Authz Database; PDP.]


Authz API – Attribute Based Access Control

• getRights – given a set of user identity attributes (types and values), return the resources (identified by a set of attribute types and values) and access rights that are granted to users possessing this identity. (DB)

• listAccess – given a resource (identified by a set of attribute types and values), return the sets of users with access rights to this resource, each set comprising a user identity (a set of attribute types and values) and its associated access rights. (DB)

• addRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values) and a set of access rights, grants these rights to users possessing this set of identity attributes (in addition to any existing rights). (DB)

• removeRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values), and a set of access rights, revoke these rights from users possessing this set of identity attributes. (DB)

• authzDecision – given a set of user identity attributes (types and values), a requested resource (identified by a set of attribute types and values) and a requested access right, return a Response object indicating whether access is granted (GRANT) or not (DENY). The Response object can be checked by using the method isGrant, which returns the value True if access is granted. (PDP)

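Added worked example (not code from the slides or from the project's PHP implementation): the five Authz API operations above as an in-memory attribute-based access control service. Assumed here: identities and resources are sets of (type, value) pairs; a grant attribute whose value is None matches any value of that type (the slide's "types and optionally values"); a grant applies to a user who holds every attribute in its identity set; authzDecision denies by default. The bucket, UIDs and affiliation in demo() are constructed.

```python
"""Added example of the Authz API (getRights, listAccess, addRights,
removeRights, authzDecision); not the project's PHP code.  Assumptions:
identities/resources are sets of (type, value) pairs, value None in a
grant's identity means "any value of that type", deny by default."""
from dataclasses import dataclass


@dataclass
class Grant:
    identity: frozenset   # {(type, value-or-None)} that a user must hold
    resource: frozenset   # {(type, value)} naming the protected resource
    rights: set           # e.g. {"read", "write"}


class Response:
    """Mirrors the slide's Response object: isGrant() is True only on GRANT."""

    def __init__(self, granted: bool) -> None:
        self._granted = granted

    def isGrant(self) -> bool:
        return self._granted


def identity_matches(grant_identity, user_attrs) -> bool:
    """True when the user holds every attribute the grant asks for."""
    held = {}
    for attr_type, value in user_attrs:
        held.setdefault(attr_type, set()).add(value)
    for attr_type, value in grant_identity:
        if attr_type not in held:
            return False
        if value is not None and value not in held[attr_type]:
            return False
    return True


class AuthzService:
    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def addRights(self, identity, resource, rights) -> None:
        """Grant rights to users holding `identity`, keeping any existing rights."""
        identity, resource = frozenset(identity), frozenset(resource)
        for g in self._grants:
            if g.identity == identity and g.resource == resource:
                g.rights |= set(rights)
                return
        self._grants.append(Grant(identity, resource, set(rights)))

    def removeRights(self, identity, resource, rights) -> None:
        """Revoke rights from the grant keyed by exactly this identity set."""
        identity, resource = frozenset(identity), frozenset(resource)
        for g in list(self._grants):
            if g.identity == identity and g.resource == resource:
                g.rights -= set(rights)
                if not g.rights:
                    self._grants.remove(g)

    def getRights(self, user_attrs) -> dict:
        """Map each resource to the rights a user with these attributes has."""
        out: dict = {}
        for g in self._grants:
            if identity_matches(g.identity, user_attrs):
                out.setdefault(g.resource, set()).update(g.rights)
        return out

    def listAccess(self, resource) -> list:
        """All (identity set, rights) pairs granted on a resource."""
        resource = frozenset(resource)
        return [(g.identity, set(g.rights)) for g in self._grants if g.resource == resource]

    def authzDecision(self, user_attrs, resource, right) -> Response:
        """PDP: GRANT only if some grant on the resource carries the right and
        the user matches its identity set; otherwise DENY."""
        resource = frozenset(resource)
        for g in self._grants:
            if (g.resource == resource and right in g.rights
                    and identity_matches(g.identity, user_attrs)):
                return Response(True)
        return Response(False)


def demo() -> tuple:
    """Constructed scenario: any Kent account may read a bucket, only dwc8 may write."""
    svc = AuthzService()
    bucket = {("bucket", "dwc-photos")}
    svc.addRights({("UID", None), ("affiliation", "University of Kent")}, bucket, {"read"})
    svc.addRights({("UID", "dwc8")}, bucket, {"read", "write"})
    dwc = {("UID", "dwc8"), ("affiliation", "University of Kent")}
    colleague = {("UID", "abc1"), ("affiliation", "University of Kent")}
    stranger = {("UID", "xyz9")}
    return (
        svc.authzDecision(dwc, bucket, "write").isGrant(),        # True
        svc.authzDecision(colleague, bucket, "read").isGrant(),   # True
        svc.authzDecision(colleague, bucket, "write").isGrant(),  # False
        svc.authzDecision(stranger, bucket, "read").isGrant(),    # False
    )
```

The point worth carrying into a real PDP is in authzDecision: the absence of a matching grant is a DENY, and a grant whose identity set names an attribute the user lacks never fires, even if the user holds every other attribute in it.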

Proxy IdP

• Acts as a Where Are You From (WAYF) service and protocol converter between OpenID, OAuth, Twitter protocols etc. and SAMLv2

• Allows users who are not part of an existing SAMLv2 federation to join the cloud

• The SP only needs to talk SAMLv2 to, and trust, the proxyIdP

• The SP says what LoA and attributes it requires, and the proxyIdP returns the SAML authn and attribute statements to the SP

• The proxyIdP also computes the LoA from the authenticating IdP, and sends this as a subject attribute to make the SP’s authorisation decision making easy

• It has an associated Account Database and Account Linking Service which allows users to link their various accounts together to gain further authz at the SPs (not discussed here)

• It has an associated Credential Validation Service for validating the attribute credentials from the trusted IdPs (not discussed here)


The Authn API

• getIdentity – given a URL and a set of identity requirements, return the authenticated user to this URL with his/her set of qualified identity attributes that match the requirements, the user’s persistent ID (PId) and the name of the Identity Provider (IdP) that authenticated the user. (If no identity requirements are specified then obtain as many identity attributes as possible from as many IdPs as possible, along with the PId.)

• logout – given a URL to return to, log the user out of his session with this cloud service provider and return the user to this URL. Note that this is only logout from the cloud application and is not logout from the federated identity management infrastructure, i.e. SSO with the authenticating IdP is still active.

• setCVS – given the URL of the CVS, this method enables the use of the CVS by the proxyIdP. When this method is called, all the attributes returned from the IdP are validated by the CVS according to the policy rules configured into it. (If it is not called, getIdentity accepts every attribute it is given without checking that it came from the correct, i.e. trusted, IdP.)


Identity Requirements

• An attribute type – taken from an attribute class hierarchy

• An attribute issuer – which specifies who the issuer of the attribute type should be. This can either be a specific issuer instance (URL), or a class of issuer (URN) taken from an issuer class hierarchy

• The minimum required Level of Assurance (in the range 1 (lowest) to 4 (highest)) for this identity attribute


Qualified Identity Attributes

• An identity attribute type/name

• An attribute value

• The issuer of this attribute

• The LoA of this attribute


Examples

• getIdentity (creditCard, urn:org:bank, 2)

– This specifies that the user should be identified by a credit card attribute issued by a bank.

– An example of a return value is Visa=1234567890, Barclays.co.uk, 2

• getIdentity (UID, kent.ac.uk, 1; role, urn:federation:UK-AMF, 1; affiliation, urn:federation:UK-AMF, 1)

– This specifies that the user should be identified by 3 attributes, namely a UID issued by kent.ac.uk, a role issued by a member of the UK Access Management Federation, and the name of the organization in the UK-AMF to which the user is affiliated.

– An example of a return value is (UID=dwc8, kent.ac.uk, 2), (role=professor, kent.ac.uk, 2), (affiliation= University of Kent, kent.ac.uk, 2)

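Added example, not from the slides or the project's PHP API: how a getIdentity call like the two above can be evaluated against the qualified attributes an IdP returns, with the Proxy IdP's per-IdP LoA assignment and the CVS check from the Authn API slide folded in. The attribute and issuer class hierarchies, the per-IdP LoA table, the CVS policy and the IdP other.ac.uk are assumptions made for this example; the function and type names are ours, not the PHP API's signatures.

```python
"""Added example (not the project's code): identity requirements versus
qualified attributes, with the proxyIdP's LoA stamping and the CVS filter.
Hierarchies, LoA table, CVS policy and other.ac.uk are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    attr_type: str   # taken from the attribute class hierarchy
    issuer: str      # a specific issuer (URL) or an issuer class (URN)
    min_loa: int     # 1 (lowest) .. 4 (highest)


@dataclass(frozen=True)
class QualifiedAttribute:
    attr_type: str
    value: str
    issuer: str
    loa: int


# Child -> parent class hierarchies (constructed for this example).
ATTRIBUTE_CLASSES = {"Visa": "creditCard", "MasterCard": "creditCard"}
ISSUER_CLASSES = {
    "Barclays.co.uk": "urn:org:bank",
    "kent.ac.uk": "urn:federation:UK-AMF",
    "other.ac.uk": "urn:federation:UK-AMF",
}
# LoA the proxyIdP assigns per authenticating IdP (constructed values).
IDP_LOA = {"kent.ac.uk": 2, "other.ac.uk": 3, "Barclays.co.uk": 2, "google.com": 1}


def is_a(node: Optional[str], cls: str, hierarchy: dict) -> bool:
    """True if node is cls or has cls as an ancestor in the hierarchy."""
    while node is not None:
        if node == cls:
            return True
        node = hierarchy.get(node)
    return False


def qualify(issuer: str, raw_attrs) -> list:
    """proxyIdP step: stamp each (type, value) from an IdP with that IdP's LoA."""
    loa = IDP_LOA.get(issuer, 1)   # an IdP with no LoA on record gets the lowest
    return [QualifiedAttribute(t, v, issuer, loa) for t, v in raw_attrs]


def satisfies(attr: QualifiedAttribute, req: Requirement) -> bool:
    if not is_a(attr.attr_type, req.attr_type, ATTRIBUTE_CLASSES):
        return False
    if req.issuer.startswith("urn:"):                  # issuer class
        if not is_a(attr.issuer, req.issuer, ISSUER_CLASSES):
            return False
    elif attr.issuer.lower() != req.issuer.lower():    # specific issuer
        return False
    return attr.loa >= req.min_loa


class CVS:
    """Credential Validation Service: policy maps an issuer to the attribute
    types it is trusted to assert; everything else is dropped before matching."""

    def __init__(self, policy: dict) -> None:
        self.policy = policy

    def validate(self, attrs) -> list:
        return [a for a in attrs if a.attr_type in self.policy.get(a.issuer, ())]


def getIdentity(attrs, requirements, cvs: Optional[CVS] = None):
    """One attribute per requirement (highest LoA wins), or None when any
    requirement is unmet.  With no CVS every supplied attribute is accepted,
    which is the caveat the setCVS slide gives."""
    if cvs is not None:
        attrs = cvs.validate(attrs)
    chosen = []
    for req in requirements:
        candidates = [a for a in attrs if satisfies(a, req)]
        if not candidates:
            return None
        chosen.append(max(candidates, key=lambda a: a.loa))
    return chosen


def demo_role_spoof(use_cvs: bool) -> list:
    """Constructed scenario: other.ac.uk is a UK-AMF member, so it passes the
    issuer-class test, but this SP's CVS policy trusts it only for UID."""
    attrs = qualify("kent.ac.uk", [("UID", "dwc8"), ("role", "student"),
                                    ("affiliation", "University of Kent")])
    attrs += qualify("other.ac.uk", [("role", "professor")])
    reqs = [Requirement("UID", "kent.ac.uk", 1),
            Requirement("role", "urn:federation:UK-AMF", 1),
            Requirement("affiliation", "urn:federation:UK-AMF", 1)]
    cvs = CVS({"kent.ac.uk": {"UID", "role", "affiliation"}, "other.ac.uk": {"UID"}})
    return [(a.attr_type, a.value, a.issuer)
            for a in getIdentity(attrs, reqs, cvs if use_cvs else None)]
```

Calling demo_role_spoof(False) and then demo_role_spoof(True) shows what setCVS buys: without the CVS the higher-LoA role=professor from other.ac.uk wins, because an issuer-class requirement is satisfied by any member of the class; with the CVS that attribute never reaches matching, and the student role from kent.ac.uk is returned instead.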

Issue

• How to delegate access to your cloud resources to a user who either does not have any recognised attributes or does, but you don’t know what they are (due to privacy protection)?

• Even though each IdP user has a PId, you don’t know what it is, and most likely neither do they (and you probably don’t know your own PId either)

Solution

• Providing the user has a login account at one of the recognised IdPs (in our case UK AMF, Google, Facebook, Twitter and OpenID)

• We introduce a Delegation Issuing Service (DIS), which will issue freshly minted attributes to your chosen delegates

• Where you are the attribute authority

• You choose the attributes to be delegated

• You then use the existing ABAC authz system to assign rights to these attributes

• The DIS registers your delegates in its database and keeps a record of your attribute assignments to them, then whenever they log in to the cloud service, they are assigned these attributes

– All DIS users are given a user friendly nickname for ease of reference

How does it work?

• You enter a new delegate into the cloud service by defining her group attribute name and value e.g. Colleague (Chris) or Family (Mother)

• The system gives you a secret URL

• You give this URL to your delegate by some out of band means

• The delegate clicks on the URL, logs into the cloud service via her IdP, and is assigned the attribute you gave her

• Every time your delegate logs in in the future, she is assigned the attributes you gave her


Delegation API

• encodeDelAtt – given the identity of the delegator (as a set of attribute types and values) and the attribute to be delegated (e.g. delegationAttribute=MyFriend), it returns the (uniquely) encoded delegation attribute

• decodeDelAtt – given an encoded delegation attribute, return the identity of the delegator (as a set of attribute types and values) and the attribute that is delegated

• getSecret - given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate (string), and the encoded delegation attribute, return a secret to be given to the delegate.

• useSecret - given a secret, the identity of the delegate (as an IdP/PId pair), and the delegate’s nickname for the delegator, return the encoded delegation attribute.

• getDelegationAttributes - given the delegate's identity (as an IdP/PId pair) return the set of encoded delegation attributes, each set comprising: an encoded delegation attribute and the delegator (as a set of attribute types and values).

• revokeDelegate – given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate and the encoded delegation attribute, revoke this attribute from this delegate.

• getDelegates – given the identity of a delegator (as a set of attribute types and values), return the set of delegates comprising the nickname of each delegate and the encoded delegation attribute.

• getDelegators – given the identity of a delegate (IdP/PId), return the set of delegators comprising the nickname of the delegator and the encoded delegation attribute.

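Added example, not the project's PHP code: a Delegation Issuing Service that implements the operations listed above together with the secret-URL enrolment flow from the "How does it work?" slide. Assumed here, since the slides do not say: an encoded delegation attribute is base64url(JSON of the delegator identity and the attribute) followed by an HMAC-SHA256 tag, so decodeDelAtt rejects forged values; the secret is 256 bits of randomness, single use and expiring; a delegate is identified by her (IdP, PId) pair; the names, UIDs and PIds in demo() are constructed.

```python
"""Added example of the Delegation API and the secret-URL flow; not the
project's DIS.  Assumptions: HMAC-tagged base64url(JSON) encoding, single
use expiring secrets, delegate = (IdP, PId) pair, identity = set of pairs."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the integrity tag


class DelegationIssuingService:
    def __init__(self, key: bytes, secret_ttl: int = 3600) -> None:
        self._key = key
        self._ttl = secret_ttl
        self._pending = {}       # secret -> (delegator, delegate nickname, enc_att, expiry)
        self._by_delegate = {}   # (idp, pid) -> {enc_att: (delegator, delegator nickname)}
        self._by_delegator = {}  # delegator -> {(delegate nickname, enc_att)}
        self._delegate_of = {}   # (delegator, delegate nickname) -> (idp, pid)

    def encodeDelAtt(self, delegator, attribute: str) -> str:
        """Unique encoding of (delegator, attribute), tagged so it cannot be forged."""
        body = json.dumps({"d": sorted(frozenset(delegator)), "a": attribute},
                          separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")

    def decodeDelAtt(self, enc_att: str):
        raw = base64.urlsafe_b64decode(enc_att + "=" * (-len(enc_att) % 4))
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("forged or corrupted delegation attribute")
        obj = json.loads(body)
        return frozenset(tuple(p) for p in obj["d"]), obj["a"]

    def getSecret(self, delegator, nickname: str, enc_att: str) -> str:
        """Mint the secret that goes into the URL handed to the delegate out of band."""
        delegator = frozenset(delegator)
        if self.decodeDelAtt(enc_att)[0] != delegator:
            raise PermissionError("only the attribute authority may delegate its attribute")
        secret = secrets.token_urlsafe(32)   # 256 bits: unguessable, not merely unique
        self._pending[secret] = (delegator, nickname, enc_att, time.time() + self._ttl)
        return secret

    def useSecret(self, secret: str, delegate, delegator_nickname: str) -> str:
        """Called when the delegate follows the URL after logging in via her IdP."""
        entry = self._pending.pop(secret, None)   # single use: a replayed URL fails
        if entry is None:
            raise PermissionError("unknown or already used secret")
        delegator, nickname, enc_att, expiry = entry
        if time.time() > expiry:
            raise PermissionError("secret expired")
        self._by_delegate.setdefault(delegate, {})[enc_att] = (delegator, delegator_nickname)
        self._by_delegator.setdefault(delegator, set()).add((nickname, enc_att))
        self._delegate_of[(delegator, nickname)] = delegate
        return enc_att

    def getDelegationAttributes(self, delegate) -> list:
        """What the cloud service fetches at each later login of the delegate."""
        return [(enc, d) for enc, (d, _) in self._by_delegate.get(delegate, {}).items()]

    def revokeDelegate(self, delegator, nickname: str, enc_att: str) -> None:
        delegator = frozenset(delegator)
        delegate = self._delegate_of.get((delegator, nickname))
        if delegate is not None:
            self._by_delegate.get(delegate, {}).pop(enc_att, None)
        self._by_delegator.get(delegator, set()).discard((nickname, enc_att))

    def getDelegates(self, delegator) -> list:
        return sorted(self._by_delegator.get(frozenset(delegator), set()))

    def getDelegators(self, delegate) -> list:
        return [(nick, enc) for enc, (_, nick) in self._by_delegate.get(delegate, {}).items()]


def demo() -> tuple:
    """Constructed walk-through of the slide's flow."""
    dis = DelegationIssuingService(key=b"constructed-demo-key")
    dave = {("UID", "dwc8"), ("IdP", "kent.ac.uk")}
    enc = dis.encodeDelAtt(dave, "Colleague=Chris")   # Dave is the attribute authority
    secret = dis.getSecret(dave, "Chris", enc)        # embedded in the secret URL
    chris = ("google.com", "pid-4711")                # Chris's IdP/PId pair after login
    assigned = dis.useSecret(secret, chris, "Dave")
    at_next_login = dis.getDelegationAttributes(chris)
    try:
        dis.useSecret(secret, chris, "Dave")           # replaying the URL must fail
        replay_ok = True
    except PermissionError:
        replay_ok = False
    return assigned == enc, at_next_login == [(enc, frozenset(dave))], replay_ok
```

Two checks here are worth keeping in any real DIS: getSecret refuses to mint a secret for an attribute whose encoded delegator is not the caller, otherwise anyone could hand out someone else's attribute; and useSecret consumes the secret on first use, so a URL that leaks or is replayed after the delegate has enrolled cannot enrol a second account under the same attribute.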

Live Demo

• A live demo is available here

http://sec.cs.kent.ac.uk/demos/

• Choose 6. My Private Cloud


Acknowledgements

• This research received funding from

• EC’s FP7 under grant agreement n° 216287 (Trusted Architecture for Securely Shared Services) and

• UK’s EPSRC under grant ref. n° EP/1034181/1 (My Private Cloud)

Demo Screenshots


Welcome Screen


Login Redirects to Proxy IdP


User Logs In via chosen IdP

User is shown all the Accounts that his Attributes give him Ownership of, and Opens (or Creates) one

User is shown Account Details of Opened Account

List of Your Delegates

List of Buckets You Own

List of Buckets and Files that other Account Owners have shared with you

User Opens a Bucket

Can view/alter Access Rights

Can upload/download files

Showing Permissions that You have Granted to Others

Permissions given to Contacts/Delegates

Permissions already given to other Account Holders

Give New Permissions to Others


Granting Permissions To Others

Granting access to Contacts/Delegates

Granting access to other Account Holders

Granting Public access

Adding a New Contact/Delegate
