25/05/2012
1
My Private Cloud
David W Chadwick
University of Kent
1 Dec 2011 IEEE CloudCom 2011 1
Project Objectives
• Migrate (as much as possible in 6 months of) the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services.
• The TSP infrastructure relies on trusted cloud providers to operate in good faith but this can be checked – trust but verify
• Infrastructure is built from legal agreements and open source software services
• Software services include: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails
TAS3
• TAS3 – Trusted Architecture for Securely Shared Service – is an EC FP7 Integrated Project, running from Jan 2008-Dec 2011
• 16 partners, €9.4M EC contribution
• Objective. Develop and implement an architecture for trusted services to manage and process distributed personal information
[Figure: TAS3 Architectural Components. Diagram of the Trust Network; components shown: CSP, Authz Infr (PEP, PDP), Audit Service, IdP, DS, AA, Authn, TAAS, Appln, WSC, Trust and Reputation Service, Service Directory, P/S, Dash.]
Legend: IdP=Identity Provider; AA=Attribute Authority; DS=Delegation Service; Authn=Authentication Service; P/S=Publish-Subscribe Service; CSP=Cloud Service Provider; PEP=Policy Enforcement Point; PDP=Policy Decision Point; Authz=Authorisation Infrastructure; Appln=Application Code; WSC=Web Services Client; Dash=User’s dashboard service; TAAS=Trusted Attribute Aggregation Service
Project Achievements
• Have defined and implemented APIs (in PHP) for
– Federated Identity Management with different Levels of Assurance
– Privacy Preserving Delegation of Authority
– Granting of Access Rights to Other Account Holders
• And built these into a front end Proxy Service to Amazon/Eucalyptus S3 service
[Figure: My Private Cloud architecture. Components shown: Delegation Issuing Web Service; Proxy IdP (SimpleSAMLphp) with its Account DB and WAYF; CVS; Org LDAP; Cloud Service with Authn API (SimpleSAMLphp SP), Delegation API, Authz API and Authz Database/PDP; external IdPs: UK AMF (IdP 1, IdP 2, … IdP n), OpenID, Facebook, Google, Twitter, Other IdPs.]
Legend (three shadings in the original): External Services; Locally Provided Services; Cloud API Security Services
Authz API – Attribute Based AC
• getRights – given a set of user identity attributes (types and values), return the resources (identified by a set of attribute types and values) and access rights that are granted to users possessing this identity. (DB)
• listAccess – given a resource (identified by a set of attribute types and values), return the sets of users with access rights to this resource, each set comprising a user identity (a set of attribute types and values) and its associated access rights. (DB)
• addRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values) and a set of access rights, grants these rights to users possessing this set of identity attributes (in addition to any existing rights). (DB)
• removeRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values), and a set of access rights, revoke these rights from users possessing this set of identity attributes. (DB)
• authzDecision – given a set of user identity attributes (types and values), a requested resource (identified by a set of attribute types and values) and a requested access right, return a Response object indicating whether access is granted (GRANT) or not (DENY). The Response object can be checked by using the method isGrant, which returns the value True if access is granted. (PDP)
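The Authz API above is described only by its operations. The following is an added example, not the project's PHP code, written in Python: a toy in-memory attribute-based access control store implementing all five operations, including the type-only rule form ("types and optionally values") that addRights and removeRights allow, and the default-deny behaviour of authzDecision. Its data model is an assumption: identities and resources are sets of (type, value) pairs, rights are plain strings, and a resource is matched by exact equality of its identifying attribute set.

```python
"""Toy attribute-based access control store exposing the five Authz API
operations (getRights, listAccess, addRights, removeRights, authzDecision).
Added example, not the project's PHP code; the data model (identities and
resources as sets of (type, value) pairs, rights as strings, exact-match
resource identification) is an assumption."""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Attr = Tuple[str, Optional[str]]       # (type, value); value None means "any value"
Identity = FrozenSet[Attr]
Resource = FrozenSet[Tuple[str, str]]


class Response:
    """Result of authzDecision: GRANT or DENY plus the identity rule that matched."""

    def __init__(self, decision: str, matched_rule: Optional[Identity] = None) -> None:
        self.decision = decision
        self.matched_rule = matched_rule

    def isGrant(self) -> bool:
        return self.decision == "GRANT"


def identity_matches(rule: Identity, user_attrs: Identity) -> bool:
    """A rule matches when the user holds every (type, value) it names; a rule
    entry whose value is None is satisfied by any value of that attribute type."""
    for a_type, a_value in rule:
        if a_value is None:
            if not any(t == a_type for t, _ in user_attrs):
                return False
        elif (a_type, a_value) not in user_attrs:
            return False
    return True


class AuthzStore:
    def __init__(self) -> None:
        # (identity rule, resource) -> rights granted to users matching the rule
        self._rules: Dict[Tuple[Identity, Resource], Set[str]] = {}

    def addRights(self, ident: Iterable[Attr], resource: Iterable[Tuple[str, str]],
                  rights: Iterable[str]) -> None:
        key = (frozenset(ident), frozenset(resource))
        self._rules.setdefault(key, set()).update(rights)

    def removeRights(self, ident, resource, rights) -> None:
        key = (frozenset(ident), frozenset(resource))
        if key in self._rules:
            self._rules[key] -= set(rights)
            if not self._rules[key]:
                del self._rules[key]

    def getRights(self, user_attrs) -> Dict[Resource, Set[str]]:
        """Every resource, with its rights, that a user holding these attributes may access."""
        user = frozenset(user_attrs)
        out: Dict[Resource, Set[str]] = {}
        for (rule, resource), rights in self._rules.items():
            if identity_matches(rule, user):
                out.setdefault(resource, set()).update(rights)
        return out

    def listAccess(self, resource) -> List[Tuple[Identity, Set[str]]]:
        """Each identity rule granted rights on this resource, with those rights."""
        res = frozenset(resource)
        return [(rule, set(rights)) for (rule, r), rights in self._rules.items() if r == res]

    def authzDecision(self, user_attrs, resource, right: str) -> Response:
        user = frozenset(user_attrs)
        res = frozenset(resource)
        for (rule, r), rights in self._rules.items():
            if r == res and right in rights and identity_matches(rule, user):
                return Response("GRANT", rule)
        return Response("DENY")     # default deny: no rule grants this right


def demo() -> Dict[str, object]:
    """Constructed scenario: a bucket readable by any Kent professor, writable
    by its owner, listable by anyone with some affiliation; a student cannot read."""
    store = AuthzStore()
    bucket = {("bucket", "research-data"), ("owner", "dwc8")}
    store.addRights({("affiliation", "University of Kent"), ("role", "professor")}, bucket, {"read"})
    store.addRights({("UID", "dwc8")}, bucket, {"read", "write"})
    store.addRights({("affiliation", None)}, bucket, {"list"})   # type-only rule: any affiliation
    prof = {("UID", "abc1"), ("role", "professor"), ("affiliation", "University of Kent")}
    student = {("UID", "stu2"), ("role", "student"), ("affiliation", "University of Kent")}
    return {
        "prof_read": store.authzDecision(prof, bucket, "read").isGrant(),
        "prof_write": store.authzDecision(prof, bucket, "write").isGrant(),
        "student_read": store.authzDecision(student, bucket, "read").isGrant(),
        "student_list": store.authzDecision(student, bucket, "list").isGrant(),
        "owner_rights": sorted(store.getRights({("UID", "dwc8")})[frozenset(bucket)]),
        "rules_on_bucket": len(store.listAccess(bucket)),
    }


if __name__ == "__main__":
    print(demo())
```

The store keeps one entry per (identity rule, resource) pair, so addRights on an existing pair merges rights as the slide says ("in addition to any existing rights"), and removeRights drops the pair entirely once no rights remain, which keeps listAccess from reporting empty grants.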
Proxy IdP
• Acts as a Where Are You From service and protocol converter between OpenID, OAuth, Twitter protocols etc. and SAMLv2
• Allows users who are not part of an existing SAMLv2 federation to join the cloud
• SP only needs to talk SAMLv2 to, and trust, the proxyIdP
• SP says what LoA and attributes it requires, and proxyIdP returns the SAML authn and attribute statements to the SP
• ProxyIdP also computes the LoA from the authenticating IdP, and sends this as a subject attribute to make the SP’s authorisation decision making easy
• It has an associated Account Database and Account Linking Service which allow users to link their various accounts together to gain further authz at the SPs (not discussed here)
• It has an associated Credential Validation Service for validating the attribute credentials from the trusted IdPs (not discussed here)
The Authn API
• getIdentity – given a URL and a set of identity requirements, return the authenticated user to this URL with his/her set of qualified identity attributes that match the requirements, the user’s persistent ID (PId) and the name of the Identity Provider (IdP) authenticating the user. (If no identity requirements are specified then obtain as many identity attributes as possible from as many IdPs as possible, along with the PId.)
• logout – given a URL to return to, log the user out of his session with this cloud service provider and return the user to this URL. Note that this is only logout of the cloud application and is not logout from the federated identity management infrastructure, i.e. SSO with the authenticating IdP is still active.
• setCVS – given the URL of the CVS, this method enables the use of the CVS by the proxyIdP. When this method is called all the attributes returned from the IdP are validated by the CVS according to the policy rules configured into it. (If not called, getIdentity will accept every attribute it is given without validating whether it came from the correct, i.e. trusted, IdP.)
Identity Requirements
• An attribute type – taken from an attribute class hierarchy
• An attribute issuer – which specifies who the issuer of the attribute type should be. This can either be a specific issuer instance (URL), or a class of issuer (URN) taken from an issuer class hierarchy
• The minimum required Level of Assurance (in the range 1 (lowest) to 4 (highest)) for this identity attribute
Qualified Identity Attributes
• An identity attribute type/name
• An attribute value
• The issuer of this attribute
• The LoA of this attribute
Examples
• getIdentity (creditCard, urn:org:bank, 2)
– This specifies that the user should be identified by a credit card attribute issued by a bank.
– An example of a return value is Visa=1234567890, Barclays.co.uk, 2
• getIdentity (UID, kent.ac.uk, 1; role, urn:federation:UK-AMF, 1; affiliation, urn:federation:UK-AMF, 1)
– This specifies that the user should be identified by 3 attributes, namely a UID issued by kent.ac.uk, a role issued by a member of the UK Access Management Federation, and the name of the organization in the UK-AMF to which the user is affiliated.
– An example of a return value is (UID=dwc8, kent.ac.uk, 2), (role=professor, kent.ac.uk, 2), (affiliation= University of Kent, kent.ac.uk, 2)
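The two getIdentity examples above are resolved by matching each identity requirement (attribute type, issuer or issuer class, minimum LoA) against the user's qualified identity attributes (type, value, issuer, LoA). The following is an added example in Python, not the project's code, that carries both examples through and also shows the proxy IdP stamping attributes with the LoA of the authenticating IdP and the effect of setCVS (attributes from issuers the CVS policy does not trust are dropped; without a CVS every attribute is accepted as given). The issuer class hierarchy, attribute class hierarchy, IdP-to-LoA table and CVS policy are constructed sample data.

```python
"""Resolving getIdentity's identity requirements against a user's qualified
identity attributes. Added example, not the project's code: the issuer class
hierarchy, attribute class hierarchy, IdP-to-LoA table and CVS trust policy
are constructed sample data."""
from typing import Dict, List, NamedTuple, Optional, Set


class Requirement(NamedTuple):
    attr_type: str   # attribute type from the attribute class hierarchy
    issuer: str      # specific issuer (URL/domain) or issuer class (URN)
    min_loa: int     # minimum Level of Assurance, 1 (lowest) to 4 (highest)


class QualifiedAttr(NamedTuple):
    attr_type: str
    value: str
    issuer: str
    loa: int


# Constructed issuer class hierarchy: issuer class URN -> member issuers.
ISSUER_CLASSES: Dict[str, Set[str]] = {
    "urn:federation:UK-AMF": {"kent.ac.uk", "ox.ac.uk"},
    "urn:org:bank": {"barclays.co.uk", "hsbc.co.uk"},
}
# Constructed attribute class hierarchy: attribute class -> concrete subtypes.
ATTR_CLASSES: Dict[str, Set[str]] = {"creditCard": {"Visa", "Mastercard"}}
# Constructed LoA the proxy IdP assigns to attributes from each authenticating IdP.
IDP_LOA: Dict[str, int] = {"kent.ac.uk": 2, "barclays.co.uk": 2, "google.com": 1}


def qualify(idp: str, raw_attrs: Dict[str, str]) -> List[QualifiedAttr]:
    """What the proxy IdP does: stamp each attribute from an IdP with that IdP
    as issuer and the LoA computed for it (unknown IdPs get the lowest LoA)."""
    loa = IDP_LOA.get(idp.lower(), 1)
    return [QualifiedAttr(t, v, idp, loa) for t, v in raw_attrs.items()]


def issuer_satisfies(actual: str, required: str) -> bool:
    """A specific issuer matches only itself; an issuer class URN matches any member."""
    if required.startswith("urn:"):
        return actual.lower() in ISSUER_CLASSES.get(required, set())
    return actual.lower() == required.lower()


def type_satisfies(actual: str, required: str) -> bool:
    return actual == required or actual in ATTR_CLASSES.get(required, set())


class CVS:
    """Toy Credential Validation Service: attribute type -> issuers trusted to assert it."""

    def __init__(self, policy: Dict[str, Set[str]]) -> None:
        self.policy = policy

    def trusted(self, a: QualifiedAttr) -> bool:
        return a.issuer.lower() in self.policy.get(a.attr_type, set())


def select_attributes(reqs: List[Requirement], attrs: List[QualifiedAttr],
                      cvs: Optional[CVS] = None) -> Optional[List[QualifiedAttr]]:
    """Return one qualified attribute per requirement (the highest-LoA candidate),
    or None if some requirement cannot be met. With a CVS configured (setCVS),
    attributes from issuers the policy does not trust are discarded first;
    without one every attribute is accepted as given. With no requirements,
    everything usable is returned (the "as many as possible" case)."""
    usable = [a for a in attrs if cvs is None or cvs.trusted(a)]
    if not reqs:
        return usable
    chosen: List[QualifiedAttr] = []
    for req in reqs:
        candidates = [a for a in usable
                      if type_satisfies(a.attr_type, req.attr_type)
                      and issuer_satisfies(a.issuer, req.issuer)
                      and a.loa >= req.min_loa]
        if not candidates:
            return None
        chosen.append(max(candidates, key=lambda a: a.loa))
    return chosen


# Constructed sample: what one user might bring back from several IdPs.
SAMPLE_ATTRS: List[QualifiedAttr] = (
    qualify("Barclays.co.uk", {"Visa": "1234567890"})
    + qualify("kent.ac.uk", {"UID": "dwc8", "role": "professor", "affiliation": "University of Kent"})
    + qualify("self-asserted.example", {"role": "admin"})   # nobody trusted vouches for this one
)

BANK_REQ = [Requirement("creditCard", "urn:org:bank", 2)]
KENT_REQ = [Requirement("UID", "kent.ac.uk", 1),
            Requirement("role", "urn:federation:UK-AMF", 1),
            Requirement("affiliation", "urn:federation:UK-AMF", 1)]

if __name__ == "__main__":
    print(select_attributes(BANK_REQ, SAMPLE_ATTRS))
    print(select_attributes(KENT_REQ, SAMPLE_ATTRS))
```

Note that the role requirement is satisfied by the kent.ac.uk professor attribute and not by the self-asserted "admin" one, because the issuer class check rejects issuers outside the federation; only when an SP names that issuer explicitly in a requirement does the CVS policy become the last line of defence.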
Issue
• How to delegate access to your cloud resources to a user who either does not have any recognised attributes or does, but you don’t know what they are (due to privacy protection)?
• Even though each IdP user has a PId, you don’t know what it is, and most likely neither do they (and you probably don’t know your own PId either)
Solution
• Providing the user has a login account at one of the recognised IdPs
– (in our case UK AMF, Google, Facebook, Twitter and OpenID)
• We introduce a Delegation Issuing Service, which will issue freshly minted attributes to your chosen delegates
• Where you are the attribute authority
• You choose the attributes to be delegated
• You then use the existing ABAC authz system to assign rights to these attributes
• The DIS registers your delegates in its database and keeps a record of your attribute assignments to them, then whenever they log in to the cloud service, they are assigned these attributes
– All DIS users are given a user friendly nickname for ease of reference
How does it work?
• You enter a new delegate into the cloud service by defining her group attribute name and value e.g. Colleague (Chris) or Family (Mother)
• The system gives you a secret URL
• You give this URL to your delegate by some out of band means
• The delegate clicks on the URL, logs into the cloud service via her IdP, and is assigned the attribute you gave her
• Every time your delegate logs in in the future, she is assigned the attributes you gave her
Delegation API
• encodeDelAtt – given the identity of the delegator (as a set of attribute types and values) and the attribute to be delegated (e.g. delegationAttribute=MyFriend), it returns the (uniquely) encoded delegation attribute
• decodeDelAtt – given an encoded delegation attribute, return the identity of the delegator (as a set of attribute types and values) and the attribute that is delegated
• getSecret – given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate (string), and the encoded delegation attribute, return a secret to be given to the delegate.
• useSecret – given a secret, the identity of the delegate (as an IdP/PId pair), and the delegate’s nickname for the delegator, return the encoded delegation attribute.
• getDelegationAttributes – given the delegate's identity (as an IdP/PId pair) return the set of encoded delegation attributes, each set comprising: an encoded delegation attribute and the delegator (as a set of attribute types and values).
• revokeDelegate – given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate and the encoded delegation attribute, revoke this attribute from this delegate.
• getDelegates – given the identity of a delegator (as a set of attribute types and values), return the set of delegates comprising the nickname of each delegate and the encoded delegation attribute.
• getDelegators – given the identity of a delegate (IdP/PId), return the set of delegators comprising the nickname of the delegator and the encoded delegation attribute.
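The Delegation API above and the secret-URL enrolment from "How does it work?" fit together as one flow: encodeDelAtt binds the new attribute to the delegator, getSecret mints a secret the delegator hands over out of band, and useSecret is what the delegate's click on the URL (after logging in via her IdP) triggers, after which getDelegationAttributes returns the attribute on every later login. The following is an added example in Python, not the project's code, implementing the whole API on an in-memory store. The encoding (URL-safe base64 of canonical JSON, so equal delegator/attribute pairs always give the same token), the single-use secrets, the check in getSecret that only the delegator named in the attribute can issue it, and the placeholder BASE_URL are assumptions.

```python
"""Toy Delegation Issuing Service implementing the Delegation API and the
secret-URL enrolment flow. Added example, not the project's code: the encoding,
the single-use secrets, the issuer check and the in-memory store are assumptions."""
import base64
import json
import secrets
from typing import Dict, Iterable, List, Tuple

Identity = Tuple[Tuple[str, str], ...]   # delegator as sorted (type, value) pairs
DelegateId = Tuple[str, str]             # delegate as an (IdP, PId) pair
BASE_URL = "https://cloud.example/delegate"   # placeholder for the cloud service's URL


def _canon(identity: Iterable[Tuple[str, str]]) -> Identity:
    return tuple(sorted((str(t), str(v)) for t, v in identity))


def encodeDelAtt(delegator: Iterable[Tuple[str, str]], attribute: str) -> str:
    """Uniquely encode (delegator identity, delegated attribute) as one token:
    canonical JSON (sorted keys, fixed separators) so equal inputs give equal tokens."""
    payload = json.dumps({"by": _canon(delegator), "att": attribute},
                         sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def decodeDelAtt(encoded: str) -> Tuple[Identity, str]:
    """Inverse of encodeDelAtt: recover the delegator and the delegated attribute."""
    padded = encoded + "=" * (-len(encoded) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    return _canon(obj["by"]), obj["att"]


class DIS:
    def __init__(self) -> None:
        # unused secret -> (delegator, delegate nickname, encoded attribute)
        self._pending: Dict[str, Tuple[Identity, str, str]] = {}
        # delegator -> delegate nickname -> {"atts": encoded attributes, "id": (IdP, PId) once enrolled}
        self._delegates: Dict[Identity, Dict[str, dict]] = {}
        # delegate -> encoded attribute -> (delegator, delegate's nickname for the delegator)
        self._grants: Dict[DelegateId, Dict[str, Tuple[Identity, str]]] = {}

    def getSecret(self, delegator, nickname: str, encoded: str) -> str:
        d = _canon(delegator)
        if decodeDelAtt(encoded)[0] != d:   # assumption: only the named delegator may issue it
            raise ValueError("only the delegator named in the attribute may issue it")
        secret = secrets.token_urlsafe(32)   # unguessable; handed to the delegate out of band
        self._pending[secret] = (d, nickname, encoded)
        entry = self._delegates.setdefault(d, {}).setdefault(nickname, {"atts": set(), "id": None})
        entry["atts"].add(encoded)
        return secret

    def secretUrl(self, secret: str) -> str:
        """The secret URL the system gives the delegator to pass on."""
        return f"{BASE_URL}?secret={secret}"

    def useSecret(self, secret: str, delegate: DelegateId, delegator_nickname: str) -> str:
        if secret not in self._pending:
            raise ValueError("unknown or already used secret")
        d, nickname, encoded = self._pending.pop(secret)   # single use
        self._delegates[d][nickname]["id"] = delegate
        self._grants.setdefault(delegate, {})[encoded] = (d, delegator_nickname)
        return encoded

    def getDelegationAttributes(self, delegate: DelegateId) -> List[Tuple[str, Identity]]:
        return [(enc, d) for enc, (d, _) in self._grants.get(delegate, {}).items()]

    def revokeDelegate(self, delegator, nickname: str, encoded: str) -> None:
        d = _canon(delegator)
        entry = self._delegates.get(d, {}).get(nickname)
        if entry is None:
            return
        entry["atts"].discard(encoded)
        if entry["id"] is not None:
            self._grants.get(entry["id"], {}).pop(encoded, None)
        for s, pending in list(self._pending.items()):   # also void any unused secret
            if pending == (d, nickname, encoded):
                del self._pending[s]
        if not entry["atts"]:
            del self._delegates[d][nickname]

    def getDelegates(self, delegator) -> List[Tuple[str, str]]:
        d = _canon(delegator)
        return [(nick, enc) for nick, e in self._delegates.get(d, {}).items()
                for enc in sorted(e["atts"])]

    def getDelegators(self, delegate: DelegateId) -> List[Tuple[str, str]]:
        return [(nick, enc) for enc, (_, nick) in self._grants.get(delegate, {}).items()]
```

Two points worth noticing: the secret, not the encoded attribute, is the capability, so the encoded attribute may be freely visible (it carries only the delegator's identity and the attribute name) while the secret must be unguessable and consumed on first use; and revokeDelegate voids any not-yet-used secret as well as the live grant, so a delegator who changes her mind before the delegate clicks is still covered.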
Live Demo
• A live demo is available here
http://sec.cs.kent.ac.uk/demos/
• Choose 6. My Private Cloud
Acknowledgements
• This research received funding from
– EC’s FP7 under grant agreement n° 216287 (Trusted Architecture for Securely Shared Services) and
– UK’s EPSRC under grant ref. n° EP/1034181/1 (My Private Cloud)
Demo Screenshots
Welcome Screen
Login Redirects to Proxy IdP
User Logs In via chosen IdP
User is shown all the Accounts that his Attributes give him Ownership of, and Opens (or Creates) one
User is shown Account Details of Opened Account
List of Your Delegates
List of Buckets You Own
List of Buckets and Files that other Account Owners have shared with you
User Opens a Bucket
Can view/alter Access Rights Can upload/download files
Showing Permissions that You have Granted to Others
Permissions given to Contacts/Delegates
Permissions already given to other Account Holders
Give New Permissions to Others
Granting Permissions To Others
Granting access to Contacts/Delegates
Granting access to other Account Holders
Granting Public access
Adding a New Contact/Delegate