EGEE security
Current status 2006-02-27

1. Description of work performed, open issues and future work
   1.1. Logging
   1.2. Auditing
   1.3. Identity Credentials and Trust infrastructure
   1.4. Site-integrated credential services
   1.5. Enforcing validity constraints
   1.6. Revocation
   1.7. Certificate renewal
   1.8. Anonymity, Privacy, Pseudonymity
   1.9. Key hygiene and repudiation
   1.10. Bootstrapping authentication
   1.11. Credential stores
   1.12. Encryption key management
   1.13. Authorization services
   1.14. Delegation
   1.15. Mutual authorization
   1.16. Authorization interfaces to existing systems
   1.17. Authorization Framework
   1.18. Securing the hosted to native interface
   1.19. Network isolation
2. Security modules developed/reengineered by JRA3

1. DESCRIPTION OF WORK PERFORMED, OPEN ISSUES AND FUTURE WORK

See the full description in the DJRA3.4 EGEE Security Assessment Document (https://edms.cern.ch/document/686044), where we summarize, on a component basis, the advancements made and the problems that have been solved. We also identify outstanding issues and report on current status.

1.1. LOGGING

A common infrastructure for the recording of system events for tracking, accountability, and auditing purposes.

Status and future plans
A common logging model is being developed but not yet implemented project-wide. There are currently no plans in our architecture to address remote log inspection.

1.2. AUDITING

The auditing system uses information recorded about system and user activity for the purposes of accountability and security assurance.

Status and future plans
Basic functionality is defined in the security requirements and architecture but not implemented project-wide. Practical auditing service implementation is outsourced to Grid sites. A common auditing model and infrastructure are still to be developed. End date currently unknown.

1.3. IDENTITY CREDENTIALS AND TRUST INFRASTRUCTURE

The identification of users, agents, hosts, and services when they interact with each other.

Status and future plans
Middleware needs to allow for a more dynamic trust infrastructure, e.g. with support for certificate chaining and OCSP. More flexible ways to control and assess identity namespace constraints are being developed.

1.4. SITE-INTEGRATED CREDENTIAL SERVICES

Site-integrated credential services (SICS) leverage the organisational authentication infrastructure to protect and issue (short-lived) Grid credentials to its (local) users.

Status and future plans
An authentication profile for short-lived credential services is being developed. Scalability in the number of issuers is foreseen as a problem that needs further investigation.

1.5. ENFORCING VALIDITY CONSTRAINTS

Additional validation tests are required to assess that credentials (in particular proxy certificates) adhere to established operational policies.

Status and future plans
Proxy certificate lifetime checks are in the implementation phase. The default lifetime settings are still a point of discussion when considering a certificate chain with more than two proxy certificates. Identifying and classifying credential protection levels is an outstanding issue.

1.6. REVOCATION

The process of invalidating a credential, and the secure distributed propagation of such status change information.

Status and future plans
CRLs are currently used, which is deemed too slow and too static. OCSP is addressed in the architecture but not yet operationally.

1.7. CERTIFICATE RENEWAL

The automated, yet controlled and managed, renewal of short-lived credentials and authorization assertions.

Status and future plans
A VOMS-aware renewal service exists. Integrated support for VOMS in online keystores (such as MyProxy) is being investigated.
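The proxy lifetime checks described under 1.5 can be illustrated with a small chain validator. This is an added example, not code from the EGEE document or from gLite; the policy values (a 24-hour maximum proxy lifetime and at most three proxies in a chain) and the sample chain are constructed assumptions, and a real check would take the validity fields from parsed X.509 certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for this example; the EGEE document leaves the
# default proxy lifetime as an open point of discussion.
MAX_PROXY_LIFETIME = timedelta(hours=24)
MAX_PROXY_DEPTH = 3

@dataclass
class Cert:
    """Validity fields of one chain element (taken from a parsed X.509 cert in practice)."""
    subject: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool

def check_proxy_chain(chain, now, max_lifetime=MAX_PROXY_LIFETIME, max_depth=MAX_PROXY_DEPTH):
    """Walk a chain ordered leaf first, ending at the end-entity certificate,
    and return the policy violations found (an empty list means acceptable)."""
    problems = []
    if not chain or chain[-1].is_proxy:
        problems.append("chain must end in a non-proxy end-entity certificate")
    if sum(c.is_proxy for c in chain) > max_depth:
        problems.append(f"more than {max_depth} proxy certificates in chain")
    for i, cert in enumerate(chain):
        if not cert.not_before <= now <= cert.not_after:
            problems.append(f"{cert.subject}: not valid at {now.isoformat()}")
        if not cert.is_proxy:
            continue
        if cert.not_after - cert.not_before > max_lifetime:
            problems.append(f"{cert.subject}: lifetime exceeds {max_lifetime}")
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            # A proxy must not be valid outside the window of the credential that signed it.
            if cert.not_before < issuer.not_before or cert.not_after > issuer.not_after:
                problems.append(f"{cert.subject}: validity extends beyond issuer {issuer.subject}")
    return problems

def sample_chain():
    """Constructed chain: a user certificate and three delegated proxies, leaf first."""
    t0 = datetime(2006, 2, 27, 9, 0)
    user = Cert("/O=EGEE/CN=Alice", t0 - timedelta(days=30), t0 + timedelta(days=335), False)
    p1 = Cert("/O=EGEE/CN=Alice/CN=proxy", t0, t0 + timedelta(hours=12), True)
    p2 = Cert("/O=EGEE/CN=Alice/CN=proxy/CN=proxy", t0, t0 + timedelta(hours=12), True)
    # The third proxy outlives both its issuer and the policy maximum.
    p3 = Cert("/O=EGEE/CN=Alice/CN=proxy/CN=proxy/CN=proxy", t0, t0 + timedelta(hours=48), True)
    return [p3, p2, p1, user]
```

The constructed chain's third proxy both exceeds the assumed maximum lifetime and outlives the proxy that issued it, so the checker reports two violations for it.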
1.8. ANONYMITY, PRIVACY, PSEUDONYMITY

The controlled protection of user identities and data, and escrow of the same for management and authorities.

Status and future plans
Work in this area has not yet started.

1.9. KEY HYGIENE AND REPUDIATION

Enforcement of proper handling practices for user-held credentials.

Status and future plans
Addressed in the architecture but not operationally. Guidelines, a PMA authentication profile, and deployment are underway. End date currently unknown.

1.10. BOOTSTRAPPING AUTHENTICATION

A collective term for the initial security mechanisms that can be used to acquire a Grid credential.

Status and future plans
Some experiments have been done with USB-based smart cards. While future plans include integration with Shibboleth, the requirement to move away from static passwords is still an open issue.

1.11. CREDENTIAL STORES

The controlled secure management of user credentials, to permit the enforcement of key hygiene.

Status and future plans
See the status on Key Hygiene (1.9).

1.12. ENCRYPTION KEY MANAGEMENT

The secure management of cryptographic keys that in turn protect data stored in encrypted form.

Status and future plans
Security and Data Management modules are being developed but are not operational; they are still at a prototype stage. End date currently unknown.

1.13. AUTHORIZATION SERVICES

A collective term for the (centralized) services used to manage access control (typically one per VO).

Status and future plans
VOMS development is ongoing and improving.

1.14. DELEGATION

The capability to transfer rights and privileges to allow someone else (e.g. an application) to act on your behalf.

Status and future plans
Addressed in the architecture. A gap implementation is provided. An interoperable solution and a better solution for constrained delegation are still open issues.

1.15. MUTUAL AUTHORIZATION

The process in which both parties authorize each other before engaging in a message exchange, typically to avoid information leakage.

Status and future plans
Besides finding the manpower to move the prototype into production deployment, we have no outstanding issues.

1.16. AUTHORIZATION INTERFACES TO EXISTING SYSTEMS

An authorization interface to existing and legacy systems, which allows a combined and flexible decision-making process by taking into account information, assertions and policies from a variety of authorities.

Status and future plans
Addressed in the architecture, integrated, and deployed (LCMAPS, Java authorization framework). Interoperability comes next: harmonization and agreement on the common interfaces that these components should implement.

1.17. AUTHORIZATION FRAMEWORK

A framework that collects and combines policies and information from several sources using pluggable extensions.

Status and future plans
Implemented in both Java and C, with plugins for VOMS, gridmap files, and blacklists. New plugins to interface local authorization systems and other external services will be required. Integration is underway.

1.18. SECURING THE HOSTED TO NATIVE INTERFACE

Isolating the (user-provided) applications from each other and from the local system as much as possible, while preserving the appearance of transparent access to shared remote resources.

Status and future plans
LCAS and LCMAPS have been in use from the start of the project. The implications of the various glexec deployment scenarios on the (site) security architecture are being investigated. The sandboxing components will be enhanced by the addition of a call-out to remote authorization services. Virtual machine technology will be adopted when it is ready for production systems.

1.19. NETWORK ISOLATION

Dynamically adapting firewall policy to enforce strict rules while still being able to obey the connectivity needs of (some) users and applications.

Status and future plans
Development of the Dynamic Connectivity Service has not begun but is on our agenda. Ideas are being developed to cover most requirements.
An end date is currently unknown.

2. SECURITY MODULES DEVELOPED/REENGINEERED BY JRA3

Module                         | Component available | Component implemented | Component integrated
-------------------------------+---------------------+-----------------------+-------------------------
AuthZ framework (java)         | Yes                 | gLite1.0              | Yes
Grid enhancement for OpenSSL   | Yes                 | No                    | Yes, in openssl-0.9.7g
glexec                         | Yes                 | gLite3.0              | No
Jobrepository                  | Yes                 | gLite1.5              | No
Security test utils            | Yes                 | gLite1.3              | Yes
Trustmanager                   | Yes                 | gLite1.0              | Yes
LCAS                           | Yes                 | gLite1.0              | Yes
LCMAPS                         | Yes                 | gLite1.0              | Yes
Gatekeeper                     | Yes                 | gLite1.0              | Yes
Delegation                     | Yes                 | gLite1.2/1.5          | Yes
gsoap plugin                   | Yes                 | gLite1.2 (not JRA3)   | Yes
Encrypted storage              |                     |                       |