
My Private Cloud

David W Chadwick

University of Kent

1 Dec 2011 IEEE CloudCom 2011 1

Project Objectives

Migrate (as much as possible in 6 months of) the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services.

The TSP infrastructure relies on trusted cloud providers to operate in good faith, but this can be checked: trust but verify.

The infrastructure is built from legal agreements and open source software services.

Software services include: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails.

TAS3

TAS3 – Trusted Architecture for Securely Shared Services – is an EC FP7 Integrated Project, running from Jan 2008 to Dec 2011, with 16 partners and €9.4M EC contribution.

Objective: develop and implement an architecture for trusted services to manage and process distributed personal information.

[Figure: TAS3 Trust Network architecture. Legend: IdP=Identity Provider, AA=Attribute Authority, DS=Delegation Service, Authn=Authentication Service, P/S=Publish-Subscribe Service, CSP=Cloud Service Provider, PEP=Policy Enforcement Point, PDP=Policy Decision Point, Authz=Authorisation Infrastructure, Appln=Application Code, WSC=Web Services Client, Dash=User's dashboard service, TAAS=Trusted Attribute Aggregation Service; the diagram also shows the Audit Service, Trust and Reputation Service and Service Directory.]

Project Achievements

Have defined and implemented APIs (in PHP) for:

• Federated Identity Management with different Levels of Assurance
• Privacy Preserving Delegation of Authority
• Granting of Access Rights to Other Account Holders

And built these into a front end Proxy Service to the Amazon/Eucalyptus S3 service.

[Figure: My Private Cloud architecture. Legend: External Services (OpenID, Facebook, Google, Twitter, Other IdPs, UK AMF IdP 1..IdP n, WAYF), Locally Provided Services (Org LDAP, Account DB, Authz Database, PDP), Cloud API Security Services (Proxy IdP built on SimpleSAMLphp, Authn API (SimpleSAMLphp SP), Delegation API and Delegation Issuing Web Service, CVS, Authz API). The same diagram is repeated on later slides with the component under discussion highlighted.]


Authz API – Attribute Based AC

• getRights – given a set of user identity attributes (types and values), return the resources (identified by a set of attribute types and values) and access rights that are granted to users possessing this identity. (DB)

• listAccess – given a resource (identified by a set of attribute types and values), return the sets of users with access rights to this resource, each set comprising a user identity (a set of attribute types and values) and its associated access rights. (DB)

• addRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values) and a set of access rights, grants these rights to users possessing this set of identity attributes (in addition to any existing rights). (DB)

• removeRights – given a set of user identity attributes (types and optionally values), a resource (identified by a set of attribute types and values), and a set of access rights, revoke these rights from users possessing this set of identity attributes. (DB)

• authzDecision – given a set of user identity attributes (types and values), a requested resource (identified by a set of attribute types and values) and a requested access right, return a Response object indicating whether access is granted (GRANT) or not (DENY). The Response object can be checked by using the method isGrant, which returns the value True if access is granted. (PDP)
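The following is an added example, not the project's PHP code: a Python in-memory model of the Authz API just listed, so that the semantics of the five calls (rules keyed by identity attributes, rights accumulated by addRights, a Response checked with isGrant, and deny by default when no rule matches) can be exercised. The attribute names and the scenario in demo() are constructed for the example.

```python
"""Added example (not the project's PHP code): an in-memory model of the
attribute based access control Authz API.

Identities and resources are both sets of (attribute type, attribute value)
pairs. A rule stores the identity attributes a user must possess, the
resource they apply to and the rights granted. Following the addRights
description, a rule attribute with value None means "any value of this type".
No matching rule means DENY (deny by default).
"""


def _matches(rule_attrs, user_attrs):
    """True if the user possesses every identity attribute the rule demands."""
    user_attrs = set(user_attrs)
    for atype, avalue in rule_attrs:
        if avalue is None:
            if not any(t == atype for t, _ in user_attrs):
                return False
        elif (atype, avalue) not in user_attrs:
            return False
    return True


class Response:
    """Result of authzDecision: GRANT or DENY, checked with isGrant()."""

    def __init__(self, decision):
        self.decision = decision

    def isGrant(self):
        return self.decision == "GRANT"


class AuthzAPI:
    def __init__(self):
        # Each rule: [identity frozenset, resource frozenset, set of rights]
        self._rules = []

    def _find(self, identity, resource):
        for rule in self._rules:
            if rule[0] == identity and rule[1] == resource:
                return rule
        return None

    def addRights(self, identity, resource, rights):
        """Grant rights to users holding this identity, keeping existing ones."""
        identity, resource = frozenset(identity), frozenset(resource)
        rule = self._find(identity, resource)
        if rule is None:
            self._rules.append([identity, resource, set(rights)])
        else:
            rule[2].update(rights)

    def removeRights(self, identity, resource, rights):
        """Revoke rights; a rule with no rights left is dropped entirely."""
        rule = self._find(frozenset(identity), frozenset(resource))
        if rule is not None:
            rule[2].difference_update(rights)
            if not rule[2]:
                self._rules.remove(rule)

    def getRights(self, user_attrs):
        """Map each resource to the union of rights this identity is granted."""
        granted = {}
        for identity, resource, rights in self._rules:
            if _matches(identity, user_attrs):
                granted.setdefault(resource, set()).update(rights)
        return granted

    def listAccess(self, resource):
        """All (identity, rights) pairs with access to this resource."""
        resource = frozenset(resource)
        return [(i, set(r)) for i, res, r in self._rules if res == resource]

    def authzDecision(self, user_attrs, resource, right):
        """PDP: GRANT only if some matching rule carries the requested right."""
        rights = self.getRights(user_attrs).get(frozenset(resource), set())
        return Response("GRANT" if right in rights else "DENY")


def demo():
    """Constructed scenario: a bucket shared with any kent.ac.uk user holding some role."""
    api = AuthzAPI()
    bucket = {("bucket", "holiday-photos")}
    # Identity: affiliation must be kent.ac.uk, role may have any value
    kent_staff = {("affiliation", "kent.ac.uk"), ("role", None)}
    api.addRights(kent_staff, bucket, {"read"})
    api.addRights(kent_staff, bucket, {"list"})  # added to the existing rights

    professor = {("affiliation", "kent.ac.uk"), ("role", "professor")}
    visitor = {("affiliation", "example.org"), ("role", "professor")}
    results = {
        "prof_read": api.authzDecision(professor, bucket, "read").isGrant(),
        "prof_write": api.authzDecision(professor, bucket, "write").isGrant(),
        "visitor_read": api.authzDecision(visitor, bucket, "read").isGrant(),
        "prof_rights": sorted(api.getRights(professor)[frozenset(bucket)]),
    }
    api.removeRights(kent_staff, bucket, {"read", "list"})
    results["after_revoke"] = api.authzDecision(professor, bucket, "read").isGrant()
    results["rules_left"] = len(api.listAccess(bucket))
    return results
```

The point worth noticing is that authzDecision never needs the user's name: a rule is matched purely on the identity attributes presented, which is what lets the delegation scheme later in the talk hand out freshly minted attributes and have the existing ABAC rules apply to them unchanged.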


Proxy IdP

Acts as a Where Are You From service and protocol converter between OpenID, OAuth, Twitter protocols etc. and SAMLv2.

Allows users who are not part of an existing SAMLv2 federation to join the cloud.

The SP only needs to talk SAMLv2 to, and trust, the proxyIdP.

The SP says what LoA and attributes it requires, and the proxyIdP returns the SAML authn and attribute statements to the SP.

The proxyIdP also computes the LoA from the authenticating IdP, and sends this as a subject attribute to make the SP's authorisation decision making easy.

It has an associated Account Database and Account Linking Service which allows users to link their various accounts together to gain further authz at the SPs (not discussed here).

It has an associated Credential Validation Service for validating the attribute credentials from the trusted IdPs (not discussed here).


The Authn API

• getIdentity – given a URL and a set of identity requirements, return the authenticated user to this URL with his/her set of qualified identity attributes that match the requirements, the user's persistent ID (PId) and the name of the Identity Provider (IdP) authenticating the user. (If no identity requirements are specified then obtain as many identity attributes as possible from as many IdPs as possible, along with the PId.)

• logout – given a URL to return to, log the user out of his session with this cloud service provider and return the user to this URL. Note that this is only logout of the cloud application and is not logout from the federated identity management infrastructure, i.e. SSO with the authenticating IdP is still active.

• setCVS – given the URL of the CVS, this method enables the use of the CVS by the proxyIdP. When this method is called all the attributes returned from the IdP are validated by the CVS according to the policy rules configured into it. (If not called, getIdentity will accept every attribute that it is given without validating whether they came from the correct (i.e. trusted) IdPs.)


Identity Requirements

• An attribute type – taken from an attribute class hierarchy
• An attribute issuer – which specifies who the issuer of the attribute type should be. This can either be a specific issuer instance (URL), or a class of issuer (URN) taken from an issuer class hierarchy
• The minimum required Level of Assurance (in the range 1 (lowest) to 4 (highest)) for this identity attribute

Qualified Identity Attributes

• An identity attribute type/name
• An attribute value
• The issuer of this attribute
• The LoA of this attribute

Examples

getIdentity (creditCard, urn:org:bank, 2)

– This specifies that the user should be identified by a credit card attribute issued by a bank.

– An example of a return value is Visa=1234567890, Barclays.co.uk, 2

getIdentity (UID, kent.ac.uk, 1; role, urn:federation:UK-AMF, 1; affiliation, urn:federation:UK-AMF, 1)

– This specifies that the user should be identified by 3 attributes, namely a UID issued by kent.ac.uk, a role issued by a member of the UK Access Management Federation, and the name of the organization in the UK-AMF to which the user is affiliated.

– An example of a return value is (UID=dwc8, kent.ac.uk, 2), (role=professor, kent.ac.uk, 2), (affiliation= University of Kent, kent.ac.uk, 2)
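As an added example (Python, not the project's PHP code) of how identity requirements are matched against the qualified attributes an IdP returns, the block below reproduces the two getIdentity examples above and adds the two failure cases a practitioner cares about: an attribute whose LoA is below the minimum, and one whose issuer is outside the required issuer class. The attribute class hierarchy (Visa below creditCard) and issuer class hierarchy (Barclays.co.uk under urn:org:bank, kent.ac.uk under urn:federation:UK-AMF) are assumptions constructed for the example; the slides only say such hierarchies exist.

```python
"""Added example (not the project's PHP code): matching an SP's Identity
Requirements against the Qualified Identity Attributes returned for a user.

A requirement is (attribute type, issuer, minimum LoA); the issuer is either
a specific issuer instance (URL) or an issuer class (URN). A qualified
attribute is (type, value, issuer, LoA).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    attr_type: str   # taken from an attribute class hierarchy
    issuer: str      # specific issuer (URL) or issuer class (URN)
    min_loa: int     # 1 (lowest) .. 4 (highest)


@dataclass(frozen=True)
class QualifiedAttribute:
    attr_type: str
    value: str
    issuer: str
    loa: int


# Constructed hierarchies, child -> parent (assumption, not from the slides).
ATTRIBUTE_CLASS_PARENT = {"Visa": "creditCard", "MasterCard": "creditCard"}
ISSUER_CLASS_PARENT = {
    "Barclays.co.uk": "urn:org:bank",
    "kent.ac.uk": "urn:federation:UK-AMF",
}


def _is_a(name, ancestor, parent_map):
    """True if name equals ancestor or sits below it in the hierarchy."""
    seen = set()
    while name is not None and name not in seen:
        if name == ancestor:
            return True
        seen.add(name)
        name = parent_map.get(name)
    return False


def satisfies(attr, req):
    """All three requirement parts must hold: type, issuer and LoA floor."""
    return (_is_a(attr.attr_type, req.attr_type, ATTRIBUTE_CLASS_PARENT)
            and _is_a(attr.issuer, req.issuer, ISSUER_CLASS_PARENT)
            and attr.loa >= req.min_loa)


def get_identity(requirements, available):
    """Return one qualified attribute per requirement, in requirement order,
    or None if any requirement cannot be met (the SP then cannot proceed)."""
    chosen = []
    for req in requirements:
        match = next((a for a in available if satisfies(a, req)), None)
        if match is None:
            return None
        chosen.append(match)
    return chosen


# Constructed sample data following the two examples on the slide.
BANK_ATTRS = [QualifiedAttribute("Visa", "1234567890", "Barclays.co.uk", 2)]
KENT_ATTRS = [
    QualifiedAttribute("UID", "dwc8", "kent.ac.uk", 2),
    QualifiedAttribute("role", "professor", "kent.ac.uk", 2),
    QualifiedAttribute("affiliation", "University of Kent", "kent.ac.uk", 2),
]
# A role asserted by an issuer that is not in the UK-AMF issuer class.
ROGUE_ATTRS = [QualifiedAttribute("role", "professor", "evil.example", 4)]


def demo():
    bank_req = [Requirement("creditCard", "urn:org:bank", 2)]
    kent_req = [
        Requirement("UID", "kent.ac.uk", 1),
        Requirement("role", "urn:federation:UK-AMF", 1),
        Requirement("affiliation", "urn:federation:UK-AMF", 1),
    ]
    return {
        "bank": get_identity(bank_req, BANK_ATTRS),
        "kent": get_identity(kent_req, KENT_ATTRS),
        # The LoA 2 card cannot satisfy a requirement for LoA 3
        "loa_too_low": get_identity([Requirement("creditCard", "urn:org:bank", 3)], BANK_ATTRS),
        # A high-LoA attribute from the wrong issuer class is still refused
        "wrong_issuer": get_identity(kent_req[1:2], ROGUE_ATTRS),
    }
```

The "wrong_issuer" case is the one the CVS note under setCVS is about: the issuer check only protects the SP if the issuer named on the attribute has actually been validated as the party that signed it, which is what the Credential Validation Service does and what the proxyIdP skips when setCVS has not been called.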


Issue

How to delegate access to your cloud resources to a user who either does not have any recognised attributes or does, but you don't know what they are (due to privacy protection)?

Even though each IdP user has a PId, you don't know what it is, and most likely neither do they (and you probably don't know your own PId either).

Solution

Providing the user has a login account at one of the recognised IdPs (in our case UK AMF, Google, Facebook, Twitter and OpenID), we introduce a Delegation Issuing Service, which will issue freshly minted attributes to your chosen delegates, where:

• You are the attribute authority
• You choose the attributes to be delegated
• You then use the existing ABAC authz system to assign rights to these attributes

The DIS registers your delegates in its database and keeps a record of your attribute assignments to them; then whenever they login to the cloud service, they are assigned these attributes.

– All DIS users are given a user friendly nickname for ease of reference

How does it work?

• You enter a new delegate into the cloud service by defining her group attribute name and value, e.g. Colleague (Chris) or Family (Mother)
• The system gives you a secret URL
• You give this URL to your delegate by some out of band means
• The delegate clicks on the URL, logs into the cloud service via her IdP, and is assigned the attribute you gave her
• Every time your delegate logs in in the future, she is assigned the attributes you gave her


Delegation API

• encodeDelAtt – given the identity of the delegator (as a set of attribute types and values) and the attribute to be delegated (e.g. delegationAttribute=MyFriend), it returns the (uniquely) encoded delegation attribute

• decodeDelAtt – given an encoded delegation attribute, return the identity of the delegator (as a set of attribute types and values) and the attribute that is delegated

• getSecret – given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate (string), and the encoded delegation attribute, return a secret to be given to the delegate.

• useSecret – given a secret, the identity of the delegate (as an IdP/PId pair), and the delegate's nickname for the delegator, return the encoded delegation attribute.

• getDelegationAttributes – given the delegate's identity (as an IdP/PId pair) return the set of encoded delegation attributes, each set comprising: an encoded delegation attribute and the delegator (as a set of attribute types and values).

• revokeDelegate – given the identity of the delegator (as a set of attribute types and values), the nickname of the delegate and the encoded delegation attribute, revoke this attribute from this delegate.

• getDelegates – given the identity of a delegator (as a set of attribute types and values), return the set of delegates comprising the nickname of each delegate and the encoded delegation attribute.

• getDelegators – given the identity of a delegate (IdP/PId), return the set of delegators comprising the nickname of the delegator and the encoded delegation attribute.
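The block below is an added example (Python, not the project's PHP code) that models the Delegation Issuing Service behind the Delegation API and walks through the "How does it work?" flow from the earlier slide: the delegator names a delegate, obtains a secret, passes it out of band, and the delegate redeems it after logging in via her IdP, after which the encoded attribute is returned on every later lookup. The token encoding, the choice to make secrets single-use, and the names and PIds in demo() are this example's own assumptions.

```python
"""Added example (not the project's PHP code): an in-memory model of the
Delegation Issuing Service (DIS) and the Delegation API.

A delegator identity is a set of (attribute type, value) pairs; a delegate
identity is an (IdP, PId) pair. Encoding and secret format are assumptions.
"""
import base64
import json
import secrets


def encodeDelAtt(delegator, attribute):
    """Uniquely encode (delegator identity, delegated attribute) as a URL-safe
    token. Canonical JSON (sorted keys and attributes) makes the encoding
    deterministic, so the same pair always yields the same token."""
    payload = {"delegator": sorted(delegator), "attribute": attribute}
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decodeDelAtt(encoded):
    """Inverse of encodeDelAtt: (delegator frozenset, attribute)."""
    padded = encoded + "=" * (-len(encoded) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    return frozenset(tuple(p) for p in payload["delegator"]), payload["attribute"]


class DelegationIssuingService:
    def __init__(self):
        self._pending = {}      # secret -> record awaiting useSecret
        self._delegations = []  # redeemed records

    def getSecret(self, delegator, delegate_nickname, encoded):
        """Mint an unguessable one-time secret for this delegation; the
        delegator hands it to the delegate by some out-of-band means."""
        record = {"delegator": frozenset(delegator), "delegate_nickname": delegate_nickname,
                  "encoded": encoded, "delegate": None, "delegator_nickname": None}
        secret = secrets.token_urlsafe(32)
        self._pending[secret] = record
        return secret

    def useSecret(self, secret, delegate_identity, delegator_nickname):
        """Redeem a secret after the delegate has logged in via her IdP. The
        secret is consumed on first use (assumption), so a URL that is later
        exposed cannot be redeemed a second time by someone else."""
        record = self._pending.pop(secret, None)
        if record is None:
            return None
        record["delegate"] = tuple(delegate_identity)
        record["delegator_nickname"] = delegator_nickname
        self._delegations.append(record)
        return record["encoded"]

    def getDelegationAttributes(self, delegate_identity):
        """Attributes assigned to this delegate on every future login."""
        return [(r["encoded"], r["delegator"]) for r in self._delegations
                if r["delegate"] == tuple(delegate_identity)]

    def revokeDelegate(self, delegator, delegate_nickname, encoded):
        """Drop the delegation, including any secret not yet redeemed."""
        def keep(r):
            return not (r["delegator"] == frozenset(delegator)
                        and r["delegate_nickname"] == delegate_nickname
                        and r["encoded"] == encoded)
        self._delegations = [r for r in self._delegations if keep(r)]
        self._pending = {s: r for s, r in self._pending.items() if keep(r)}

    def getDelegates(self, delegator):
        return [(r["delegate_nickname"], r["encoded"]) for r in self._delegations
                if r["delegator"] == frozenset(delegator)]

    def getDelegators(self, delegate_identity):
        return [(r["delegator_nickname"], r["encoded"]) for r in self._delegations
                if r["delegate"] == tuple(delegate_identity)]


def demo():
    """Constructed walk-through of the delegation flow."""
    dis = DelegationIssuingService()
    david = {("UID", "dwc8"), ("affiliation", "kent.ac.uk")}
    chris = ("google.com", "pid-constructed-1234")  # IdP/PId pair (constructed)

    encoded = encodeDelAtt(david, "Colleague=Chris")
    secret = dis.getSecret(david, "Chris", encoded)
    result = {"roundtrip": decodeDelAtt(encoded) == (frozenset(david), "Colleague=Chris")}
    result["first_use"] = dis.useSecret(secret, chris, "David") == encoded
    result["second_use"] = dis.useSecret(secret, chris, "David")  # None: already consumed
    result["chris_attrs"] = [a for a, _ in dis.getDelegationAttributes(chris)]
    result["david_delegates"] = dis.getDelegates(david)
    result["chris_delegators"] = dis.getDelegators(chris)
    dis.revokeDelegate(david, "Chris", encoded)
    result["after_revoke"] = dis.getDelegationAttributes(chris)
    return result
```

Because the encoded attribute carries the delegator's identity, the rights the delegator has assigned to it through addRights in the Authz API apply only to attributes minted by that delegator; two users who both delegate "Colleague" produce different encoded attributes.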


Live Demo

A live demo is available at http://sec.cs.kent.ac.uk/demos/ (choose 6. My Private Cloud).

Acknowledgements

This research received funding from the EC's FP7 under grant agreement n° 216287 (Trusted Architecture for Securely Shared Services) and the UK's EPSRC under grant ref. n° EP/1034181/1 (My Private Cloud).

[Demo screenshots; captions only:]

Welcome Screen

User Logs In via chosen IdP

User is shown all the Accounts that his Attributes give him Ownership of, and Opens (or Creates) one

User is shown Account Details of Opened Account: List of Your Delegates; List of Buckets You Own; List of Buckets and Files that other Account Owners have shared with you

User Opens a Bucket

Showing Permissions that You have Granted to Others: Permissions given to Contacts/Delegates; Permissions already given to other Account Holders; Give New Permissions to Others

Granting Permissions To Others: Granting access to Contacts/Delegates; Granting access to other Account Holders

Adding a New Contact/Delegate
