Re: Something Stronger than a Passphrase? (UNCLASSIFIED)
Friedrichs, Paul D CTR DISA PEO-IAN <Paul.Friedrichs.ctr@disa.mil> wrote:
> I am *very* interested in deploying MyProxy on a large scale,
Great!
> but I am
> concerned about the possibility of a phishing/pharming-like attack to
> capture the passphrase passed from the prospective proxy to what it
> thinks is the MyProxy server during the get process. What I don't like
> about this is that if the prospective proxy were fooled into revealing
> the passphrase here, it would be the principal who is harmed. Should I
> not be concerned about this? Am I missing something?
The MyProxy protocol requires the client to verify the server's identity
via TLS before sending the passphrase.

However, in general, yes, you should always be concerned about
sending/delegating credentials to another party. The use of one-time,
short-lived, or otherwise restricted credentials is one technique for
managing this risk.
> Given the use of PKI everywhere else, I am surprised a passphrase is
> used for this process. Is it possible for the principal to use the put
> command to give the MyProxy server the prospective proxy's public key
> (which the principal can obtain from its SSL session with the
> prospective proxy) and then for the MyProxy server, in the get process,
> to authenticate the prospective proxy using this public key and
> client-authenticated SSL?
Yes, this is accomplished via the 'myproxy-init --retrievable_by' and
'myproxy-init --retrievable_by_cert' options.

In addition to passphrase and certificate-based authentication, MyProxy
supports Kerberos and a variety of other authentication mechanisms via
the PAM and SASL standards, such as one-time password tokens.
> And this leads me to wonder... Since the principal already knows how to
> issue a proxy certificate and the prospective proxy already knows how to
> obtain a proxy certificate, what is the advantage of having a MyProxy
> server as an intermediary? Why couldn't the principal just issue a proxy
> certificate to the proxy?
It's not always feasible to perform delegation over existing,
implemented protocols (such as with standard web browsers), requiring an
indirect delegation approach.

MyProxy provides flexibility in the time and location of delegation. I
can delegate a credential from my laptop to the MyProxy server, then
later delegate that credential to a job on a supercomputer via the web
browser on my mobile phone through a web portal interface.

I may prefer to store my PKI credentials on a professionally-managed
MyProxy server rather than my desktop, laptop, or mobile phone, for both
security and ease-of-use reasons.

I may prefer to have MyProxy delegate short-lived, restricted
credentials to my jobs on the grid, on demand, without requiring me to
closely watch over the jobs all the time myself or to delegate
longer-lived, less restricted credentials directly to the jobs. I can
rely on MyProxy to log all activity, which can be monitored by dedicated
security personnel and IDSs.

MyProxy provides functionality that is sometimes useful, sometimes not.
Certainly there are scenarios where I can manage my credentials myself
(on a smartcard, for example) and can delegate them directly to services
to act on my behalf, without needing MyProxy.
Cheers,
Jim
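
Added example, not part of the original message and not MyProxy's own code: a client-side gate that releases the passphrase-bearing request only after the TLS peer's certificate identifies the expected server, which is the check the reply above relies on against a look-alike host. The accepted CN forms, the example.org host names, the request bytes and the FakeTLS stand-in are assumptions constructed for illustration.

```python
import socket
import ssl

def acceptable_cns(host):
    # Assumption: the CN forms a MyProxy client accepts for a server on `host`.
    return {host, f"host/{host}", f"myproxy/{host}"}

def subject_cn(peercert):
    """Last commonName in the dict returned by SSLSocket.getpeercert()."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn

def send_if_verified(tls_sock, host, request):
    """Send `request` (which carries the passphrase) only to the expected server."""
    cn = subject_cn(tls_sock.getpeercert() or {})
    if cn not in acceptable_cns(host):
        raise ssl.SSLCertVerificationError(f"unexpected server identity: {cn!r}")
    tls_sock.sendall(request)

def connect(host, port, ca_file):
    """TLS handshake with chain validation against the trusted CA file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Chain validation stays mandatory (CERT_REQUIRED); the name check is done
    # in send_if_verified() because the CN may be 'host/<fqdn>'.
    ctx.check_hostname = False
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw)

class FakeTLS:
    """Constructed stand-in for an SSLSocket so the check runs offline."""
    def __init__(self, cn):
        self.cert = {"subject": ((("organizationName", "Example Grid"),),
                                 (("commonName", cn),))}
        self.sent = b""
    def getpeercert(self):
        return self.cert
    def sendall(self, data):
        self.sent += data

def demo():
    request = b"<constructed GET request carrying the passphrase>"
    real, fake = FakeTLS("host/myproxy.example.org"), FakeTLS("host/myproxy.examp1e.org")
    send_if_verified(real, "myproxy.example.org", request)
    try:
        send_if_verified(fake, "myproxy.example.org", request)
    except ssl.SSLCertVerificationError:
        pass
    return real.sent == request, fake.sent == b""
```

The look-alike host in the demo has a certificate that could chain to a trusted CA and still receives nothing, because the name comparison runs before any application data is written.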