Mechanisms of ensuring security in Keystone service

Ievgeniia Kuzminykh, Maryna Fliustikova
2019 Problemi telekomunìkacìj  
User authentication is one of the most important aspects in the area of cloud services, followed by the storing of sensitive information about customers. A number of solutions exist for authentication, security, and privacy provisioning in the cloud, while cloud identity management systems aim to simplify and harmonise access. This paper presents an investigation into the security problems associated with cloud identity and access management systems (IAMS), using the Keystone identity service within OpenStack as an example. In order to analyse the existing challenges, the paper expands security provisioning into authentication management, authorization management, personal data protection, privacy and confidentiality, as well as logging and auditing, and considers the security mechanisms required for any cloud IAMS in each of these categories. The paper also investigates some of the existing and potential attacks against the Keystone service, then follows with recommendations and mechanisms for enhancing security. The vulnerabilities in cloud IAMS show that most systems support at most a subset of security provisioning mechanisms or have their own flaws; in addition, there are no unified international standards in the cloud identity systems area for cloud and service providers. The identified list of attacks and the associated mitigation mechanisms will help to provide the identity and access management system with protection of identity credentials in the cloud system. The provided results can help with further research into mechanisms aiming to ensure personal data confidentiality and integrity.

Abstract - In cloud services, user authentication is one of the most important processes. Storing confidential information about customers is the second most important process. Ensuring security for these two processes is a key issue in cloud technologies. Authentication and storage of user credentials are tasks of the identity management system in cloud services. The paper presents an analysis of the security problems associated with identification in cloud services and the access management system, using the example of the Keystone identity service in the OpenStack platform. The main categories of security provisioning were classified as authentication management, authorization management, personal data protection, confidentiality and trust, as well as logging and auditing. The security mechanisms in each of the categories, required for any cloud access management system, are considered. Attacks on the Keystone service, both potential and already identified, were also analysed, and mechanisms for enhancing the security of identity services were proposed. Practice and vulnerabilities in identity and access management systems show that most systems do not support all the main security mechanisms. None of the mechanisms provides all security functions; moreover, another problem in securing cloud services is the absence of unified international standards in this area for all cloud services and for service providers. The obtained list of attacks and the possible mechanisms for their elimination will help to protect users' personal data in cloud services and in the identity and access management system. The provided results can help in research on improving mechanisms that prevent unauthorized access to personal data.

Peer-review e-journal «Problemi telekomunìkacìj» • № 2 (25) • 2019 • http://pt.nure.ua Y. Kuzminykh, M. Fliustikova < 79 >

Different service providers offer different cloud-based solutions, including cloud computing and cloud storage from providers such as Amazon, Alibaba Cloud, Google, IBM, Sun, Cisco, Dell, HP, Intel, Novell, and Oracle. One of the typical choices for provisioning such cloud environments is to construct the infrastructure using OpenStack, an open source software platform for creating public and private clouds. Like any other critical infrastructure software, OpenStack is regularly updated and improved by its developers, with the caveat that the changes may alter interfaces or functionality. In order to avoid the pitfalls of adapting to a new version, infrastructure managers may prefer reinstallation and redeployment of the cloud infrastructure.
If services are not updated, the vulnerabilities of the outdated versions can be exploited by attackers or malicious users. As part of the regular updates, individual OpenStack services have specific patches applied, but addressing all the problems across the entire OpenStack architecture is a non-trivial task. In this context, the purpose of this paper is to provide a starting point for the updating process by analysing the vulnerabilities of the identity management service and its protection mechanisms using the example of OpenStack, more specifically the Keystone service. The paper is organised as follows: sections 1 and 2 discuss the complexity of providing security and privacy in an Identity and Access Management System (IAMS) and give an overview of attacks on cloud services. Section 3 gives an overview of the front-end and back-end Keystone services, including their main functions as well as the most common attacks. Section 4 proposes a taxonomy of mechanisms for applying security in the authentication, authorization management, personal data protection, privacy and confidentiality, as well as logging and auditing categories. Section 5 provides a summary of the mechanisms for enhancing security and identifies a number of additional security tools for OpenStack. Based on the combination of security provisioning and enhancing mechanisms introduced, section 6 aggregates the information into a set of recommendations, then the Conclusions section summarises the achievements and limitations of the study.

Keystone core components

Keystone consists of the following components [37]:
1) Server. A centralized server provides authentication and authorization services through a RESTful interface.
2) Drivers. Drivers, or back ends, are installed on the centralized server. They provide access to authentication information held in directories external to OpenStack. These directories may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or an LDAP directory).
3) Modules. Middleware modules run in the address space of the OpenStack component that uses Keystone. These modules intercept service requests, retrieve user credentials, and send them to the centralized server for authorization. Interfaces between the middleware modules and OpenStack components use the Python WSGI (Web Server Gateway Interface).

Keystone Backend Services

The Keystone package provides identity services for all OpenStack projects. Integration into heterogeneous environments is performed with the help of back-end plug-ins that are supported by each Keystone service. The plug-ins provide a variety of functionality. The most widely used back-end plug-ins are described below.
1) Key Value Store. A plug-in that stores, retrieves and manages data structures such as a dictionary or hash and looks values up by key.
2) Memcached. A caching system that stores data and objects in RAM under a key, reducing the number of reads from external data sources such as a database or an API.
3) Structured Query Language (SQL). Stores data persistently. Keystone uses SQLAlchemy to migrate the SQL database between revisions.
4) Pluggable Authentication Module (PAM). A plug-in that integrates multiple low-level authentication schemes into API calls through the local system's PAM.
5) Lightweight Directory Access Protocol (LDAP). Keystone connects to an LDAP directory, for example Active Directory, for authentication and authorization services.
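To make the role of the middleware modules concrete, the following is an added example (not code from the paper or from the Keystone project) of a minimal WSGI layer that intercepts a service request, checks the X-Auth-Token against a validator, and only then forwards the request with identity headers to the protected service. The token table, the header names and the `protected_service` function are constructed for the example; a real deployment would validate tokens with the Keystone server rather than a local dictionary.

```python
import time

# Constructed stand-in for the Keystone server's view of issued tokens (token ->
# identity and expiry); a real middleware would ask the Keystone server instead.
_TOKEN_STORE = {
    "tok-valid": {"user": "alice", "project": "demo", "expires": time.time() + 3600},
    "tok-expired": {"user": "bob", "project": "demo", "expires": time.time() - 1},
}
# Identity headers set for the downstream service; client-supplied copies are dropped.
_IDENTITY_HEADERS = ("HTTP_X_USER_ID", "HTTP_X_PROJECT_ID")

def validate_token(token):
    """Return the token's identity metadata, or None if unknown or expired."""
    meta = _TOKEN_STORE.get(token)
    if meta is None or meta["expires"] <= time.time():
        return None
    return meta

class AuthTokenMiddleware:
    """WSGI layer that gates a service on a valid X-Auth-Token."""
    def __init__(self, app, validator=validate_token):
        self.app = app
        self.validator = validator

    def __call__(self, environ, start_response):
        for key in _IDENTITY_HEADERS:  # strip identity headers a caller may have forged
            environ.pop(key, None)
        token = environ.get("HTTP_X_AUTH_TOKEN")
        meta = self.validator(token) if token else None
        if meta is None:  # missing, unknown or expired token: reject before the service runs
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                ("WWW-Authenticate", "Keystone")])
            return [b"Authentication required"]
        environ["HTTP_X_USER_ID"] = meta["user"]
        environ["HTTP_X_PROJECT_ID"] = meta["project"]
        return self.app(environ, start_response)

def protected_service(environ, start_response):
    """Downstream service that trusts only the identity headers set by the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['HTTP_X_USER_ID']}".encode()]

def call(app, token=None, extra=None):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", **(extra or {})}
    if token:
        environ["HTTP_X_AUTH_TOKEN"] = token
    captured = {}
    body = b"".join(app(environ, lambda s, h: captured.setdefault("status", s)))
    return captured["status"], body.decode()
```

A request carrying a forged X-User-Id but no valid token is rejected, and a forged header alongside a valid token is replaced by the identity the validator returns.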
Keystone Authorization Model

Authentication in OpenStack is a two-stage mechanism. The first stage is the initial authentication, when the user is created in Keystone and a one-time password is generated. This password is used to establish a key pair: the public key, signed with an X.509 certificate, is stored in Keystone, while the private key is stored only on the end user's side. Keystone uses its signing key and certificate to sign the user's token. The second stage is the use of the token to provide single sign-on [37] and a delegated authorization scheme in the OpenStack cluster. The format of the signed document is the Cryptographic Message Syntax [38]. PKI can improve security at the first stage, and it can help both security and scalability at the second one. For more information refer to the OpenStack wiki [39]. The classical authorization model in the Keystone service, with generation and validation of tokens, is shown in Figure 1, where RNc is a random number generated by the client, RNs is the random number generated by the server,
doi:10.30837/pt.2019.2.06