caGrid News
November caGrid User Group Call
The monthly caGrid User Group meeting is scheduled for Thursday, November 19.
Topic: Secure caGrid Data Services with Data-level Authorization
Our discussion is aimed at creating secure data services based on caCORE SDK and CSM authorization. The three components together (caCORE SDK, CSM, and caGrid) allow a data service developer to build a data service with "data-level authorization". This capability allows service owners (those that deploy the service) to give access to portions of the shared data set to specific users.
Presentation Slides: https://ncisvn.nci.nih.gov/svn/cagrid/trunk/cagrid/Documentation/general/meetings/UGM/2009-11-19_CSM-Data-Level-Authorization.ppt
Knowledgebase Article: https://cabig-kc.nci.nih.gov/CaGrid/KC/index.php/Create_a_Secure_Data_Service_using_CSM_for_Data-Level_Authorization
Agenda:
- Update on caGrid
- New Article: Add a New Target Grid to the caGrid Installer
- Update: caGrid is not impacted by TLS renegotiation MITM vulnerability
- Target Discussion:
- Presenter: Joe George, caGrid Knowledge Center
- Open Floor: Issues, concerns, and questions on caGrid
The Knowledge Center continues to request recommendations for User Group presenters. Please email knowledge@cagrid.org to recommend a topic.
Meeting info:
When: Thursday, November 19 at 11:00am Eastern
Teleconference: 1-800-619-0279 Passcode: 91671
Centra: http://ncicb.centra.com
Centra Meeting ID: CAGRID_USER
Guest Attend URL: http://mt202.centra.com/GA/main/0000006d6aa0000001211ed7786dccd5
caGrid is not impacted by TLS renegotiation MITM vulnerability
Announced last week, CVE-2009-3555 details a vulnerability in the Transport Layer Security (TLS) protocol used for secure communication over HTTP (HTTPS).
caGrid, which is based on the Globus Toolkit, uses the toolkit's Grid Security Infrastructure (GSI) for secure communications between clients and services within caGrid. GSI employs SSL/TLS to secure these communications.
Since the announcement was made, our partners at Globus have been investigating the impact of this issue on Globus Toolkit-based secure services. Jim Basney, on behalf of the Globus Security Committee, made this announcement earlier today:
"After testing, code review, and analysis, the security committee has concluded that the man-in-the-middle vulnerability in the SSL/TLS protocol (CVE-2009-3555) does not impact Globus Toolkit services. Specifically, the committee has determined that Globus Toolkit services do not support SSL/TLS renegotiation after receiving application-level protocol data, thereby blocking the MITM attack."
caGrid uses the Globus Toolkit libraries exclusively for secure communication and is not impacted by the TLS vulnerability.
If you have further concerns about this issue, feel free to contact the caGrid Knowledge Center directly at knowledge@cagrid.org.
References
- CVE-2009-3555 (via NIST): http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

- Globus Security Committee post on CVE-2009-3555: http://lists.globus.org/pipermail/security-announce/2009-November/000012.html






