1 Grid Security: PKI Based Authentication Infrastructure M.Effatparvar Fall 1391.

Slides:



Advertisements
Similar presentations
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Advertisements

Chapter 14 – Authentication Applications
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Grid Security Infrastructure Globus Toolkit™ Developer Tutorial The Globus Project™ Argonne National Laboratory USC Information Sciences Institute
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Security Mechanisms The European DataGrid Project Team
Chapter 8 Web Security.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
Secure Socket Layer (SSL)
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Unit 1: Protection and Security for Grid Computing Part 2
INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Module 9: Fundamentals of Securing Network Communication.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
Security, Authorisation and Authentication.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
1 Grid Security: PKI Based Authentication Infrastructure M.Effatparvar Fall 1391.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.
EGEE is a project funded by the European Union CA overview and requirements Ognjen Prnjat, Nikos Vogiatzis GRNET EGEE-SEE regional kick-off, April 7-8.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Authentication, Authorisation and Security
Grid Security.
Grid Security Jinny Chien Academia Sinica Grid Computing.
Grid School Module 4: Grid Security
Grid Security Overview
Grid Security Infrastructure
Presentation transcript:

1 Grid Security: PKI Based Authentication Infrastructure M.Effatparvar Fall 1391

2 Security As Grid Resources and Users are Distributed and Owned by different organizations, only authorized users should be allowed to access them. A simple authentication infrastructure is needed. Also, both users and owners should be protected from each other. The Users need be assured about security of their: Data Code Message

3 Cryptography Overview Keys, Encryption and Decryption Symmetric and Asymmetric Public and Private keys Digital Signatures Secure hashes

4 Keys A key can be thought of as simply a collection of bits The more bits, the stronger the key Keys are tied to specific encryption algorithms Lengths vary depending on the encryption algorithm e.g. 128 bits is long for some algorithms, but short for others

5 Encryption Encryption is the process of taking some data and a key and feeding it into a function and getting encrypted data out Encrypted data is, in principal, unreadable unless decrypted Encryption Function

6 Decryption Decryption is the process of taking encrypted data and a key and feeding it into a function and getting out the original data Encryption and decryption functions are linked Decryption Function

7 Symmetric Encryption Encryption and decryption functions that use the same key are called symmetric In this case everyone wanting to read encrypted data must share the same key DES is an example of symmetric encryption Encrypt Decrypt

8 Asymmetric Encryption Encryption and decryption functions that use a key pair are called asymmetric Keys are mathematically linked RSA is an example of asymmetric encryption

9 Asymmetric Encryption When data is encrypted with one key, the other key must be used to decrypt the data And vice versa Encrypt Decrypt Encrypt

10 Public and Private Keys With asymmetric encryption each user can be assigned a key pair: a private and public key Private key is known only to owner Public key is given away to the world

11 Public and Private keys Anything encrypted with the private key can only be decrypted with the public key And vice versa Since the private key is known only to the owner, this is very powerful … Encrypt Decrypt

12 Digital Signatures Digital signatures allow the world to verify I created a hunk of data e.g. , code

13 Digital Signatures Digital signatures are created by encrypting a hash of the data with my private key The resulting encrypted data is the signature This hash can then only be decrypted by my public key Hash Encrypt

14 Digital Signature Given some data with my signature, if you decrypt a signature with my public key and get the hash of the data, you know it was encrypted with my private key Hash =? Decrypt

15 Digital Signature Since I ’ m the only one with access to my private key, you know I signed the hash and the data associated with it But, how do you know that you have my correct public key? Answer: A Public Key Infrastructure … ?

16 Public Key Infrastructure (PKI) PKI allows you to know that a given public key belongs to a given user PKI builds on asymmetric encryption: Each entity has two keys: public and private Data encrypted with one key can only be decrypted with other. The private key is known only to the entity The public key is given to the world encapsulated in a X.509 certificate Owner

17 Public Key Infrastructure (PKI) Overview X.509 Certificates Certificate Authorities (CAs) Certificate Policies (CPs) Namespaces Requesting a certificate Certificate Request Registration Authority Owner

18 Certificates A X.509 certificate binds a public key to a name It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer) Name Issuer Public Key Signature

19 John Smith 2/25, Brunton Rd Victoria BD Male 165cms, 65Kg B&W Eyes State of Victoria Seal Certificates Similar to passport or driver ’ s license Name Issuer Public Key Signature

20 Certificates By checking the signature, one can determine that a public key belongs to a given user. Name Issuer Public Key Signature Hash =? Decrypt Public Key from Issuer

21 Certificates Question: Who signs certificates? Answer: A small set of trusted entities known as Certificate Authorities (CAs) Issuer? Name Public Key

22 Certificate Authorities (CAs) A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates A Certificate Authority is an entity that exists only to sign user certificates The CA signs it ’ s own certificate which is distributed in a trusted manner Name: CA Issuer: CA CA’s Public Key CA’s Signature

23 Certificate Authorities (CAs) The public key from the CA certificate can then be used to verify other certificates Name Issuer Public Key Signature Hash =? Decrypt Name: CA Issuer: CA CA’s Public Key CA’s Signature

24 Certificate Policy (CP) Each CA has a Certificate Policy (CP) which states when and how a CA issues certificates. It states who it will issue certificates for Just like the State of Victoria only issues driver ’ s licenses ’ for residents of the state of Victoria A CA for a grid typically only issues certificates for folks that are already approved to use resources on the grid

25 Certificate Policy (CP) A CA ’ s CP states how it identifies the people it issues certificates to Similar to having to show a birth certificate to get a driver ’ s license Some CA ’ s are very stringent and require similar proof of identity Others are lenient and only require proof via

26 Namespaces Each CA ’ s Certificate Policy also states the namespace of certificates issued by the CA A namespace is a hierarchy similar to the hierarchy used for Internet hostnames Grid Globus mcs.anl.gov Von Welch NASA LBNL Root Top-level organizations Organizational Units Entity uiuc.edu

27 Namespaces Each CA constrains itself to signing certificates that are in a namespace that are a portion of the overall space E.g. the Globus CA signs certificates only under the Globus organization Grid Globus mcs.anl.gov Von Welch NASA LBNL uiuc.edu

28 Requesting a Certificate To request a certificate a user starts by generating a key pair

29 Certificate Request The user then signs their own public key to form what is called a Certificate Request Sign Certificate Request Public Key

30 Certificate Issuance The user then takes the certificate to the CA The CA usually includes a Registration Authority (RA) which verifies the request: The name is unique with respect to the CA It is the real name of the user Etc. Certificate Request Public Key ID

31 Certificate Issuance The CA then signs the certificate request and issues a certificate for the user Certificate Request Public Key Name Issuer Public Key Signature Sign

32 Secure Socket Layer (SSL) Also known as TLS (Transport Layer Security) Uses certificates and TCP sockets to provide a secured connection Authentication of one or both parties using the certificates Message protection Confidentiality (encryption) Integrity Certificates TCP Sockets SSL/TLS

33 SSL Authentication Start by exchanging X.509 certificates Each side then sends over a challenges Challenge is signed with private key and sent back over Sign

34 SSL Authentication Each side then verifies certificate using PKI and signature using certificate If everything checks then the identity from the certificate can be trusted CA Check Certificate Check Signature

35 Mutual Authentication A and B are two parties: Both need to trust each others ’ CA. A  B (A establishes connection to B and gives his certificate (name,pub. Key) to B). B makes sure that it can trust CA of A. B generates random message  A and asks it encrypt it. A encrypts it and send to B B decrypts using A ’ s public key. If the msg. is same as what B has sent, then A is who it is claiming to be.

36 SSL Message Protection After authentication a shared session key is established to be used for message protection Confidentiality == Encryption of messages to prevent eavesdropping Integrity == Signing of messages to prevent modification Encrypt Sign Message

37 Globus/Grid Security Infrastructure (GSI) based on PKI GSI is: PKI (CAs and Certificates) SSL/ TLS Proxies and Delegation PKI for credentials SSL for Authentication And message protection Proxies and delegation (GSI Extensions) for secure single Sign-on PKI: Public Key Infrastructure, SSH: Secure Socket Layer TLS: Transport Level Security

38 Globus Security: Review GSI extends existing standard protocols & APIs Based on standards: SSL/TLS, X.509, GSS-API Extensions for single sign-on and delegation The Globus Toolkit provides: Generic Security Services API (GSS-API) on GSI protocols The GSS-API is the IETF standard for adding authentication, delegation, message integrity, and message confidentiality to applications. Various tools for credential management, login/logout, etc.

39 Preparation procedure for GSI Three important files on your grid host: The CA ’ s public key The grid host ’ s private key The grid host ’ s digital certificate

40 Authentication procedure

41 Obtaining a Certificate The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/: usercert_request.pem: Unsigned certificate file userkey.pem: Encrypted private key file Must be readable only by the owner (with the given pass phrase) Mail usercert_request.pem to Receive a Globus-signed certificate Place in ~/.globus/usercert.pem Other organizations use different approaches NCSA, NPACI, NASA, etc. have their own CA

42 Your New Certificate Certificate: Data: Version: 3 (0x2) Serial Number: 28 (0x1c) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, O=Globus, CN=Globus Certification Authority Validity Not Before: Apr 22 19:21: GMT Not After : Apr 22 19:21: GMT Subject: /O=Grid/O=Globus/OU=cs.mu.oz.au/CN= John Smith Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69: b4:e1:54:e7:87:57:b7:d0:61 Exponent: (0x10001) Signature Algorithm: md5WithRSAEncryption 59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8: 8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17: Validity Start

BEGIN CERTIFICATE----- MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK END CERTIFICATE----- Sample usercert.pem: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1 +W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s= -----END RSA PRIVATE KEY----- Sample userkey.pem: Certificate and Key Data

44 Certificate Information To get cert information run grid-cert-info % grid-cert-info -subject /O=Grid/O=Globus/OU=cs.mu.oz.au/CN=John Smith Options for printing cert information -all-startdate -subject-enddate -issuer-help

45 “ Logging on ” to the Grid To run programs, authenticate to Globus: % grid-proxy-init Enter PEM pass phrase: ****** Creates a temporary, local, short-lived proxy credential for use by our computations Options for grid-proxy-init: -hours -bits -help

46 grid-proxy-init Details grid-proxy-init creates the local proxy file. User enters pass phrase, which is used to decrypt private key. Private key is used to sign a proxy certificate with its own, new public/private key pair. User ’ s private key not exposed after proxy has been signed Proxy placed in /tmp, read-only by user NOTE: No network traffic! grid-proxy-info displays proxy details

47 Authentication process Three people in meeting: CA, Alice, Proxy You keep a copy of CA ’ s signature Compare CA ’ s signature on Alice ’ s card to authenticate Alice ’ s signature You can trust on Proxy which holds the Alice ’ s Signature

48 Grid Sign-On With grid-proxy-init User certificate file Private Key (Encrypted) Pass Phrase User Proxy certificate file

49 Destroying Your Proxy (logout) To destroy your local proxy that was created by grid-proxy-init: % grid-proxy-destroy This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes

50 Proxy Information To get proxy information run grid-proxy-info % grid-proxy-info -subject /O=Grid/O=Globus/OU=cs.mu.oz.au/CN=John Smith Options for printing proxy information -subject-issuer -type-timeleft -strength-help Options for scripting proxy queries -exists -hours -exists -bits Returns 0 status for true, 1 for false:

51 Important Files /etc/grid-security hostcert.pem: certificate used by the server in mutual authentication hostkey.pem: private key corresponding to the server ’ s certificate (read-only by root) grid-mapfile: maps grid subject names to local user accounts (really part of gatekeeper) /etc/grid-security/certificates CA certificates: certs that are trusted when validating certs, and thus needn ’ t be verified ca-signing-policy.conf: defines the subject names that can be signed by each CA

52 Important Files $HOME/.globus usercert.pem: User ’ s certificate (subject name, public key, CA signature) userkey.pem: User ’ s private key (encrypted using the user ’ s pass phrase) /tmp Proxy file(s): Temporary file(s) containing unencrypted proxy private key and certificate (readable only by user ’ s account) Same approach Kerberos uses for protecting tickets

53 Secure Services On most unix machines, inetd listens for incoming service connections and passes connections to daemons for processing. On Grid servers, the gatekeeper securely performs the same function for many services It handles mutual authentication using files in /etc/grid-security It maps to local users via the gridmap file

54 Sample Gridmap File # Distinguished name Local # username /O=Grid/O=Globus/OU=cs.mu.oz.au/CN=John Smithjsm "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost” frost "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman” u14543 "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster” itf Gridmap file maintained by Globus administrator Entry maps Grid-id into local user name(s)

55 Example Secure Remote Startup key cert gatekeeperclient 1. Exchange certificates, authenticate, delegate 2. Check gridmap file 3. Lookup service 4. Run service program (e.g. jobmanager) jobmanager key cert map 4. services 3.

56 Simple job submission globus-job-run provides a simple RSH compatible interface % grid-proxy-init Enter PEM pass phrase: ***** % globus-job-run host program [args] Authentication Test % globusrun –a –r hostname Running a Job on Remote node % globusrun hostname globus-job-run belle.anu.edu.au /bin/dat

57 Delegation Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Proxy cert and public key sent to client Clients signs proxy cert and returns it Server (usually) puts proxy in /tmp Allows remote process to authenticate on behalf of the user Remote process “ impersonates ” the user

58 Proxy Certificate The proxy certificate is signed by the owner, rather than a CA.

59 Delegation procedure of user's proxy

60 Limited Proxy During delegation, the client can elect to delegate only a “ limited proxy ”, rather than a “ full ” proxy GRAM (job submission) client does this Each service decides whether it will allow authentication with a limited proxy Job manager service requires a full proxy GridFTP server allows either full or limited proxy to be used

61 Restricted Proxies A generalization of the simple limited proxies Desirable to have fine-grained restrictions Reduces exposure from compromised proxies Embed restriction policy in proxy cert Policy is evaluated by resource upon proxy use Reduces rights available to the proxy to a subset of those held by the user A proxy no longer grants full impersonation rights Extensible to support any policy language

62 Exercise Sign-On & Remote Process Creation Use grid-cert-info to examine your cert: % grid-cert-info -all Use grid-proxy-init to create a proxy certificate: % grid-proxy-init Enter PEM pass phrase: Use grid-proxy-info to query proxy: % grid-proxy-info -subject Use globus-job-run to start remote programs: % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp

63 Site A (Kerberos) Site B (Unix) Site C (Kerberos) Computer User 1. Single sign-on via “grid-id” & generation of proxy cred. Or: retrieval of proxy cred. from online repository or CA User Proxy Proxy credential Computer Storage system 4. Communication* GSI-enabled FTP server Authorize Map to local id Access file 5. Remote file access request* GSI-enabled GRAM server GSI-enabled GRAM server 2. Remote process creation requests* * With mutual authentication Process Kerberos ticket Restricted proxy Process Restricted proxy Local id 3. Authorize Map to local id Create process Generate credentials GSI in Action “ Create Processes at A and B that Communicate & Access Files at C ”

64 Generic Security Service API The GSS-API is the IETF draft standard for adding authentication, delegation, message integrity, and message confidentiality to apps For secure communication between two parties over a reliable channel (e.g. TCP) GSS-API separates security from communication, which allows security to be easily added to existing communication code. Filters on each end of the communications link GSS-API Extensions defined in GGF draft Globus Toolkit components all use GSS-API

65 Authorization GSI handles authentication, but authorization is a separate issue Authorization issues: Management of authorization on a multi-organization grid is still an interesting problem. The grid-mapfile doesn ’ t scale well, and works only at the resource level, not the collective level. Large communities that share resources exacerbates authorization issues, which has led us to CAS (Community Authorization Service) … Why not use Grid Bank Services ? All those GSPs providing services through the Grid Marketplace can allow any consumer to access their services as long as GridBank guarantees the payment,

66 Security Summary Programs for credential management grid-cert-info, grid-proxy-init, grid-proxy- destroy, grid-proxy-info GSS-API: The Globus Toolkit Grid Security Infrastructure (GSI) uses this API, which allows programs to easily add security globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use