Grid security. Enrico Fattibene, INFN-CNAF. 26 September 2011, Calcolo Parallelo su Grid e CSN4cluster.


Outline
Security concepts
  – Asymmetric encryption algorithms
  – Digital Signature
  – Digital Certificates
Grid security
  – Certification and Registration authorities
  – Request of an INFN certificate
  – Virtual Organizations and VOMS
  – voms-proxy-init

Cryptography
Mathematical algorithms that provide important building blocks for the implementation of a security infrastructure
Symbology
  – Plaintext: $M$
  – Ciphertext: $C$
  – Encryption with key $K_1$: $E_{K_1}(M) = C$
  – Decryption with key $K_2$: $D_{K_2}(C) = M$
Algorithms
  – Symmetric: $K_1 = K_2$
  – Asymmetric: $K_1 \neq K_2$

Asymmetric Algorithms
Every user has two keys, one private and one public:
  – it is hard to derive the private key from the public one;
  – a message encrypted by one key can be decrypted only by the other one.
No exchange of private keys is necessary:
  – the sender encrypts using the public key of the receiver;
  – the receiver decrypts using his private key.

One-Way Hash Functions
Functions ($H$) that, given as input a variable-length message ($M$), produce as output a string of fixed length ($h$):
  – the length of $h$ must be at least 128 bits (to avoid birthday attacks);
  – given $M$, it must be easy to calculate $H(M) = h$;
  – given $h$, it must be difficult to calculate $M = H^{-1}(h)$;
  – given $M$, it must be difficult to find $M'$ such that $H(M) = H(M')$.
Examples:
  – MD4/MD5: hash of 128 bits;
  – SHA (Standard FIPS): hash of 160 bits.

Hash Examples
    ~]$ cat prova1
    testo di prova
    ~]$ sha1sum prova1
    e7ea480a73b5e294e28ff48338c68090c5ce9c49 prova1
    ~]$ cat prova2
    testo di prove
    ~]$ sha1sum prova2
    558dd585e789c8d80f2fe6c0fc6939f25a76998f prova2

Digital Signature
Paul calculates the hash of the message.
Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
Paul sends the signed message to John.
John calculates the hash of the message and compares it with the one received from Paul, decrypted with Paul's public key.
If the hashes are equal, the message wasn't modified and Paul cannot repudiate it.

Digital Certificates
Paul's digital signature is safe if:
  1. Paul's private key is not compromised
  2. John knows Paul's public key
How can John be sure that Paul's public key is really Paul's public key and not someone else's?
  – A third party guarantees the correspondence between public key and owner's identity
  – Both Paul and John must trust this third party
Two models:
  – X.509: hierarchical organization
  – PGP: "web of trust"

X.509 Certificates
The "third party" is called a Certification Authority (CA). The CA:
issues Digital Certificates for users, programs and machines;
checks the identity and the personal data of the requestor
  – Registration Authorities (RAs) do the actual validation
periodically publishes a list of compromised certificates
  – Certificate Revocation Lists (CRLs): contain all the revoked certificates yet to expire
CA certificates are self-signed.

X.509 Certificates
An X.509 Certificate contains:
  – owner's public key;
  – identity of the owner;
  – info on the CA;
  – time of validity;
  – serial number;
  – digital signature of the CA.
Structure of an X.509 certificate:
    Public key
    Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF CN=Daniele Cesini
    Issuer: C=IT, O=INFN, CN=INFN Certification Authority
    Expiration date: May 10 14:15: GMT
    Serial number: 080E
    CA Digital signature

The Grid Security Infrastructure (GSI)
Every user/host/service has an X.509 certificate.
Certificates are signed by CAs trusted by the local sites.
Every Grid transaction is mutually authenticated:
  1. John sends his certificate;
  2. Paul verifies the signature in John's certificate;
  3. Paul sends John a challenge string;
  4. John encrypts the challenge string with his private key;
  5. John sends the encrypted challenge to Paul;
  6. Paul uses John's public key to decrypt the challenge;
  7. Paul compares the decrypted string with the original challenge;
  8. If they match, Paul has verified John's identity and John cannot repudiate it.
[Diagram: John sends his certificate; Paul verifies the CA signature and sends a random phrase; John encrypts it with his private key and returns the encrypted phrase; Paul decrypts it with John's public key and compares it with the original phrase.]
VERY IMPORTANT: private keys must be stored only by their owners, in protected places AND in encrypted form.
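The digital-signature slide and the eight authentication steps above, as an added example that is not part of the original slides. It uses textbook RSA without padding, built from fixed Mersenne primes so that it runs with the standard library only, and SHA-256 as the hash; the keys, the subject names, the "Mallory" impostor and all function names are constructed for illustration and are not secure or GSI code.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Hash the data, then 'encrypt' the hash with the private key."""
    n, d = private
    return pow(digest(data), d, n)

def verify(data, signature, public):
    """'Decrypt' the signature with the public key and compare the hashes."""
    n, e = public
    return pow(signature, e, n) == digest(data)

def cert_body(cert):
    # The fields covered by the CA signature.
    n, e = cert["public"]
    return f"{cert['subject']}|{cert['issuer']}|{n}|{e}".encode()

def issue_certificate(subject, public, issuer, ca_private):
    cert = {"subject": subject, "issuer": issuer, "public": public}
    cert["signature"] = sign(cert_body(cert), ca_private)
    return cert

def authenticate(cert, respond, ca_public):
    """Paul's side of steps 2-8; respond(challenge) is the peer's answer."""
    if not verify(cert_body(cert), cert["signature"], ca_public):  # step 2
        return "rejected: CA signature invalid"
    challenge = secrets.token_bytes(32)                            # step 3
    response = respond(challenge)                                  # steps 4-5
    if not verify(challenge, response, cert["public"]):            # steps 6-7
        return "rejected: challenge failed"
    return "authenticated: " + cert["subject"]                     # step 8

# Constructed toy keys from Mersenne primes (NOT secure, demonstration only).
CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**521 - 1)
JOHN_PUB, JOHN_PRIV = make_key(2**89 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**107 - 1, 2**521 - 1)

# Constructed subject and issuer names.
JOHN_CERT = issue_certificate("/C=IT/O=Example/CN=John", JOHN_PUB,
                              "/C=IT/O=Example/CN=Example CA", CA_PRIV)

def demo():
    john = lambda challenge: sign(challenge, JOHN_PRIV)
    mallory = lambda challenge: sign(challenge, MALLORY_PRIV)
    forged = dict(JOHN_CERT, public=MALLORY_PUB)  # key swapped after issuance
    return [
        authenticate(JOHN_CERT, john, CA_PUB),     # legitimate owner
        authenticate(JOHN_CERT, mallory, CA_PUB),  # certificate replayed without the key
        authenticate(forged, mallory, CA_PUB),     # certificate altered
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second case shows why presenting a certificate alone proves nothing: only the holder of the matching private key can answer a fresh challenge.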

CA and RA

Obtaining a digital certificate

Request of an INFN certificate
Before requesting a personal certificate, the user must be authenticated by a Registration Authority. In detail:
  – The user goes physically to the RA, which verifies his identity ( shows all the INFN RA)
  – The RA opens URL: and fills it with the user's data: name, surname, ; finally, a random number is generated and communicated to the user.

Request of an INFN certificate
  – within 48 hours from the communication of the code by the RA, the user submits the certificate request using the same values used before by the RA
  – if everything is OK, within 48 working hours the user will receive instructions on how to download his/her personal certificate; he/she must use the same browser used for the request

Renewing an INFN certificate
When a certificate is close to expiration, the CA sends a reminder 20, 10 and 5 days before.
Simply click on the web URL shown in this mail in order to renew your personal certificate.
To check the lifetime of your personal certificate:
  – use openssl:
        openssl x509 -in .globus/usercert.pem -noout -dates
        notBefore=Mar 19 16:18: GMT
        notAfter=Mar 18 16:18: GMT
  – or simply consult your CA web site

Access to the GRID
Access is by means of a User Interface (UI)
  – A dedicated PC, installed in a similar way to the other Grid elements
To access the Grid you need a personal certificate released by a Certification Authority trusted by the EGI infrastructure.
To be authorized to submit jobs you have to belong to a Virtual Organisation (VO).
A VO is a kind of user group, usually working on the same project and using the same application software on the Grid.

Certificate Management
Import your certificate on the UI
  – You already receive a PKCS12 certificate (you can import it directly into the web browser)
  – For future use, you will need usercert.pem and userkey.pem in a directory ~/.globus on your UI
  – Export the PKCS12 cert to a local dir on the UI and use openssl again:
        openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
        openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem
  – Permissions:
        chmod 400 userkey.pem
        chmod 644 usercert.pem
Import your certificate in your browser
  – If you received a .pem certificate you need to convert it to PKCS12
  – Use the openssl command line (available in each egee/LCG UI):
        openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'

Virtual Organizations
To submit to the Grid, personal certificates are not the end of the story.
Users MUST join at least one of the groups allowed to use the Grid resources: a Virtual Organization (VO)
  – The user must sign the usage guidelines for the VO
  – You will be registered in the VOMS server (wait for notification)
VO, groups and roles can be associated to an identity by a VO Membership Service (VOMS).

VOMS groups and roles
The number of users of a VO can be very high:
  – E.g. the experiment CDF has more than 4000 members
Make the VO manageable by organizing users in groups.
Groups can have a hierarchical structure, indefinitely deep.
Roles are specific roles a user has, which distinguish him from others in his group:
  – Software manager
  – VO-Administrator
Difference between roles and groups:
  – Roles have no hierarchical structure: there is no sub-role
  – Roles are not used in 'normal operation'
      They are not added to the proxy by default when running voms-proxy-init
      But they can be added to the proxy for special purposes when running voms-proxy-init

X.509 Proxy Certificate
On the Grid the user does not use his own long-lived certificate, because security problems may arise.
An X.509 Proxy Certificate:
  – is a GSI extension to X.509 Identity Certificates;
  – has a limited lifetime;
  – is signed by the normal end entity certificate or by another proxy.
Delegation = remote creation of a (second level) proxy credential
  – Allows a remote process to authenticate on behalf of the user

VOMS proxy
The VOMS extends the proxy info with VO membership, groups and roles.
Related commands:
  – voms-proxy-init
  – voms-proxy-destroy
  – voms-proxy-info
voms-proxy-init creates your proxy for the Grid
  – If you forget this command, nothing will work!
Many, many options
  – Most are advanced
  – Only basic usage will be shown
  – If you are reporting a bug, add --debug to voms-proxy-init's command line before reporting the output

voms-proxy-init
voms-proxy-init
  – Creates a proxy locally on the UI
  – Contacts the VOMS server and extends the proxy with groups and roles
The VOMS server signs the proxy
  – Grid sites recognise and accept the signature of VOMS
    voms-proxy-init --voms theophys

voms-proxy-init basic usage
    ~]$ voms-proxy-init -voms infngrid
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
    Creating proxy Done
    Your proxy is valid until Thu Feb 10 04:18:
    ~]$ voms-proxy-info --all
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
    issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    type : proxy
    strength : 1024 bits
    path : /tmp/x509up_u9003
    timeleft : 11:59:27
    === VO infngrid extension information ===
    VO : infngrid
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
    attribute : /infngrid/Role=NULL/Capability=NULL
    attribute : /infngrid/TEST/Role=NULL/Capability=NULL
    attribute : eyee = 5653 (/infngrid/TEST)
    timeleft : 11:59:27
    uri : voms.cnaf.infn.it:15000
Callout on the slide: VO

voms-proxy-init basic usage
What attributes can you request?
    ~]$ voms-proxy-list --voms infngrid
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms-01.pd.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it] "infngrid" Done
    Available attributes:
    /infngrid/Role=NULL/Capability=NULL
    /infngrid/Role=SoftwareManager/Capability=NULL
    /infngrid/Role=VO-Admin/Capability=NULL
    /infngrid/TEST/Role=NULL/Capability=NULL

voms-proxy-init basic usage
    ~]$ voms-proxy-init --voms infngrid:all
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
    Creating proxy Done
    Your proxy is valid until Thu Feb 10 04:28:
    ~]$ voms-proxy-info --all
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
    issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    type : proxy
    strength : 1024 bits
    path : /tmp/x509up_u9003
    timeleft : 11:59:50
    === VO infngrid extension information ===
    VO : infngrid
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
    attribute : /infngrid/Role=NULL/Capability=NULL
    attribute : /infngrid/Role=SoftwareManager/Capability=NULL
    attribute : /infngrid/Role=VO-Admin/Capability=NULL
    attribute : /infngrid/TEST/Role=NULL/Capability=NULL
    attribute : eyee = 5653 (/infngrid/TEST)
    timeleft : 11:59:50
    uri : voms.cnaf.infn.it:15000
Callout on the slide: Values

voms-proxy-init basic usage
    [ ~]$ voms-proxy-init --voms infngrid:/infngrid/Role=SoftwareManager
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
    Creating proxy Done
    Your proxy is valid until Thu Feb 10 04:40:
    ~]$ voms-proxy-info --all
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
    issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    type : proxy
    strength : 1024 bits
    path : /tmp/x509up_u9003
    timeleft : 11:59:55
    === VO infngrid extension information ===
    VO : infngrid
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
    attribute : /infngrid/Role=SoftwareManager/Capability=NULL
    attribute : /infngrid/Role=NULL/Capability=NULL
    attribute : /infngrid/TEST/Role=NULL/Capability=NULL
    attribute : eyee = 5653 (/infngrid/TEST)
    timeleft : 11:59:55
    uri : voms.cnaf.infn.it:15000
Callout on the slide: Role

voms-proxy-destroy
Destroying proxy credentials:
    ~]$ voms-proxy-destroy
    ~]$

voms-proxy-init advanced usage
    ~]$ voms-proxy-init --voms infngrid --valid 10:00
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms-01.pd.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it] "infngrid" Done
    Creating proxy Done
    Your proxy is valid until Thu Feb 10 02:42:
    ~]$ voms-proxy-init --voms infngrid --valid 1000:00
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
    Warning: voms.cnaf.infn.it:15000: The validity of this VOMS AC in your proxy is shortened to seconds!
    Creating proxy Done
    Your proxy is valid until Wed Mar 23 08:42:
Be Aware!!!

voms-proxy-init advanced usage
    ~]$ voms-proxy-info --all
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
    issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    type : proxy
    strength : 1024 bits
    path : /tmp/x509up_u9003
    timeleft : 999:53:09
    === VO infngrid extension information ===
    VO : infngrid
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
    attribute : /infngrid/Role=NULL/Capability=NULL
    attribute : /infngrid/TEST/Role=NULL/Capability=NULL
    attribute : eyee = 5653 (/infngrid/TEST)
    timeleft : 23:53:09
    uri : voms.cnaf.infn.it:15000
Length has been shortened
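A check for the two conditions the slides point out in `voms-proxy-info --all` output: a VOMS AC that expires before the proxy itself, and a role that was added to the proxy explicitly. This is an added example, not part of the original slides or of the VOMS tools; the function names are assumptions and the two sample texts are abridged from the outputs shown above.

```python
import re

def to_seconds(hms):
    hours, minutes, seconds = (int(x) for x in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def parse_proxy_info(text):
    """Split `voms-proxy-info --all` output into proxy fields and VO sections."""
    proxy, current = {"vos": []}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"=== VO (\S+) extension information ===", line)
        if header:
            current = {"vo": header.group(1), "fqans": []}
            proxy["vos"].append(current)
            continue
        if " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        section = proxy if current is None else current
        if key == "attribute":
            if value.startswith("/"):   # keep FQANs, skip generic attributes
                section.setdefault("fqans", []).append(value)
        elif key == "timeleft":
            section["timeleft"] = to_seconds(value)
        else:
            section[key] = value
    return proxy

FQAN = re.compile(r"^(?P<group>/.+?)/Role=(?P<role>[^/]+)/Capability=")

def review(proxy):
    """Report ACs that expire before the proxy and roles other than NULL."""
    findings = []
    for vo in proxy["vos"]:
        gap = proxy.get("timeleft", 0) - vo.get("timeleft", 0)
        if gap > 0:
            findings.append(f"{vo['vo']}: VOMS AC expires {gap // 3600}h before the proxy")
        for fqan in vo["fqans"]:
            m = FQAN.match(fqan)
            if m and m.group("role") != "NULL":
                findings.append(f"{vo['vo']}: role {m.group('role')} in group {m.group('group')}")
    return findings

# Abridged from the --valid 1000:00 output above.
SHORTENED = """\
subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini/CN=proxy
type : proxy
timeleft : 999:53:09
=== VO infngrid extension information ===
VO : infngrid
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
attribute : eyee = 5653 (/infngrid/TEST)
timeleft : 23:53:09
uri : voms.cnaf.infn.it:15000
"""

# Abridged from the Role=SoftwareManager output above.
WITH_ROLE = """\
timeleft : 11:59:55
=== VO infngrid extension information ===
VO : infngrid
attribute : /infngrid/Role=SoftwareManager/Capability=NULL
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/TEST/Role=NULL/Capability=NULL
timeleft : 11:59:55
"""

if __name__ == "__main__":
    for sample in (SHORTENED, WITH_ROLE):
        print(review(parse_proxy_info(sample)))
```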

Common problems
    voms-proxy-init --voms gridit
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Somewhere/CN=Someone
    Creating temporary proxy Done
    Contacting voms.cnaf.infn.it:15008 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "gridit" Failed
    Error: Could not establish authenticated connection with the server.
    globus_gss_assist token :-1: read failure: unknown
    None of the contacted servers for gridit were capable of returning a valid AC for the user.
BE CAREFUL!! There is a clock skew between your UI and the VOMS server. Of course the VOMS server is flawless!! The culprit is your UI: for VOMS, the user certificate is not yet valid.

Common problems
    voms-proxy-init -voms embè
    VOMS Server not known!
The VO is not properly configured on the UI.
    ~]$ voms-proxy-init -voms atlas
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alessandro Paolini
    Creating temporary proxy Done
    Contacting vo.racf.bnl.gov:15003 [/DC=org/DC=doegrids/OU=Services/CN=vo.racf.bnl.gov] "atlas" Failed
    Error: atlas: User unknown to this VO.
    Trying next server for atlas.
    Creating temporary proxy Done
    Contacting voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "atlas" Failed
    Error: atlas: User unknown to this VO.
    Trying next server for atlas.
    Creating temporary proxy Done
    Contacting lcg-voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "atlas" Failed
    Error: atlas: User unknown to this VO.
    None of the contacted servers for atlas were capable of returning a valid AC for the user.
You are not yet registered in the VO.

Thank you. Questions?