A “lightweight” Crypto Library for supporting a new Advanced Grid Authentication Process with Smart Card (R. Barbera, V. Ciaschini, A. Falzone and G. La Rocca)


1 A “lightweight” Crypto Library for supporting a new Advanced Grid Authentication Process with Smart Card
R. Barbera (1,2), V. Ciaschini (3), A. Falzone (4) and G. La Rocca (1)
(1) National Institute of Nuclear Physics, Division of Catania, Italy
(2) Department of Physics and Astronomy of the University of Catania, Italy
(3) National Institute of Nuclear Physics, Division of Bologna, Italy
(4) Nice srl, Italy
International Workshop on Science Gateways (IWSG10), Sept. 2010, Acicastello, Italy

2 Outline
– Grid Security: the current state of the art
– Introduction to smart cards
  – Why do we use smart cards in the Grid?
  – Installation and configuration
  – The Aladdin eToken PRO smart card
  – The NIKHEF solution
  – The extended XML/Java EnginFrame framework
– The “lightweight” crypto library
  – Browsing the smart card
  – Creating a VOMS proxy certificate
  – Video
– Summary and conclusions
– References

3 The current state of the art
The existing Grid middleware, and gLite in particular, relies on a Public Key Infrastructure (PKI):
– the user's credentials (certificate and private key) must be available on every User Interface (UI) host used to access the Grid infrastructure (e.g. under $HOME/.globus/).
Exposing the certificate's private key on multiple UIs is a security weakness:
– anyone with privileged access to those hosts (e.g. the system administrator) can copy the key and use it fraudulently.
There is no support for other authentication mechanisms:
– smart cards, thanks to their hardware characteristics, can improve security and prevent this kind of abuse.

4 Smart cards
Smart cards are usually tamper-resistant devices that can easily be connected to a laptop and used to store private keys.
– They were introduced to protect private credentials.
A user PIN is required to access the private objects stored on the smart card.
– Additional protection is given to private and secret keys marked as “sensitive” or “non-extractable” (the PKCS#11 attributes CKA_SENSITIVE=true and CKA_EXTRACTABLE=false):
  sensitive keys cannot be revealed in plaintext off the token;
  non-extractable keys cannot be revealed off the token at all, not even in encrypted (wrapped) form.
Both attributes are one-way in PKCS#11 (sensitive can only be set, extractable can only be cleared), so a key generated on the token with both set can never be copied off it; that is the property the rest of this talk relies on.

5 Smart cards and the Grid
In this work the features of the Aladdin eToken PRO 32Kb smart card have been exploited.
Since 2008, the INFN CA has used this kind of smart card to store grid certificates (in particular robot certificates).
The Aladdin eToken smart card can hold several certificates:
– a first prototype of the GENIUS Grid Portal, using a robot certificate stored on the eToken to generate the user's proxy and to track what the user does on Grid resources, has been successfully designed (see: A Grid Portal with Robot Certificates for Bioinformatics Phylogenetic Analyses, Concurrency and Computation: Practice and Experience, Special Issue IWPLS'09).

6 Robot certificates in a nutshell
Robot certificates were introduced to let users who are not familiar with personal certificates, and who do not belong to any VO, experience the Grid paradigm for their research activity, lowering the initial barriers.
– They are extremely useful, for instance, to automate grid service monitoring, data processing production, distributed data collection systems, etc.
– Basically, these certificates identify the person responsible for an unattended service or process acting as client and/or server.

7 The extended XML/Java EnginFrame framework
(Flow shown in the slide's diagram)
1. The user asks for a service.
2. The portal creates a proxy with the robot certificate (2', 3': the user is tracked).
3. The action is executed on the Grid.
4. The portal gets the output.
5. The user gets the results.
6/7. The administrator queries the accounting data (L&B).

8 The User Tracking System (1/2)

9 The User Tracking System (2/2)

10 Installation & configuration (1/3)
Before installing PKI Client 4.55, the PCSC-lite, PCSC-lite-lib and CCID packages must be installed on your system.
– You may find these packages in your distribution's repository; they depend on each other.
– Start the daemon: /etc/init.d/pcscd start
The eToken PKI Client includes all the files and drivers needed to manage the eToken.
– It also includes the eToken Properties configuration tool, which lets the user manage the eToken password and name.
– Install: rpm -ivh pkiclient-full i386.rpm

11 Installation & configuration (2/3)
The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL4-compatible platforms.
After unpacking the tarball, copy the files to their respective locations:
cp -rp etoken/bin/* /usr/local/bin
cp -rp etoken/lib/* /usr/local/lib
cp -rp etoken/etc/openssl.cnf /usr/local/etc

12 Installation & configuration (3/3)
Edit the /usr/local/mkproxy script and set the PKCS11_MOD environment variable to the path of the eToken PKCS#11 module.
The mkproxy script has been tested on:
– Windows XP (using Cygwin) / Vista / 7
– Linux Fedora Core 5, 8, 9, 11, 12
– Linux CentOS 4, 5
– Scientific Linux 4 and 5
– Linux OpenSuse 10.1, 11.0, 11.1
– MacOS X 10.5 and higher

13 Administering your eToken
Before starting, initialize your token, set the administrator password and upload your certificate.
To access the graphical Quick Function Menu, right-click the eToken icon in the system tray or go to Start -> Programs -> eToken -> eToken Properties.

14 Browsing the smart card
$ pkcs11-tool --module=/usr/lib/libeTPkcs11.so -L
Available slots:
Slot 0   AKS ifdh
  token label:   eToken
  token manuf:   Aladdin Ltd.
  token model:   eToken
  token flags:   rng, login required, PIN initialized, token initialized, other flags=0x200
  serial num :   001c33f9
Slot 1   (empty)
Slot 2   (empty)
Slot 3   (empty)
[..]
Slot 16  (empty)
The flags worth checking are “login required” (private objects are only reachable after the PIN) and “rng” (the token has its own random number generator, so key pairs can be generated on board rather than imported). pkcs11-tool can also list the objects on the token (its --list-objects option, with --login to include private objects), which is how the certificate labels used by mkproxy on the next slide are found.

15 Creating grid proxies with mkproxy
If you have installed a single grid certificate on your eToken you can now generate a grid proxy by issuing the command:
mkproxy --label="Robot:MrBayes"
Starting Aladdin eToken PRO proxy generation
Found X.509 certificate on eToken:
  label: (eTCAPI) Robot:MrBayes – Giuseppe La Rocca's GILDA ID
  id: d d d d
Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca
Generating a 512 bit RSA private key
writing new private key to 'proxykey.D17633'
engine "pkcs11" set.
Signature ok
subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca/CN=proxy
Getting CA Private Key
PKCS#11 token PIN:
Your proxy is valid until: Sun Feb 24 03:58:09 CEST
Add VOMS extensions by running the following command (followed by the name of your VO):
voms-proxy-init --noregen -voms
Note what the output shows: the proxy key pair is generated in software and written to disk (proxykey.*); only the long-term key stays on the token, and it is used once, through the pkcs11 engine, to sign the proxy. The 512-bit proxy key shown here is far below today's minimum; use at least 2048 bits and keep the proxy lifetime short.

16 Supported APIs
The following APIs are supported in the Linux version of eToken PKI Client 4.55:
– Microsoft CryptoAPI
– The Cryptographic Token Interface Standard (PKCS#11)

17 The Cryptographic Token Interface Standard (PKCS#11)
Java supports a set of native interfaces to interact with cryptographic tokens (e.g. hardware cryptographic accelerators and smart cards).
PKCS#11 defines some sixty function prototypes (referred to as the cryptoki library) that together can be used to perform a wide range of cryptographic operations, including:
– digital signatures;
– public key ciphers;
– symmetric key ciphers;
– hash functions;
– etc.
At the time of this presentation the Sun PKCS#11 provider was supported on Solaris SPARC platforms (32-bit and 64-bit Java VM) and on x86-compatible platforms (Solaris, Linux and Windows), but not on 64-bit AMD64 and Itanium platforms; later JDK releases ship the SunPKCS11 provider on 64-bit platforms as well.

18 The “lightweight” crypto library (1/4)
The new “lightweight” crypto library has been designed and developed on top of the native PKCS#11 cryptographic interface, the Bouncy Castle APIs and the CoG jGlobus (ver. 1.8.0) APIs.

19 The “lightweight” crypto library (2/4)
The Bouncy Castle provider is used to generate the proxy certificate: a short-lived certificate whose issuer is the (robot) certificate on the token and whose subject is that DN plus a CN=proxy component, signed with the private key that never leaves the token.

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.x509.X509V3CertificateGenerator;

// Inputs: cert is the user certificate read from the token, privateKey its
// PKCS#11 key handle, pair a freshly generated proxy key pair, proxyDN the
// subject string (user DN plus ",CN=proxy"), sn a unique serial number,
// firstDate/lastDate the validity window.
// Generate the proxy certificate structure.
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
// Serial number: must be unique per issuer.
certGen.setSerialNumber(sn);
// Validity of the proxy; keep it short (hours, not days).
certGen.setNotBefore(firstDate);
certGen.setNotAfter(lastDate);
// Public key of the new proxy key pair.
certGen.setPublicKey(pair.getPublic());
// Issuer = subject of the certificate stored on the token.
certGen.setIssuerDN(cert.getSubjectX500Principal());
// Reuse the signature algorithm of the issuing certificate.
certGen.setSignatureAlgorithm(cert.getSigAlgName());
// Subject of the proxy.
certGen.setSubjectDN(new X500Principal(proxyDN));
// Sign the proxy. privateKey is a handle obtained through the PKCS#11
// provider, so the signature is computed on the token; pass the provider
// name (e.g. certGen.generate(privateKey, "SunPKCS11-eToken")) if the
// PKCS#11 provider is not the default one for this algorithm.
X509Certificate proxyCert = certGen.generate(privateKey);
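The following is an added example written for this page; it is not part of the slides or of the authors' library. It shows the same flow end to end with current APIs: open the eToken through the SunPKCS11 provider (slide 17), browse the certificates on it as KeyStore aliases (the labels seen with pkcs11-tool on slide 14), and sign a legacy CN=proxy proxy certificate (the format mkproxy produces on slide 15) with the key that stays on the token. Assumptions, all of them mine rather than the page's: Java 9 or later (for Provider.configure), Bouncy Castle bcprov and bcpkix on the classpath, the PKCS#11 module at /usr/lib/libeTPkcs11.so as on slide 14, a token that offers an RSA signing mechanism usable for SHA256withRSA, and the output file name x509up_u<user>, chosen here for illustration.

```java
// Added example: not part of the slides or of the authors' library. Enumerates the
// eToken through the SunPKCS11 provider and signs a legacy "CN=proxy" proxy
// certificate with the key on the token (the long-term key never leaves the card).
// Assumptions: Java 9+, Bouncy Castle bcprov + bcpkix on the classpath, the
// PKCS#11 module path from slide 14, a token mechanism usable for SHA256withRSA.
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ETokenProxy {

    // Assumed module path (the one pkcs11-tool was pointed at on slide 14).
    static final String PKCS11_MODULE = "/usr/lib/libeTPkcs11.so";

    public static void main(String[] args) throws Exception {
        // Ask for the PIN on the terminal; never take it from argv or the environment.
        char[] pin = System.console().readPassword("PKCS#11 token PIN: ");
        Security.addProvider(new BouncyCastleProvider());

        // Java 9+: an inline SunPKCS11 configuration is passed with a "--" prefix.
        Provider pkcs11 = Security.getProvider("SunPKCS11")
                .configure("--name = eToken\nlibrary = " + PKCS11_MODULE + "\n");
        Security.addProvider(pkcs11);

        // The PKCS11 KeyStore is a view of the token: aliases are the object labels
        // (e.g. "Robot:MrBayes"); private keys come back as handles, not key material.
        KeyStore token = KeyStore.getInstance("PKCS11", pkcs11);
        token.load(null, pin);
        String label = args.length > 0 ? args[0] : firstKeyAlias(token);
        X509Certificate userCert = (X509Certificate) token.getCertificate(label);
        PrivateKey tokenKey = (PrivateKey) token.getKey(label, pin);
        System.out.println("Found X.509 certificate on eToken: label " + label
                + "\nYour identity: " + userCert.getSubjectX500Principal());

        // Fresh proxy key pair in software. mkproxy used 512-bit RSA; 2048 is the floor.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair proxyPair = kpg.generateKeyPair();

        X509Certificate proxy = signProxy(userCert, tokenKey, pkcs11, proxyPair.getPublic(), 12);

        // Proxy file layout expected by GSI tools: proxy cert, proxy key, issuer cert.
        String out = "x509up_u" + System.getProperty("user.name"); // assumed file name
        try (JcaPEMWriter pem = new JcaPEMWriter(new OutputStreamWriter(
                new FileOutputStream(out), StandardCharsets.US_ASCII))) {
            pem.writeObject(proxy);
            pem.writeObject(proxyPair.getPrivate());
            pem.writeObject(userCert);
        }
        System.out.println("Your proxy is valid until: " + proxy.getNotAfter());
    }

    /** Legacy GSI proxy: issuer = token certificate, subject = its DN plus CN=proxy. */
    static X509Certificate signProxy(X509Certificate issuer, PrivateKey issuerKey,
                                     Provider signingProvider, PublicKey proxyPub,
                                     int hoursValid) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 5 * 60 * 1000L); // clock skew
        Date notAfter = new Date(notBefore.getTime() + hoursValid * 3600_000L);
        // getName() is RFC 2253 order (most specific RDN first), so CN=proxy goes in front.
        X500Principal proxyDN = new X500Principal(
                "CN=proxy," + issuer.getSubjectX500Principal().getName());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuer.getSubjectX500Principal(), new BigInteger(64, new SecureRandom()),
                notBefore, notAfter, proxyDN, proxyPub);
        // Signing through the PKCS#11 provider runs C_Sign on the token. If the
        // token only offers SHA-1 mechanisms, fall back to issuer.getSigAlgName().
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(signingProvider).build(issuerKey);
        X509CertificateHolder holder = builder.build(signer);
        X509Certificate proxy = new JcaX509CertificateConverter()
                .setProvider("BC").getCertificate(holder);
        proxy.verify(issuer.getPublicKey()); // fail fast if the token produced a bad signature
        return proxy;
    }

    static String firstKeyAlias(KeyStore ks) throws KeyStoreException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) return alias;
        }
        throw new KeyStoreException("no private key object on the token");
    }
}
```

Run it as java ETokenProxy "Robot:MrBayes" with the token plugged in; without an argument it picks the first private-key object. The design point is the split the slides rely on: the proxy key pair is ordinary software material with a lifetime of hours, while the only operation ever asked of the robot key is one signature executed inside the token, so copying the UI's home directory yields nothing that outlives the proxy.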

20 The “lightweight” crypto library (3/4)
The CoG jGlobus APIs have been used to set up a GSI connection to the VOMS server of the given VO, so that the VOMS Attribute Certificate (AC) returned by the server can be added to the original proxy certificate.

21 The “lightweight” crypto library (4/4)
Extract the AC from the payload returned by the VOMS server and create the VOMS proxy: a proxy certificate that carries the AC in an X.509 extension, so that Grid services can verify the VO membership and roles it asserts, using the VOMS server's certificate, without contacting the VOMS server again.

22 A real use case…
The highly customizable Liferay portal has been combined with the EnginFrame 2010 framework to obtain a new e-collaboration environment designed to give scientific researchers easy access to Grid services.
R. Rotondo, R. Barbera, G. La Rocca, A. Falzone, P. Maggi and N. Venuti. Conjugating science gateways and grid portals into e-collaboration environments: the Liferay and GENIUS/EnginFrame use case. Proceedings of the 2010 TeraGrid Conference, Pittsburgh, Pennsylvania.

23 Conclusions
The Java SE platform provides developers with a large set of security APIs, algorithms, tools and protocols.
We have built on the PKCS#11 cryptographic library together with the Bouncy Castle and CoG jGlobus Java APIs to implement a new security solution for the gLite Grid middleware.
The solution described in this paper can be used by users, applications, Grid portals and/or Science Gateways to generate VOMS proxies from the credentials stored on an eToken smart card.

24 References & Links