Security, Authentication and Authorization on Grid Computing
1st Chinese-French workshop on LHC Physics and Associated Grid Computing
Beijing, December 11th-16th 2006
Sophie Nicoud, CNRS/UREC
Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec

Slide 2: Overview
- What do we need to access the Grid Computing infrastructure?
- Authentication
  - Digital certificates
  - Certification Authority collaboration
  - Grid Security Infrastructure (GSI)
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
- Security groups
Slide 3: What do we need to access the Grid Computing infrastructure?
- Authentication => digital certificate X509v3 (issued by a CA): who am I?
- Authorization => Virtual Organization (VO or VOMS): what am I allowed to do?
- Access to the Grid => User Interface (UI) or web portal, with single sign-on
- Accounting: who does what, and when? Future billing
Slide 4: Overview
- Authentication
  - Digital certificates
  - Certification Authorities collaboration
  - Grid Security Infrastructure (GSI)
Slide 5: What's a digital certificate?
- Built on asymmetric mathematical algorithms and on trust in a third party, the Certification Authority (CA)
- It is a pair of two keys
  - The keys are generated together
  - It is impossible to derive the private key from the public one
  - A message encrypted with one key can be decrypted only with the other one
- It is composed of a public key and a private key
- The public key
  - Plus some information about the owner, is signed by the Certification Authority
  - Published worldwide by the CA
  - In everyday language, this is what is called the certificate
- The private key
  - Stored on the hard disk of the user's machine
  - Encrypted and protected by a password
Slide 6: X509v3 Certificate (1)
- A digital certificate (or X509v3 certificate) can be issued for
  - a physical person (personal certificate)
  - a machine (host certificate)
  - a program (service certificate)
- The CA checks the identity of the requester => the job of the RA, the Registration Authority
- The digital certificate has a validity period and a unique serial number
- A CA has a certificate signed
  - by itself => root CA
  - by another CA => sub-CA
Slide 7: X509v3 Certificate (2)
- When a certificate is lost or stolen, or its password is forgotten, the certificate is revoked
- The CRL, Certificate Revocation List,
  - contains the serial numbers of all revoked certificates
  - is published when a certificate is revoked, and at least every month
Slide 8: X509v3 Certificate (3)
The certificate contains:
- Subject or DN (Distinguished Name)
- Serial number
- Time of validity
- Public key
- Info on the CA
- X509v3 extensions
  - Owner
  - Allowed use of the certificate
  - ...
- Digital signature of the CA
Slide 9: X509v3 Certificate (4)

  # openssl x509 -text -noout -in usercert.pem
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 656 (0x290)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=FR, O=CNRS, CN=GRID-FR
          Validity
              Not Before: Feb 8 10:04: GMT
              Not After : Feb 8 10:04: GMT
          Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Sophie Nicoud
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:b9:8d:52:15:ee:80:d8:8f:3c:a7:1f:fb:59:6d:

(slide callouts: serial number, issuer CA, time of validity, subject, public key)
Slide 10: An X509v3 certificate (2)

          X509v3 extensions:
              X509v3 Basic Constraints: critical
                  CA:FALSE
              Netscape Cert Type:
                  SSL Client, S/MIME, Object Signing
              X509v3 Key Usage: critical
                  Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
              X509v3 Certificate Policies:
                  Policy:
              X509v3 Subject Alternative Name:
              X509v3 CRL Distribution Points:
                  URI:
              : unicoreClient
      Signature Algorithm: sha1WithRSAEncryption
          7a:ea:e5:96:d6:cb:2f:2e:a6:9c:1d:06:55:8a:af:2a:7a:1c:

(slide callouts: X509v3 extensions, allowed use, CP/CPS version, CRL, CA signature)
Slide 11: Digital signature
(diagram: signing of a certificate by the issuer CA)
- Public key + info -> hash code -> fingerprint
- Fingerprint encrypted with the CA private key -> encrypted fingerprint = CA signature
- Certificate = public key + info + CA signature
Slide 12: Certificate checks
(diagram: verification of a certificate = public key + info + CA signature)
- Fingerprint A: hash code of the public key + info
- Fingerprint B: CA signature decrypted with the CA public key
- Are fingerprints A and B equal?
- Is the current date within the time of validity?
- Is the certificate included in the CRL?
Slide 13: Certification Authorities collaboration (1)
- In a Grid environment with many users and many organizations, we need single sign-on and identity certificates for all national and global grid projects, thus issued by independent identity providers and trusted by everyone in the grid
- Impossible to use only one CA per project or partner => one CA per country
  - But also per set of countries or per institute
- Need collaboration in each country
- Need CA coordination to establish a CA trust domain
- Need a catch-all CA for countries without a CA
Slide 14: Certification Authorities collaboration (2)
- At the start of EDG, CAs: CNRS, INFN, CERN
  - One coordination group, CACG, then EuGridPMA
- Now, in 2006, the coordination group is split across 3 continents
  - European coordination: 37 CAs
  - Asia and Pacific coordination: 8 CAs
  - Americas coordination: 2 CAs
- Every year new CAs come
- Many Grid projects: EGEE, LCG, DEISA, EELA, EuMedGrid, EScience, PPDG, ...
Slide 15: Organisation of Grid PMAs
- IGTF, International Grid Trust Federation
  - Establishes worldwide trust for the Grid
  - Establishes rules and a charter between PMAs
  - Approved at GGF 15, October 5
- EUGridPMA
  - First PMA, established IGTF
  - In fact covers not only Europe but remains the reference for most continents
- TAGPMA, America South and North
  - 2 CAs, DOE and Canada; many in the accreditation process for South America
- APGridPMA, Asia and Pacific
  - 10 CAs: Australia, Japan, China, Taiwan, ...
Slide 16: Purpose of the Grid PMA
- Policy Management Authority: Grid PMA
  - Establishes minimal requirements and best practices for Grid CAs
  - Accredits CAs by reviewing their CP/CPS
  - Audits CAs
- Minimal requirements:
  - Certificate Revocation List (CRL)
    - Lifetime must be no more than 30 days
    - A new CRL must be generated at least 7 days before expiration
    - A new CRL must be issued immediately after a certificate revocation
  - CA namespace
    - No clash with any other CA
  - CA system
    - Dedicated machine in a secure environment where access is controlled
  - Some certificate extensions must be set to specific values
  - ...
Slide 17: Chinese CAs
- IHEP CA
  - Issues certificates to people and sites participating in Grid Computing
  - CA running since 2004
  - Accredited by EUGridPMA and APGridPMA in 2005
  - Managed by Gongxing SUN
- SDG CA
  - Provides PKI services for the Scientific Data Grid research community involved in Grid activities
  - Accredited by APGridPMA
  - Managed by Kai Nan
Slide 18: French CA
- Datagrid-fr CA
  - Sub-CA of the CNRS CA dedicated to the DataGrid (EDG) project
- Since 2005: GRID-FR CNRS CA
  - Sub-CA of the CNRS CA dedicated to Grid projects
  - Issues certificates for:
    - All French entities: French institutes or private companies involved in a Grid project with the CNRS
    - Catch-all CA: institutes or private companies (not HEP) involved with the CNRS in a Grid project and which do not have a national Grid CA
  - Now, we issue around 800 certificates per year in 27 countries
Slide 19: Grid Security Infrastructure (GSI)
- Authentication based on digital certificates and trusted CAs
- A standard for Grid software
- Implements:
  - Single sign-on: the password is given only once
  - Mutual authentication: every Grid transaction is mutually authenticated
  - Proxy: allows a remote process to authenticate on behalf of the user, i.e. lets someone else use his authorizations and his authentication
- Proxy certificates
  - Certificate with limited lifetime, signed with the user's private key
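The signing step of slide 11, the three checks of slide 12 and the proxy delegation of slide 19 as one added worked example (not code from the slides or from any grid middleware). It uses a toy textbook RSA pair with tiny constructed constants and sha1 fingerprints purely to show the flow; the chain verified is root CA -> user certificate -> proxy, with the proxy signed by the user's own key and limited to 24 h as slide 24 states. Certificate fields, serial numbers and dates are constructed, and the CRL check also rejects a CRL that is past its next update.

```python
import hashlib
from datetime import datetime, timedelta
# Toy textbook RSA keys (exponent, modulus) with p=61, q=53, n=3233, constructed for
# illustration only; real grid certificates use RSA keys of 1024 bits or more (slide 9).
CA_PUB, CA_PRIV = (17, 3233), (2753, 3233)
USER_PUB, USER_PRIV = (7, 3233), (1783, 3233)
T0 = datetime(2006, 2, 8, 10, 4)  # constructed "Not Before" of the CA and user certs

def fingerprint(cert):
    # Slide 11: hash of "public key + info", i.e. every field except the signature
    return hashlib.sha1(repr(sorted((k, str(v)) for k, v in cert.items() if k != "sig")).encode()).digest()

def issue(subject, issuer, serial, pub, issuer_priv, not_before, lifetime):
    # Build the certificate, then sign its fingerprint byte by byte with the issuer key
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "pub": pub,
            "not_before": not_before, "not_after": not_before + lifetime}
    d, n = issuer_priv
    cert["sig"] = [pow(b, d, n) for b in fingerprint(cert)]
    return cert

def check(cert, issuer_cert, now, crl=None, max_lifetime=None):
    """Slide 12: fingerprint A == decrypted signature (B)? still valid? in the CRL?"""
    e, n = issuer_cert["pub"]
    if [pow(s, e, n) for s in cert["sig"]] != list(fingerprint(cert)):
        return False, "bad signature"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    if max_lifetime and cert["not_after"] - cert["not_before"] > max_lifetime:
        return False, "lifetime too long"
    if crl is not None:
        if crl["next_update"] < now:  # slide 16: a stale CRL must not be relied on
            return False, "CRL expired"
        if cert["serial"] in crl["revoked"]:
            return False, "revoked"
    return True, "ok"

def chain_status(now, revoked=(), crl_age=timedelta(days=1), proxy_hours=12):
    """Root CA -> user -> proxy chain (slide 19), as verified by a service at `now`."""
    ca = issue("CN=GRID-FR", "CN=GRID-FR", 1, CA_PUB, CA_PRIV, T0, timedelta(days=3650))
    user = issue("CN=Sophie Nicoud", "CN=GRID-FR", 656, USER_PUB, CA_PRIV, T0, timedelta(days=365))
    # Proxy: short-lived and signed with the user's own private key, not by the CA
    proxy = issue("CN=Sophie Nicoud/CN=proxy", "CN=Sophie Nicoud", 1, (11, 3233),
                  USER_PRIV, now - timedelta(hours=1), timedelta(hours=proxy_hours))
    crl = {"next_update": T0 + crl_age, "revoked": set(revoked)}
    links = [(ca, ca, None, None),                      # root CA is self-signed (slide 6)
             (user, ca, crl, None),                     # CA signature plus CRL lookup
             (proxy, user, None, timedelta(hours=24))]  # proxy: 24 h max (slide 24)
    for cert, issuer, link_crl, max_life in links:
        ok, why = check(cert, issuer, now, link_crl, max_life)
        if not ok:
            return f"{cert['subject']}: {why}"
    return "ok"
```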
Slide 20: Overview
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
Slide 21: Authorization
- Virtual Organizations (VO)
  - A set of entities sharing the same objective
    - Users
    - Resources
  - "A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions."
Slide 22: Virtual Organizations (1)
- A VO can be a set of users sharing the same experiment, or from the same lab, area or project:
  - Experiment: Biomed, gene, Alice, Atlas, Babar, LHCb, ESR, EGEODE, ...
  - Labs, areas: vo.dapnia.cea.fr, vo.lal.in2p3.fr, ...
  - Projects: ambrace, infngrid, GridPP, auvergrid, ...
  - Other: dteam, ...
- One administrator per Virtual Organization
  - He is the manager of the users of his VO
- Site managers allow VOs to access site resources
  - Specific rights can be granted by site administrators
  - Users with specific certificate subject patterns can be refused
Slide 23: LDAP VO
- At each site, each user certificate is mapped to a unique local user account (UID/GID) according to his VO
- This UID/GID is picked from the VO pool account defined by the site administrator
- Now, there are 2 types of VO: LDAP VO and VOMS
- LDAP VO
  - The oldest method; it is based on an LDAP server that contains the list of VO members
  - A user can be a member of only one VO
  - All members of a VO have the same access rights
  - User authentication command: grid-proxy-init
  - The local authorization file, grid-mapfile, is rebuilt every few hours from the LDAP server. Each certificate subject of the VO is mapped to its VO pool account:

    "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud" .dte
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Alexandre Rozanov" .atl
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs
Slide 24: VO LDAP architecture
(diagram)
- User Interface: CA certificate, user certificate (1 year max); grid-proxy-init produces a proxy certificate (24 h max)
- The user registers with the CA and with the VO
- Service host: host certificate (1 year max), grid-mapfile built from the VO, CRL updates from the CA (one feed at low frequency, the other at high frequency)
- Proxy and service: mutual authentication plus authorization checks
Slide 25: VOMS (1)
- VOMS: Virtual Organization Membership Service
- The VOMS database contains the VO members with their specific rights
- A VOMS user can have many different sets of authorizations; moreover, a user can be a member of many VOMS
- User rights depend on his group or role membership in the VOMS
- Groups, roles and rights are included in the user proxy
- User authentication command: voms-proxy-init --voms
- Authorizations are expressed by FQANs* and included in the proxy attributes:
  /Role=[ ][/Capability= ]
  *FQAN: Fully Qualified Attribute Name
Slide 26: VOMS (2)
- Groups
  - Groups can have a hierarchical structure, indefinitely deep
  - Useful to give different authorizations according to group membership
  - The default group is /
- Roles
  - Software manager, VO-Administrator, Production, ...
  - Roles have no hierarchical structure: there is no sub-role
  - Roles are not used in 'normal operation'
  - They must be specifically requested when the user creates his proxy
- Proxy attributes are checked by each site with LCAS and LCMAPS
Slide 27: VOMS (3)
- LCMAPS
  - Maps grid credentials (subject + attributes of the proxy certificate) to local credentials (UID/GID)
- LCAS
  - Checks whether the user is authorized or banned at the site (currently using the grid-mapfile)
- The local authorization file, grid-mapfile, is rebuilt every few hours. Each VOMS/group/role is mapped to its pool account:

    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
    "/VO=dteam/GROUP=/dteam" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=NULL" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=production" dtep
    "/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep
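The grid-mapfile lookup of slides 23 and 27, with the FQAN attributes of slide 25, as an added worked example written for this page (it is not the LCAS/LCMAPS code). The mapfile text is constructed in the format the slides show; the lookup order (VOMS attribute keys from most to least specific, then the plain certificate subject), the site ban list and the numbering of leased pool accounts are assumptions of this example, not documented LCMAPS behaviour.

```python
import re

# Constructed grid-mapfile in the format of slides 23 and 27: a quoted key (certificate
# subject or VOMS group/role attribute) followed by the local account. A leading "."
# marks a pool account; a bare name is a fixed local account.
GRID_MAPFILE = '''\
"/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud" .dte
"/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
"/VO=dteam/GROUP=/dteam" .dte
"/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
"/VO=dteam/GROUP=/dteam/ROLE=production" dtep
'''
FQAN_RE = re.compile(r"(/[^/=]+(?:/[^/=]+)*)(?:/Role=([^/]+))?(?:/Capability=([^/]+))?")

def mapfile_keys(fqan):
    """Turn a proxy FQAN such as /dteam/Role=lcgadmin/Capability=NULL into the
    grid-mapfile keys to try, most specific first (assumed lookup order)."""
    m = FQAN_RE.fullmatch(fqan)
    if not m:
        raise ValueError(f"malformed FQAN: {fqan}")
    group, role, cap = m.group(1), m.group(2) or "NULL", m.group(3) or "NULL"
    base = f"/VO={group.split('/')[1]}/GROUP={group}"
    return [f"{base}/ROLE={role}/CAPABILITY={cap}", f"{base}/ROLE={role}", base]

class SiteMapper:
    """LCAS-style ban check plus LCMAPS-style mapping of (subject, FQANs) to a local
    account (slide 27); a pool account is leased once per subject (slide 23)."""
    def __init__(self, mapfile_text, banned=()):
        self.entries = dict(re.findall(r'^"([^"]+)"\s+(\S+)\s*$', mapfile_text, re.M))
        self.banned = set(banned)
        self.leases, self.next_id = {}, {}

    def map(self, subject, fqans=()):
        if subject in self.banned:                  # banned at this site: refused
            return None
        # VOMS attributes first (primary FQAN first), then the plain DN as fallback
        for key in [k for f in fqans for k in mapfile_keys(f)] + [subject]:
            account = self.entries.get(key)
            if account is None:
                continue
            return self._lease(account[1:], subject) if account[0] == "." else account
        return None                                 # not in the grid-mapfile: refused

    def _lease(self, pool, subject):
        # The same subject always gets the same pool account (stable UID/GID)
        if (pool, subject) not in self.leases:
            self.next_id[pool] = self.next_id.get(pool, 0) + 1
            self.leases[(pool, subject)] = f"{pool}{self.next_id[pool]:03d}"
        return self.leases[(pool, subject)]
```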
Slide 28: VOMS architecture
(diagram)
- User Interface: CA certificate, user certificate (1 year max); voms-proxy-init contacts the VOMS service and produces a proxy certificate (24 h max) carrying the VOMS authorization attributes
- The user registers with the CA and with the VOMS
- Service host: host certificate (1 year max), VOMS certificate, CRL updates from the CA (one feed at low frequency, the other at high frequency)
- Proxy and service: mutual authentication and authorization, with LCAS and LCMAPS at the site
Slide 29: Overview
- Security groups
Slide 30: Security groups
- Security Incident Response Policy (EGEE/LCG)
  - Grid Security Incident Handling and Response Guide
  - Announcements and information dissemination
  - Incident detection and analysis
  - Incident response on site => member(s) at each site
  - Vulnerability handling
- Middleware Security Group (EGEE)
  - Focused on middleware developments
- JSPG, Joint Security Policy Group (LCG)
  - Advises and makes recommendations to the LCG Grid Deployment Manager and the LCG Grid Deployment Board (GDB) on matters related to LCG security
  - AUP, Grid Acceptable Use Policy, ...
- CA Manager Groups
- VO Manager Group
Slide 31: Links
- Certification Authorities
- VOMS
- Security Groups

Thanks!