Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 1 Managing Confidential Data in the gLite Middleware – The Secure Storage.

Slides:

Advertisements

Similar presentations

Data Management Expert Panel - WP2. WP2 Overview.

Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,

1 CHEP 2000, Roberto Barbera Tests of data management services in EDG 1.2 ALICE Off-line Week,

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

11 DICOM Image Communication in Globus-Based Medical Grids Michal Vossberg, Thomas Tolxdorff, Associate Member, IEEE, and Dagmar Krefting Ting-Wei, Chen.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

1 School of Computer, National University of Defense Technology A Profile on the Grid Data Engine (GridDaEn) Xiao Nong

EGEE-III INFSO-RI Enabling Grids for E-sciencE The Medical Data Manager : the components Johan Montagnat, Romain Texier, Tristan.

1 HeMoLab - Porting HeMoLab's SolverGP to EELA glite Grid Environment FINAL REPORT Ramon Gomes Costa - Paulo Ziemer.

The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) GISELA Additional Services Diego Scardaci

The Grid System Design Liu Xiangrui Beijing Institute of Technology.

Group 1 : Grid Computing Laboratory of Information Technology Supervisors: Alexander Ujhinsky Nikolay Kutovskiy.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE middleware: gLite Data Management EGEE Tutorial 23rd APAN Meeting, Manila Jan.

E-science grid facility for Europe and Latin America Using Secure Storage Service inside the EELA-2 Infrastructure Diego Scardaci INFN (Italy)

Enabling Grids for E-sciencE Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, November 2008.

MTA SZTAKI Hungarian Academy of Sciences Introduction to Grid portals Gergely Sipos

EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.

T3 analysis Facility V. Bucard, F.Furano, A.Maier, R.Santana, R. Santinelli T3 Analysis Facility The LHCb Computing Model divides collaboration affiliated.

The Global Land Cover Facility is sponsored by NASA and the University of Maryland.The GLCF is a founding member of the Federation of Earth Science Information.

Cole David Ronnie Julio. Introduction Globus is A community of users and developers who collaborate on the use and development of open source software,

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

INFSO-RI Enabling Grids for E-sciencE Αthanasia Asiki Computing Systems Laboratory, National Technical.

Managing Data DIRAC Project. Outline  Data management components  Storage Elements  File Catalogs  DIRAC conventions for user data  Data operation.

INFSO-RI Enabling Grids for E-sciencE Introduction Data Management Ron Trompert SARA Grid Tutorial, September 2007.

Database authentication in CORAL and COOL Database authentication in CORAL and COOL Giacomo Govi Giacomo Govi CERN IT/PSS CERN IT/PSS On behalf of the.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid2Win : gLite for Microsoft Windows Roberto.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Command Line Grid Programming Spiros Spirou Greek Application Support Team NCSR “Demokritos”

1 Egrid portal Stefano Cozzini and Angelo Leto. 2 Egrid portal Based on P-GRADE Portal 2.3 –LCG-2 middleware support: broker, CEs, SEs, BDII –MyProxy.

The overview How the open market works. Players and Bodies  The main players are –The component supplier  Document  Binary –The authorized supplier.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

INFSO-RI Enabling Grids for E-sciencE University of Coimbra GSAF Grid Storage Access Framework Salvatore Scifo INFN of Catania EGEE.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Data Management cluster summary David Smith JRA1 All Hands meeting, Catania, 7 March.

The Institute of High Energy of Physics, Chinese Academy of Sciences Sharing LCG files across different platforms Cheng Yaodong, Wang Lu, Liu Aigui, Chen.

EGEE is a project funded by the European Union under contract IST Data Management Data Access From WN Paolo Badino Ricardo.

1 Data Management for Internet Backplane Protocol by Tang Ming Assoc/Prof. Francis Lee School of Computer Engineering, Nanyang Technological University,

Grid Execution Management for Legacy Code Architecture Exposing legacy applications as Grid services: the GEMLCA approach Centre.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Data management in EGEE.

FESR Consorzio COMETA - Progetto PI2S2 GSAF Grid Storage Access Framework Salvatore Scifo

EGEE-II INFSO-RI Enabling Grids for E-sciencE Architecture of LHC File Catalog Valeria Ardizzone INFN Catania – EGEE-II NA3/NA4.

FESR Trinacria Grid Virtual Laboratory Grid Industry Day Catania October 2006 Secure Data Storage Into Grid Enviroment Unico Srl :

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America LFC Server Installation and Configuration.

Antonio Fuentes RedIRIS Barcelona, 15 Abril 2008 The GENIUS Grid portal.

INFSO-RI Enabling Grids for E-sciencE Security needs in the Medical Data Manager EGEE MWSG, March 7-8 th, 2006 Ákos Frohner on behalf.

EGEE Data Management Services

Gri2Win: Porting gLite to run under Windows XP Platform

Grid2Win Porting of gLite middleware to Windows XP platform

GFAL Grid File Access Library

GFAL Grid File Access Library

GFAL: Grid File Access Library

Authentication, Authorisation and Security

Java API del Logical File Catalog (LFC)

Data Bridge Solving diverse data access in scientific applications

Scuola Grid INFN, Martina Franca, Nov

gLite Data management system overview

Grid Training done in/by the Italian Federation in 2007 Roberto Barbera Univ. of Catania and INFN NA3 Partner Review Meeting at EGEE’07 Budapest,

Introduction to Data Management in EGI

Grid2Win: Porting of gLite middleware to Windows XP platform

AMGA Web Interface Salvatore Scifo INFN sez. Catania

The gLite API – Part II Giuseppe LA ROCCA ACGRID-II School

Gri2Win: Porting gLite to run under Windows XP Platform

GSAF Grid Storage Access Framework

Grid2Win: Porting of gLite middleware to Windows XP platform

GSAF Grid Storage Access Framework

AMGA Web Interface Vincenzo Milazzo

Data services in gLite “s” gLite and LCG.

Presentation transcript:

Scuola Grid INFN, Trieste, 1-12 Dic Managing Confidential Data in the gLite Middleware – The Secure Storage Service Fabio Scibilia per conto di - Diegi Scardaci (INFN Catania) - Giordano Scuderi (UNICO srl - Catania) Seconda Scuola su aspetti pratici del grid computing Trieste, 1-12 Dic. 2008

Scuola Grid INFN, Trieste, 1-12 Dic Outline Data Encryption and Secure Storage –Insider Abuse: Problem and Solution The Secure Storage Service for the gLite Middleware: –Command Line Applications –Application Program Interface –The Keystore

Scuola Grid INFN, Trieste, 1-12 Dic Data Encryption and Secure Storage The Secure Storage project is carried out by UNICO S.R.L. ( in collaboration with INFN Catania. The objective of the project is to create a mechanism to store in a secure way and in an encrypted format data on the grid storage elements. Thanks to this solution we want to solve the insider abuse problem.

Scuola Grid INFN, Trieste, 1-12 Dic Insider Abuse: Problem A grid user could store sensitive data in a Storage Elements managed by external organizations. Storage Elements Administrators could access data (but the data are sensitive!). For this reason data MUST be stored in an encrypted format. Data Encryption/Decryption MUST be performed inside user secure environment (for example inside the user’s organization).

Scuola Grid INFN, Trieste, 1-12 Dic SE KeyStore SE USER (VIRTUAL) ORGANIZ ATION Key File Encryption /Decryption Encrypted File Insider Abuse: A Solution SECURE ENVIRONMENT

Scuola Grid INFN, Trieste, 1-12 Dic A Secure Storage service for the gLite Middleware Provides gLite users with suitable and simple tools to store confidential data in storage elements in a transparent and secure way. The service is composed by the following components: Command Line Applications: commands integrated in the gLite User Interface to encrypt/upload and decrypt/ download files. Application Program Interface: allows the developer to write programs able to manage confidential data. Keystore: a new grid element used to store and retrieve the users’ keys.

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications We provide a new set of commands on the gLite User Interface: –Like lcg-utils commands, but they work on encrypted data. –Encryption and decryption process are transparent to the user. –Example (copy a local file on a GRID Storage Element): lcg-cr -d -L lcg-scr -d -L These commands allow to make the main Data Management operations: –Copy data/file on Storage Elements –Read data/file from Storage Elements –Delete data/file on Storage Elements –….

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications Main Commands: – lcg-scr  encrypts a file and uploads it on a storage element, registering its Logical File Name in a LFC catalog. Moreover, it stores the key used to encrypt the file in a key repository. An ACL will be associated to each key on the repository. This ACL will contain all users authorized to access the file. – lcg-scp  downloads an encrypted file, gets the key to decrypt the file from the repository, decrypts the file and store it on a local file-system. Only authorized users (inserted into an ACL ) can access the key necessary to decrypt the file. – lcg-sdel  deletes one or all the replicas of a file. It also deletes the key associated to this file (only if you delete the last replica!)

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications lcg-scr: lcg-scp:

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications lcg-sdel:

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications Man pages available:

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Applications details Details about the main commands: –lcg-scr –lcg-scp

Scuola Grid INFN, Trieste, 1-12 Dic lcg-scr: Encryption and Storage

Scuola Grid INFN, Trieste, 1-12 Dic lcg-scp: Retrieval and Decryption

Scuola Grid INFN, Trieste, 1-12 Dic Command Line Interface details Encryption Algorithm: –The command line applications use AES (Advanced Encryption Standard) with 256 bit key length. Main development problems: –GFAL does not allow to create a new file using a LFN as input  It is necessary to use lower level API. –It is not possible to use standard (last version) OpenSSL library  Conflicts with OpenSSL version used by Globus.  New routines for encryption/decryption and keys generation are been developed.

Scuola Grid INFN, Trieste, 1-12 Dic Secure Storage API Secure Storage C API ( like lcg API encrypt and decrypt entire file ): –int lcg_scr ( char *src_file, char *dest_file, char *guid, char* lfn, char *vo, char *relative_path, char *conf_file, int insecure, int verbose, char *actual_gid ); –int lcg_scp ( char *src_file, char *dest_file, char *vo, char *conf_file, int insecure, int verbose ); –int lcg_sdel ( char *src_file, int aflag, char *se, char *vo, char *conf_file, int insecure, int verbose, int timeout); To use Secure Storage C API add in your code: –#include “securestorage.h”

Scuola Grid INFN, Trieste, 1-12 Dic Secure Storage API 2 Development of API like GFAL ( encrypt and decrypt block of data ):  int securestorage_open( char *lfn, int flags, mode_t mode );  int securestorage_write ( int fd, void *buffer, size_t size );  int securestorage_read ( int fd, void *buffer, size_t size );  int securestorage_close ( int fd ); Read and Write encrypted data like plain data! –open –read/write –close

Scuola Grid INFN, Trieste, 1-12 Dic The Keystore (1) The Keystore is a new grid element used to store and retrieve the users’ key in a secure way. The Keystore: is identified by an host X.509 digital certificate; all its Grid transactions are mutually authenticated and encrypted as required by the GSI model; should be placed in a trusted domain and should be appropriately protected by undesired connections; is a black box with a single interface towards the external world. This interface accepts only GSI authenticated connections;

Scuola Grid INFN, Trieste, 1-12 Dic The Keystore (2) The Keystore: the client request is processed only if the client is a member of a enabled users list and/or it belongs to an enabled Virtual Organization; if the client want to retrieve a key, the keystore checks if the request is coming from an authorized user inserted on the ACL associated to the request key.

Scuola Grid INFN, Trieste, 1-12 Dic Refernces Wiki page – –At the bottom of the page you can download an AVI clip Web page –

Scuola Grid INFN, Trieste, 1-12 Dic Any questions ?