Authentication, Authorisation and Security


Shih-Chun Chiu, Academia Sinica Grid Computing

Outline
- Security
- Authentication
- Grid Security Infrastructure
- Encryption & Data Integrity
- Authorization
- Security in gLite

Basis of security & authentication
- Symmetric encryption: the same secret key encrypts and decrypts, so it has to be shared in advance.
- Asymmetric encryption (public key cryptography, the basis of Public Key Infrastructure): the private key and the public key come as a pair; it is computationally infeasible to derive the private key from the public key; a message encrypted with one key of the pair can be decrypted only with the other.
- Examples of public key algorithms: Diffie-Hellman (1976; a key-agreement scheme rather than an encryption algorithm), RSA (1978).
[Figure: plain text is encrypted with one key of the pair and the encrypted text is decrypted with the other]

An Example of Asymmetric Encryption
1. Public keys are exchanged: Paul gets John's public key.
2. Paul encrypts the message using John's public key.
3. John decrypts it using his private key.
Encrypting with the recipient's public key ensures data confidentiality: only the holder of the matching private key can read the message. It does not by itself tell John who sent the message; that is what digital signatures provide.
[Figure: John's key pair (private, public); Paul sends "ciao" to John, encrypted as "3$r"]

Digital Signature
1. Paul calculates the hash of the message.
2. Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
3. Paul sends the signed message (message plus signature) to John.
4. John calculates the hash of the message he received (Hash B).
5. John decrypts the signature using Paul's public key to get Hash A.
6. If the hashes are equal: (1) the message was not modified; (2) the signature was produced with Paul's private key, so the message came from whoever holds that key.
The second conclusion is only as strong as John's assurance that the public key really belongs to Paul, which is the problem certificates solve.
[Figure: Paul (message, Hash A, digital signature, private key) -> John (message, digital signature, Hash B = ? Hash A, Paul's public key)]

Certificate
- A certificate is based on the digital signature mechanism.
- The Grid authenticates users or resources by verifying their certificate.
- A certificate is issued by one of the national Certification Authorities (CAs), which signs it with the CA's private key. Anyone who trusts the CA and holds its public key can then check that the public key in the certificate belongs to the named user or resource.
[Figure: certificate = public key + user's information + CA's information + time of validity + CA's digital signature, signed by the CA private key]

X.509 Certificates
An X.509 certificate contains:
- the owner's public key;
- the identity of the owner (Subject);
- info on the CA (Issuer);
- the time of validity;
- a serial number;
- optional extensions;
- the digital signature of the CA.
Example fields:
Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
Expiration date: Aug 26 08:08:14 2005 GMT
Serial number: 625 (0x271)

Example: X.509 Certificates
[Figure: screenshot of an X.509 certificate, not reproduced in the transcript]

Proxy certificate
[Figure: the user certificate contains the user's information and carries the CA's signature; the user's private key signs a new proxy certificate, which contains its own information and a freshly generated proxy key]

Proxy delegation
[Figure: proxy1 (certificate signed by the user, with the proxy1 key) in turn signs proxy2's certificate, which carries the proxy2 key]

Proxy delegation chain
- Proxy certificates are short-lived certificates signed by the user's certificate (with the user's private key) or by another proxy.
- Every proxy in the chain can represent the user.
- This reduces the effort for the user, who otherwise would have to prove their identity again every time they access a different resource: "single sign-on" is attained.
- The flip side: whoever holds a proxy's private key can act as the user until that proxy expires, which is why proxy lifetimes are kept short.
[Figure: user's signature -> proxy1 cert/key -> proxy1's signature -> proxy2 cert/key -> proxy2's signature -> proxy3 cert/key -> ... -> proxy N-1's signature -> proxy N cert/key]
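The following is an added example, not code from the presentation or from gLite/GSI. It strings together the steps described in the slides above: asymmetric encryption, digital signature, the certificate signed by a CA, and a proxy delegation chain verified back to the trusted CA. Textbook RSA with fixed Mersenne primes stands in for a real key pair, a JSON dictionary stands in for the X.509/DER encoding, and the names, DNs, serial numbers and lifetimes are constructed for the example. It deliberately rejects three bad chains a verifier must catch: an expired proxy, a proxy altered after signing, and a proxy whose subject does not extend its issuer's subject.

```python
import hashlib
import json

E = 65537  # RSA public exponent

# Constructed demo key material: fixed Mersenne primes make the example
# deterministic and offline. Special-form primes and unpadded ("textbook")
# RSA are NOT acceptable for real keys; real grid credentials come from a
# key pair generated by a proper crypto library and certified by a CA.
def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # modular inverse, Python 3.8+

def encrypt(pub, plaintext):
    """Confidentiality: encrypt with the RECIPIENT's public key."""
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(priv, ciphertext):
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(priv, data):
    """Signature = hash of the data, 'encrypted' with the SIGNER's private key."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n)

def verify(pub, data, signature):
    n, e = pub
    hash_b = int.from_bytes(hashlib.sha256(data).digest(), "big")  # recomputed
    hash_a = pow(signature, e, n)                                   # recovered
    return hash_a == hash_b

def encode(body):
    """Canonical bytes of the to-be-signed part (stand-in for DER)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer_cert, issuer_priv, subject, subject_pub, serial, now, lifetime):
    """Certificate = subject, issuer, public key, validity, serial, plus the
    issuer's signature over all of it. issuer_cert=None means self-signed."""
    body = {"subject": subject,
            "issuer": issuer_cert["body"]["subject"] if issuer_cert else subject,
            "public_key": list(subject_pub), "serial": serial,
            "not_before": now, "not_after": now + lifetime}
    return {"body": body, "signature": sign(issuer_priv, encode(body))}

def verify_chain(chain, trusted_ca, now):
    """chain = [leaf proxy, ..., user certificate]. Walk up to the trust anchor,
    checking at each link: issuer name, signature under the parent's public key,
    validity window, and for proxies that the subject is the issuer's subject
    extended by one CN component. Returns (ok, reason)."""
    parents = chain[1:] + [trusted_ca]
    for cert, parent in zip(chain, parents):
        body, pbody = cert["body"], parent["body"]
        if body["issuer"] != pbody["subject"]:
            return False, "issuer mismatch for " + body["subject"]
        if not verify(tuple(pbody["public_key"]), encode(body), cert["signature"]):
            return False, "bad signature on " + body["subject"]
        if not body["not_before"] <= now <= body["not_after"]:
            return False, body["subject"] + " expired or not yet valid"
        if parent is not trusted_ca and not body["subject"].startswith(pbody["subject"] + "/CN="):
            return False, "proxy " + body["subject"] + " does not extend its issuer"
    return True, "ok"  # the CA itself is trusted by configuration (offline trust)

def demo(now=1_000_000):
    """CA -> Paul -> proxy1 -> proxy2, with constructed DNs, serials and times."""
    ca_pub, ca_priv = make_keypair((1 << 127) - 1, (1 << 521) - 1)
    paul_pub, paul_priv = make_keypair((1 << 89) - 1, (1 << 607) - 1)
    p1_pub, p1_priv = make_keypair((1 << 61) - 1, (1 << 1279) - 1)
    p2_pub, _p2_priv = make_keypair((1 << 107) - 1, (1 << 2203) - 1)
    year, half_day = 365 * 86400, 12 * 3600
    ca = issue(None, ca_priv, "/C=TW/O=AS/CN=Demo CA", ca_pub, 1, now, 10 * year)
    paul = issue(ca, ca_priv, "/C=TW/O=AS/CN=Paul", paul_pub, 625, now, year)
    proxy1 = issue(paul, paul_priv, paul["body"]["subject"] + "/CN=proxy", p1_pub, 1, now, half_day)
    proxy2 = issue(proxy1, p1_priv, proxy1["body"]["subject"] + "/CN=proxy", p2_pub, 1, now, half_day)
    tampered = {"body": dict(proxy2["body"], subject=proxy2["body"]["subject"] + "/CN=evil"),
                "signature": proxy2["signature"]}  # contents changed after signing
    rogue = issue(proxy1, p1_priv, "/C=TW/O=AS/CN=Mallory/CN=proxy", p2_pub, 2, now, half_day)
    return {
        "confidentiality": decrypt(paul_priv, encrypt(paul_pub, b"ciao")) == b"ciao",
        "signature_ok": verify(paul_pub, b"ciao", sign(paul_priv, b"ciao")),
        "signature_tampered": verify(paul_pub, b"ciao!", sign(paul_priv, b"ciao")),
        "chain": verify_chain([proxy2, proxy1, paul], ca, now),
        "chain_after_12h": verify_chain([proxy2, proxy1, paul], ca, now + 13 * 3600),
        "chain_tampered": verify_chain([tampered, proxy1, paul], ca, now),
        "chain_rogue_subject": verify_chain([rogue, proxy1, paul], ca, now),
    }
```

Calling demo() returns True for the encryption round trip and the genuine signature, False for the altered message, (True, "ok") for the honest chain, and a False verdict with a reason for each of the three bad chains. Note that the verifier never needs any private key: the chain is checked with public keys alone, down to the CA's public key that the site installed offline.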

Evolution of VO management: VOMS
- VO administration: check which VO the user belongs to.
- Add VO information to the user's proxy certificate.
- voms-proxy-init is the gLite command that contacts the VOMS server with the user's certificate (proxy) and retrieves a proxy certificate that carries the VO information.
[Figure: proxy certificate = information + VO: TWGrid + user's digital signature]

Summary of AA - 1
Authentication is based on X.509 PKI infrastructure:
- Trust between Certification Authorities (CAs) and sites, and between CAs and users, is established offline.
- CAs issue (long-lived) certificates identifying sites and individuals (much like a passport); this is the same X.509 mechanism that web browsers use to authenticate web sites.
- To limit the exposure of the long-lived private key, on the Grid user identification is done with (short-lived) proxies of the user's certificate.
Proxies can:
- be delegated to a service so that it can act on the user's behalf;
- include additional attributes (such as VO information from the VO Membership Service, VOMS);
- be stored in an external proxy store (MyProxy);
- be renewed when they are about to expire.

Summary of AA - 2
Authentication (Grid Security Infrastructure, GSI):
1. The user obtains a certificate from a Certification Authority (CA); it is renewed annually.
2. The user connects to the UI by ssh (the UI is the user's interface to the Grid).
3. The user uploads the certificate to the UI.
4. Single logon, on the UI: create a proxy.
Authorisation:
1. The user joins a Virtual Organisation (VO); the VO manager records the membership in the VO database.
2. The VO negotiates access to Grid nodes and resources.
3. Resources receive a daily update from the VO service and map VO membership to local access rights.
4. Authorisation is tested by the resource: the credentials in the proxy determine the user's rights.
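Added example, not code from the presentation and not gLite's own LCAS/LCMAPS: how a resource can turn the VO information carried in a VOMS proxy (the voms-proxy-init slide) into the local decision described in the authorisation half of the summary above. The FQAN syntax "/vo/group/Role=role/Capability=cap" is the VOMS attribute format; the DNs, the twgrid groups and roles, the local account names and the policy table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

def parse_fqan(fqan):
    """Split a VOMS Fully Qualified Attribute Name such as
    '/twgrid/users/Role=NULL/Capability=NULL' into (vo, group, role).
    Role=NULL means 'no specific role' and is returned as None."""
    parts = [p for p in fqan.split("/") if p]
    if not parts or "=" in parts[0]:
        raise ValueError("malformed FQAN: " + fqan)
    groups = [p for p in parts if "=" not in p]
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    role = attrs.get("Role")
    return parts[0], "/" + "/".join(groups), None if role in (None, "NULL") else role

@dataclass
class Rule:
    group: str              # VO group (prefix) the rule applies to
    role: Optional[str]     # required role, or None for any member of the group
    account: str            # local account the user is mapped to
    rights: frozenset       # operations permitted on this resource

# Constructed site policy: most specific rule first, plain membership last.
POLICY = [
    Rule("/twgrid", "production", "twgprd", frozenset({"submit", "read", "write"})),
    Rule("/twgrid", None, "twgrid", frozenset({"submit", "read"})),
]
# Site-level ban list, e.g. after a compromise has been reported for a certificate.
BANNED = {"/C=TW/O=AS/CN=Mallory"}

def authorize(subject, fqans, proxy_not_after, now, policy=POLICY, banned=BANNED):
    """Decide what the presented proxy may do here.
    Returns (allowed, local_account, rights, reason)."""
    if now > proxy_not_after:
        return False, None, frozenset(), "proxy expired"
    if subject in banned:
        return False, None, frozenset(), "subject banned at this site"
    for fqan in fqans:                      # VOMS lists the primary FQAN first
        vo, group, role = parse_fqan(fqan)
        for rule in policy:
            in_group = group == rule.group or group.startswith(rule.group + "/")
            if in_group and rule.role in (None, role):
                why = "matched " + rule.group + (" Role=" + rule.role if rule.role else "")
                return True, rule.account, rule.rights, why
    return False, None, frozenset(), "no VO attribute matches the site policy"

def demo(now=1_000_000):
    """Constructed proxies presented to the resource."""
    paul = "/C=TW/O=AS/CN=Paul"
    later = now + 12 * 3600
    member = ["/twgrid/Role=NULL/Capability=NULL"]
    return {
        "member": authorize(paul, member, later, now),
        "production": authorize(paul, ["/twgrid/Role=production/Capability=NULL"], later, now),
        "other_vo": authorize(paul, ["/atlas/Role=NULL/Capability=NULL"], later, now),
        "expired": authorize(paul, member, now - 1, now),
        "banned": authorize("/C=TW/O=AS/CN=Mallory", member, later, now),
    }
```

The order of the checks matters: expiry and the ban list are evaluated before any VO attribute is looked at, so a compromised or lapsed credential is refused even when its VO information is perfectly valid, and a VO the site does not serve gets no account at all rather than a default one.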

User Responsibilities
- Keep your private key secure: on a USB drive only.
- Do not lend your certificate to anyone.
- Report to your local/regional contact if your certificate has been compromised.
- Do not launch a delegation (proxy) for longer than your current task needs.
- If your certificate or a delegated proxy is used by someone other than you, it cannot be proven that it was not you.