Grid Security Infrastructure

Presentation transcript:

Grid Security Infrastructure
Globus Toolkit™ Developer Tutorial
The Globus Project™
Argonne National Laboratory
USC Information Sciences Institute
http://www.globus.org/

Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License. See http://www.globus.org/toolkit/download/license.html for the full text of this license.

Grid Security Infrastructure (GSI)
GSI is:
- Proxies and delegation (GSI extensions) for secure single sign-on
- SSL/TLS for authentication and message protection
- PKI (CAs and certificates) for credentials
(Figure: a layered stack with Proxies and Delegation on top of PKI (CAs and Certificates) and SSL/TLS.)
April 25, 2019 Globus Toolkit™ Developer Tutorial: Security

Public Key Infrastructure (PKI)
PKI allows you to know that a given public key belongs to a given user.
PKI builds off of asymmetric encryption:
- Each entity has two keys: public and private
- Data encrypted with one key can only be decrypted with the other
- The private key is known only to the entity
- The public key is given to the world, encapsulated in an X.509 certificate
(Figure label: Owner)

Certificates
An X.509 certificate binds a public key to a name.
It includes a name and a public key (among other things) bundled together and signed by a trusted party (the issuer).
(Figure: certificate fields Name, Issuer, Public Key, Signature.)

Certificate Authorities (CAs)
A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates.
A Certificate Authority is an entity that exists only to sign user certificates.
The CA signs its own certificate, which is distributed in a trusted manner.
(Figure: the CA's self-signed certificate: Name: CA, Issuer: CA, CA's Public Key, CA's Signature.)
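The three slides above (PKI, certificates, CAs) describe one mechanism: a certificate is a name plus a public key signed by an issuer, and a relying party accepts it only if the issuer is a CA whose self-signed certificate it already trusts. The following is an added example, not code from the tutorial or the Globus Toolkit, that walks through exactly that with a toy textbook-RSA signature in pure Python: the CA self-signs its certificate, issues a user certificate, and the verifier checks the signature against the trusted CA key. The key sizes, the JSON "certificate" layout, the CA name and the impostor case are constructed for illustration; real X.509 uses DER encoding, padded signatures and far larger keys.

```python
import hashlib
import json

# Toy RSA parameters (constructed; far too small for real use, they only make
# the arithmetic readable). Real CAs use 2048-bit or larger keys with padding.
P, Q = 1000000007, 998244353  # two well-known primes


def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as dicts for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(data: bytes, n: int) -> int:
    # SHA-256 reduced mod n so the toy modulus can carry it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    return pow(digest(data, private_key["n"]), private_key["d"], private_key["n"])


def verify_signature(public_key, data: bytes, signature: int) -> bool:
    return pow(signature, public_key["e"], public_key["n"]) == digest(data, public_key["n"])


def tbs_bytes(cert) -> bytes:
    """Canonical encoding of the to-be-signed fields: name, issuer, public key."""
    fields = {k: cert[k] for k in ("subject", "issuer", "public_key")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, public_key, issuer_name, issuer_private_key):
    """The issuer binds `subject` to `public_key` by signing both."""
    cert = {"subject": subject, "issuer": issuer_name, "public_key": public_key}
    cert["signature"] = sign(issuer_private_key, tbs_bytes(cert))
    return cert


def verify_certificate(cert, trusted_ca_certs) -> bool:
    """Accept a cert only if its issuer is a trusted CA and that CA's public
    key (taken from the trust store, never from the cert itself) verifies the
    signature over the cert's own fields."""
    ca = trusted_ca_certs.get(cert["issuer"])
    if ca is None:
        return False  # unknown issuer: nothing to anchor trust on
    return verify_signature(ca["public_key"], tbs_bytes(cert), cert["signature"])


def demo() -> dict:
    ca_name = "/C=US/O=Globus/CN=Example CA"  # constructed CA name
    ca_pub, ca_priv = make_keypair(1000000007, 998244353)
    # The CA signs its own certificate (Name: CA, Issuer: CA) ...
    ca_cert = issue_certificate(ca_name, ca_pub, ca_name, ca_priv)
    # ... which the relying party obtained out of band, as the slide's
    # /etc/grid-security/certificates directory does.
    trust_store = {ca_cert["subject"]: ca_cert}

    user_pub, user_priv = make_keypair(1000000009, 998244353)  # user_priv stays with the user
    user_cert = issue_certificate("/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster",
                                  user_pub, ca_name, ca_priv)

    # Changing any signed field (here the subject) invalidates the certificate.
    tampered = dict(user_cert, subject="/C=US/O=Globus/O=ANL/OU=MCS/CN=Someone Else")

    # An impostor CA that reuses the trusted CA's *name* but its own key is
    # rejected, because the verifier uses the key from the trust store.
    imp_pub, imp_priv = make_keypair(1000000007, 1000000009)
    impostor_cert = issue_certificate("/C=US/O=Globus/CN=Mallory", imp_pub, ca_name, imp_priv)

    return {
        "ca_self_signed_ok": verify_certificate(ca_cert, trust_store),
        "user_ok": verify_certificate(user_cert, trust_store),
        "tampered_ok": verify_certificate(tampered, trust_store),
        "impostor_ok": verify_certificate(impostor_cert, trust_store),
    }


if __name__ == "__main__":
    print(demo())
```

The impostor case is why the slide insists the CA certificate be "distributed in a trusted manner": trust comes from the key the verifier already holds, not from anything inside the presented certificate.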

Secure Socket Layer (SSL)
Also known as TLS (Transport Layer Security).
Uses certificates and TCP sockets to provide a secured connection:
- Authentication of one or both parties using the certificates
- Message protection: confidentiality (encryption) and integrity
(Figure: SSL/TLS layered over Certificates and TCP Sockets.)

Important Files
/etc/grid-security
- hostcert.pem: certificate used by the server in mutual authentication
- hostkey.pem: private key corresponding to the server's certificate (read-only by root)
- grid-mapfile: maps grid subject names to local user accounts (really part of the gatekeeper)
/etc/grid-security/certificates
- CA certificates: certs that are trusted when validating certs, and thus needn't be verified
- ca-signing-policy.conf: defines the subject names that can be signed by each CA

Important Files
$HOME/.globus
- usercert.pem: user's certificate (subject name, public key, CA signature)
- userkey.pem: user's private key (encrypted using the user's pass phrase)
/tmp
- Proxy file(s): temporary file(s) containing the unencrypted proxy private key and certificate (readable only by the user's account); the same approach Kerberos uses for protecting tickets
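Both "Important Files" slides rest on file permissions: hostkey.pem must be readable only by root, and a proxy file (which holds an unencrypted private key) only by its owner. An added audit helper, not part of the tutorial or the Globus Toolkit, that checks those properties on a path and reports what is wrong. The constructed demo writes placeholder key files into a temporary directory with a correct and an incorrect mode; the rule that a key file must not be a symlink and must not be executable is my own hardening assumption beyond the slide text.

```python
import os
import stat
import tempfile


def private_key_file_findings(path: str) -> list:
    """Return a list of problems with a GSI private-key or proxy file.

    Following the slides, the file must be readable by its owner only, so no
    group or world permission bits may be set. Requiring a regular file (not a
    symlink) and no execute bit are additional assumptions of this example.
    Checking the owner against a specific uid is left to the caller.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink; key files should be regular files")
    elif not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    if mode & stat.S_IXUSR:
        findings.append(f"{path}: mode {mode:04o} is executable")
    return findings


def demo() -> dict:
    """Create constructed key files with a good and a bad mode and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "hostkey.pem")   # stands in for /etc/grid-security/hostkey.pem
        bad = os.path.join(d, "proxy.pem")      # constructed name for a /tmp proxy file
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                         "-----END PRIVATE KEY-----\n")
        os.chmod(good, 0o400)  # read-only by the owner, as the slide requires
        os.chmod(bad, 0o644)   # world-readable: the private key leaks to every local user
        results["good"] = private_key_file_findings(good)
        results["bad"] = private_key_file_findings(bad)
        results["missing"] = private_key_file_findings(os.path.join(d, "userkey.pem"))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

On a real host the same function would be pointed at /etc/grid-security/hostkey.pem, $HOME/.globus/userkey.pem and the proxy file in /tmp; a clean result is an empty list.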

Secure Services
On most Unix machines, inetd listens for incoming service connections and passes connections to daemons for processing.
On Grid servers, the gatekeeper securely performs the same function for many services:
- It handles mutual authentication using files in /etc/grid-security
- It maps to local users via the gridmap file

Sample Gridmap File
The gridmap file is maintained by the Globus administrator; each entry maps a Grid-id into local user name(s).

# Distinguished name                                Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"     rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"   frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"     u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"         itf
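The gatekeeper's last step (previous two slides) is an exact lookup of the authenticated subject name in this file. An added example, not code from the tutorial or the Globus Toolkit, that parses the slide's sample entries and performs that lookup, denying anything that is not an exact match. The sample text is a constructed copy of the slide's entries with a comment and a blank line added; the convention that one entry may list several local accounts separated by commas, and that a duplicated DN is an error, are assumptions of this example.

```python
import shlex

# Constructed copy of the slide's sample gridmap file (same DNs as the slide;
# the comment and blank line are there to exercise the parser).
SAMPLE_GRIDMAP = '''\
# Distinguished name                               Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"    rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"  frost

"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"    u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"        itf
'''


def parse_gridmap(text: str) -> dict:
    """Parse gridmap text into {subject DN: [local usernames]}.

    Assumptions beyond the slide: '#' at line start is a comment, several
    local accounts may be separated by commas, and a DN listed twice is a
    configuration error rather than a silent overwrite.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quotes around a DN containing spaces
        if len(parts) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '\"DN\" user[,user...]'")
        dn, users = parts
        if not dn.startswith("/"):
            raise ValueError(f"gridmap line {lineno}: subject must be a /-separated DN")
        if dn in mapping:
            raise ValueError(f"gridmap line {lineno}: duplicate entry for {dn}")
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def map_subject(mapping: dict, subject: str, requested: str = None):
    """Return the local account for an authenticated subject, or None to deny.

    Only an exact DN match counts: a subject with a similar name issued under
    a different organisation is simply absent from the map. When an entry
    lists several accounts, `requested` must be one of them; otherwise the
    first listed account is used.
    """
    accounts = mapping.get(subject)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    m = parse_gridmap(SAMPLE_GRIDMAP)
    for dn in m:
        print(dn, "->", map_subject(m, dn))
```

The subject handed to map_subject is the one the mutual authentication step already verified against the trusted CAs; the gridmap file is an authorization list, not an authentication mechanism, which is why an unknown subject yields None rather than a guessed account.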