Grid Computing Basics
From the perspective of security
or
An Introduction to Certificates
Authentication
Identification of user
Kerberos is Fermilab’s chosen authentication service
Certificates provide authentication services for Grid and Web
Authorization is permission to access and utilize a resource after authentication
X.509
Standard for Public Key Certificates
–CCITT Recommendation X.509
Coupled with X.500 Naming Conventions
Part of Public Key Infrastructure (PKI)
Uses Asymmetric Encryption
Digital signatures
Expiration and Revocation Lists
Components of a Certificate
Distinguished Names of Issuer and Subject
–/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy
–/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
Serial Number
Validity Interval (start and end dates)
Extensions – E-mail address, Subject type, Policy Information, etc.
Public key of the Subject
Signature to make tamper-evident
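The slash-separated distinguished names on this slide are the OpenSSL text form of an X.500 name. The following is an added Python example, not code from the slides or from Fermilab or DOEGrids software, that parses that form into its relative distinguished names and compares two DNs the way RFC 5280's name-comparison rules treat these string attributes: ignoring case and compressing internal whitespace, so the two DC values `doegrids` and `DOEGrids` seen on this slide match. The backslash-escape handling and the `same_dn` and `common_name` helpers are this example's own conventions.

```python
def parse_dn(dn):
    """Split an OpenSSL-style '/type=value/type=value' DN into (TYPE, value) pairs.
    A backslash escapes the next character, so an escaped '/' inside a value is kept."""
    if not dn.startswith("/"):
        raise ValueError("expected the DN to start with '/'")
    rdns, buf, i = [], "", 1
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else "/"  # virtual '/' terminates the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]  # keep the escaped character literally
            i += 2
            continue
        if ch == "/":
            if buf:
                attr_type, sep, value = buf.partition("=")
                if not sep:
                    raise ValueError(f"RDN without '=': {buf!r}")
                rdns.append((attr_type.strip().upper(), value.strip()))
            buf = ""
        else:
            buf += ch
        i += 1
    return rdns


def normalize(value):
    """RFC 5280 style comparison of string values: fold case, compress internal whitespace."""
    return " ".join(value.split()).casefold()


def same_dn(a, b):
    """True when both DNs have the same RDN sequence under the normalized comparison."""
    pa, pb = parse_dn(a), parse_dn(b)
    return len(pa) == len(pb) and all(
        ta == tb and normalize(va) == normalize(vb) for (ta, va), (tb, vb) in zip(pa, pb)
    )


def common_name(dn):
    """Return the CN attribute value, or None if the DN has none."""
    return next((v for t, v in parse_dn(dn) if t == "CN"), None)


# The two names shown on the slide.
USER_DN = "/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy"
CA_DN = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"

if __name__ == "__main__":
    print(parse_dn(USER_DN))
    print(common_name(CA_DN))
    print(same_dn(USER_DN, "/dc=ORG/dc=DOEGrids/ou=People/cn=frank  j. nagy"))
```

Matching on the parsed RDN sequence rather than on the raw string is what lets an issuer field be compared against a CA certificate's subject even when the two were printed with different capitalization.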
Encryption
Symmetric encryption uses same shared key to encrypt and decrypt
Alice’s problem is securely getting her key to Bill before sending him any messages
Asymmetric encryption uses two keys
–User keeps private key secret
–User publishes public key
Public Key Encryption
Alice has published her public key and Bill has a copy.
Alice encrypts message with her private key, Bill (or anyone) can decrypt message with her public key
–This message can be a digital signature that identifies the rest of the message as from Alice
Bill encrypts message with Alice’s public key but only Alice can decrypt with her private key.
Computationally intensive, often used to securely exchange a symmetric key for use in the remainder of the communication session
Digital Signature
Use to sign messages
–Identify sender
–Make message tamper-evident
Take hash function or checksum of message text
Encrypt the hash with private key and send with message
Receiver decrypts signature with public key and compares to his hash of message text
Certificate Authority
Certificates are issued by a Certificate Authority (CA)
Trust Chains
Root Certificates Update sometimes seen when doing Windows Update is getting new CA certificates that establish this trust chain for well-known root CAs
Publish Certificate Revocation List (CRL)
–Serial numbers of revoked certificates
Trust Chain and Root CA (diagram slide)
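The hash-then-sign procedure on the Digital Signature slide and the trust-chain, validity-interval and CRL checks on the Certificate Authority slides, worked through as one added Python example that is not code from the slides or from any Fermilab or DOEGrids tool. It uses textbook RSA with constructed, seeded keys and a JSON stand-in for the to-be-signed fields; real X.509 uses DER encoding and PKCS#1 signature padding, so nothing here is suitable for production use. The distinguished names are the ones shown on the Components slide; the serial numbers, dates and message are constructed.

```python
import hashlib
import json
import random

# Seeded RNG so the constructed keys below are reproducible (toy use only).
rng = random.Random(20240101)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Textbook RSA: returns public (n, e) and private (n, d). Not for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so coprime unless it divides phi
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256-bit hash < 512-bit n


def sign(data, private_key):
    n, d = private_key
    return pow(digest(data), d, n)  # "encrypt the hash with the private key"


def verify(data, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(data)  # recover the hash, compare with own hash


def tbs_bytes(tbs):
    return json.dumps(tbs, sort_keys=True).encode()  # canonical bytes; X.509 uses DER


def make_cert(subject, issuer, serial, not_before, not_after, subject_pub, issuer_priv):
    tbs = {"subject": subject, "issuer": issuer, "serial": serial,
           "not_before": not_before, "not_after": not_after, "public_key": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(tbs_bytes(tbs), issuer_priv)}


def validate_chain(cert, known_certs, trusted_roots, crl, today):
    """Walk issuer links up to a trusted self-signed root; return (ok, reason)."""
    for _ in range(8):  # bound the walk so a malformed cyclic chain cannot loop forever
        tbs = cert["tbs"]
        if not (tbs["not_before"] <= today <= tbs["not_after"]):  # ISO dates sort as strings
            return False, f"{tbs['subject']}: outside validity interval"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: serial {tbs['serial']} is on the CRL"
        if tbs["issuer"] == tbs["subject"]:  # self-signed: acceptable only if trusted
            if tbs["subject"] in trusted_roots and verify(tbs_bytes(tbs), cert["signature"], tuple(tbs["public_key"])):
                return True, f"chain ends at trusted root {tbs['subject']}"
            return False, f"{tbs['subject']}: self-signed but not a trusted root"
        issuer = known_certs.get(tbs["issuer"])
        if issuer is None:
            return False, f"{tbs['subject']}: issuer {tbs['issuer']} unknown"
        if not verify(tbs_bytes(tbs), cert["signature"], tuple(issuer["tbs"]["public_key"])):
            return False, f"{tbs['subject']}: signature does not verify under issuer key"
        cert = issuer
    return False, "chain too long"


# Constructed scenario using the distinguished names shown on the Components slide.
CA_DN = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"
USER_DN = "/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy"
ca_pub, ca_priv = generate_keypair()
user_pub, user_priv = generate_keypair()
CA_CERT = make_cert(CA_DN, CA_DN, 1, "2024-01-01", "2029-01-01", ca_pub, ca_priv)
USER_CERT = make_cert(USER_DN, CA_DN, 4242, "2024-03-01", "2025-03-01", user_pub, ca_priv)


def message_check(msg=b"Meeting moved to 3pm"):  # constructed message
    """Sign a message, then verify it intact and after a one-byte change: (True, False)."""
    sig = sign(msg, user_priv)
    return verify(msg, sig, user_pub), verify(msg + b"!", sig, user_pub)


def scenario(today="2024-06-01", revoked=(), tamper=False):
    """Validate the user certificate on a given day, optionally revoked or tampered with."""
    cert = json.loads(json.dumps(USER_CERT))  # deep copy so USER_CERT stays intact
    if tamper:
        cert["tbs"]["subject"] = USER_DN.replace("Frank", "Fred")  # edited after signing
    return validate_chain(cert, {CA_DN: CA_CERT}, {CA_DN}, set(revoked), today)
```

Run `scenario()` for the good path, `scenario(tamper=True)` to see the CA signature fail once a signed field changes, `scenario(revoked=[(CA_DN, 4242)])` for a CRL hit, and `scenario(today="2026-01-01")` for an expired user certificate; the chain stops at the root only because the root's DN is in the trusted set, which is the role the Root Certificates Update plays for a browser or operating system.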
Fermilab Kerberos CA (KCA)
Get a certificate based on having a Kerberos principal
With a Kerberos ticket, KCA issues a certificate to the user valid for the maximum lifetime (7 days) of the Kerberos ticket
Use kinit followed by kx509 under Linux, then typically import certificate into browser
Use Get-Cert.bat under Windows, which automatically loads certificate into browser
Typical KCA Certificate Uses
Nessus scanner
Import into browser to access some Fermilab Web sites
Use to access Grid resources
Not generally useful for signing due to limited lifetime of the certificate
DOEGrids CA
Can issue personal or host/service certificates good for 1 year.
Home site is http://www.doegrids.org for instructions and other information
Request via their Web site
–https://pki1.doegrids.org/
–As Fermilab employee or visitor use FNAL as the affiliation on the request form
–Keep your private key secret! Keep it offline!
What is the Grid?
(diagram slide; labels: Jane User, Certificate, Internet, Gatekeeper, Grid Computing Resource)
Certificates and the Grid
Pass your personal certificate to Grid resource gatekeeper
Authenticates you to access this resource
Kerberos users (KCA certificates) can get full access to Fermilab Grid resources
Non-KCA certificates get limited access to Fermilab Grid resources
Certificates and E-mail
Load your personal certificate into your E-mail program to add a digital signature to your E-mail
Can also be used to encrypt messages
KCA certificates are NOT useful with E-mail due to very limited lifetime; instead use DOEGrids certificates (or ones from other CAs).
Certificates and the Web
Web servers send a server certificate to your browser to establish secure communications
–Secure Sockets Layer (SSL)
–https: instead of http: in the URL
–Remember those Root CA Certificates
Browser is authenticating the server in this case
Note: SSL only secures the Internet link, not data resident at the E-commerce site!
Certificates and the Web
Personal certificate (or KCA certificate) can be loaded into browser and used to authenticate the user for access to some sites.
Some Fermilab Web sites use KCA certificates in this manner
Host/Service Certificates
Fermilab system administrators can get host or service certificates from DOEGrids for Grid resources or Web servers.
–http://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.html
You will need the OpenSSH utility (see above web page)
Get KCA CA Certificates to authenticate KCA user certificates
–http://computing.fnal.gov/security/pki/index.html
More Information
Much of this information will appear in greater detail, with hyperlinks and examples, on web pages linked from the Fermilab Computer Security web page. These pages are in conceptual development at this time; watch for their appearance. Some information is already available there, and more is in development.
References
Planning for PKI – by Russ Housley and Tim Polk, published by Wiley
What is a Digital Signature?
OpenSSL Certificate Cookbook
The PKI Page (lots of links)
The NIST PKI Program