Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Presentation transcript:

Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Authentication
- Identification of user
- Kerberos is Fermilab's chosen authentication service
- Certificates provide authentication services for Grid and Web
- Authorization is permission to access and utilize a resource after authentication

X.509
- Standard for Public Key Certificates
  – CCITT Recommendation X.509
- Coupled with X.500 Naming Conventions
- Part of Public Key Infrastructure (PKI)
- Uses Asymmetric Encryption
- Digital signatures
- Expiration and Revocation Lists

Components of a Certificate
- Distinguished Names of Issuer and Subject
  – /DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy
  – /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
- Serial Number
- Validity Interval (start and end dates)
- Extensions – e-mail address, Subject type, Policy Information, etc.
- Public key of the Subject
- Signature to make the certificate tamper-evident

Encryption
- Symmetric encryption uses the same shared key to encrypt and decrypt
  – Alice's problem is securely getting her key to Bill before sending him any messages
- Asymmetric encryption uses two keys
  – User keeps private key secret
  – User publishes public key

Public Key Encryption
- Alice has published her public key and Bill has a copy.
- Alice encrypts a message with her private key; Bill (or anyone) can decrypt the message with her public key
  – This message can be a digital signature that identifies the rest of the message as from Alice
- Bill encrypts a message with Alice's public key, but only Alice can decrypt it with her private key.
- Computationally intensive, so often used only to securely exchange a symmetric key for use in the remainder of the communication session

Digital Signature
- Used to sign messages
  – Identify the sender
  – Make the message tamper-evident
- Take a hash function or checksum of the message text
- Encrypt the hash with the private key and send it with the message
- Receiver decrypts the signature with the public key and compares it to his own hash of the message text
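The sign-and-verify steps above, as an added Go example (not code from the original slides): Alice hashes the message with SHA-256 and signs the digest with her RSA private key; Bill recomputes the hash and checks the signature with her public key, so a tampered copy fails. The message text and the 2048-bit key size are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage follows the slide's recipe: hash the message text, then sign
// (encrypt) the hash with the sender's private key.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the receiver's side: hash the message as received and
// check it against the signature with the sender's public key.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo signs a constructed message as Alice and reports whether the original
// and a tampered copy verify under her public key.
func demo() (genuine, tampered bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Alice to Bill: the meeting is at 10:00") // constructed sample
	sig, err := signMessage(alice, msg)
	if err != nil {
		return false, false, err
	}
	genuine = verifyMessage(&alice.PublicKey, msg, sig)
	tampered = verifyMessage(&alice.PublicKey, []byte("Alice to Bill: the meeting is at 11:00"), sig)
	return genuine, tampered, nil
}

func main() {
	genuine, tampered, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine verifies:", genuine, " tampered verifies:", tampered) // true false
}
```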

Certificate Authority
- Certificates are issued by a Certificate Authority (CA)
- Trust Chains
- The "Root Certificates Update" sometimes seen when doing Windows Update is getting new CA certificates that establish this trust chain for well-known root CAs
- Publishes a Certificate Revocation List (CRL)
  – Serial numbers of revoked certificates
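An added Go example (not part of the original slides) that ties the certificate components and CA operations together: a constructed root CA issues a user certificate with the 7-day validity interval the KCA slide describes, and a Grid gatekeeper verifies the trust chain, the validity interval, and a CRL modelled as a set of revoked serial numbers. The CA name, the user's name, the serial numbers and the key size are constructed; everything is Go standard library, and the generic must helper needs Go 1.18 or later.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // aborts the demo on any key-generation or encoding error
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns the parsed certificate for tmpl, carrying subject's public key and signed by signer's key.
func issue(tmpl, parent *x509.Certificate, subject, signer *rsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// gatekeeperAccepts chains cert to a trusted root as of time at, then rejects serial numbers on the CRL.
func gatekeeperAccepts(cert *x509.Certificate, roots *x509.CertPool, at time.Time, crl map[string]bool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err == nil && !crl[cert.SerialNumber.String()] // trusted chain, inside validity interval, not revoked
}

// demo: constructed root CA plus a 7-day user certificate (the KCA lifetime); accepted now? after 8 days? when revoked?
func demo() (valid, expired, revoked bool) {
	now := time.Now()
	caKey, userKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}
	ca := issue(caTmpl, caTmpl, caKey, caKey) // self-signed root: the template is its own parent
	user := issue(&x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: now, NotAfter: now.Add(7 * 24 * time.Hour),
		Subject: pkix.Name{CommonName: "Jane User", OrganizationalUnit: []string{"People"}}}, ca, userKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	valid = gatekeeperAccepts(user, roots, now.Add(time.Hour), nil)
	expired = gatekeeperAccepts(user, roots, now.Add(8*24*time.Hour), nil)
	revoked = gatekeeperAccepts(user, roots, now.Add(time.Hour), map[string]bool{"4242": true})
	return
}
func main() {
	fmt.Println(demo()) // true false false
}
```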

Trust Chain and Root CA...

Fermilab Kerberos CA (KCA)
- Get a certificate based on having a Kerberos principal
- With a Kerberos ticket, the KCA issues a certificate to the user valid for the maximum lifetime (7 days) of the Kerberos ticket
- Use kinit followed by kx509 under Linux, then typically import the certificate into the browser
- Use Get-Cert.bat under Windows, which automatically loads the certificate into the browser

Typical KCA Certificate Uses
- Nessus scanner
- Import into browser to access some Fermilab Web sites
- Use to access Grid resources
- Not generally useful for signing due to the limited lifetime of the certificate

DOEGrids CA
- Can issue personal or host/service certificates good for 1 year.
- Home site is http://www.doegrids.org for instructions and other information
- Request via their Web site
  – https://pki1.doegrids.org/
  – As a Fermilab employee or visitor, use FNAL as the affiliation on the request form
  – Keep your private key secret! Keep it offline!

What is the Grid? (diagram labels: Jane User, Certificate, Internet, Gatekeeper, Grid Computing Resource)

Certificates and the Grid
- Pass your personal certificate to the Grid resource gatekeeper
  – Authenticates you to access this resource
- Kerberos users (KCA certificates) can get full access to Fermilab Grid resources
- Non-KCA certificates get limited access to Fermilab Grid resources

Certificates and E-mail
- Load your personal certificate into your e-mail program to add a digital signature to your e-mail
- Can also be used to encrypt messages
- KCA certificates are NOT useful with e-mail due to their very limited lifetime; instead use DOEGrids certificates (or ones from other CAs).

Certificates and the Web
- Web servers send a server certificate to your browser to establish secure communications
  – Secure Sockets Layer (SSL)
  – https: instead of http: in the URL
  – Remember those Root CA Certificates
- The browser is authenticating the server in this case
- Note: SSL only secures the internet link, not data resident at the E-commerce site!

Certificates and the Web
- A personal certificate (or KCA certificate) can be loaded into the browser and used to authenticate the user for access to some sites.
- Some Fermilab Web sites use KCA certificates in this manner

Host/Service Certificates
- Fermilab system administrators can get host or service certificates from DOEGrids for Grid resources or Web servers.
  – http://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.html
- You will need the OpenSSH utility (see the above web page)
- Get the KCA CA Certificates to authenticate KCA user certificates
  – http://computing.fnal.gov/security/pki/index.html

More Information
Much of this information will appear in greater detail, with hyperlinks and examples, on web pages off the Fermilab Computer Security web page. These web pages are in conceptual development at this time; watch for their appearance in the future. Some information is currently available there, and more is in development.

References
- Planning for PKI, by Russ Housley and Tim Polk, published by Wiley
- What is a Digital Signature?
- OpenSSL Certificate Cookbook
- The PKI Page (lots of links)
- The NIST PKI Program