An Authorization System for Grid Applications Thesis Presentation 5th Dec 2006 Author: Wang Xiao Supervisor: Professor Heikki Hämmäinen Instructor: MSc.


An Authorization System for Grid Applications
Thesis Presentation, 5th Dec 2006
Author: Wang Xiao
Supervisor: Professor Heikki Hämmäinen
Instructor: MSc. Mikko Pitkänen
Place: 3 months at CERN, Geneva, and the rest of the time at HIP, Espoo

Agenda
 Background
 Objectives and Methodology
 Grid Introduction
 Grid Security
 VOMS
 Conclusion
 Future Study

Background
 CERN - European Laboratory for Particle Physics
  Built in 1954; its research covers a wide range of areas
  The World Wide Web was developed at CERN
  Large Hadron Collider (LHC) project: a powerful particle accelerator that brings protons and ions into head-on collisions
  The LHC will need a lot of computing power: it can produce 40 million collisions per second, amounting to 10 petabytes of data per year
  The computing power required is equivalent to 100,000 of today's fastest PC processors
  LHC Computing Grid project at CERN - LCG
 HIP - Helsinki Institute of Physics
 EGEE project
  The largest European Grid project, coordinated at CERN

Objective and Methodology
 Objective
  To study Grid security systems, especially focusing on the Grid authorization system VOMS - Virtual Organization Membership Service
 Methodology
  Literature survey over alternative solutions and architectures
  Studying the current design architecture
  Studying the current implementation by looking into the source code repositories

Grid Introduction
 Grid has emerged as a new field of distributed computing, which focuses on secure resource sharing among a dynamic set of people and organizations.
 A Grid can be seen as a resource sharing infrastructure, a computing infrastructure or the next generation Internet.

Grid Security
 Grid security is a critical aspect of Grid services.
 Security: Authentication and Authorization
  Authentication: establishes the identity of the person
  Authorization: determines the user's ability to perform operations
 Grid Security Techniques
  Grid Security Infrastructure (GSI)
  EDG Java Security

Security Basics (1)
 Cryptography and Public Key Infrastructure (PKI)
  Symmetric-key encryption
  Asymmetric-key encryption

Security Basics (2) - Certificates
 X.509v3 certificate - comparable to a driving licence
  The most commonly used PKI standard
  Certificate Authority (CA)
  A certificate contains the public key information, signed by the CA
  An attribute certificate, like a visa, binds a set of attributes or other authorization information to the user

Grid Security Infrastructure (GSI)
 Provides the fundamental services for Grid security
 Authentication: makes use of certificates
  User certificate
  Server certificate
  In mutual authentication, the client and the server exchange their certificates to authenticate each other

An Example of User Certificate
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 150 (0x96)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
        Validity
            Not Before: Jul 16 08:51: GMT
            Not After: Jul 23 08:51: GMT
        Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c1:da:2e:5c:01:00:67:86:7c:b6:d0:69:43:f9:
                    0c:06:7b:83:85:35:19:6c:ea:ad:0c:ff:c5:4e:f3:
                    09:83:e4:39:08:63:df:4c:ab:43:4b:50:35:26:a4:
                    1b:42:f8:db:97:0c:4e:f1:55:93:10:d4:28:d7:eb:
                    86:58:3f:7c:6b
                Exponent: (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:1c:fc:ab:38:3c:bb:6c:06:02:e9:50:7a:00:35:c7:0f:
        25:3b:f8:b1:f9:fa:5b:4a:95:99:03:a5:56:19:c0:5e:b7:a0:
        fb:5f:df:e7:26:50:d2:b1:b1:c5:1a:c4:d9:be:05:68:71:24:
        0e:42:12:59:b6:c4:90:a0:ef:8d:8e:bc:46:31:8c:c1:f7:65:
        1b:d7:dc:cb:51:07:3d:bb:a2:39:5b:5f:82:7c:06:64:82:e1:
        14:2d:d9:75:bd:bf:ee:2d:38:3a:ac:11:fb:91:12:79:f5:d4:
        a8:dd:0a:15:7f:e2:04:45:9b:5f:c4:dc:dd:ef:2c:a9:ae:6b:
        23:8c
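The certificate above is a test-CA credential: version 1 (so it carries no extensions), a 512-bit RSA key and an MD5-based signature. As an added example that is not part of the presentation, the following script reads the text form of a certificate (the `openssl x509 -text` layout shown on the slide, abbreviated and embedded here as constructed input) and reports which of those parameters fall below an assumed site policy; the thresholds are assumptions, not values from the thesis.

```python
import re

# Constructed sample: the slide's certificate text, abbreviated (not a usable credential).
CERT_TEXT = """Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 150 (0x96)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
        Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
"""

# Assumed local acceptance policy for user certificates (not from the thesis).
MIN_RSA_BITS = 2048
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def parse_cert_text(text):
    """Pull the fields the policy check needs out of 'openssl x509 -text' style output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    return {
        "version": int(grab(r"^\s*Version:\s*(\d+)")),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "rsa_bits": int(grab(r"RSA Public Key:\s*\((\d+) bit\)")),
    }


def check_cert(fields):
    """Return the list of policy problems found; an empty list means the certificate passes."""
    problems = []
    if fields["version"] < 3:
        # v1 certificates cannot carry basicConstraints/keyUsage, so CA vs. end-entity
        # use cannot be constrained by the certificate itself.
        problems.append("not X.509v3: extensions such as basicConstraints are impossible")
    if fields["sig_alg"] in WEAK_SIG_ALGS:
        problems.append("weak signature algorithm: " + fields["sig_alg"])
    if fields["rsa_bits"] < MIN_RSA_BITS:
        problems.append("RSA key too short: %d bits" % fields["rsa_bits"])
    return problems
```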

Authorization in GSI
 Makes use of the grid-mapfile
 Maps the user to a local unix account

VOMS
 Short for Virtual Organization Membership Service
 A centralized service that is used to manage authorization within the scope of a Virtual Organization (VO)
 Developed by EGEE
 Problem with the current grid-mapfile: it is not scalable as the number of users increases, hence the strong requirement for VOMS
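To make the grid-mapfile authorization of the two preceding slides concrete, here is an added example (not code from the thesis or from GSI) that parses a constructed grid-mapfile, converts the slide's one-line subject into the slash-separated DN form the mapfile uses, and resolves it to a local account. The sample entries and account names are constructed; an unlisted DN simply maps to nothing, which is where the per-user maintenance burden and the scalability problem noted above come from.

```python
import shlex

# Constructed sample grid-mapfile: every authorized user needs their own line.
GRID_MAPFILE = """# subject DN -> local unix account(s)
"/C=CH/O=HIP/OU=TECH/CN=Xiao" xiao
"/C=CH/O=HIP/OU=TECH/CN=Test User" griduser,hiptest
"""


def parse_grid_mapfile(text):
    """Return {subject_dn: [accounts]} from grid-mapfile text.

    Each non-comment line is a double-quoted subject DN followed by one or more
    comma-separated local account names; anything else is rejected rather than guessed at.
    """
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2 or not line.startswith('"'):
            raise ValueError("grid-mapfile line %d is malformed: %r" % (lineno, line))
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def openssl_subject_to_dn(subject):
    """Convert the one-line form on the slide ('C=CH, O=HIP, OU=TECH, CN=Xiao')
    to the slash-separated form used in grid-mapfiles.
    Assumes no RDN value itself contains a comma."""
    return "/" + "/".join(part.strip() for part in subject.split(","))


def map_user(mapping, subject_dn):
    """Return the first local account for the DN, or None when the user is not listed
    (an unlisted DN is denied; there is no default account)."""
    accounts = mapping.get(subject_dn)
    return accounts[0] if accounts else None
```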

Overview of the gLite VOMS Environment

VOMS architecture
 User Server
 User Client
 Administration Client
 Administration Server

Use Case
1. The client (user) and the VOMS server authenticate each other by using the normal Grid certificates.
2. The client sends the request to the VOMS server.
3. The server checks the user certificate and the request.
4. The server signs the information that is retrieved from the VOMS database based on the user request and sends the signed information back to the client. Here the VOMS server signature is used to verify that a trusted VOMS service has provided the authorization information that will be attached to the user's proxy.
5. The client then checks the information received from the server.
6. The client application creates a proxy certificate on behalf of the user containing the information received from the VOMS server, added as an extension to the user's X.509 certificate.
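The six steps above, simulated as an added example that is not VOMS code and not part of the thesis. The VOMS database, the server DN and the signing key are constructed; an HMAC over a canonical encoding stands in for the X.509 signature a real VOMS server produces, and step 1 (mutual certificate authentication) is assumed to have already happened. The point shown is what the checks in steps 4 and 5 buy the relying party: attributes are accepted only from a trusted issuer, only when unmodified, only for the holder they were issued to, and only before they expire.

```python
import hashlib
import hmac
import json
import time

# Constructed VOMS "database": VO membership per user DN (demo data, not from the thesis).
VOMS_DB = {
    "/C=CH/O=HIP/OU=TECH/CN=Xiao": {"vo": "hip", "groups": ["/hip", "/hip/dev"]},
}
# Hypothetical VOMS server identity and key. HMAC with a shared key stands in for the
# RSA signature a real VOMS server makes with its own X.509 credential.
VOMS_SERVER_DN = "/C=CH/O=HIP/OU=TECH/CN=voms.example"
_SERVER_KEY = b"constructed-demo-key"
TRUSTED_VOMS = {VOMS_SERVER_DN: _SERVER_KEY}   # relying parties trust only listed issuers


def _sign(key, payload):
    """Signature stand-in over a canonical (sorted-key JSON) encoding of the attributes."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def voms_server(user_dn, requested_vo, now=None, lifetime=12 * 3600):
    """Steps 3-4: the authenticated user is looked up and signed attributes are returned."""
    entry = VOMS_DB.get(user_dn)
    if entry is None or entry["vo"] != requested_vo:
        return None                      # not a member of that VO: nothing is issued
    now = time.time() if now is None else now
    attrs = {"holder": user_dn, "issuer": VOMS_SERVER_DN, "vo": entry["vo"],
             "groups": entry["groups"], "not_after": now + lifetime}
    return {"attrs": attrs, "sig": _sign(_SERVER_KEY, attrs)}


def verify_attrs(ac, expected_holder, now=None):
    """Step 5 on the client, repeated by the resource: trusted issuer, valid signature,
    attributes bound to the expected holder DN, and not yet expired."""
    now = time.time() if now is None else now
    attrs = ac["attrs"]
    key = TRUSTED_VOMS.get(attrs["issuer"])
    if key is None:
        return False
    if not hmac.compare_digest(_sign(key, attrs), ac["sig"]):
        return False
    return attrs["holder"] == expected_holder and attrs["not_after"] > now


def make_proxy(user_dn, ac):
    """Step 6: the client embeds the verified VOMS attributes as an extension of the proxy."""
    if not verify_attrs(ac, user_dn):
        raise ValueError("refusing to build a proxy with unverifiable VOMS attributes")
    return {"subject": user_dn + "/CN=proxy", "issuer": user_dn,
            "extensions": {"voms": ac}}
```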

Conclusions
1. Java solution for VOMS
2. Shibboleth-based AAI combined with VOMS and Grid

Future Studies
1. Secure resource sharing techniques, scalability and reliability for the system
2. Usability of Grid
Thank You!