Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

Slides:



Advertisements
Similar presentations
Introduction of Grid Security
Advertisements

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Grid Security Infrastructure Globus Toolkit™ Developer Tutorial The Globus Project™ Argonne National Laboratory USC Information Sciences Institute
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Security on Grid Roberto Barbera Univ. of Catania and INFN
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Security Mechanisms The European DataGrid Project Team
INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.
Grid Computing Security Lê Thị Minh Châu Huỳnh Thị Khánh Duyên Trần Thị Thanh Thủy May 11, 2010.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Unit 1: Protection and Security for Grid Computing Part 2
INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
Security APIs in LCG-2 Andrea Sciabà LCG Experiment Integration and Support CERN IT.
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
Security, Authorisation and Authentication.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.
INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos MTA SZTAKI With thanks for some slides to.
1 Grid Security: PKI Based Authentication Infrastructure M.Effatparvar Fall 1391.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EGEE is a project funded by the European Union CA overview and requirements Ognjen Prnjat, Nikos Vogiatzis GRNET EGEE-SEE regional kick-off, April 7-8.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
1 Grid Security: PKI Based Authentication Infrastructure M.Effatparvar Fall 1391.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Authentication, Authorisation and Security
Grid Security.
Grid Security Jinny Chien Academia Sinica Grid Computing.
Grid School Module 4: Grid Security
Grid Security Overview
Grid Security Infrastructure
Presentation transcript:

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License. See for the full text of this license.

Grid School 2004Security Overview2 Security Terminology l Authentication: Establishing identity l Authorization: Establishing rights l Message protection –Message integrity –Message confidentiality l Non-repudiation l Digital signature l Accounting l Delegation

Grid School 2004Security Overview3 Trust Mismatch Mechanism Mismatch Multi-Institution Issues Certification Authority Certification Authority Domain A Server X Server Y Policy Authority Policy Authority Task Domain B Sub-Domain A1 Sub-Domain B1 No Cross- Domain Trust

Grid School 2004Security Overview4 Why Grid Security is Hard l Resources being used may be valuable & the problems being solved sensitive –Both users and resources need to be careful l Dynamic formation and management of virtual organizations (VOs) –Large, dynamic, unpredictable… l VO Resources and users are often located in distinct administrative domains –Can’t assume cross-organizational trust agreements –Different mechanisms & credentials >X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains), >X.509 attribute certs vs SAML assertions

Grid School 2004Security Overview5 Why Grid Security is Hard… l Interactions are not just client/server, but service-to-service on behalf of the user –Requires delegation of rights by user to service –Services may be dynamically instantiated l Standardization of interfaces to allow for discovery, negotiation and use l Implementation must be broadly available & applicable –Standard, well-tested, well-understood protocols; integrated with wide variety of tools l Policy from sites, VO, users need to be combined –Varying formats l Want to hide as much as possible from applications!

Grid School 2004Security Overview6 The Grid Trust solution l Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!) set up trust at the user/resource level l Virtual Organizations (VOs) for multi-user collaborations –Federate through mutually trusted services –Local policy authorities rule l Users able to set up dynamic trust domains –Personal collection of resources working together based on trust of user

Grid School 2004Security Overview7 Grid Solution: Use Virtual Organization as Bridge Certification Domain A GSI Certification Authority Sub-Domain B1 Authority Federation Service Virtual Organization Domain No Cross- Domain Trust

Grid School 2004Security Overview8 Effective Policy Governing Access Within A Collaboration

Grid School 2004Security Overview9 Use Delegation to Establish Dynamic Distributed System Compute Center VO Rights Compute Center Service

Grid School 2004Security Overview10 Goal is to do this with arbitrary mechanisms Compute Center VO Rights Compute Center Service Kerberos/ WS-Security X.509/SSL SAML Attribute X.509 AC SAML Attribute X.509 AC

Grid School 2004Security Overview11 Grid Security Infrastructure (GSI) l Use GSI as a standard mechanism for bridging disparate security mechanisms –Doesn’t solve trust problem, but now things talk same protocol and understand each other’s identity credentials –Basic support for delegation, policy distribution l Translate from other mechanisms to/from GSI as needed l Convert from GSI identity to local identity for authorization

Grid School 2004Security Overview12 GSI l GSI implements X.509 Proxy Certificates as extensions to these standards to support dynamic naming of services, delegation of rights and single sign-on l After authentication, GSI identity is mapped by administer configuration to a local identity for authorization. –Local identity controls access to local files, job startup rights, etc.

Grid School 2004Security Overview13 Grid Security Infrastructure (GSI) l Based on standard PKI technologies –SSL protocol for authentication, message protection –CAs allow one-way, light-weight trust relationships (not just site-to-site) l X.509 Certificates for asserting identity –for users, services, hosts, etc. l Proxy Certificates –GSI extension to X.509 certificates for delegation, single sign-on

Grid School 2004Security Overview14 Grid Security Infrastructure (GSI) l GSI is: PKI (CAs and Certificates) SSL/ TLS Proxies and Delegation PKI for credentials SSL for Authentication And message protection Proxies and delegation (GSI Extensions) for secure single Sign-on

Grid School 2004Security Overview15 Grid Identity, Local Policy Local Policy Map to local name Grid Identity In current model, all Grid entities assigned a PKI identity. User is mapped to local identities to determine local policy..

Grid School 2004Security Overview16 Local Identity, Grid Identity, Local Policy Local Policy Map to local name Grid Identity Kerberos Site KCA SSLK5 KRB5 Resources

Grid School 2004Security Overview17 GSI Implementation Compute Center VO Rights VO Users Services (running on user’s behalf) Rights’’ Rights’ Access Local Policy on VO identity or attribute authority CAS or VOMS issuing SAML or X.509 ACs SSL/WS-Security with Proxy Certificates Authz Callout KCA MyProxy

Grid School 2004Security Overview18 Public Key Infrastructure (PKI) l PKI allows you to know that a given key belongs to a given user l PKI builds off of asymmetric encryption: –Each entity has two keys: public and private –Data encrypted with one key can only be decrypted with other. –The public key is public –The private key is known only to the entity l The public key is given to the world encapsulated in a X.509 certificate Owner

Grid School 2004Security Overview19 John Doe 755 E. Woodlawn Urbana IL BD Male 6’0” 200lbs GRN Eyes State of Illinois Seal Certificates l Similar to passport or driver’s license: Identity signed by a trusted party Name Issuer Public Key Signature

Grid School 2004Security Overview20 Certificates l By checking the signature, one can determine that a public key belongs to a given user. Name Issuer Public Key Signature Hash =? Decrypt Public Key from Issuer

Grid School 2004Security Overview21 Certificate Authorities (CAs) l A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates l A Certificate Authority is an entity that exists only to sign user certificates l The CA signs it’s own certificate which is distributed in a trusted manner Name: CA Issuer: CA CA’s Public Key CA’s Signature

Grid School 2004Security Overview22 Certificate Authorities (CAs) l The public key from the CA certificate can then be used to verify other certificates Name Issuer: CA Public Key Signature Hash =? Decrypt Name: CA Issuer: CA CA’s Public Key CA’s Signature CA

Grid School 2004Security Overview23 Certificate Request Private Key encrypted on local disk Cert Request Public Key ID Cert User generates public/private key pair. User send public key to CA along with proof of identity. CA confirms identity, signs certificate and sends back to user.

Grid School 2004Security Overview24 X.509 Proxy Certificates l GSI Extension to X.509 Identity Certificates –RFC l Enables single sign-on l Allow user to dynamically assign identity and rights to service –Can name services created on the fly and give them rights (i.e. set policy) l What is effectively happening is the user is creating their own trust domain of services –Services trust each other with user acting as the trust root

Grid School 2004Security Overview25 Proxy Certificates Service CN=Jane Doe/9874 Rights: Can access file F1, Service S1, … CN=Jane Doe X.509 Proxy Delegation S1 F1 Use delegated rights to access resources. X.509 Id certificate X.509 Proxy certificate Create

Grid School 2004Security Overview26 Obtaining a Certificate l The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/: –usercert_request.pem: Unsigned certificate file –userkey.pem: Encrypted private key file >Must be readable only by the owner l Mail usercert_request.pem to l Receive a Globus-signed certificate Place in ~/.globus/usercert.pem l Other organizations use different approaches –NCSA, NPACI, NASA, etc. have their own CA

Grid School 2004Security Overview27 Certificate Information l To get cert information run grid-cert-info % grid-cert-info -subject /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster l Options for printing cert information -all-startdate -subject-enddate -issuer-help

Grid School 2004Security Overview28 “Logging on” to the Grid l To run programs, authenticate to Globus: % grid-proxy-init Enter PEM pass phrase: ****** l Creates a temporary, local, short-lived proxy credential for use by our computations l Options for grid-proxy-init: -hours -bits -help

Grid School 2004Security Overview29 grid-proxy-init Details l grid-proxy-init creates the local proxy file. l User enters pass phrase, which is used to decrypt private key. l Private key is used to sign a proxy certificate with its own, new public/private key pair. –User’s private key not exposed after proxy has been signed l Proxy placed in /tmp, read-only by user l NOTE: No network traffic! l grid-proxy-info displays proxy details

Grid School 2004Security Overview30 Grid Sign-On With grid-proxy-init User certificate file Private Key (Encrypted) Pass Phrase User Proxy certificate file

Grid School 2004Security Overview31 Destroying Your Proxy (logout) l To destroy your local proxy that was created by grid-proxy-init: % grid-proxy-destroy l This does NOT destroy any proxies that were delegated from this proxy. –You cannot revoke a remote proxy –Usually create proxies with short lifetimes

Grid School 2004Security Overview32 Proxy Information l To get proxy information run grid-proxy-info % grid-proxy-info -subject /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster l Options for printing proxy information -subject-issuer -type-timeleft -strength-help l Options for scripting proxy queries -exists -hours -exists -bits –Returns 0 status for true, 1 for false:

Grid School 2004Security Overview33 Delegation l Delegation = remote creation of a (second level) proxy credential –New key pair generated remotely on server –Proxy cert and public key sent to client –Clients signs proxy cert and returns it –Server (usually) puts proxy in /tmp l Allows remote process to authenticate on behalf of the user –Remote process “impersonates” the user

Grid School 2004Security Overview34 Limited Proxy l During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy –GRAM (job submission) client does this l Each service decides whether it will allow authentication with a limited proxy –Job manager service requires a full proxy –GridFTP server allows either full or limited proxy to be used

Grid School 2004Security Overview35 Secure Services l On most unix machines, inetd listens for incoming service connections and passes connections to daemons for processing. l On Grid servers, the gatekeeper securely performs the same function for many services –It handles mutual authentication using files in /etc/grid-security –It maps to local users via the gridmap file

Grid School 2004Security Overview36 Sample Gridmap File # Distinguished name Local # username "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup” rpg "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost” frost "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman” u14543 "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster” itf l Gridmap file maintained by Globus administrator l Entry maps Grid-id into local user name(s)

Grid School 2004Security Overview37 Authorization l GSI handles authentication, but authorization is a separate issue l Authorization issues: –Management of authorization on a multi-organization grid is still an interesting problem. –The grid-mapfile doesn’t scale well, and works only at the resource level, not the collective level. –Large communities that share resources exacerbates authorization issues, which has led us to CAS…

Grid School 2004Security Overview38 Security Summary l Programs for credential management –grid-cert-info, grid-proxy-init, grid-proxy- destroy, grid-proxy-info l GSS-API: The Globus Toolkit Grid Security Infrastructure (GSI) uses this API, which allows programs to easily add security l globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use