INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.


INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC and the NGS NeSC, 8th December 2004

Acknowledgements
Some of the slides in this presentation are based on / motivated by:
– The presentation given by Carl Kesselman at the GGF Summer School. This presentation may be found at – curriculum.htm
– Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at –
– The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at –

Approaches to Security: 1 The Poor Security House (image slide)

Approaches to Security: 2 The Paranoid Security House (image slide)

Approaches to Security: 3 The Realistic Security House (image slide)

Approaches to Grid Security
The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in a publicly available location.
The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave computer unattended.
The Realistic Security Approach:
– Encrypt all sensitive communications.
– Use difficult-to-break identification means.
– Keep identification secure at all times (e.g. encrypted on a memory stick).
– Only allow access to trusted users.

The Risks of Poor User Security
Launch attacks on other sites
– Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack.
Illegal or inappropriate data distribution and access to sensitive information
– Massive distributed storage capacity ideal, for example, for swapping movies.
Damage caused by viruses, worms etc.
– Highly connected infrastructure means worms spread faster than on the internet in general.

Authentication and Authorization
Authentication
– Are you who you claim to be?
Authorisation
– Do you have access to the resource you are connecting to?
(Illustration: a driver’s licence for “John Doe”.)

Aspects of Grid Security
Resources being used may be valuable & the problems being solved sensitive.
Dynamic formation and management of virtual organizations (VOs)
– Large, dynamic, unpredictable…
VO resources and users are often located in distinct administrative domains
– Can’t assume cross-organizational trust agreements
– Different mechanisms & credentials
Interactions are not just client/server, but service-to-service on behalf of the user
– Requires delegation of rights by user to service
– Services may be dynamically instantiated
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Grid Security Infrastructure (GSI)
Developed by Globus. All elements of the Globus Toolkit are built on top of this basic infrastructure.
A toolkit for the purposes of
– Secure communication
– Security across organizational boundaries, thus prohibiting a centrally-managed security system.
– Supporting "single sign-on" for Grid users, including delegation of credentials.
Introduces X.509 Proxy Certificates (an extended X.509 certificate)
– every user/host/service has a certificate.
– certificates are signed by certificate authorities trusted by the local sites.
– every Grid transaction is mutually authenticated.

The Trust Model (diagram)
Figure labels: Certification Authority, Domain A, Sub-Domain A1, Server X, Server Y, Policy Authority, Domain B, Sub-Domain B1, Task, GSI, Federation Service, Virtual Organization Domain, No Cross-Domain Trust.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Delegation
Delegation: the act of giving an organisation, person or service the right to act on your behalf.
– A site delegates responsibility for the users that may access its resources to the managers/management system of a VO.
– A VO delegates its rights to a user.
– A user delegates their authentication to a service to allow programs to run on remote sites.

Use Delegation to Establish Dynamic Distributed System (diagram)
Figure labels: Compute Center, VO, Service.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Goal is to do this with arbitrary mechanisms (diagram)
Figure labels: Compute Center, VO, Rights, Service, Kerberos/WS-Security, X.509/SSL, SAML Attribute.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

INSECURE vs SECURE (diagram)
Alice sends Bob a message (“Life Savings”) first in the clear, then protected with a public/private key pair. Figure labels: Public Key, Private Key, Message.

Public Key Infrastructure (PKI)
PKI allows you to know that a given key belongs to a given user.
PKI builds on asymmetric encryption:
– Each entity has two keys: public and private.
– Data encrypted with one key can only be decrypted with the other.
– The public key is public.
– The private key is known only to the entity.
The public key is given to the world encapsulated in an X.509 certificate.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

An illustration of how PKI works
Assume our message can be converted to a number in the range 1-9 (a 0 value represents an empty message):
– For this example use the value 4.
Encrypt the message by multiplying by 3 and working modulo 10:
– 4 x 3 = 12 = 2 mod 10
To decrypt we can’t divide by 3, because working modulo 10 only supports the integers 0-9. Instead, to decrypt the message multiply by 7 while working modulo 10:
– 2 x 7 = 14 = 4 mod 10
Why does this work?
– 3 x 7 = 21 = 1 mod 10, hence 1/3 ≡ 7 mod 10
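The slide’s modulo-10 illustration, generalised as an added example (not part of the original slides): the decryption key is found with the extended Euclidean algorithm, which also shows why a multiplier sharing a factor with the modulus, such as 2, cannot be undone.

```python
# Added example generalising the slide's modulo-10 illustration: a message is
# one digit 0-9, encryption multiplies by a key k, decryption multiplies by the
# inverse of k modulo 10. Constructed for illustration, not a real cipher.

def mod_inverse(k, n):
    """Extended Euclid: x with k*x = 1 (mod n), or None if gcd(k, n) != 1."""
    old_r, r = k % n, n
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % n if old_r == 1 else None

def encrypt(m, k, n=10):
    """The slide's step: 4 * 3 = 12 = 2 (mod 10)."""
    return (m * k) % n

def decrypt(c, k, n=10):
    """The slide's step: 2 * 7 = 14 = 4 (mod 10), because 3 * 7 = 21 = 1 (mod 10)."""
    inv = mod_inverse(k, n)
    if inv is None:
        raise ValueError(f"{k} has no inverse mod {n}: ciphertexts are ambiguous")
    return (c * inv) % n

def round_trips(k, n=10):
    """True if every message 0..n-1 survives encrypt-then-decrypt under key k."""
    if mod_inverse(k, n) is None:
        return False   # e.g. k=2: 1 and 6 both encrypt to 2, so nothing can undo it
    return all(decrypt(encrypt(m, k, n), k, n) == m for m in range(n))

# Caveat: this toy is not asymmetric. Anyone who knows the "public" multiplier
# and the modulus recovers the decryption key with mod_inverse in a few steps;
# real PKI (e.g. RSA) relies on that derivation being computationally infeasible.
```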

Certificates
Similar to a passport or driver’s license: identity signed by a trusted party.
Certificate fields: Name, Issuer, Public Key, Signature.
(Illustration: a State of Illinois driver’s licence for “John Doe”, with the state seal as the trusted party’s signature.)
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Certificate Authorities
A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates.
A Certificate Authority is an entity that exists only to sign user certificates.
Users authenticate themselves to the CA, for example by use of their passport or identity card.
The CA signs its own certificate, which is distributed in a secure manner.
EGEE recognizes a given set of CAs.
(Diagram of a CA certificate: Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature.)
slide based on presentation given by Carl Kesselman at GGF Summer School

Certificate Request
(Diagram: the private key is kept encrypted on local disk; the certificate request carries the public key and the user’s ID; the CA returns the signed certificate.)
1. User generates public/private key pair.
2. User sends public key to the CA along with proof of identity.
3. CA confirms identity, signs certificate and sends it back to the user.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Inside the Certificate
Standard (X.509) defined format.
User identification (e.g. full name).
User’s public key.
A “signature” from a CA, created by encoding a unique string (a hash) generated from the user’s identification, the user’s public key and the name of the CA. The signature is encoded using the CA’s private key. This has the effect of:
– Proving that the certificate came from the CA.
– Vouching for the user’s identification.
– Vouching for the binding of the user’s public key to their identification.

Certificate Validity
The public key from the CA certificate can then be used to verify the certificate.
(Diagram: the Signature in the user certificate (Name, Issuer: CA, Public Key, Signature) is decrypted with the CA’s Public Key taken from the CA certificate (Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature) and compared, “=?”, with the certificate contents.)
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Certificates and Delegation (diagram)
Stage 1, low frequency: CA Certificate (signs own).
Stage 2, medium frequency: User Certificate (signed by the CA certificate).
Stage 3, high frequency: Proxy Certificate (signed by the user certificate), presented to the Service.

Mutual Authentication Pt1
Two parties, let’s call them A and B, have certificates and they both trust the CAs that signed them.
Mutual Authentication is the process by which they prove to each other that they are who they say they are. The process is:
– B establishes A’s identity.
– A establishes B’s identity.
– A can trust B and B can trust A.

Mutual Authentication Pt2
1. A sends their certificate;
2. B verifies the signature in A’s certificate;
3. B sends A a challenge string;
4. A encrypts the challenge string with their private key;
5. A sends the encrypted challenge to B;
6. B uses A’s public key to decrypt the challenge;
7. B compares the decrypted string with the original challenge;
8. If they match, B has verified A’s identity and A cannot repudiate it.
(Diagram, A to B: A’s certificate; verify CA signature; random phrase; encrypt with A’s private key; encrypted phrase; decrypt with A’s public key; compare with original phrase.)
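The certificate contents, the validity check and the challenge-response above, carried through in code as an added example that is not part of the original slides: it uses deliberately tiny textbook RSA parameters (constructed here, far too small for real use) so that “encode the hash with the CA’s private key, decrypt with the CA’s public key” is visible, and it also verifies the CA → user → proxy chain from the Certificates and Delegation slide.

```python
import hashlib
import secrets

# Added illustration: textbook-sized RSA key pairs so every step is visible.
# The primes are constructed for the example and are far too small for real use.
def make_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"e": e, "n": n}, d          # (public key, private exponent)

def cert_digest(cert):
    """Hash over what the CA vouches for: the user's name, public key and the CA's name."""
    data = f"{cert['name']}|{cert['key']['e']}|{cert['key']['n']}|{cert['issuer']}"
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign_cert(cert, issuer_priv, issuer_pub):
    """The issuer encodes the digest with its private key; the result is the signature."""
    h = cert_digest(cert) % issuer_pub["n"]
    return dict(cert, sig=pow(h, issuer_priv, issuer_pub["n"]))

def verify_cert(cert, issuer_cert):
    """Decrypt the signature with the issuer's public key and compare with the digest."""
    pub = issuer_cert["key"]
    return pow(cert["sig"], pub["e"], pub["n"]) == cert_digest(cert) % pub["n"]

def verify_chain(chain):
    """chain[0] is the self-signed CA certificate; each later certificate is signed by the one before."""
    pairs = zip(chain, chain[1:])
    return verify_cert(chain[0], chain[0]) and all(verify_cert(c, issuer) for issuer, c in pairs)

def authenticate(a_cert, a_priv, ca_cert):
    """B establishes A's identity: check A's certificate, then A must sign a fresh challenge."""
    if not verify_cert(a_cert, ca_cert):
        return False
    n, e = a_cert["key"]["n"], a_cert["key"]["e"]
    challenge = secrets.randbelow(n)           # B's random phrase
    response = pow(challenge, a_priv, n)       # A encrypts it with A's private key
    return pow(response, e, n) == challenge    # B decrypts with A's public key and compares

# Constructed key pairs and certificates: CA -> user -> proxy.
CA_PUB, CA_PRIV = make_keypair(61, 53)
ca_cert = sign_cert({"name": "CA", "issuer": "CA", "key": CA_PUB}, CA_PRIV, CA_PUB)
USER_PUB, USER_PRIV = make_keypair(59, 67)
user_cert = sign_cert({"name": "Alice", "issuer": "CA", "key": USER_PUB}, CA_PRIV, CA_PUB)
PROXY_PUB, PROXY_PRIV = make_keypair(71, 73)
proxy_cert = sign_cert({"name": "Alice/proxy", "issuer": "Alice", "key": PROXY_PUB}, USER_PRIV, USER_PUB)

if __name__ == "__main__":
    print("chain valid:", verify_chain([ca_cert, user_cert, proxy_cert]))
    print("B has verified A:", authenticate(user_cert, USER_PRIV, ca_cert))
```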

User Authorisation to Access Resource (diagram slide)
slide based on presentation given by Carl Kesselman at GGF Summer School 2004

Authorisation Requirements
Detailed user rights centrally managed and assigned:
– User can have certain group membership and roles.
Involved parties:
– Resource providers: keep full control of access rights.
– The user’s Virtual Organisation: members of a certain group should have the same access rights independent of resource.
Resource provider and VO must agree on authorisation:
– Resource providers evaluate the authorisation granted by the VO to a user and map it into local credentials to access resources.

User Responsibilities
– Keep your private key secure.
– Do not loan your certificate to anyone.
– Report to your local/regional contact if your certificate has been compromised.
– Do not launch a delegation service for longer than your current task needs.
– If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

Summary (diagram)
Authentication via certificates and delegated services; authorisation delegated to the VO. Figure labels: Resource, User.