On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.

Presentation transcript:

On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007

What is a Robot
A long-lived user certificate
– Whose private key is “unprotected”
– i.e. not protected with a passphrase
Identity
– Not tied to a network identity
– Tied to a specific user (owner)

Why Robots
Solve certain tasks
– Encryption
– Grid monitoring
– Automated data replications or running jobs
Different types (extensions)
A 1SCP policy defines an additional OID

Deployment
UK first implementation…
Now DutchGrid has one too!
Meant to
– be accepted by the community
– gather real-life robot experiences
– become a Robot HOWTO for others to use

UK Implementation
Robots have names
– Named after what they are, not what they do
– “GridClient”, “MailCipher”, …
What they do…
– Depends on use and authorisation
– Job submission, data replication, monitoring – all “GridClient”

Robot Names
Robot DN derived from owner’s DN
– Owner DN + an additional CN
– /CN=Robot:GridClient
– ‘:’ can be encoded as printableString
– ‘:’ does not occur in user or host CNs
– Simple algorithm to find the name of a robot’s owner

Robot Names
Why use the DN?
– DN is used for authorisation
– DN is logged into log files
– Can easily find user from Robot’s DN
Allow disambiguation
– /CN=User Name/CN=Robot:Type (314)
– No semantics associated with the disambiguator

Robot extensions
Must be documented for each type
– Documentation can be external to CPS
Allows for adding more types
NO SERVER EXTENSIONS
– MUST NOT be able to act as server
– Does not contain network identity

How to recognise a robot
…from quite a long way away.
Check the DN…
– Does it have an additional CN with “Robot:”?
Check the policyIdentifier
– Does it have any Robot 1SCP OID?
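The naming scheme on the two "Robot Names" slides and the two checks on this slide (plus the "no server extensions" rule from the extensions slide) can be put into a single recogniser. The code below is an added example, not code from the talk or from the UK e-Science CA. It assumes OpenSSL-style slash-separated DNs, uses an obviously labelled placeholder where the Robot 1SCP policy OID would go (the slides do not give its value), and the sample DNs are constructed; the function names `split_dn`, `robot_from_dn`, `classify` and `profile_violations` are this example's own.

```python
"""Recognise Robot certificates the way the slides describe.

Added example; not code from the talk or from any CA. It works on
OpenSSL-style slash DNs ("/C=UK/O=eScience/.../CN=User Name/CN=Robot:GridClient")
with no external library, so RDN values are taken literally (no escaping).
"""
import re
from typing import List, Optional, Tuple

# Placeholder: the slides do not give the Robot 1SCP policy OID value.
ROBOT_POLICY_OIDS = {"<robot-1scp-oid-placeholder>"}
# Real extendedKeyUsage OID for serverAuth; a Robot must not carry it.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"

# Final CN of a Robot: "Robot:<Type>" or "Robot:<Type> (n)" with a numeric disambiguator.
_ROBOT_CN = re.compile(r"^Robot:(?P<type>[^\s(]+)(?:\s*\((?P<disamb>\d+)\))?$")
# Split only at a "/" that begins a new "attr=" component, so a host CN like
# "CN=host/www.example.org" survives in one piece.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9]*=)")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """'/C=UK/O=eScience/CN=User Name' -> [('C','UK'), ('O','eScience'), ('CN','User Name')]."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL slash-separated DN: %r" % dn)
    rdns = []
    for part in _RDN_SPLIT.split(dn[1:]):
        attr, sep, value = part.partition("=")
        if not (sep and attr and value):
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr, value))
    return rdns


def join_dn(rdns: List[Tuple[str, str]]) -> str:
    return "".join("/%s=%s" % (attr, value) for attr, value in rdns)


def robot_from_dn(dn: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (owner_dn, robot_type, disambiguator) if dn names a Robot, else None.

    The owner DN is everything before the final "CN=Robot:..." component: the
    "simple algorithm to find the owner" the slides rely on for logs and authorisation.
    """
    rdns = split_dn(dn)
    cn_positions = [i for i, (attr, _) in enumerate(rdns) if attr == "CN"]
    # Owner's CN plus one extra CN, and the extra one must be the last component.
    if len(cn_positions) < 2 or cn_positions[-1] != len(rdns) - 1:
        return None
    match = _ROBOT_CN.match(rdns[-1][1])
    if match is None:
        return None
    return join_dn(rdns[:-1]), match.group("type"), match.group("disamb")


def classify(dn: str, policy_oids: List[str]) -> str:
    """Combine the two checks from the "How to recognise a robot" slide.

    "robot" when DN and certificatePolicies agree, "user-or-host" when neither says
    robot, "inconsistent" when they disagree (reject rather than guess).
    """
    by_name = robot_from_dn(dn) is not None
    by_policy = bool(ROBOT_POLICY_OIDS.intersection(policy_oids))
    if by_name and by_policy:
        return "robot"
    if by_name or by_policy:
        return "inconsistent"
    return "user-or-host"


def profile_violations(ekus: List[str], san_names: List[str]) -> List[str]:
    """Check the "NO SERVER EXTENSIONS" rule: no serverAuth EKU, no network identity.

    ekus: extendedKeyUsage OIDs; san_names: subjectAltName entries such as
    "dNSName:www.example.org". Returns findings, empty when the profile is met.
    """
    findings = []
    if SERVER_AUTH_EKU in ekus:
        findings.append("extendedKeyUsage permits serverAuth")
    if any(n.startswith(("dNSName:", "iPAddress:")) for n in san_names):
        findings.append("subjectAltName carries a network identity")
    return findings


if __name__ == "__main__":
    # Constructed sample DNs in the UK e-Science naming style; not real certificates.
    base = "/C=UK/O=eScience/OU=CLRC/L=RAL"
    samples = [
        (base + "/CN=jane doe", []),
        (base + "/CN=jane doe/CN=Robot:GridClient", ["<robot-1scp-oid-placeholder>"]),
        (base + "/CN=jane doe/CN=Robot:MailCipher (314)", ["<robot-1scp-oid-placeholder>"]),
        (base + "/CN=host/www.example.org", []),
        (base + "/CN=jane doe/CN=Robot:GridClient", []),  # DN says robot, policy does not
    ]
    for dn, oids in samples:
        print("%-13s %s  %s" % (classify(dn, oids), dn, robot_from_dn(dn)))
    print(profile_violations([SERVER_AUTH_EKU], ["dNSName:www.example.org"]))
```

The "inconsistent" outcome is the defender's point: a DN that says Robot without the policy OID (or the reverse) is a certificate that does not fit the profile, and an authorisation layer keyed on the DN should fail closed on it instead of treating it as either a user or a robot.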

Security Issues
MUST be authorised independently
– of the user’s authorisation
Private key is “unprotected”
– i.e., not by passphrase – “always on”
So UK policy requires:
– Private key MUST be held on a key token
Key can’t be stolen: it is physically held on the machine

Security Issues
Robot certificates MUST NOT be shared
– Single person responsible for use of robot
– CA decides what it is, owner what it does
Each Robot has a unique DN
– No two Robots share keys

Security Issues – RA
Owner uses existing certificate/key to apply for a Robot
RA operator MUST verify that the key is protected on a key token
– Slightly clumsy changes to procedure
– Also true when rekeying
– Stick with renewals? (+ check owner’s cert)

Open Questions
Can anyone apply for a robot?
– If not, how should it depend on the type?
Distinguish simple from powerful robots
– Other than by extensions
– How to enforce what it does (cf. Globus services)
Bit like object signing extensions
– How does the CA assert this?
Are robots too tied to their owner’s name?

Conclusion
Robots can simplify and securify
Use cases – things otherwise run from proxies or host certs
As usual an experimental science
– Deployed now, learning from experience
– Wider support for tokens improves takeup