Security APIs in LCG-2 Andrea Sciabà LCG Experiment Integration and Support CERN IT.

Slides:

Advertisements

Similar presentations

Introduction of Grid Security

Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Security on Grid: Simone Campana LCG Experiment Integration and Support CERN-IT / INFN-CNAF.

Volkert 1 Parallel Systems Special Chapter: Foundations of Grid Computing Grid Computing Part 2: Security Jens Volkert Dieter Kranzlmüller.

Security on Grid Roberto Barbera Univ. of Catania and INFN

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Cryptography 101 Frank Hecker

CSCI 6962: Server-side Design and Programming

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Secure Electronic Transaction (SET)

EGEE-II INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.

Unit 1: Protection and Security for Grid Computing Part 2

INFSO-RI Enabling Grids for E-sciencE Security on Grid: Emidio Giorgio INFN – Catania Pisa, EGEE 4 th Conference Training Day, 23.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

5th EELA TUTORIAL - USERS E-infrastructure shared between Europe and Latin America Authentication and Authorization in gLite Alexandre.

INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.

Security, Authorisation and Authentication.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

Enabling Grids for E-sciencE Authentication & Authorization Assaf Gottlieb Material from: Andrea Sciabà Åke Edlund, JRA3 Manager, KTH David.

INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos MTA SZTAKI With thanks for some slides to.

Security CNS 4650 Fall 2004 Rev. 2 SSL, SASL, PKI.

Security on Grid: User Interface, Internals and APIs Simone Campana LCG Experiment Integration and Support CERN IT.

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

EGEE is a project funded by the European Union under contract IST Grid computing Assaf Gottlieb Tel-Aviv University assafgot tau.ac.il

EGEE is a project funded by the European Union under contract IST Authentication and Authorization in LCG-2 Flavia Donno Section Leader for.

Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre

INFSO-RI Enabling Grids for E-sciencE Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE Security on Grid: Emidio Giorgio INFN – Catania Singapore, 1st South East Asia Forum -- EGEE.

Security in WLCG/EGEE. Security – January Requirements Providers of resources (computers, storages, databases, services..) need risks to.

Authentication Services Grid Security concepts and tools Valeria Ardizzone Istituto Nazionale di Fisica Nucleare Sezione.

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

Tutorial on "GRID Computing“ EMBnet Conference 2008 CNR - ITB Authenticated Grid access with robot certificates Giuseppe LA ROCCA INFN.

1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.

Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December.

Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia 2010, Valencia.

GRID-FR French CA Alice de Bignicourt.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.

INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

Security, Authorisation and Authentication Mike Mineter,

Authentication, Authorisation and Security

Authorization and Authentication in gLite

Security, Authorisation and Authentication

Grid Security Jinny Chien Academia Sinica Grid Computing.

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

Security in gLite Valeria Ardizzone INFN EGEE User Tutorial

Presentation transcript:

Security APIs in LCG-2 Andrea Sciabà LCG Experiment Integration and Support CERN IT

EGEE Usage and Programming Introduction – October 6, Overview Basic security concepts Certificates Virtual Organisations Command line interface C/C++ interfaces (GSS-API, GSS Assist) Java interfaces (CoG) Other interfaces Hands-on exercise

EGEE Usage and Programming Introduction – October 6, Basic security concepts Principal An entity: a user, a program, or a machine Credentials Some data providing a proof of identity Authentication Verify the identity of the peer Authorization Map an entity to some set of privileges Confidentiality Encrypt the message so that only the recipient can understand it Integrity Ensure that the message has not be altered in the transmission Non-repudiation Impossibility of denying the authenticity of a digital signature

EGEE Usage and Programming Introduction – October 6, Encryption Symmetric encryption: same key (“secret”) used for encryption and decryption Kerberos, DES / 3DES, IDEA Asymmetric encryption: different keys used for encryption and decryption RSA, DSA Clear text message Encrypted text Clear text message Encryption Decryption Shared key Clear text message Encrypted text Clear text message Encryption Decryption Key A Key B

EGEE Usage and Programming Introduction – October 6, Public Key Infrastructure Provides authentication, integrity, confidentiality, non-repudiation Asymmetric encryption Digital signatures A hash derived from the message and encrypted with the signer’s private key Signature checked decrypting with the signer’s public key Allows key exchange in an insecure medium using a trust mode Keys trusted only if signed by a trusted third party (Certification Authority) A CA certifies that a key belongs to a given principal Certificate Public key + principal information + CA signature X.509 format most used PKI used by SSL, PGP, WS security, S/MIME, etc. Encrypted text Private Key Public Key Clear text message

EGEE Usage and Programming Introduction – October 6, X.509 certificates and authentication A B A’s certificate A Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) CA Digital signature Structure of a X.509 certificate

EGEE Usage and Programming Introduction – October 6, Certification Authorities Issue certificates for users, programs and machines Check the identity and the personal data of the requestor Registration Authorities (RAs) do the actual validation Manage Certificate Revocation Lists (CRLs) They contain all the revoked certificates yet to expire CA certificates are self-signed LCG-2 recognizes a given set of CAs

EGEE Usage and Programming Introduction – October 6, Globus Grid Security Infrastructure (GSI) de facto standard for Grid middleware Based on PKI Implements some important features Single sign-on Delegation Mutual authentication Introduces proxy certificates Short-lived certificates including the private key and signed with the user’s certificate

EGEE Usage and Programming Introduction – October 6, More on proxy certificates and delegation Delegation Allowing something else (eg. a file transfer service) to use my credentials Proxies can be moved over a network Subject identifies the user: User subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968 Proxy subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968/CN=proxy Full proxy A proxy created from a user certificate or another full proxy with normal delegation Limited proxy A proxy created from a proxy with limited delegation Entities can decide to accept only full proxies. Examples: GridFTP accepts all proxies Globus gatekeeper accepts only full proxies

EGEE Usage and Programming Introduction – October 6, Virtual Organizations and authorization LCG-2 users MUST belong to Virtual Organizations Sets of users belonging to a collaboration Each VO user has the same access privileges to Grid resources List of supported VOs: VOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects to local “pool” accounts Sites decide which VOs to accept... "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461".dteam "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968".cms "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE".alice... grid-mapfile

EGEE Usage and Programming Introduction – October 6, VOMS, LCAS, LCMAPS Virtual Organization Membership Service Extends the proxy info with VO membership, group, role and capabilities Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the site Checks if at that time the site accepts jobs Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg. UNIX uid/gid, AFS tokens, etc.) Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and roles "/VO=cms/GROUP=/cms".cms "/VO=cms/GROUP=/cms/prod".cmsprod "/VO=cms/GROUP=/cms/prod/ROLE=manager".cmsprodman

EGEE Usage and Programming Introduction – October 6, GSI environment variables User certificate files: Certificate:X509_USER_CERT (default: $HOME/.globus/usercert.pem ) Private key:X509_USER_KEY (default: $HOME/.globus/userkey.pem ) Proxy:X509_USER_PROXY (default: /tmp/x509up_u ) Host certificate files: Certificate:X509_USER_CERT (default: /etc/grid-security/hostcert.pem ) Private key:X509_USER_KEY (default: /etc/grid-security/hostkey.pem ) Trusted certification authority certificates: X509_CERT_DIR(default: /etc/grid-security/certificates )

EGEE Usage and Programming Introduction – October 6, Command line interface: certificate and proxy management Get information on a user certificate grid-cert-info[-help] [-file certfile] [OPTION]... -all whole certificate -subject | -s subject string -issuer | -I Issuer -startdate | -sd Start of validity -enddate | -ed End of validity Create a proxy certificate grid-proxy-init Destroy a proxy certificate grid-proxy-destroy Get information on a proxy certificate grid-proxy-info

EGEE Usage and Programming Introduction – October 6, Security APIs in LCG-2 Currently, there are no API developed specifically by LCG The existing API come from other projects Authentication Globus GSS-API, GSS Assist, COG Kits Authorization LCAS plugins LCMAPS plugins VOMS API The documentation is generally poor

EGEE Usage and Programming Introduction – October 6, API: GSS-API and GSS Assist GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-2743, 2744) Traditionally, interfaces to Kerberos Globus interfaced it to GSI Communication is kept separate Unfortunately, rather complicated to use GSS-API as user interface to GSI C API Java API (see later) The Globus GSS Assist routines are designed to simplify the use of the GSSAPI

EGEE Usage and Programming Introduction – October 6, GSS-API 1.The client initiates a context and prepares a token for the server 2.The token is sent to the server 3.The server interprets the token and prepares a new one to be sent to the client 4.The token is sent to the client 5. Iterate process until authentication process succeeds or fails 1.The client wraps a message for the server and sends it 2.The server receives the message and unwraps it 3. The server sends a confirmation message to the client (MIC) 4.The client verifies the MIC

EGEE Usage and Programming Introduction – October 6, GSS-API data types Integers OM_uint32 Strings typedef struct gss_buffer_struct { size_tlength; void*value; } gss_buffer_desc *gss_buffer_t Names gss_name_t

EGEE Usage and Programming Introduction – October 6, ) Client can use default credentials or obtain new ones with: OM_uint32 gss_acquire_cred ( OM_uint32 *minor_status, const gss_name_t desired_name, #name of the principal OM_uint32 time_req, #time validity of credential const gss_OID_set desired_mechs,#...suggest: to use default gss_cred_usage_t cred_usage,#how cred should be used gss_cred_id_t *output_cred_handle, #handler for generated cred. gss_OID_set *actual_mechs,#...suggest: use default OM_uint32 *time_rec) 2) Import the name of the server into GSS-API internal format with: OM_uint32 gss_import_name ( OM_uint32 *minor_status, const gss_buffer_t input_name_buffer,#name to be imported const gss_OID input_name_type,#format of input buffer gss_name_t *output_name) #imported name Client GSS-API