Military Technical Academy Bucharest, 2004 GETTING ACCESS TO THE GRID Authentication, Authorization and Delegation ADINA RIPOSAN Applied Information Technology.

Presentation transcript:

Military Technical Academy Bucharest, 2004 GETTING ACCESS TO THE GRID Authentication, Authorization and Delegation ADINA RIPOSAN Applied Information Technology Department of Computer Engineering

Military Technical Academy Bucharest, 2004  Authentication and Authorization  Delegation mechanism

Authentication and Authorization

Authentication & Authorization
In Grid environments, your host will become a client in some cases and a server in other cases. => Therefore, your host might be required:
 to authenticate another host, and
 to be authenticated by that host at the same time.
The mutual Authentication function of GSI:
 It proceeds with the Authentication steps, then changes the direction of the hosts and redoes the procedure.
Briefly speaking:
 Authentication is the process of sharing public keys securely with each other.
 Authorization is the process that MAPS your DN to a local user/group of a remote host.

Mutual Authentication procedure

Delegation mechanism

Delegation mechanism
 Remote delegation: where a user creates a proxy certificate at a REMOTE machine
 Local delegation: where a user creates a proxy certificate at the LOCAL machine

REMOTE DELEGATION
When you make a proxy to a remote machine, the proxy's private key is on the remote machine => The super-user of that machine can access your proxy's private key and conduct business under your name.
 This delegated credential can be vulnerable to attacks.
 In order to avoid this impersonation, it is recommended that the proxy attain restricted policies from its owner, as is the case with GRAM, for example. (The standardization of this proxy restriction is now going on under the GSI Working Group of Grid Forum Security.)
 To distribute jobs to remote grid machines, and
 to let them distribute their child jobs to other machines under your security policy,
=> the DELEGATION function of GSI can be used.

Delegation procedure of user’s proxy

If you are on the side of host A => you can create your proxy at host B => to delegate your authority.
 This proxy acts as yourself and submits a request to host C on your behalf.
The next steps:
 the procedure to create your proxy at a remote machine (proxy creation), and
 the procedure to submit a request to the other remote host on your behalf (proxy action).

Proxy creation
1. A trusted communication is created between host A and host B.
2. You request host B to create a proxy that delegates your authority.
3. Host B creates the request for your proxy certificate and sends it back to host A.
4. Host A signs the request to create your proxy certificate using your private key and sends it back to host B.
5. Host A sends your certificate to host B.

Proxy action
1. Your proxy sends your certificate and the certificate of your proxy to host C.
2. Host C gets your proxy's public key through the path validation procedure:
 a. Host C gets your subject and your public key from your certificate using the CA's public key.
 b. Host C gets the proxy's subject and your proxy's public key from your proxy's certificate using your public key.
 c. The subject is a Distinguished Name similar to "O=Grid/O=Globus/OU=itso.grid.com/CN=your name". The subject of the proxy certificate is derived from its owner's (your) subject and is similar to "O=Grid/O=Globus/OU=itso.grid.com/CN=your name/CN=proxy".

 So in order to validate the proxy certificate, host C just has to check that the proxy's subject with the trailing "/CN=proxy" component removed is the same as your subject. => If it is validated, your proxy is authenticated by host C and able to act on your behalf.
3. The proxy encrypts a request message using its private key and sends it to host C.
4. Host C decrypts the encrypted message using the proxy's public key and gets the request.
5. Host C runs the request under the authority of a local user. The user is specified using a mapping file, which represents the mapping between the grid users (subject) and local users (local user name).
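The proxy creation and proxy action steps above, carried through as an added example that is not part of the original slides or of the Globus Toolkit: a CA certificate, a user certificate signed by the CA, and a proxy certificate signed with the user's own key whose subject is the user's subject plus "/CN=proxy". The validateProxyPath function then does what host C does in step 2 (CA key vouches for the user certificate, user key vouches for the proxy certificate, proxy subject equals owner subject plus "/CN=proxy"), and mapToLocalUser performs the step 5 grid-mapfile lookup. All names (alice, alice_local, Grid CA, the DNs) and the in-memory gridMap are constructed for the example; because the user certificate is not a CA, the proxy signature is checked directly with the user's public key via Go's CheckSignature rather than through the standard chain verifier, which is the assumption that stands in for GSI's proxy-aware path validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed grid-mapfile (grid subject -> local account); the DN is invented.
var gridMap = map[string]string{"/O=Grid/O=Globus/OU=itso.grid.com/CN=alice": "alice_local"}

// subject builds "/O=Grid/O=Globus/OU=itso.grid.com/CN=..." one RDN per component, so a proxy ends in a second CN.
func subject(cns ...string) pkix.Name {
	o, ou, cn := asn1.ObjectIdentifier{2, 5, 4, 10}, asn1.ObjectIdentifier{2, 5, 4, 11}, asn1.ObjectIdentifier{2, 5, 4, 3}
	atvs := []pkix.AttributeTypeAndValue{{Type: o, Value: "Grid"}, {Type: o, Value: "Globus"}, {Type: ou, Value: "itso.grid.com"}}
	for _, c := range cns {
		atvs = append(atvs, pkix.AttributeTypeAndValue{Type: cn, Value: c})
	}
	return pkix.Name{ExtraNames: atvs}
}

// dnString renders a parsed subject in the slash-separated form the slides use.
func dnString(n pkix.Name) string {
	short := map[string]string{"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}
	var b strings.Builder
	for _, atv := range n.Names {
		fmt.Fprintf(&b, "/%s=%v", short[atv.Type.String()], atv.Value)
	}
	return b.String()
}

// issue creates a certificate for pub signed by signer (the parent's key; self-signed when parent is nil).
func issue(serial int64, subj pkix.Name, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign certificates in the normal sense
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert
}

// validateProxyPath is host C's step 2: the CA key vouches for the user cert, the user key vouches
// for the proxy cert, and the proxy subject must be the owner's subject plus "/CN=proxy".
func validateProxyPath(ca, user, proxy *x509.Certificate) (string, error) {
	if err := user.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("user certificate not signed by CA: %w", err)
	}
	// The user cert is not a CA, so CheckSignatureFrom would refuse it as an
	// issuer; verify the proxy's signature directly with the user's public key.
	if err := user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return "", fmt.Errorf("proxy certificate not signed by user: %w", err)
	}
	owner, prx := dnString(user.Subject), dnString(proxy.Subject)
	if !strings.HasSuffix(prx, "/CN=proxy") || strings.TrimSuffix(prx, "/CN=proxy") != owner {
		return "", fmt.Errorf("proxy subject %q is not %q plus /CN=proxy", prx, owner)
	}
	return owner, nil
}

// mapToLocalUser is step 5: the grid-mapfile lookup from owner subject to local account.
func mapToLocalUser(ownerDN string) (string, error) {
	if u, ok := gridMap[ownerDN]; ok {
		return u, nil
	}
	return "", fmt.Errorf("no grid-mapfile entry for %q", ownerDN)
}

// Demo builds CA -> alice -> proxy and validates it as host C would; forgedErr shows that a
// self-signed certificate merely claiming alice's proxy subject is rejected.
func Demo() (localUser string, forgedErr, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proxyKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue(1, subject("Grid CA"), true, nil, &caKey.PublicKey, caKey)
	alice := issue(2, subject("alice"), false, ca, &aliceKey.PublicKey, caKey)
	proxy := issue(3, subject("alice", "proxy"), false, alice, &proxyKey.PublicKey, aliceKey)

	owner, err := validateProxyPath(ca, alice, proxy)
	if err != nil {
		return "", nil, err
	}
	localUser, err = mapToLocalUser(owner)
	forged := issue(4, subject("alice", "proxy"), false, nil, &proxyKey.PublicKey, proxyKey)
	_, forgedErr = validateProxyPath(ca, alice, forged)
	return localUser, forgedErr, err
}

func main() { fmt.Println(Demo()) }
```

The subject check alone is not enough: the forged certificate in Demo carries exactly the right subject and still fails, because step 2b (the owner's public key verifying the proxy certificate) is what ties the "/CN=proxy" name back to the key the CA vouched for. That is the point of the path validation procedure, and why a site relying only on the grid-mapfile DN would be exposed.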
