Security, Authorisation and Authentication.

Slides:



Advertisements
Similar presentations
Introduction of Grid Security
Advertisements

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
The National Grid Service and OGSA-DAI Mike Mineter
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security Management.
Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.
INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
Security APIs in LCG-2 Andrea Sciabà LCG Experiment Integration and Support CERN IT.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Network Security7-1 CIS3360: Chapter 8: Cryptography Application of Public Cryptography Cliff Zou Spring 2012 TexPoint fonts used in EMF. Read the TexPoint.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.
INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos MTA SZTAKI With thanks for some slides to.
EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.
User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
Next Steps: becoming users of the NGS Mike Mineter
Next Steps.
Creating and running an application.
Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
EGEE is a project funded by the European Union under contract IST Grid computing Assaf Gottlieb Tel-Aviv University assafgot tau.ac.il
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
INFSO-RI Enabling Grids for E-sciencE Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh.
The National Grid Service Mike Mineter.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Using Certificate & Simple Job Submission Jinny Chien ASGC.
1 Grid Security Jinny Chien Academia Sinica Computing Centre Deployment team.
Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Security, Authorisation and Authentication Mike Mineter,
Security in gLite Gergely Sipos MTA SZTAKI
Authentication, Authorisation and Security
Security and getting access to the training infrastructure
Security, Authorisation and Authentication
Grid Security Jinny Chien Academia Sinica Grid Computing.
Using SSL – Secure Socket Layer
Presentation transcript:

Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre

2 Policy for re-use This presentation can be re-used for academic purposes. However if you do so then please let training- know. We need to gather statistics of re-use: no. of events, number of people trained. Thank you!!training-

3 Security Overview Grid Security Infrastructure Authentication Encryption & Data Integrity Authorization Security

4 The Problems - 1 How does a user securely access the Resource without having an account on the machines in between or even on the Resource? How does the Resource know who a user is? How are rights and that they are allowed access? User Resource

5 The Problems -2: Reducing vulnerability Launch attacks to other sites –Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack. Illegal or inappropriate data distribution and access sensitive information –Massive distributed storage capacity ideal for example, for swapping movies. Damage caused by viruses, worms etc. –Highly connected infrastructure means worms spread faster than on the internet in general.

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 6 Basis of security & authentication Asymmetric encryption… …. and Digital signatures … –A hash derived from the message and encrypted with the signer’s private key –Signature is checked by decrypting with the signer’s public key Are used to build trust –That a user / site is who they say they are –And can be trusted to act in accord with agreed policies Encrypted text Private Key Public Key Clear text message

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 7 Public Key Algorithms Every user has two keys: one private and one public: –it is impossible to derive the private key from the public one; –a message encrypted by one key can be decrypted only by the other one. Public keys are exchanged The sender encrypts using his private key The receiver decrypts using senders public key; The number of keys is O(n) Paul’s keys public private PaulJohn ciao3$rciao3$r

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 8 Digital Signature Paul calculates the h hh hash of the message Paul encrypts the hash using his p pp private key: the encrypted hash is the d dd digital signature. Paul sends the signed message to John. John calculates the hash of the message Decrypts signature, to get A, using Paul’s p pp public key. If hashes equal: 1. message wasn’t modified; 2. hash A is from Paul’s private key John message Digital Signature Paul message Digital Signature message Digital Signature Hash A Paul’s keys publicprivate Hash B Hash A = ?

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 9 The Grid Security Infrastructure (GSI) every Grid transaction is mutually authenticated: 1. A sends his certificate; 2. B verifies signature in A’s certificate using CA public certificate; 3. B sends to A a challenge string; 4. A encrypts the challenge string with his private key; 5. A sends encrypted challenge to B 6. B uses A’s public key to decrypt the challenge. 7. B compares the decrypted string with the original challenge 8. If they match, B verified A’s identity and A can not repudiate it. 9. Repeat for A to verify B’s identity A B A’s certificate Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Based on X.509 PKI:

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 10 The Grid Security Infrastructure (GSI) - continued Default: message integrity checking –Not private – a test for tampering. For private communication: –Encrypt all the message (not just hash) - Slower After A and B authenticated each other, for A to send a message to B: A B Generate hash from message Message + Encrypted hash Decrypt with A’ s public key Compare with decrypted hash Encrypt hash with A’ s private key Further encrypt hash with B’ s public key Decrypt with B’ s private key Generate hash from message

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 11 Digital Certificates How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s? –A third party certifies correspondence between the public key and Paul’s identity. –Both John and Paul trust this third party Certification Authority The “third party” is called a Certification Authority (CA).

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 12 X.509 Certificates An X.509 Certificate contains:  owner’s public key;  identity of the owner;  info on the CA;  time of validity;  Serial number;  Optional extensions –digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) Optional Extensions CA Digital signature

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 13 Certification Authorities User’s identity has to be certified by one of the national Certification Authorities (CAs) Resources are also certified by CAs CAs are mutually recognized CAs each establish a number of people “registration authorities” RAs To find RAs in UK go to support.ac.uk/ca/ralist.htm support.ac.uk/ca/ralist.htm

14 Grid Security Infrastructure - proxies To support delegation: A delegates to B the right to act on behalf of A proxy certificates extend X.509 certificates –Short-lived certificates signed by the user’s certificate or a proxy –Reduces security risk, enables delegation

15 Certificate Request Private Key encrypted on local disk Cert Request Public Key ID Cert User generates public/private key pair in browser. User sends public key to CA and shows RA proof of identity. CA signature links identity and public key in certificate. CA informs user. CA root certificate

16 “Compute element”: An LRMS queue “Worker nodes” Local resource management system: Condor / PBS / LSF master Globus gatekeeper Job request Info system Logging gridmapfile I.S. Logging

17 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

Enabling Grids for E-sciencE INFSO-RI EGEE Middleware, 14 March 2006 Dublin 18 AA Summary Authentication –User obtains certificate from Certificate Authority –Connects to UI by ssh UI is the user’s interface to Grid –Uploads certificate to UI –Single logon – to UI - create proxy –then Grid Security Infrastructure uses proxies Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by resource: Gridmapfile (or similar) maps user to local account UI CA VO mgr Annually VO database Gridmapfiles for grid services GSI VO service Daily update

19 Our setup Core NGS nodes Putty: ssh Tutorial room machines UI training-ui.nesc.ed.ac.uk. Internet

20 The Practical You should have been given an information sheet containing your username and password 1.Login to your workstation 2.Open a browser window and follow the link from Click on the “further information” for this practical. …. Find Putty on your PC 4.Open a new session on putty: 1.connect to training-ui.nesc.ed.ac.uk 2.Accept key when prompted by training-ui

21 The Practical You should have been given an information sheet containing your username and password 1.Login to your workstation 2.Open a browser window and follow the link from 3.Click on the “further information” for this practical. 4.Before you follow instructions to use the putty program set it up to use X11 (useful later on)…. Next slide

22 How to start putty to enable x11 1.Run exceed 2.Run putty 3.Set X11 before opening session 4.(kwrite editor available)

23 Open a new session on putty: connect to training-ui.nesc.ed.ac.uk Accept key when prompted by training-ui

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.