1 Grid School Module 4: Grid Security

2 Typical Grid Scenario (diagram: users on one side, resources on the other)

3 What do we need?
- Identity
- Authentication
- Message Protection
- Authorization
- Single Sign On

4 Identity & Authentication
- Each entity should have an identity
- Authenticate: establish identity
  - Is the entity who it claims to be?
  - Examples:
    - Driving license
    - Username/password
- Stops impostors masquerading as someone else

5 Message Protection: Privacy (illustration: a medical record, "Patient no: 3456", that must not be readable by anyone but its intended recipient while in transit)

6 Message Protection: Integrity (illustration: a request to run myHome/whoami is altered in transit into a request to run myHome/rm -f *; the receiver must be able to detect that the message was changed)

7 Authorization
- Establishing rights
- What can a given identity do? Examples:
  - Are you allowed to be on this flight?
    - As a passenger?
    - As the pilot?
  - Unix read/write/execute permissions
- Must authenticate first

8 Grid Security: Single Sign On (diagram labelled "Authenticate Once")

9 Grid Security: Single Sign On (diagram labelled "Delegation")

10 Single Sign-on
- Important for complex applications that need to use Grid resources
  - Enables easy coordination of varied resources
  - Enables automation of processes
  - Allows remote processes and resources to act on the user's behalf
  - Built from two pieces: authentication and delegation

11 Solutions

12 Cryptography for Message Protection
- Enciphering and deciphering of messages in secret code
- Key
  - Collection of bits
  - Building block of cryptography
  - Within a given algorithm, more bits make the key harder to guess; key length says nothing about whether the algorithm itself is sound

13 Encryption
- Encryption is the process of feeding some data and a key into a function and getting encrypted data out
- Encrypted data is, in principle, unreadable unless decrypted
(diagram: data + key -> Encryption Function -> encrypted data)

14 Decryption
- Decryption is the process of feeding encrypted data and a key into a function and getting the original data out
  - The encryption and decryption functions are linked
(diagram: encrypted data + key -> Decryption Function -> original data)

15 Asymmetric Encryption
- Encryption and decryption functions that use a key pair are called asymmetric
  - The two keys are mathematically linked

16 Public and Private Keys
- With asymmetric encryption each user can be assigned a key pair: a private key and a public key
  - The private key is known only to its owner
  - The public key is given away to the world
- Encrypt with the public key; only the private key can decrypt
- Provides message privacy

17 Digital Signatures
- Digital signatures allow the world to
  - determine whether the data has been tampered with
  - verify who created a chunk of data
- Sign with the private key, verify with the public key
- Provides message integrity
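Slides 15 to 17 done with the openssl command line, added here as an example (not code from the slides or from Globus, which uses these primitives through its own libraries). Alice's key pair gives privacy for the medical record from slide 5 and a signature that catches the tampered command from slide 6; a second key pair shows that the wrong key fails on both sides. Key size, file names and the messages are assumed example values; OAEP padding and SHA-256 are the choices a current deployment would make, not something the slides specify.

```shell
#!/bin/sh
# Added example, not code from the slides or from Globus: slides 15 to 17 done
# with the openssl CLI (OpenSSL 1.1.1 or later) in a throwaway directory.
# Key size, file names and the two messages (the medical record from slide 5,
# the command from slide 6) are assumed example values.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Slide 16: Alice's key pair. alice.key never leaves her machine; alice.pub
# is handed out to the world. Bob gets a pair too, to show the wrong key fails.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out alice.key 2>/dev/null
openssl pkey -in alice.key -pubout -out alice.pub 2>/dev/null
chmod 600 alice.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out bob.key 2>/dev/null
openssl pkey -in bob.key -pubout -out bob.pub 2>/dev/null

# Privacy (slides 5 and 16): anyone can encrypt with alice.pub; only the
# holder of alice.key can decrypt. OAEP is the padding to use for RSA today.
printf 'Patient no: 3456' > record.txt
openssl pkeyutl -encrypt -pubin -inkey alice.pub -pkeyopt rsa_padding_mode:oaep \
  -in record.txt -out record.enc

# decrypt_with PRIVATE_KEY: prints the plaintext, or DECRYPT-FAILED.
decrypt_with() {
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in record.enc 2>/dev/null || printf 'DECRYPT-FAILED'
}

# Integrity and origin (slides 6 and 17): Alice hashes the command with
# SHA-256 and signs the digest with alice.key; anyone can verify with alice.pub.
printf 'Run myHome/whoami' > command.txt
printf 'Run myHome/rm -f *' > tampered.txt
openssl dgst -sha256 -sign alice.key -out command.sig command.txt

# verify_with PUBLIC_KEY FILE: prints OK when command.sig matches FILE under
# that key, BAD otherwise (data changed, or signed by someone else).
verify_with() {
  openssl dgst -sha256 -verify "$1" -signature command.sig "$2" >/dev/null 2>&1 \
    && echo OK || echo BAD
}

echo "decrypt with alice.key:      $(decrypt_with alice.key)"
echo "decrypt with bob.key:        $(decrypt_with bob.key)"
echo "genuine command, alice.pub:  $(verify_with alice.pub command.txt)"
echo "tampered command, alice.pub: $(verify_with alice.pub tampered.txt)"
echo "genuine command, bob.pub:    $(verify_with bob.pub command.txt)"
```

The signature is computed over the SHA-256 digest, not over the command text itself, so a one-byte change anywhere in the command changes the digest and the verification fails; the same check fails when the verifier uses a public key that does not belong to the signer.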

18 Public Key Infrastructure (PKI)
- PKI allows you to know that a given public key belongs to a given user
- PKI builds on asymmetric encryption:
  - Each entity has two keys: public and private
  - The private key is known only to the entity
- The public key is given to the world encapsulated in an X.509 certificate
(diagram: the certificate and its Owner)

19 Certificates
- An X.509 certificate binds a public key to a name
- Similar to a passport or driver's license
(illustration: a State of Illinois driver's license for John Doe, 755 E. Woodlawn, Urbana IL, with the state seal and his physical description, beside a certificate showing the fields Name, Issuer, Public Key, Validity (Valid Till:) and Signature)

20 Certification Authorities (CAs)
- A Certification Authority is an entity whose only job is to sign certificates (and the revocation information for them)
- The CA signs its own certificate, which is distributed to relying parties in a trusted manner (out of band, not over the connection it will later be used to verify)
- Verify the CA certificate, then verify the certificate it issued
(diagram: the self-signed CA certificate, with Name: CA, Issuer: CA, CA's Public Key, Validity, CA's Signature)

21 Certificate Policy (CP)
- Each CA has a Certificate Policy (CP) which states
  - who it will issue certificates to
  - how it identifies the people it issues certificates to
- A lenient CA is only a threat to the resources that trust it: each resource decides which CAs it trusts, so a CA's CP should be read before its certificate goes into a trust store

22 Certificate Issuance
- User generates a public key and a private key
- CA vets the user's identity according to its CP
- The public key is sent to the CA
  - Browser upload
  - Implied
- The CA signs the user's name and public key together, producing the X.509 certificate
- The user's private key is never seen by anyone, including the CA

23 Certificate Revocation
- The CA can revoke any certificate it issued
  - Private key compromised
  - Malicious user
- Certificate Revocation List (CRL)
  - Signed list of the serial numbers of the revoked certificates
  - Published, typically on the CA web site
- Before accepting a certificate, a resource must check the issuing CA's CRL (and keep its local copy fresh: a stale CRL lets a revoked certificate keep working until the next download)

24 Authorization
- Establishing the rights of an identity
- Chaining authorization schemes
  - Client must be User Green and have a candlestick and be in the library!
- Types:
  - Server-side authorization
  - Client-side authorization

25 Gridmap Authorization
- Commonly used in Globus for server-side authorization
- The gridmap is a list of mappings from allowed DNs to local user names
- An ACL plus one attribute (the local account)
- Controlled by the administrator
- Readable by everyone; only the administrator can write it
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
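A reader for the gridmap format on the slide and the lookup a service performs before it maps a caller to a local account, added here as an example in POSIX sh (not code from the slides or from Globus, whose own implementation is in C). The file contents, DNs and account names are constructed for illustration. The one point the slide's two lines do not show is that the subject presented by a client is usually a proxy, so the lookup has to strip the proxy's extra CN components before comparing against the file.

```shell
#!/bin/sh
# Added example, not from the slides or from Globus: a POSIX sh reader for the
# grid-mapfile format on slide 25 and the lookup a service does before mapping
# a caller to a local account. File contents, DNs and account names are
# constructed for illustration.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample grid-mapfile. DNs are quoted because they contain spaces;
# one DN may be allowed several local accounts, comma-separated, first = default.
cat > "$WORK/grid-mapfile" <<'EOF'
# comment lines and blank lines are ignored
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Mike Wilde" wilde,mwilde
"/C=US/O=Example Grid/OU=Users/CN=Jane Doe" jdoe
EOF
chmod 644 "$WORK/grid-mapfile"   # world-readable, administrator-writable

# A proxy's subject is its issuer's subject plus one CN (legacy Globus
# "proxy"/"limited proxy", or a number for RFC 3820 proxies). Strip those so a
# proxy is authorized as the user whose long-term certificate signed it.
effective_identity() {
  id="$1"
  while :; do
    stripped="$(printf '%s' "$id" | sed -E 's#/CN=(proxy|limited proxy|[0-9]+)$##')"
    [ "$stripped" = "$id" ] && break
    id="$stripped"
  done
  printf '%s\n' "$id"
}

# gridmap_lookup FILE SUBJECT [ACCOUNT]
# Prints the local account the caller may run as and returns 0; returns
# non-zero (printing nothing) when the DN is absent or ACCOUNT is not in its
# list. Authentication must already have proven SUBJECT; this only decides
# what that identity is allowed. Matching is an exact string comparison.
gridmap_lookup() {
  dn="$(effective_identity "$2")"
  awk -v dn="$dn" -v want="${3:-}" '
    BEGIN { status = 1 }
    NF == 0 || $1 ~ /^#/ { next }               # skip blank and comment lines
    {
      sub(/^[ \t]+/, "")
      if (substr($0, 1, 1) == "\"") {            # quoted DN
        end = index(substr($0, 2), "\"")
        if (end == 0) { printf "malformed line %d\n", NR > "/dev/stderr"; status = 2; exit }
        entry = substr($0, 2, end - 1); rest = substr($0, end + 2)
      } else {                                    # unquoted DN (no spaces)
        entry = $1; rest = substr($0, length($1) + 1)
      }
      if (entry != dn) next
      sub(/^[ \t]+/, "", rest); sub(/[ \t]+$/, "", rest)
      n = split(rest, accts, ",")
      if (want == "") { print accts[1]; status = 0; exit }
      for (i = 1; i <= n; i++) if (accts[i] == want) { print want; status = 0; exit }
      exit                                        # DN listed, account not allowed
    }
    END { exit status }' "$1"
}

for subject in \
  "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford/CN=proxy" \
  "/C=US/O=Example Grid/OU=Users/CN=Jane Doe/CN=1234567/CN=7654321" \
  "/C=US/O=Example Grid/OU=Users/CN=Mallory"; do
  echo "$subject -> $(gridmap_lookup "$WORK/grid-mapfile" "$subject" || echo DENIED)"
done
```

A malformed line makes the lookup fail loudly rather than be skipped, because a silently dropped entry is a silent loss of access and a silently mis-parsed DN could be a silent grant.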

26 Globus Security: The Grid Security Infrastructure
- The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources
- Based on PKI
- Uses the Secure Sockets Layer (SSL/TLS) for authentication and message protection
  - Encryption
  - Signature
- Adds the features needed for single sign-on
  - Proxy credentials
  - Delegation

27 GSI: Credentials
- In GSI each user has a set of credentials they use to prove their identity on the grid
  - Consists of an X.509 certificate and the matching private key
- The long-term private key is kept encrypted with a pass phrase
  - Good for security, inconvenient for repeated use

28 GSI: Proxy Credentials
- Proxy credentials are short-lived credentials created by the user
  - The proxy certificate is signed by the user's long-term private key
- A short-term binding of the user's identity to a new, separate private key
- Same effective identity as the long-term certificate
(diagram: the user's certificate and private key SIGN the proxy certificate)

29 GSI: Proxy Credentials
- Stored unencrypted for easy repeated access
- Chain of trust
  - Trust CA -> trust user certificate -> trust proxy
- Key aspects:
  - Generate proxies with a short lifetime
  - Set appropriate permissions on the proxy file (readable only by its owner)
  - Destroy the proxy when done

30 GSI Delegation
- Enabling another entity to run as you
- Provide the other entity with a proxy (never with your long-term private key)
- Ensure
  - Limited lifetime
  - Limited capability

31 Grid Security At Work
- Get a certificate from the relevant CA
- Request to be authorized for resources
- Generate a proxy as needed
- Run clients
  - Authenticate
  - Authorize
  - Delegate as required
In practice: numerous resources, different CAs, numerous credentials to manage

32 MyProxy
- Developed at NCSA
- Credential repository accessed through a different mechanism (e.g. username/pass phrase)
- Can act as a credential translator from username/pass phrase to GSI
- Online CA
- Supports various authentication schemes
  - Pass phrase, certificate, Kerberos

33 MyProxy: Use Cases
- Credentials need not be stored on every machine
- Used by services that can only handle usernames and pass phrases to authenticate to the Grid, e.g. web portals
- Handles credential renewal for long-running tasks
- Can delegate to other services

34 Lab Session
- Focus on tools
  - Certificates
  - Proxies
  - Gridmap authorization
  - Delegation
  - MyProxy

35 Grid School Module 2: Grid Security
Prepared by: Rachana Ananthakrishnan, Argonne National Laboratory
With contributions by Von Welch, Frank Siebenlist, Ben Clifford