Andrew McNab, Grid Certs, Manchester HEP, 8 Nov 2002, Slide 1: What can you do with a Grid Certificate?
Andrew McNab, High Energy Physics, University of Manchester

Slide 2: Overview
Public Key Cryptography
Encrypting and signing with a public key
Proving it's MY public key - CAs
Connecting with a key - ssh
Connecting with a certificate - https
Delegating - Globus proxies
Passports vs Visas
Access control lists - GGF
Putting the grid into the OS - SlashGrid
Extending HTTPS - G-HTTPS

Slide 3: Public Key Cryptography
This is one of the most interesting and downright useful areas of applied maths.
Invented twice, thanks to the Official Secrets Act:
  – by people at GCHQ (published 1998)
  – again by Diffie and Hellman at Stanford, 1976
Various algorithms exist:
  – Most common is RSA, invented by Rivest, Shamir and Adleman in 1977
  – Initially patented (expired in 2000)
  – Also subject to US export legislation, despite being simple enough to put on a T-shirt!

Slide 4: RSA algorithm (simplified a bit)
Say we have public key n = pq, where p and q are prime.
Private key d, with 3d = 1 (mod (p-1)(q-1)).
Encrypt message M (< n) as C = (M^3) mod n.
Decrypt with M = (C^d) mod n.
For example, n = 5 x 3 = 15, M = 12:
  – d = 3
  – C = 12^3 mod 15 = 3
  – M' = 3^3 mod 15 = 12 !!
However, if I don't know p and q, I can't get d.
If n = pq is very big, I can't easily find prime numbers p, q such that pq = n.
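The arithmetic on this slide, worked through in Python as an added example (not code from the talk): make_keypair derives d from any public exponent e rather than the fixed e = 3 on the slide, and recover_private_exponent shows what someone without p and q has to do, which is instant for n = 15 and infeasible for a real modulus. The function names are mine, and the (61, 53, 65537) key is a constructed second case.

```python
from math import gcd

# Toy RSA following slide 4.  Added example, not from the talk: the numbers are
# tiny so every step can be checked by hand.  Real RSA uses primes hundreds of
# digits long and pads the message (OAEP/PSS) before exponentiation.

def make_keypair(p, q, e=3):
    """Return (n, e, d) for distinct primes p, q and public exponent e.

    d is the inverse of e modulo (p-1)(q-1), i.e. e*d = 1 (mod (p-1)(q-1));
    with e = 3 this is exactly the relation written on the slide.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} has no inverse modulo (p-1)(q-1)={phi}")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return n, e, d

def encrypt(m, n, e):
    """C = M^e mod n.  The message must already be a number below n."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)

def decrypt(c, n, d):
    """M = C^d mod n."""
    return pow(c, d, n)

def recover_private_exponent(n, e):
    """What someone without p and q must do: factor n by trial division.
    Instant for n = 15, hopeless for a 2048-bit modulus, which is the point
    of the slide's last two lines."""
    p = next(k for k in range(2, n) if n % k == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def slide_example():
    """The slide's numbers: n = 5 x 3 = 15, d = 3, and 12 -> 3 -> 12."""
    n, e, d = make_keypair(5, 3)          # e defaults to 3, as on the slide
    c = encrypt(12, n, e)
    return n, d, c, decrypt(c, n, d)      # (15, 3, 3, 12)

if __name__ == "__main__":
    n, d, c, m = slide_example()
    print(f"n={n} d={d}: 12 -> {c} -> {m}")
    # A constructed second case with the usual public exponent 65537.
    n2, e2, d2 = make_keypair(61, 53, 65537)
    print("round trip:", decrypt(encrypt(1234, n2, e2), n2, d2))
    print("attacker recovers d from n alone:", recover_private_exponent(n2, e2) == d2)
```

Note that the slide's choice of M = 12 shares a factor with n = 15; textbook RSA still round-trips because n is square-free, but it is one of several reasons real systems never exponentiate raw messages.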

Slide 5: Encrypting with a public key
I can generate public and private keys.
I publish my public key.
You can turn a message into a number and encrypt it.
Only I, who also know the private key, can decrypt it.
This solves one of the ancient problems of cryptography, going back to the Greeks etc:
  – how to first get the encryption "secret" from the recipient to the sender in a secure way

Slide 6: Simple application: secret e-mails
The Internet is pretty insecure.
Anyone who can listen on the network can see what's in the e-mails as they go past.
But using public and private keys, people can encrypt a message and include it in an e-mail.
Keys and messages are base64-encoded blobs of text like this:

-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAOd5Zstqe+PGkfg4T8e3tDAr3ykv79ErTvERwFlO64/6IA5KkpMK
FizFR3hZmnC8lrS+5DItxdGkUo7y03mMMUsCAwEAAQJBAKQv0qA62cHJGcTtfHl3
bpI0rEg0vnCpvYb1RnCSsDggo4Banb7/ak2a/QrvfWoyt4Y60PE/6ypGvgiy6eqM
d+ECIQD8+88SCzXjDoNHxfjceTdeS2ZcA2xHdoL9179guWUM0wIhAOo78FEVh45/
DagJRqXWNo81Sp1fk5LaIkmVXx2akh6pAiEAj2PCeH22K14cdt/1MDHceivOdrTR
+Kdpk6tno9ExP1UCIQChLwHeKjyP+CpDma596/y7a2afCOgaQ/UYQaukSXuHkQIg
ZQFJimvH4ZZjErleQ+KsmyI2NuTk2/EDQxbnpyN35+g=
-----END RSA PRIVATE KEY-----
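To show what is inside a base64 blob like the one above, here is an added example (not code from the talk) that strips the PEM armour from the slide's own 512-bit demonstration key, walks the DER encoding of the PKCS#1 RSAPrivateKey structure with a hand-written minimal parser (it handles only the definite-length tags this structure uses), and runs the consistency checks a careful loader should apply before trusting a key file. The helper names are mine.

```python
import base64
from math import gcd

# The key from the slide, copied verbatim: a 512-bit RSA key shown there only
# to illustrate what a base64 "blob" looks like.
SLIDE_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAOd5Zstqe+PGkfg4T8e3tDAr3ykv79ErTvERwFlO64/6IA5KkpMK
FizFR3hZmnC8lrS+5DItxdGkUo7y03mMMUsCAwEAAQJBAKQv0qA62cHJGcTtfHl3
bpI0rEg0vnCpvYb1RnCSsDggo4Banb7/ak2a/QrvfWoyt4Y60PE/6ypGvgiy6eqM
d+ECIQD8+88SCzXjDoNHxfjceTdeS2ZcA2xHdoL9179guWUM0wIhAOo78FEVh45/
DagJRqXWNo81Sp1fk5LaIkmVXx2akh6pAiEAj2PCeH22K14cdt/1MDHceivOdrTR
+Kdpk6tno9ExP1UCIQChLwHeKjyP+CpDma596/y7a2afCOgaQ/UYQaukSXuHkQIg
ZQFJimvH4ZZjErleQ+KsmyI2NuTk2/EDQxbnpyN35+g=
-----END RSA PRIVATE KEY-----"""

def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode the body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def _read_tlv(der, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Minimal parser: short form and definite long form lengths only."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(der):
        raise ValueError("length runs past end of data")
    return tag, der[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv },
    every field an INTEGER.  Returns them as a dict of Python ints."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    fields, pos = {}, 0
    for name in ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError(f"{name}: expected INTEGER, got tag {tag:#x}")
        fields[name] = int.from_bytes(value, "big")   # leading 0x00 pad is harmless
    if pos != len(body):
        raise ValueError("trailing bytes after qInv")
    return fields

def check_key(k):
    """Consistency checks a loader should run before trusting a key file:
    the primes really multiply to n, d really inverts e, and the CRT
    helper values match."""
    p, q, lam = k["p"], k["q"], 0
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (k["version"] == 0
            and p * q == k["n"]
            and (k["e"] * k["d"]) % lam == 1
            and k["dP"] == k["d"] % (p - 1)
            and k["dQ"] == k["d"] % (q - 1)
            and (q * k["qInv"]) % p == 1)

if __name__ == "__main__":
    key = parse_rsa_private_key(pem_to_der(SLIDE_PEM))
    print("modulus bits:", key["n"].bit_length(), " e =", key["e"])
    print("key consistent:", check_key(key))
```

The structural checks (tag, length, trailing bytes) are what stop a truncated or corrupted key file from being silently accepted; the arithmetic checks catch a key whose private half does not actually belong to its modulus.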

Slide 7: Signing e-mails
This technology doesn't only allow us to encrypt messages:
  – I can use my private key to generate a digital "signature"
  – Using my public key, you can verify that only I could have generated it
  – This gives both simple signing (you can verify the source) and non-repudiation (you can prove the same key signed a group of messages and I can't deny it)
The signature is another block of text at the end of the original message, which stays in plaintext.

Slide 8: Proving it's MY public key
However, other people still have to verify it really is MY public key they are using:
  – What if I can't physically give you the key?
Certificate Authorities (CAs) / Trusted 3rd Parties resolve this.
They sign other people's public keys, along with a unique name -> "a certificate"
  – You still have to get the CA public key somehow
So: I can get my public key signed, put it on my webpage and you can verify it's really mine
  – it hasn't been replaced by a hacker, say

Slide 9: Certificate Authority namespaces
A CA needs to have some unique naming for individuals.
Could use Name + Postal Address, or e-mail Address.
In practice, use an X.500 hierarchy:
  – /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab
We use the UK HEP CA and now also the general e-Science CA at RAL
  – We are now directly responsible for names under /C=UK/O=eScience/OU=Manchester/L=HEP/…
  – The new CA requires us to check some photo ID

Slide 10: Connecting with a key
ssh uses RSA and similar algorithms.
The server generates a key pair to identify itself.
Users can generate key pairs to use instead of passwords
  – At CERN, SLAC etc, put your public key in ~/.ssh/authorized_keys
When you connect, ssh checks if the server key pair is the same as last time
  – but, the first time, it has to take it on trust
  – it would be better to use a signed certificate, rather than just a public key

Slide 11: Connecting with a certificate
You're probably familiar with https websites
  – eg for credit card orders from Easyjet
These use RSA etc to secure the connection.
Hosts have certificates rather than just public keys
  – in the cert name they have …/CN=
So the web browser can verify you're really giving your credit card number to Easyjet.
Also, if you put a user certificate into the browser, the webserver can verify who you are.

Slide 12: GridSite
The GridSite system has user authentication
  – Written here and used for
Maintains lists of users in different groups.
Each directory has a list of groups who can modify its webpages.
Tools on the website allow you to upload files and edit pages.
Group admins can modify the membership of their group too.
Devolves the work of maintaining the site down to each subgroup.

Slide 13: Other services using certificates
Globus's grid services use the same idea:
  – GridFTP for bulk file transfers
  – GRAM for job submission
  – GSI-ssh: normal ssh modified to use server and user certificates rather than just key pairs
Since both Globus and https use the same X.509 format certificates, Grid and Web can be integrated.
Only need to get one user certificate, for both purely Grid services and https Web sites.

Slide 14: Globus Delegation
In normal https, I can prove who I am to the website, but that's it
  – Globus extended this idea with delegation
When I contact a remote host, it also makes a new, temporary key pair with my name
  – I agree to sign the public key, like a CA does
My programs on the host can then contact other hosts with the "proxy" = chain of certs
A 2nd remote host can check I authorised all this, by checking the chain of certs one by one
  – no need to take the 1st host's word for it!
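As an added example (not Globus or GSI code) tying together slides 7, 8 and 14: sign and verify are textbook RSA over a SHA-256 digest, a "certificate" is a signed (subject, issuer, public key) record, and verify_chain walks user cert -> proxy -> proxy-of-proxy starting from a trusted CA key, rejecting a proxy minted by a host that was never delegated to and one whose name does not extend its signer's. The naming rule (proxy subject = signer's subject + "/CN=proxy") is an assumption modelled on old-style GSI proxies; the Mersenne primes, the CA name and the second host's names are all constructed.

```python
import hashlib
import json

# Toy certificate chain for slides 7, 8 and 14.  Added example, not Globus/GSI
# code: a "certificate" is a JSON record {subject, issuer, pub} signed with
# textbook RSA over its SHA-256 digest.  The proxy naming rule below is an
# assumption modelled on old-style GSI proxies.  Keys are Mersenne-prime
# products chosen so the maths is exact; far too small for real use.

E = 65537
CA_SUBJECT = "/C=UK/O=eScience/CN=Toy CA"          # constructed
USER_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"

def keypair(p, q):
    """Textbook RSA from two distinct primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def digest(payload):
    """SHA-256 over a canonical (sorted-key) JSON encoding, as an integer."""
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, payload):
    """Slide 7: only the holder of d can produce this number."""
    return pow(digest(payload) % private["n"], private["d"], private["n"])

def verify(public, payload, sig):
    """Slide 7: anyone holding (n, e) can check it."""
    return pow(sig, public["e"], public["n"]) == digest(payload) % public["n"]

def issue(issuer_priv, issuer_subject, subject, subject_pub):
    """Slide 8: bind a name to a public key and sign the binding.  A CA does
    this for a user; a user does the same for a proxy key (slide 14)."""
    payload = {"subject": subject, "issuer": issuer_subject, "pub": subject_pub}
    return {"payload": payload, "sig": sign(issuer_priv, payload)}

def verify_chain(trusted, chain):
    """Walk [user_cert, proxy, proxy-of-proxy, ...] from the trusted CA key
    down, checking each link's issuer, signature and (for proxies) name.
    Returns the end-entity subject, or raises ValueError."""
    signer_pub, signer_subject = trusted["pub"], trusted["subject"]
    for depth, cert in enumerate(chain):
        pl = cert["payload"]
        if pl["issuer"] != signer_subject:
            raise ValueError(f"link {depth}: issued by {pl['issuer']!r}, expected {signer_subject!r}")
        if not verify(signer_pub, pl, cert["sig"]):
            raise ValueError(f"link {depth}: signature on {pl['subject']!r} does not verify")
        if depth > 0 and pl["subject"] != signer_subject + "/CN=proxy":
            raise ValueError(f"link {depth}: {pl['subject']!r} does not extend {signer_subject!r}")
        signer_pub, signer_subject = pl["pub"], pl["subject"]
    return signer_subject

def chain_subject(trusted, chain):
    """End-entity subject if the chain verifies, else None."""
    try:
        return verify_chain(trusted, chain)
    except ValueError:
        return None

def build_chains():
    """Constructed scenario: CA -> user -> proxy (host 1) -> proxy (host 2),
    plus two bad chains that a second host must reject."""
    ca_pub, ca_priv = keypair(2**127 - 1, 2**61 - 1)
    user_pub, user_priv = keypair(2**107 - 1, 2**89 - 1)
    p1_pub, p1_priv = keypair(2**31 - 1, 2**17 - 1)
    p2_pub, _ = keypair(2**19 - 1, 2**13 - 1)
    rogue_pub, rogue_priv = keypair(2**7 - 1, 2**5 - 1)

    trusted = {"subject": CA_SUBJECT, "pub": ca_pub}
    user_cert = issue(ca_priv, CA_SUBJECT, USER_DN, user_pub)
    proxy1 = issue(user_priv, USER_DN, USER_DN + "/CN=proxy", p1_pub)
    proxy2 = issue(p1_priv, USER_DN + "/CN=proxy", USER_DN + "/CN=proxy/CN=proxy", p2_pub)

    # A host the user never delegated to mints a "proxy" with its own key.
    forged = issue(rogue_priv, USER_DN, USER_DN + "/CN=proxy", rogue_pub)
    # The user's real key signing a proxy name that is not theirs.
    impostor = issue(user_priv, USER_DN, "/C=UK/O=eScience/CN=Someone Else/CN=proxy", p1_pub)

    return trusted, {"good": [user_cert, proxy1, proxy2],
                     "forged": [user_cert, forged],
                     "impostor": [user_cert, impostor]}

if __name__ == "__main__":
    trusted, chains = build_chains()
    for name, chain in chains.items():
        print(f"{name:9s} -> {chain_subject(trusted, chain)}")
```

The second host needs nothing from the first host except the chain itself: it holds only the CA's public key, and every link is checked against the key certified in the link before it, which is the "no need to take the 1st host's word for it" on the slide.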

Slide 15: "Single sign-on"
Delegation allows you to just sign on once.
Do the grid-proxy-init command once each day
  – locally delegates a proxy as /tmp/x509up_uXX
Each Globus program looks for this when connecting:
  – globus-job-run for job submission
  – globus-url-copy for file copying
  – gsi-ssh for getting a remote command line
EU DataGrid programs built with this do too:
  – dg-job-submit
  – dg-job-get-output

Slide 16: Delegation in jobs
As the Grid becomes more complex, delegation becomes vital.
A user at Site A submits a job
  – Job goes to the Resource Broker at Site B
  – RB sends the job to Site C, which has spare CPUs
  – Job running at C reads the data catalog at Site D
  – Job at C reads the closest data replica from Site E
  – Job finishes hours later and sends output to the file server back at Site A
Delegation means not having to take other sites' "word for it" - which wouldn't scale up.

Slide 17: Passports vs Visas
Globus uses the grid-mapfile - lists the mapping of certificate name to local unix user ID
  – if you're "on the list" then you are in
This is equivalent to a Passport + a Ban / Invitation List.
New systems are being built with a Visa model:
  – when I make my initial proxy, I also include a signed statement from my organisation
  – this "attribute cert" proves my membership
  – since I can't forge the Atlas signature, each site doesn't need the list of "all Atlas Users"

Slide 18: Grid Access Control Lists
Our GACL format provides a way of writing ACLs using Grid credentials
  – user certificate names, group certificates etc
GridSite uses this format already.
Other projects (eg the EDG Storage Element) are taking it up.
Now part of the authorisation work in the Global Grid Forum (GGF)
  – GGF: world wide standards body for Grids
  – I co-chair the Authorisation Working Group
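An added example (not GridSite's own code) of evaluating a GACL document of the kind slides 12 and 18 describe. The element names follow the GACL format as I know it (person/dn, group/name, any-user, auth-user, allow, deny, and the read/list/write/admin permissions); the evaluation rules are my model: an entry applies when every credential in it matches the requester, a permission is granted if some applying entry allows it and no applying entry denies it, and group membership comes from an external table, here a constructed dict. The sample ACL and the DNs other than the speaker's are constructed.

```python
import xml.etree.ElementTree as ET

# GACL evaluator.  Added example, not GridSite code: element names follow the
# GACL format, the matching and deny-overrides rules are my model of it, and
# the ACL, group table and DNs below are constructed for the example.

PERMISSIONS = ("read", "list", "write", "admin")

SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <group><name>hep-webmasters</name></group>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Ex Member</dn></person>
    <deny><write/><admin/></deny>
  </entry>
  <entry>
    <auth-user/>
    <allow><list/></allow>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>"""

# Constructed group membership table (GridSite keeps these in its own lists).
GROUPS = {"hep-webmasters": {"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Ex Member"}}

def credential_matches(cred, dn, groups):
    """Does one credential element apply to this requester?  dn is None for
    an unauthenticated client (no certificate presented)."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if cred.tag == "group":
        return dn is not None and dn in groups.get(cred.findtext("name"), ())
    return False        # unknown credential types never match: fail closed

def evaluate(gacl_xml, dn, groups=GROUPS):
    """Return the set of permissions the requester ends up with."""
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, groups) for c in creds):
            continue
        for allow in entry.findall("allow"):
            allowed.update(p.tag for p in allow)
        for deny in entry.findall("deny"):
            denied.update(p.tag for p in deny)
    # deny wins over allow; anything not named in PERMISSIONS is ignored
    return {p for p in PERMISSIONS if p in allowed and p not in denied}

def may(gacl_xml, dn, permission, groups=GROUPS):
    """Single yes/no decision, e.g. before serving a write to a directory."""
    return permission in evaluate(gacl_xml, dn, groups)

if __name__ == "__main__":
    for who in ("/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab",
                "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Ex Member",
                "/C=UK/O=eScience/CN=Visitor", None):
        print(who, "->", sorted(evaluate(SAMPLE_GACL, who)))
```

The "Ex Member" entry shows why a deny element matters for the devolved administration on slide 12: a group admin can keep someone in the hep-webmasters list while a directory owner still withdraws write access from that one DN.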

Slide 19: SlashGrid: Grid filesystems
Almost all EDG sites use Manchester's pool accounts system
  – get a temporary Unix UID when you run a job
SlashGrid adds to this by controlling disk access and file ownership
  – use GACL access control lists to say who owns each directory
  – enforced at kernel level so all programs see it
Unix ID doesn't matter: Grid ID does.
Also provides a remote filesystem using https
  – Like AFS, but with Grid credentials and web servers

Slide 20: Extending HTTPS - G-HTTPS
Normal HTTPS is already very Grid-like.
Work now underway to add more Grid features
  – need to avoid breaking existing HTTPS
  – our G-HTTPS proposal is designed to do this
Delegation from client to server
  – so we get all the benefits discussed already
Servers can return the ACL along with the file
  – so if I cache a copy locally, I know who I can share the copy with
Relevant EDG groups involved; taking it to GGF.

Slide 21: fileGridSite
fileGridSite is a cut down version of GridSite
  – just does plain text/binary files
  – group/webpage management features removed
A testbed for new HTTPS extensions.
Made possible by Mike Jones' mod_ssl-GSI
  – this makes web servers understand Globus delegated proxies
G-HTTPS lets the server get a delegated proxy itself.
fileGridSite aims to offer the same functions as a GridFTP server, but with HTTP/HTTPS.

Slide 22: Summary
Public key cryptography provides privacy and authentication.
Certificate Authority infrastructure makes it scalable.
Lots of Web and now Grid tools have been built to use it.
Delegation makes Grids practical.
New tools for group membership, and disk/web access control, are being developed
  – much of it here at Manchester
All this is feeding into new Grid-wide standards.