Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Services Grid Security concepts and tools Valeria Ardizzone Istituto Nazionale di Fisica Nucleare Sezione.

Published byAnastasia Rogers Modified over 8 years ago

Similar presentations

Presentation on theme: "Authentication Services Grid Security concepts and tools Valeria Ardizzone Istituto Nazionale di Fisica Nucleare Sezione."— Presentation transcript:

1 www.ccr.infn.it http://grid.infn.it/ Authentication Services Grid Security concepts and tools Valeria Ardizzone Istituto Nazionale di Fisica Nucleare Sezione di Catania II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 Novembre 2008

2 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 2 Glossary Encryption –Symmetric algorithms –Asymmetric algorithms: PKI Certification Authorities –Digital Signatures –X509 certificates Grid Security –Basic concepts –Grid Security Infrastructure –Proxy certificates –Commands used in UI Virtual Organization –Concept of VO and authorization –VOMS, LCAS, LCMAPS References Outline

3 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 3 Principal –An entity: a user, a program, or a machine Credentials –Some data providing a proof of identity Authentication –Verification of the identity for an end-entity Authorization –Map an entity to some set of privileges Confidentiality –Encrypt the message so that only the recipient can understand it Integrity –Ensure that the message has not been altered during the transmission Non-repudiation –Impossibility of denying the authenticity of a digital signature Glossary

4 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 4 To implement the security infrastructure, cryptography uses mathematical algorithms that provide important building blocks. Corresponding definitions for the above symbols: –Plaintext: M –Cyphertext: C –Encryption with key K 1 : E K 1 (M) = C –Decryption with key K 2 : D K 2 (C) = M Algorithms –Symmetric –Symmetric: K 1 = K 2 –Asymmetric –Asymmetric: K 1 ≠ K 2 K2K2 K1K1 Encryption Decryption MCM Cryptography

5 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 5 The same key is used for encryption and decryption (no public key, only secret keys available.) Advantages: –Fast Disadvantages: –Exchange of secret keys needed:  how to distribute the keys? –the number of keys is O(n 2 ) Examples: –DES –3DES –AES JohnPeter Hi!3$rHi! JohnPeter Hi!3$rHi!3$r Symmetric Algorithms

6 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 6 Every user has two keys: one private (secret) and one public: –it is impossible to derive the private key from the public one; –a message encrypted by one key can be decrypted only by the other one. No exchange of private key is needed. –the sender cyphers using the public key of the receiver; –the receiver decrypts using his own private key; –the number of keys is O(n). Examples: –RSA (1978) Peterkeys public private John keys publicprivate JohnPeter Hi!3$rHi! JohnPeter Hi!cy7Hi! 3$r cy7 Public Key Algorithms (Asymmetric)

7 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 7 John calculates the h hh hash of the message (with a one-way hash function) John encrypts the hash using his private key: the encrypted hash is the d dd digital signature. John sends the signed message to Peter. Peter calculates the hash of the message and v vv verifies it with A, decyphered with Peter’s p pp public key. If two hashes equal: message wasn’t modified; John cannot repudiate it. Peter This is some message Digital Signature John This is some message Digital Signature This is some message Digital Signature Hash(A) John keys publicprivate Hash(B) Hash(A) = ? Digital Signature

8 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 8 John’s digital signature is safe if: 1. John’s private key is not compromised 2. Peter knows John’s public key How can Peter be sure that John’s public key is really John’s public key and not someone else’s? –A third party guarantees the correspondence between public key and owner’s identity. –Both John and Peter must trust this third party Two models proposed to build trust: used in Grid –X.509: hierarchical organization ( used in Grid ) –PGP: “web of trust”. (person to person) Digital Certificate

9 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 9 X.509 and Certification Authorities Certification Authority The “third party” is called Certification Authority (CA). Responsibilities of CA: Digital CertificatesIssue Digital Certificates (containing public key and owner’s identity) for users, programs and machines Check identity and the personal data of the requestor –Registration Authorities (RAs) do the actual validation Revoke certificates in case of a compromise Renew certificates in case of expiration Periodically publish a list of revoked certificates through web repository –Certificate Revocation Lists (CRL): contain all the revoked certificates CA certificates are self-signed

10 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 10 An X.509 Certificate contains: –o–owner’s public key; –i–identity of the owner (DN); –i–info on the CA; –t–time of validity; –S–Serial number; –d–digital signature of the CA Public key Subject:C=TR, O=TRGrid, OU=ODTU, CN=Cevat Sener Issuer: C=TR, O=TRGrid, CN=TR- Grid CA Not before: Apr 6 14:08:33 2006 GMT Not after: Apr 6 14:08:33 2007 GMT Serial number: 95 (0 x 5F) CA Digital signature Structure of a X.509 certificate X.509 Certificates

11 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 11 Large and dynamic population Different accounts at different sites Personal and confidential data Heterogeneous privileges (roles) Desire Single Sign-On Users “Group” data Access Patterns Membership “Groups” Sites Heterogeneous Resources Access Patterns Local policies Membership Grid GRID Security: Components

12 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 12 every user/host/service has an X.509 certificate; certificates are signed by trusted (by the local sites) CA’s; every Grid transaction is mutually authenticated: 1. John sends his certificate; 2. Peter verifies signature in John’s certificate; 3. Peter sends John a challenge string; 4. John encrypts the challenge string with his private key; 5. John sends encrypted challenge to Peter 6. Peter uses John’s public key to decrypt the challenge. 7. Peter compares the decrypted string with the original challenge 8. If they match, Peter verifies John’s identity and John can not repudiate it. John Peter John’s certificate Verify CA signature Random phrase Encrypt with John’s private key Encrypted phrase Decrypt with John’ s public key Compare with original phrase Based on X.509 PKI: VERY IMPORTANT Private keys Private keys must be stored only by owners: protected in protected placesAND encrypted in encrypted form The Grid Security Infrastructure (GSI)

13 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 13 Certificate management Import your certificate in your browser –If you receive a.pem certificate you need to convert it to PKCS12 –Use openssl command line (available in each egee/LCG UI)  openssl pkcs12 –export –in usercert.pem –inkey userkey.pem –out my_cert.p12 –name ’My Name’ GILDA (and other VOs): –If you receive already a PKCS12 certificate, you can import it directly into the web browser. –For future use, you will need usercert.pem and userkey.pem in a directory ~/.globus on your UI –Export the PKCS12 cert to a local dir on UI and use again openssl:  openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem  openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem

14 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 14 X.509 Proxy Certificate Proxy: GSI extension to X.509 Identity Certificates –signed by the normal end entity cert (or by another proxy). It enables single sign-on. It supports some important features: –Delegation –Mutual authentication It has a limited lifetime (minimized risk of “compromised credentials”) It is created by the grid-proxy-init command: % grid-proxy-init Enter PEM pass phrase: ****** –Options for grid-proxy-init:  -hours  -bits  -help

15 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 15 User enters pass phrase, which is used to decrypt private key. Private key is used to sign a proxy certificate with its own, new public/private key pair. –User’s private key not exposed after proxy has been signed User certificate file Private Key (Encrypted) Pass Phrase User Proxy certificate file Proxy placed in /tmp –the private key of the Proxy is not encrypted: –stored in local file: must be readable only by the owner; –proxy lifetime is short (typically 12 h) to minimize security risks. NOTE: No network traffic! grid-proxy-init

16 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 16 grid-proxy-init ≡ “login to the Grid” To “logout” you have to destroy your proxy: – grid-proxy-destroy –This does NOT destroy any proxies that were delegated from this proxy. –You cannot revoke a remote proxy To gather information about your proxy: – grid-proxy-info –Options for grid-proxy-info: -subject-issuer -type-timeleft -strength-help Still Proxy …

17 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 17 Delegation = remote creation of a (second level) proxy credential –New key pair generated remotely on server –Client signs proxy cert and returns it Allows remote process to authenticate on behalf of the user –Remote process “impersonates” the user Delegation

18 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 18 Long term proxy --> Myproxy Proxy has limited lifetime (default is 12 h) –Bad idea to have longer proxy However, a grid task might need to use a proxy for much longer time –Grid jobs in HEP on LCG last up to 2 days myproxy server: –Allows to create and store a long term proxy certificate: –myproxy-init -s --voms  -s: specifies the hostname of the myproxy server –myproxy-info  Get information about stored long living proxy –myproxy-get-delegation  Get a new proxy from the MyProxy server –myproxy-destroy –Check out the myproxy-xxx --help option for more information A dedicated service on the RB can renew automatically the proxy File transfer services in gLite validates user request and eventually renew proxies –contacting myproxy server

19 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 19 Grid users MUST belong to virtual organizations –It was called “groups” previously. –It defines sets of users belonging to a collaboration –User must sign the usage guidelines for the VO –You will be registered in the VO-LDAP server (wait for notification) –List of supported VOs:  https://lcg-registrar.cern.ch/virtual_organization.html https://lcg-registrar.cern.ch/virtual_organization.html VOs maintain a list of their members on a LDAP Server –The list is downloaded by grid machines to map user certificate subjects to local “pool” accounts –Sites decide which VOs to support  /etc/grid-security/grid-mapfile "/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Birsen Omay".seegrid "/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Hakan Bayindir".trgridb "/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Onur Temizsoylu".dteam VOs and authorization

20 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 20 Virtual Organization Membership Service –Extends the proxy with info on VO membership, group, roles –Fully compatible with Globus Toolkit –Each VO has a database containing group membership, roles and capabilities information for each user –User contacts voms server requesting his authorization info –Server sends authorization info to the client, which includes them in a proxy certificate asli@levrek:~$ voms-proxy-init --voms trgrida Your identity: /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin Enter GRID pass phrase: Creating temporary proxy................................... Done Contacting voms.ulakbim.gov.tr:15051 [/C=TR/O=TRGrid/OU=TUBITAK- ULAKBIM/CN=voms.ulakbim.gov.tr] "trgrida" Done Creating proxy................................... Done Your proxy is valid until Sat Jul 1 04:02:30 2006 VOMS concepts

21 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 21 short for Fully Qualified Attribute Name, is what VOMS uses to express membership and other authorization info Groups membership, roles and capabilities may be expressed in a format that bounds them together /Role=[ ][/Capability= ] FQAN are included in an Attribute Certificate Attribute Certificates are used to bind a set of attributes (like membership, roles, authorization info etc) with an identity ACs are digitally signed VOMS uses AC to include the attributes of a user in a proxy certificate asli@levrek:~$ voms-proxy-info -fqan /trgrida/Role=NULL/Capability=NULL FQAN and AC

22 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 22 Server creates and signs an AC containing the FQAN requested by the user, if applicable AC is included by the client in a well-defined, non critical, extension assuring compatibility with GT-based mechanism asli@levrek:~$ voms-proxy-info -all subject : /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin/CN=proxy issuer : /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin identity : /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin type : proxy strength : 512 bits path : /tmp/x509up_u1134 timeleft : 11:58:08 VO : trgrida subject : /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Asli Zengin issuer : /C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=voms.ulakbim.gov.tr attribute : /trgrida/Role=NULL/Capability=NULL timeleft : 11:58:08 VOMS and AC

23 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 23 At resources level, authorization info is extracted from the proxy and processed by LCAS and LCMAPS Local Centre Authorization Service (LCAS) –Checks if the user is authorized (currently using the grid-mapfile) –Checks if the user is banned at the site –Checks if at that time the site accepts jobs Local Credential Mapping Service (LCMAPS) –Maps grid credentials to local credentials (eg. UNIX uid/gid, AFS tokens, etc.) –Map also VOMS group and roles (full support of FQAN) "/VO=dteam/GROUP=/dteam" dteam "/VO=eumed/GROUP=/eumed/ROLE=SoftwareManager" eumed "/VO=eumed/GROUP=/eumed" eumed LCAS & LCMAPS

24 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 24 GSI environment variables User certificate files: –Certificate:X509_USER_CERT (default: $HOME/.globus/usercert.pem ) –Private key: X509_USER_KEY (default: $HOME/.globus/userkey.pem ) –Proxy: X509_USER_PROXY (default: /tmp/x509up_u ) Host certificate files: –Certificate: X509_HOST_CERT (default: /etc/grid-security/hostcert.pem ) –Private key: X509_HOST_KEY (default: /etc/grid-security/hostkey.pem )

25 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 25 GSI environment variables Trusted certification authority certificates: – X509_CERT_DIR (default: /etc/grid-security/certificates ) Voms server public keys –X509_VOMS_DIR (default: /etc/grid-security/vomsdir )

26 www.ccr.infn.it http://grid.infn.it/ II Corso di formazione INFN per amministratori di siti Grid ICTP, Trieste 24-28 November 2008 - 26 GridGrid –LCG Security: http://proj-lcg-security.web.cern.ch/proj-lcg-security/ –LCG Registration: http://lcg-registrar.cern.ch/http://lcg-registrar.cern.ch/ –Globus Security: http://www.globus.org/security/ –VOMS: http://infnforge.cnaf.infn.it/projects/voms –IGTF for trusted CAs: http://www.gridpma.org/ BackgroundBackground –GGF Security: http://www.gridforum.org/security/ –IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html –PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html References

Download ppt "Authentication Services Grid Security concepts and tools Valeria Ardizzone Istituto Nazionale di Fisica Nucleare Sezione."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, 27-29 April 2006 Authorization.

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Security Management.

Security Management.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

Similar presentations

Ads by Google