Slide 1: A “lightweight” Crypto Library for supporting a new Advanced Grid Authentication Process with Smart Card
R. Barbera (1,2), V. Ciaschini (3), A. Falzone (4) and G. La Rocca (1)
(1) National Institute of Nuclear Physics, Division of Catania, Italy
(2) Department of Physics and Astronomy of the University of Catania, Italy
(3) National Institute of Nuclear Physics, Division of Bologna, Italy
(4) Nice srl, Italy
International Workshop on Science Gateways (IWSG10), 20-21 Sept. 2010, Acicastello, Italy
Slide 2: Outline
Grid Security: the current state-of-the-art;
Introduction to smart cards;
– Why do we use smart cards in Grid?
– Installation and Configuration;
– The Aladdin eToken PRO smart card;
– The NIKHEF solution;
– The extended XML/Java EnginFrame framework.
The “lightweight” crypto library;
– Browsing the smart card;
– Creating a VOMS proxy certificate;
– Video.
Summary and Conclusions;
References.
Slide 3: The current state-of-the-art
The existing Grid middleware, and in particular gLite, relies on the adoption of a Public Key Infrastructure (PKI);
– the user's credentials (public and private keys) must be available on each User Interface (UI) server used to access the Grid infrastructure (e.g. under $HOME/.globus/).
Exposing the certificate's private key on multiple UIs is considered a security weakness;
– the key may be subject to fraudulent use by non-authorized users (e.g. the system administrator).
There is a total lack of support for other authentication mechanisms;
– smart cards, with their hardware characteristics, can improve security and avoid abuse.
Slide 4: Smart Cards
Smart cards are usually tamper-resistant devices that can be easily connected to a laptop and used to store private keys.
– They have been introduced to protect the private credentials.
In order to access private objects stored on the smart card, a user PIN is requested.
– Additional protection is given to private keys and secret keys that are marked as “sensitive” or “non-extractable”: sensitive keys cannot be revealed in plain text off the token; non-extractable keys cannot be revealed off the token even in encrypted (wrapped) form.
Slide 5: Smart Cards and Grid
In this work the features of the Aladdin eToken PRO 32Kb smart card have been exploited.
Since 2008, the INFN CA has used this kind of smart card to store grid certificates (in particular robot certificates).
The Aladdin eToken smart card can hold several certificates:
– A first prototype of the GENIUS Grid Portal (https://glite-tutor1.ct.infn.it), using such a certificate to generate a user's proxy and to track what the user is doing on grid resources, has been successfully designed (see: A Grid Portal with Robot Certificates for Bioinformatics Phylogenetic Analyses, Concurrency and Computation: Practice and Experience, Special Issue IWPLS'09).
Slide 6: Robot certificates in a nutshell
Robot certificates have been introduced to allow users who are not familiar with handling personal certificates and do not belong to any VO to experience the Grid paradigm for research activities, reducing the initial barriers.
– They are extremely useful, for instance, to automate grid service monitoring, data processing production, distributed data collection systems, etc.;
– Basically, these certificates identify a person responsible for an unattended service or process acting as client and/or server.
Slide 7: The extended XML/Java EnginFrame framework
[Diagram: interaction between the User, the EnginFrame portal, the Admin and the L&B service; the numbered steps are:]
1. ask for a service
2. create a proxy with the robot certificate
2', 3'. track user
3. execute action
4. get output
5. get the results
6/7. query for accounting data (Admin, L&B)
Slide 8: The User Tracking System (1/2)
Slide 9: The User Tracking System (2/2)
Slide 10: Installation & Configuration (1/3)
Before installing PKI Client 4.55, the PCSC-lite, PCSC-lite-lib and CCID packages must be installed on your system.
– You may find these packages in your distribution's repository; they have dependencies on each other.
– Start the daemon: /etc/init.d/pcscd start
The eToken PKI Client includes all the necessary files and drivers to support eToken management.
– It also includes the eToken Properties configuration tool, which enables easy user management of the eToken password and name.
– Install: rpm -ivh pkiclient-full-4.55-34.i386.rpm
Slide 11: Installation & Configuration (2/3)
The Mkproxy-rhel4.tar.gz tarball contains all the required binaries for RHEL4-compatible platforms.
After unpacking the tarball, copy the files to their respective locations:
    cp -rp etoken/bin/* /usr/local/bin
    cp -rp etoken/lib/* /usr/local/lib
    cp -rp etoken/etc/openssl.cnf /usr/local/etc
Slide 12: Installation & Configuration (3/3)
Edit the /usr/local/mkproxy script and change the PKCS11_MOD environment variable.
The mkproxy script has been tested on:
– Windows XP (using cygwin) / Vista / 7
– Linux Fedora Core 5, 8, 9, 11, 12
– Linux CentOS 4, 5
– Scientific Linux 4 and 5
– Linux OpenSuse 10.1, 11.0, 11.1
– MacOS X 10.5 and higher
Slide 13: Administrating your eToken
Before starting, initialize your token, set the administrator password and upload your certificate.
To access the graphical Quick Function Menu, right-click the eToken icon in the system tray or go to Start -> Programs -> eToken -> eToken Properties.
Slide 14: Browsing the smart card
    $ pkcs11-tool --module=/usr/lib/libeTPkcs11.so -L
    Available slots:
    Slot 0           AKS ifdh 00 00
      token label:   eToken
      token manuf:   Aladdin Ltd.
      token model:   eToken
      token flags:   rng, login required, PIN initialized, token initialized, other flags=0x200
      serial num  :  001c33f9
    Slot 1           (empty)
    Slot 2           (empty)
    Slot 3           (empty)
    [..]
    Slot 16          (empty)
Slide 15: Creating grid proxies with mkproxy
If you have installed a single grid certificate on your eToken, you can now generate a grid proxy by issuing the command:
    mkproxy --label="Robot:MrBayes"
    Starting Aladdin eToken PRO proxy generation
    Found X.509 certificate on eToken:
      label: (eTCAPI) Robot:MrBayes – Giuseppe La Rocca's GILDA ID
      id: 39453945373335312d333545442d343031612d384637302d32384636363930363630423
    Your identity: /C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca
    Generating a 512 bit RSA private key..........++++++++++++......++++++++++++
    writing new private key to 'proxykey.D17633'
    -----
    engine "pkcs11" set.
    Signature ok
    subject=/C=IT/O=GILDA/L=INFN Catania/CN=Robot:Genius – Giuseppe La Rocca/CN=proxy
    Getting CA Private Key
    PKCS#11 token PIN:
    Your proxy is valid until: Sun Feb 24 03:58:09 CEST 2008-02-23
Add VOMS extensions by running the command: voms-proxy-init --noregen -voms
Slide 16: Supported APIs
The following APIs are supported in the Linux version of eToken PKI Client 4.55:
– Microsoft CryptoAPI
– The Cryptographic Token Interface (PKCS#11)
Slide 17: The Cryptographic Token Interface Standard (PKCS#11)
Java supports a set of native interfaces to interact with cryptographic tokens (e.g. hardware cryptographic accelerators and smart cards). The standard defines sixty prototypes for functions (referred to as the cryptoki library) that together can be used to perform a wide range of cryptographic mechanisms, including:
– digital signatures;
– public key ciphers;
– symmetric key ciphers;
– hash functions;
– etc.
The Sun PKCS#11 provider is supported on Solaris SPARC platforms (32-bit and 64-bit Java VM) and on x86-compatible platforms (Solaris, Linux and Windows). It is not supported, however, on 64-bit AMD64 and Itanium platforms.
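As an added example (not code from the presentation or the library it describes), the browsing step of slide 14 done from Java through the Sun PKCS#11 provider of slide 17: the module path is the one used with pkcs11-tool above, while the provider configuration string, the slot number, the label matching rule and the class name are assumptions.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class ETokenBrowser {
    // Path of the Aladdin PKCS#11 module, as used with pkcs11-tool on slide 14.
    static final String PKCS11_MOD = "/usr/lib/libeTPkcs11.so";

    /** Loads the PKCS#11 KeyStore; KeyStore.load() performs the C_Login with the user PIN. */
    public static KeyStore openToken(char[] pin) throws Exception {
        // Inline SunPKCS11 configuration: a leading "--" marks literal config text (Java 9+).
        // slot = 0 is the slot pkcs11-tool -L reported as holding the token (assumption).
        String config = "--name = eToken\nlibrary = " + PKCS11_MOD + "\nslot = 0\n";
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** Lists every object on the token; returns the alias whose label contains `label`, or null.
     *  Substring match because eToken labels carry a prefix such as "(eTCAPI) ..." (slide 15). */
    public static String findAlias(KeyStore ks, String label) throws Exception {
        String found = null;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("label: %s | subject: %s | private key: %s%n", alias,
                    c == null ? "-" : c.getSubjectX500Principal().getName(),
                    ks.isKeyEntry(alias) ? "yes" : "no");
            if (alias.contains(label) && ks.isKeyEntry(alias)) found = alias;
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("PKCS#11 token PIN: ");
        try {
            KeyStore ks = openToken(pin);
            String alias = findAlias(ks, "Robot:MrBayes");
            if (alias == null) throw new IllegalStateException("no key pair with that label on the token");
            // The private key object is only a handle: for a sensitive / non-extractable key (slide 4)
            // getEncoded() returns null, so any signature has to be delegated to the token.
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            System.out.println("key material exportable: " + (key.getEncoded() != null));
        } finally {
            java.util.Arrays.fill(pin, '\0');   // do not keep the PIN around in memory
        }
    }
}
```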
Slide 18: The “lightweight” crypto library (1/4)
The new “lightweight” crypto library has been designed and developed on top of the native PKCS#11 cryptographic API, the Bouncy Castle API and the Cog-jGlobus (ver. 1.8.0) API.
Slide 19: The “lightweight” crypto library (2/4)
The Bouncy Castle provider has been used to generate a self-signed certificate (the proxy certificate structure shown below):
    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.Date;
    import javax.security.auth.x500.X500Principal;
    import org.bouncycastle.x509.X509V3CertificateGenerator;

    // Generate the Proxy Certificate structure from the signing certificate `cert`,
    // its private key `privateKey`, the fresh proxy key pair `pair`, the proxy
    // subject `proxyDN`, the serial number `sn` and the validity window.
    X509Certificate buildProxy(X509Certificate cert, PrivateKey privateKey, KeyPair pair,
                               String proxyDN, BigInteger sn, Date firstDate, Date lastDate)
            throws Exception {
        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
        // Set the serial number for the certificate.
        certGen.setSerialNumber(sn);
        // Set the validity of the certificate.
        certGen.setNotBefore(firstDate);
        certGen.setNotAfter(lastDate);
        // Set the public key for the certificate (the new proxy key pair, not the signer's key).
        certGen.setPublicKey(pair.getPublic());
        // Set the issuer distinguished name: the subject of the signing certificate.
        certGen.setIssuerDN(cert.getSubjectX500Principal());
        // Set the signature algorithm of the new certificate.
        certGen.setSignatureAlgorithm(cert.getSigAlgName());
        // Set the subject.
        certGen.setSubjectDN(new X500Principal(proxyDN));
        // Generate the new certificate, signed with `privateKey`. The result must not be
        // assigned to `cert` again (that would redeclare the parameter and not compile).
        // When `privateKey` is a PKCS#11 key handle, use certGen.generate(privateKey, providerName)
        // so that the signature is computed on the token.
        return certGen.generate(privateKey);
    }
Slide 20: The “lightweight” crypto library (3/4)
The Cog-jGlobus APIs have been used to set up a GSI connection with the VOMS server of the given VO in order to add the VOMS Attribute Certificate (AC) to the original proxy certificate.
Slide 21: The “lightweight” crypto library (4/4)
Extract the AC from the payload and create a VOMS proxy. (Video)
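The slides above (19 to 21) build a proxy and then attach the VOMS AC; the check below is an added example (not part of the library) of what a portal should verify before it uses such a proxy: signature by the EEC, RFC 3820 / legacy naming, lifetime, and presence of the VOMS extension. The proxyCertInfo and VOMS AC OIDs are standard values; the class name and the exact rule set are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public final class ProxyCheck {
    static final String PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14";   // RFC 3820 proxyCertInfo
    static final String VOMS_AC_OID = "1.3.6.1.4.1.8005.100.100.5";   // VOMS attribute certificate

    /** Returns a one-line description of the proxy; throws if it is not acceptable. */
    public static String check(X509Certificate eec, X509Certificate proxy) throws GeneralSecurityException {
        // 1. Signature: the proxy must be signed with the EEC key (the one resident on the eToken).
        proxy.verify(eec.getPublicKey());
        // 2. Naming: issuer == EEC subject; subject == EEC subject plus exactly one extra CN.
        if (!proxy.getIssuerX500Principal().equals(eec.getSubjectX500Principal()))
            throw new CertificateException("proxy issuer does not match the EEC subject");
        String eecDn = eec.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String proxyDn = proxy.getSubjectX500Principal().getName(X500Principal.RFC2253);
        if (!proxyDn.endsWith("," + eecDn))
            throw new CertificateException("proxy subject does not extend the EEC subject");
        // RFC 2253 order puts the added RDN first, e.g. "CN=proxy" (escaped commas are not handled).
        String extraRdn = proxyDn.substring(0, proxyDn.length() - eecDn.length() - 1);
        if (!extraRdn.startsWith("CN=") || extraRdn.contains(","))
            throw new CertificateException("proxy must add a single CN, got: " + extraRdn);
        // 3. Lifetime: both valid now, and the proxy must not outlive its EEC.
        eec.checkValidity();
        proxy.checkValidity();
        if (proxy.getNotAfter().after(eec.getNotAfter()))
            throw new CertificateException("proxy expires after its EEC");
        // 4. Proxy type: RFC 3820 proxies carry a critical proxyCertInfo extension; the legacy
        //    (GT2) proxies mkproxy produces on slide 15 use the CN "proxy" or "limited proxy".
        String type;
        if (proxy.getExtensionValue(PROXY_CERT_INFO_OID) != null) {
            Set<String> critical = proxy.getCriticalExtensionOIDs();
            if (critical == null || !critical.contains(PROXY_CERT_INFO_OID))
                throw new CertificateException("proxyCertInfo extension must be critical");
            type = "RFC 3820 proxy";
        } else if (extraRdn.equals("CN=proxy") || extraRdn.equals("CN=limited proxy")) {
            type = "legacy GT2 " + extraRdn.substring(3);
        } else {
            throw new CertificateException("neither RFC 3820 nor legacy proxy naming: " + extraRdn);
        }
        // 5. VOMS: the attribute certificate added on slide 21 is carried in this extension.
        boolean voms = proxy.getExtensionValue(VOMS_AC_OID) != null;
        return type + (voms ? " with VOMS AC" : " without VOMS AC");
    }
}
```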
Slide 22: A real use case…
The highly customizable features of the Liferay portal have been combined with the EnginFrame 2010 framework to build a new e-Collaboration environment designed to give scientific researchers easy access to grid services;
R. Rotondo, R. Barbera, G. La Rocca, A. Falzone, P. Maggi and N. Venuti. Conjugating science gateways and grid portals into e-collaboration environments: the Liferay and GENIUS/EnginFrame use case. Proceedings of the 2010 TeraGrid conference, Pittsburgh, Pennsylvania, ISBN 978-1-60558-818-6, http://doi.acm.org/10.1145/1838574.1838575.
Slide 23: Conclusions
The Java SE platform provides developers with a large set of security APIs, algorithms, tools and protocols.
We have extended the PKCS#11 cryptographic library together with the Bouncy Castle and Cog-jGlobus Java APIs to implement a new security solution for the gLite Grid middleware.
The solution described in this paper can be used by users, applications, Grid portals and/or Science Gateways to generate VOMS proxies starting from the credentials stored on an eToken smart card.
Slide 24: References & Links