Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 1 Managing Confidential Data in the gLite Middleware – The Secure Storage.

Published bySolomon Horn Modified over 8 years ago

Similar presentations

Presentation on theme: "Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 1 Managing Confidential Data in the gLite Middleware – The Secure Storage."— Presentation transcript:

1 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 1 Managing Confidential Data in the gLite Middleware – The Secure Storage Service Fabio Scibilia per conto di - Diegi Scardaci (INFN Catania) - Giordano Scuderi (UNICO srl - Catania) Seconda Scuola su aspetti pratici del grid computing Trieste, 1-12 Dic. 2008

2 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 2 Outline Data Encryption and Secure Storage –Insider Abuse: Problem and Solution The Secure Storage Service for the gLite Middleware: –Command Line Applications –Application Program Interface –The Keystore

3 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 3 Data Encryption and Secure Storage The Secure Storage project is carried out by UNICO S.R.L. (http://www.unicosrl.it/) in collaboration with INFN Catania.http://www.unicosrl.it/ The objective of the project is to create a mechanism to store in a secure way and in an encrypted format data on the grid storage elements. Thanks to this solution we want to solve the insider abuse problem.

4 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 4 Insider Abuse: Problem A grid user could store sensitive data in a Storage Elements managed by external organizations. Storage Elements Administrators could access data (but the data are sensitive!). For this reason data MUST be stored in an encrypted format. Data Encryption/Decryption MUST be performed inside user secure environment (for example inside the user’s organization).

5 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 5 SE KeyStore SE USER (VIRTUAL) ORGANIZ ATION Key File Encryption /Decryption Encrypted File Insider Abuse: A Solution SECURE ENVIRONMENT

6 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 6 A Secure Storage service for the gLite Middleware Provides gLite users with suitable and simple tools to store confidential data in storage elements in a transparent and secure way. The service is composed by the following components: Command Line Applications: commands integrated in the gLite User Interface to encrypt/upload and decrypt/ download files. Application Program Interface: allows the developer to write programs able to manage confidential data. Keystore: a new grid element used to store and retrieve the users’ keys.

7 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 7 Command Line Applications We provide a new set of commands on the gLite User Interface: –Like lcg-utils commands, but they work on encrypted data. –Encryption and decryption process are transparent to the user. –Example (copy a local file on a GRID Storage Element): lcg-cr -d -L lcg-scr -d -L These commands allow to make the main Data Management operations: –Copy data/file on Storage Elements –Read data/file from Storage Elements –Delete data/file on Storage Elements –….

8 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 8 Command Line Applications Main Commands: – lcg-scr  encrypts a file and uploads it on a storage element, registering its Logical File Name in a LFC catalog. Moreover, it stores the key used to encrypt the file in a key repository. An ACL will be associated to each key on the repository. This ACL will contain all users authorized to access the file. – lcg-scp  downloads an encrypted file, gets the key to decrypt the file from the repository, decrypts the file and store it on a local file-system. Only authorized users (inserted into an ACL ) can access the key necessary to decrypt the file. – lcg-sdel  deletes one or all the replicas of a file. It also deletes the key associated to this file (only if you delete the last replica!)

9 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 9 Command Line Applications lcg-scr: lcg-scp:

10 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 10 Command Line Applications lcg-sdel:

11 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 11 Command Line Applications Man pages available:

12 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 12 Command Line Applications details Details about the main commands: –lcg-scr –lcg-scp

13 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 13 lcg-scr: Encryption and Storage

14 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 14 lcg-scp: Retrieval and Decryption

15 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 15 Command Line Interface details Encryption Algorithm: –The command line applications use AES (Advanced Encryption Standard) with 256 bit key length. Main development problems: –GFAL does not allow to create a new file using a LFN as input  It is necessary to use lower level API. –It is not possible to use standard (last version) OpenSSL library  Conflicts with OpenSSL version used by Globus.  New routines for encryption/decryption and keys generation are been developed.

16 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 16 Secure Storage API Secure Storage C API ( like lcg API encrypt and decrypt entire file ): –int lcg_scr ( char *src_file, char *dest_file, char *guid, char* lfn, char *vo, char *relative_path, char *conf_file, int insecure, int verbose, char *actual_gid ); –int lcg_scp ( char *src_file, char *dest_file, char *vo, char *conf_file, int insecure, int verbose ); –int lcg_sdel ( char *src_file, int aflag, char *se, char *vo, char *conf_file, int insecure, int verbose, int timeout); To use Secure Storage C API add in your code: –#include “securestorage.h”

17 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 17 Secure Storage API 2 Development of API like GFAL ( encrypt and decrypt block of data ):  int securestorage_open( char *lfn, int flags, mode_t mode );  int securestorage_write ( int fd, void *buffer, size_t size );  int securestorage_read ( int fd, void *buffer, size_t size );  int securestorage_close ( int fd ); Read and Write encrypted data like plain data! –open –read/write –close

18 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 18 The Keystore (1) The Keystore is a new grid element used to store and retrieve the users’ key in a secure way. The Keystore: is identified by an host X.509 digital certificate; all its Grid transactions are mutually authenticated and encrypted as required by the GSI model; should be placed in a trusted domain and should be appropriately protected by undesired connections; is a black box with a single interface towards the external world. This interface accepts only GSI authenticated connections;

19 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 19 The Keystore (2) The Keystore: the client request is processed only if the client is a member of a enabled users list and/or it belongs to an enabled Virtual Organization; if the client want to retrieve a key, the keystore checks if the request is coming from an authorized user inserted on the ACL associated to the request key.

20 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 20 Refernces Wiki page –https://grid.ct.infn.it/twiki/bin/view/GILDA/GILDASecureStoragehttps://grid.ct.infn.it/twiki/bin/view/GILDA/GILDASecureStorage –At the bottom of the page you can download an AVI clip Web page –http://securestorage.sourceforge.net/http://securestorage.sourceforge.net/

21 www.ccr.infn.it http://grid.infn.it/ Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 21 Any questions ?

Download ppt "Scuola Grid INFN, Trieste, 1-12 Dic. 2008 - 1 Managing Confidential Data in the gLite Middleware – The Secure Storage."

Similar presentations

Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
1 CHEP 2000, 10.02.2000Roberto Barbera Tests of data management services in EDG 1.2 ALICE Off-line Week, 09-13.09.2002.

1 CHEP 2000, Roberto Barbera Tests of data management services in EDG 1.2 ALICE Off-line Week,
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
11 DICOM Image Communication in Globus-Based Medical Grids Michal Vossberg, Thomas Tolxdorff, Associate Member, IEEE, and Dagmar Krefting Ting-Wei, Chen.

11 DICOM Image Communication in Globus-Based Medical Grids Michal Vossberg, Thomas Tolxdorff, Associate Member, IEEE, and Dagmar Krefting Ting-Wei, Chen.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug 2009 1.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
1 School of Computer, National University of Defense Technology A Profile on the Grid Data Engine (GridDaEn) Xiao Nong

1 School of Computer, National University of Defense Technology A Profile on the Grid Data Engine (GridDaEn) Xiao Nong
EGEE-III INFSO-RI- 222667 Enabling Grids for E-sciencE www.eu-egee.org The Medical Data Manager : the components Johan Montagnat, Romain Texier, Tristan.

EGEE-III INFSO-RI Enabling Grids for E-sciencE The Medical Data Manager : the components Johan Montagnat, Romain Texier, Tristan.
1 HeMoLab - Porting HeMoLab's SolverGP to EELA glite Grid Environment FINAL REPORT Ramon Gomes Costa - Paulo Ziemer.

1 HeMoLab - Porting HeMoLab's SolverGP to EELA glite Grid Environment FINAL REPORT Ramon Gomes Costa - Paulo Ziemer.
The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.

The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) GISELA Additional Services Diego Scardaci

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) GISELA Additional Services Diego Scardaci
The Grid System Design Liu Xiangrui Beijing Institute of Technology.

The Grid System Design Liu Xiangrui Beijing Institute of Technology.
Group 1 : Grid Computing Laboratory of Information Technology Supervisors: Alexander Ujhinsky Nikolay Kutovskiy.

Group 1 : Grid Computing Laboratory of Information Technology Supervisors: Alexander Ujhinsky Nikolay Kutovskiy.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE middleware: gLite Data Management EGEE Tutorial 23rd APAN Meeting, Manila Jan.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE middleware: gLite Data Management EGEE Tutorial 23rd APAN Meeting, Manila Jan.
Www.eu-eela.eu E-science grid facility for Europe and Latin America Using Secure Storage Service inside the EELA-2 Infrastructure Diego Scardaci INFN (Italy)

E-science grid facility for Europe and Latin America Using Secure Storage Service inside the EELA-2 Infrastructure Diego Scardaci INFN (Italy)
Enabling Grids for E-sciencE Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, 13-14 November 2008.

Enabling Grids for E-sciencE Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, November 2008.
MTA SZTAKI Hungarian Academy of Sciences Introduction to Grid portals Gergely Sipos

MTA SZTAKI Hungarian Academy of Sciences Introduction to Grid portals Gergely Sipos

Similar presentations

Ads by Google