Published by Shauna Miles, modified over 8 years ago
Slide 1: Setting up and Managing a National CA for GRID Computing
Ghassan SABA, HIAST
Regional Seminar on Identity Management and E-signatures, Damascus, 29-31 October 2007
Slide 2: Outline
- What are Grids?
- Security in the GRID
- GRID Certificates
- HIAST Plan to be Syria's CA for GRID computing
- CP/CPS preparation
- CA design issues
Slide 3: What are Grids?
- A set of services over the Internet allowing geographically dispersed users to share: computer power, data storage capacity, remote instrumentation.
- Grid computing is a particular example of distributed computing, based on the idea of sharing resources on a global scale.
Slide 4: What Grid is About: Aggregation in Virtual Organizations
(Figure: resources R from different sites aggregated into the virtual organizations VO-A and VO-B.)
- Distributed resources and people
- Linked by networks, crossing administrative domains
- Sharing resources, common goals
- Dynamic behaviours
- Fault-tolerant
Slide 5: What is a VO?
- Virtual organizations (VOs) are collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion.
- Users can join several VOs, while resource providers also partition their resources among several VOs.
Slide 6: Requirements for Grid computing
- Authentication and authorization: a system providing secure access to resources
  - secure communication, secure data, resources, etc.
  - security across organisational boundaries
  - single sign-on for users of the Grid
- A mechanism (middleware) for managing and allocating resources to users and applications
- A reliable, high-performance network connection amongst resources
Slide 7: Need for a new security standard
- Several security standards exist: Public Key Infrastructure (PKI), Secure Socket Layer (SSL), Kerberos.
- A common security standard is needed for Grid services: the standards above do not meet all Grid requirements (e.g. delegation, single sign-on).
- The Grid community mainly uses X.509 PKI for the Internet: well established and widely used (also for www, e-mail, etc.).
Slide 8: Why is Grid Security Hard?
- Dynamic formation and management of virtual organizations (VOs)
- VO resources and users are often located in distinct administrative domains
- Interactions are not just client/server, but service-to-service on behalf of the user:
  - requires delegation of rights by the user to the service
  - services may be dynamically instantiated
- Policy from sites, VOs and users needs to be combined, and it comes in varying formats
- We want to hide as much as possible from applications!
(Slide based on a presentation given by Carl Kesselman at GGF Summer School 2004.)
Slide 9: The Grid Trust solution
- Instead of setting up trust relationships at the organizational level, set up trust at the user/resource level.
- Grid users must belong to a Virtual Organization: a set of users belonging to a collaboration.
  - Each VO user has the same access privileges to Grid resources.
  - VOs maintain a list of their members; the list is downloaded by Grid machines to map user certificate subjects to local "pool" accounts.
  - Sites decide which VOs to accept.
- Users are able to set up dynamic trust domains: a personal collection of resources working together based on trust of the user.
Slide 10: Use Delegation to Establish a Dynamic Distributed System
(Figure with the labels: Compute Center, Rights, VO Service.)
Slide 11: Proxy
- Consists of a new certificate with new public and private keys and the owner's identity (/CN=proxy added to the name).
- The certificate is signed by the owner (not by the CA).
- Proxies are given limited lifetimes.
- The proxy's private key does not need to be kept as secure as the owner's private key: setting file permissions is usually sufficient.
Slide 12: Proxy Certificates
(Figure only.)
Slide 13: Grid Security Infrastructure (GSI)
- De facto standard for Grid middleware, based on PKI.
- Implements some important features:
  - Single sign-on: no need to give one's password every time
  - Delegation: a service can act on behalf of a person
  - Mutual authentication: both sides must authenticate to the other
- Introduces proxy certificates: short-lived certificates including their private key and signed with the user's certificate.
- Proxies provide "single sign-on": they enable the user and its agents to acquire additional resources without repeated authentication (passwords).
Slide 14: GSI General Overview
- PKI (CAs and certificates) for credentials
- SSL/TLS for authentication and message protection
- Proxies and delegation (GSI extensions) for secure single sign-on
(Based on a slide from the Globus Tutorial.)
Slide 15: X.509 certificates and authentication
Authentication of A to B (figure):
1. A sends A's certificate to B.
2. B verifies the CA signature on the certificate.
3. B sends a random phrase to A.
4. A encrypts the phrase with A's private key and returns the encrypted phrase.
5. B decrypts it with A's public key and compares the result with the original phrase.
Structure of an X.509 certificate:
- Public key
- Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
- Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
- Expiration date: Aug 26 08:08:14 2005 GMT
- Serial number: 625 (0x271)
- CA digital signature
Slide 16: Grid Certificates (X.509)
- X.509 is an ITU standard: ITU-T Recommendation X.509 (1997 E), Information technology - Open Systems Interconnection - The Directory: Authentication Framework.
- Defines a certificate format (originally based on the X.500 Directory Access Protocol); latest standard: X.509 version 3 certificate format.
- An X.509 certificate includes:
  - user identification (someone's subject name)
  - public key
  - a "signature" from a Certificate Authority (CA) that proves the certificate came from the CA, vouches for the subject name, and vouches for the binding of the public key to the subject.
Slide 17: Involved entities
(Figure.)
- User: public key, private key, certificate
- Certificate Authority (CA)
- Resource (site offering services)
Slide 18: Certificate Authorities
- Issue certificates for users, programs and machines.
- Check the identity and the personal data of the requestor; Registration Authorities (RAs) do the actual validation.
- Manage Certificate Revocation Lists (CRLs), which contain all the revoked certificates that have not yet expired.
- CA certificates are self-signed (Name: CA; Issuer: CA; CA's public key; CA's signature).
Slide 19: Certificate Request
(Figure: the private key stays encrypted on the local disk; the certificate request carries the public key and ID to the Certificate Authority, which returns the certificate.)
1. The user generates a public/private key pair.
2. The user sends the public key to the CA along with proof of identity.
3. The CA confirms the identity, signs the certificate and sends it back to the user.
(Slide based on a presentation given by Carl Kesselman at GGF Summer School 2004.)
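The request flow of slides 15 to 19 (user key pair, CSR, CA signature, verification by a relying party) and the proxy certificate of slides 11 to 13, as an added shell example using OpenSSL. This is not code from the presentation or from HIAST: the CA name "HIAST Test CA", the user "Alice Example", the passphrase, the key sizes and the lifetimes are constructed placeholders. It goes one step beyond the slides in two places: the relying-party checks show that a verifier has to opt in to RFC 3820 proxy certificates explicitly, and the challenge of slide 15 is checked as a signature, which is what the slide's "encrypt with A's private key" means in practice.

```shell
#!/bin/sh
# Added example, not code from the slides or from HIAST: the request flow of
# slides 15-19 (user key pair -> CSR -> CA signature -> verification) and the
# proxy certificate of slides 11-13, done with OpenSSL. "HIAST Test CA",
# "Alice Example" and the passphrase are constructed placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"
ALICE_PASS='demo-only-passphrase'   # constructed; a real user never shares it

# Private config so the run does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused, every request below passes -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_proxy ]
proxyCertInfo = critical, language:id-ppl-inheritAll, pathlen:0
keyUsage = critical, digitalSignature
EOF

# 1. CA: self-signed root certificate (slide 18: CA certificates are self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf -extensions v3_ca \
    -subj '/C=SY/O=HIAST/OU=GRID/CN=HIAST Test CA' -keyout ca.key -out ca.crt

# 2. User: key pair generated locally, private key encrypted on disk; only the
#    CSR (public key + subject name) goes to the CA. The CA never sees the key.
openssl genrsa -aes256 -passout "pass:$ALICE_PASS" -out alice.key 2048
openssl req -new -key alice.key -passin "pass:$ALICE_PASS" -config ca.cnf \
    -subj '/C=SY/O=HIAST/OU=GRID/CN=Alice Example' -out alice.csr

# 3. CA, after the RA has confirmed the identity: sign the CSR, one-year lifetime.
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
    -extfile ca.cnf -extensions v3_user -out alice.crt

# 4. Proxy (slides 11-13): fresh key pair, subject = user's DN + "/CN=proxy",
#    signed with the USER's key (not the CA's), short lifetime, unencrypted key
#    protected by file permissions only. openssl x509 counts lifetime in days;
#    the usual GSI proxy lifetime is a few hours.
openssl req -new -newkey rsa:2048 -nodes -keyout proxy.key -config ca.cnf \
    -subj '/C=SY/O=HIAST/OU=GRID/CN=Alice Example/CN=proxy' -out proxy.csr
openssl x509 -req -in proxy.csr -CA alice.crt -CAkey alice.key -passin "pass:$ALICE_PASS" \
    -CAcreateserial -days 1 -extfile ca.cnf -extensions v3_proxy -out proxy.crt
chmod 600 proxy.key

# Relying-party checks; each prints "<file>: OK" on success.
verify_user()  { openssl verify -CAfile ca.crt alice.crt; }
verify_proxy() { openssl verify -allow_proxy_certs -CAfile ca.crt -untrusted alice.crt proxy.crt; }
# A verifier that has not opted in to RFC 3820 proxies must reject the chain,
# because the proxy is issued by a certificate that is not a CA.
proxy_rejected_by_default() { ! openssl verify -CAfile ca.crt -untrusted alice.crt proxy.crt >/dev/null 2>&1; }

# Slide 15's challenge: B sends a random phrase, A signs it with the private key
# (the slide's "encrypt with A's private key"), B checks the signature with the
# public key taken from A's CA-signed certificate. Prints "Verified OK".
challenge_response() {
    openssl rand -hex 32 > challenge.txt
    openssl dgst -sha256 -sign alice.key -passin "pass:$ALICE_PASS" -out challenge.sig challenge.txt
    openssl x509 -in alice.crt -pubkey -noout > alice.pub
    openssl dgst -sha256 -verify alice.pub -signature challenge.sig challenge.txt
}
# A signature over one phrase must not verify for a different phrase (no replay).
tampered_challenge_rejected() {
    challenge_response >/dev/null
    printf 'x' >> challenge.txt
    ! openssl dgst -sha256 -verify alice.pub -signature challenge.sig challenge.txt >/dev/null 2>&1
}

verify_user; verify_proxy; challenge_response
```

The same `openssl verify` call with and without `-allow_proxy_certs` is the point to take away for a site administrator: Grid middleware that accepts proxies (GSI) enables that check deliberately, and any other TLS server fed a proxy certificate will, correctly, refuse it.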
Slide 20: Authorisation Requirements
- Detailed user rights are assigned: a user can have certain group memberships and roles.
- Involved parties:
  - Resource providers: keep full control of access rights.
  - The user's Virtual Organisation: members of a certain group should have the same access rights independent of the resource.
- Resource provider and VO must agree on authorisation: resource providers evaluate the authorisation granted by the VO to a user and map it into local credentials to access resources.
Slide 21: HIAST Plan to be Syria's CA for GRID computing
HIAST was nominated in 2006 to be the Registration Authority (RA) for the GRID computing community in Syria. We are now working on the following points:
1. Studying how to meet all EUGRIDPMA requirements until acceptance
2. Subscribing to the EUGRIDPMA mailing list
3. Evaluating and checking the CP/CPS documents published by other CAs
4. Writing a draft of HIAST's CP/CPS document
5. Evaluating the options to begin acquisition and subsequent installation of the necessary hardware and software
6. Developing a secure website to be the interface for certificate requests and to help users find all information regarding the CA, CRL, CP/CPS documents and contact information
7. Interacting with EUGRIDPMA to review all the above steps in detail
8. Setting up the CA and making it operational
9. Getting the accreditation and announcing the service
Slide 22: The main points which will be covered in the CP/CPS document
- CP (Certificate Policy): establishes WHAT participants must do.
- CPS (Certification Practice Statement): discloses HOW the participants perform their functions and implement controls.
1. CA role:
- Issuing certificates and CRLs
- Publishing the issued certificates and CRLs
- Managing all the hardware and software
Slide 23: The main points which will be covered in the CP/CPS document (cont'd)
2. RA role:
- Authenticating the user who makes the request
- Verifying the information provided by the user
- Notifying the CA of all requests
3. Request types:
- Certificate request
- Renewal request
- Revocation request
4. Certificate types:
- Personal certificate
- Server/host certificate
- Service certificate
Slide 24: The main points which will be covered in the CP/CPS document (cont'd)
5. The procedure in detail will include:
- How to design secure certificate requests (new, renewal and revocation)
- How to validate the identities of certificate requesters
- Means of authentication
- Communication between the CA and the RA
6. The required CA equipment:
- Dedicated computer system not connected to the network
- Software needed (OpenCA)
7. Physical control and security
Slide 25: Role of the Certification Authority
- Verifies certificate request information
- Generates and digitally signs the certificate
- Revokes the certificate if information changes
- Revokes the certificate if the private key is disclosed
- Supports certificate hierarchies
Slide 26: Certificate Policy (CP)
- Who is responsible for the RA/CA operation?
- What is the community served?
- What are the rules for identifying Subjects?
- What's in a certificate?
- What constraints are there on operation of the CA?
- What must be done if something goes wrong?
Slide 27: CA Design issues
Main points to cover in the design:
- Structure of the CA: online or offline?
- Structure of the RA network
- CA/RA responsibilities
- Identity validation process for new certificate requests
- Secure communication between the RAs and the CA
- Properties of CA, user, host and service certificates and private keys (refer to RFC 3280 for the certificate profile):
  - certificate extensions
  - passphrase for private keys
Slide 28: CA Design issues (2)
Main points to cover in the design (cont'd):
- Structure your CP/CPS as defined in RFC 3647
- Define revocation situations and the CRL (Certificate Revocation List) lifetime (refer to RFC 3280 for the CRL profile)
- Describe certificate request handling clearly
- Security of the dedicated CA (physical security, how to keep the private key and passphrase of the root CA certificate)
- Web repository: what to publish on the CA website
- Specify necessary records and archives
- Define a CA disaster recovery plan
Slide 29: CP/CPS Preparation
1. Make a request for an OID arc. Every CP/CPS version of every CA must have a unique object identifier, so the organization responsible for operating the CA must have a valid OID arc. There are two alternatives to obtain one:
   1. Apply to IANA for an OID arc (http://www.iana.org/cgi-bin/enterprise.pl); it takes almost two months! HIAST's OID is 1.3.6.1.4.1.27601.
   2. Apply to IGTF for an OID arc (http://www.eugridpma.org/objectid/).
Slide 30: Establish your CA website
The CA web repository must include:
- General info about your CA (homepage)
- CA root certificate
- CRL URL
- CP/CPS policy document
- Official contact e-mail address of the person responsible for the CA
- Physical postal contact address
- SSL-protected web form for certificate requests (either via OpenCA or your own scripts)
Slide 31: Operational Requirements
- The CA must protect its private key appropriately.
- The CA must not generate key pairs for Subjects.
- Certificate management:
  - Revocation is required at Basic or higher LOA: it requires a standard CRL, allows for OCSP, and the Relying Party is required to check for revocation.
  - Suspension is not used.
- Security audit procedure: covers everything that might affect the CA or RA.
Slide 32: Physical, Procedural and Personnel Security Controls
CA roles:
- Administrator: sysadmin; installs and configures
- Officer: approves issuance and revocation of PKCs (public key certificates)
- Operator: routine system operation and backup
- Auditor: reviews syslogs; oversees external audit
Separation of roles is required:
- at least 2 people (Admin./Op. and Officer/Auditor)
- at least 3 at higher LOAs
- some tasks require action by 2 out of 4 persons
Slide 33: Installation of CA
- X.509-standard public key infrastructure (PKI) is used in Grid Certification Authorities.
- OpenSSL is the preferred tool for X.509 operations, including creating and signing certificate requests, issuing CRLs, revoking certificates and renewing certificates. See the main openssl commands at http://www.openssl.org/docs/apps/openssl.html
- You have two main alternatives to set up your CA:
  - write your own scripts
  - install and run OpenCA
Slide 34: Install and run OpenCA
- You can download and install the free software OpenCA for your CA/RA operations, including online certificate requests: http://www.openca.org/
- It uses OpenLDAP, OpenSSL and Apache facilities.
- It is suitable for a large-scale CA.
Slide 35: Maintenance of CA
Below are the most important issues to follow for a successful operation:
- Prepare the environment for a dedicated offline CA machine.
- Maintain CA protection at best effort (smart card, security personnel, safes...).
- Train your RA personnel.
- Always keep secure communication between the RAs and the CA.
- Keep your RA staff as distributed as possible (local RAs for identity validation).
Slide 36: Maintenance of CA (2)
Most important issues for CA maintenance:
- Give importance to identity validation (face-to-face meeting, checking an ID card).
- React immediately to revocation circumstances.
- Be on time for periodic CRL issuing and publishing.
- Know the OpenSSL commands well.
- Make sure you keep the accurate records you have stated in your CP/CPS.
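The revocation and CRL cycle that slides 28, 31 and 36 call for (define revocation situations and the CRL lifetime, the relying party must check revocation, be on time with CRL publishing), as an added shell example driven by `openssl ca` and its text database. This is not code from the presentation or from HIAST: the CA name, the host name ce01.grid.example, the 7-day CRL lifetime and the revocation reason are constructed placeholders, chosen only to show the mechanics.

```shell
#!/bin/sh
# Added example, not code from the slides or from HIAST: the revocation / CRL
# cycle of slides 28, 31 and 36 with "openssl ca" and its database files
# (index.txt, serial, crlnumber). Names and lifetimes are constructed placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Private config: "dir = ." because we run inside $WORK.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused, every request below passes -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = grid_ca
[ grid_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7          # CRL lifetime: a new CRL must be published before this runs out
policy           = policy_any
x509_extensions  = v3_host
[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ v3_host ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ce01.grid.example
EOF

# CA database: empty index, first serial and first CRL number, self-signed root.
init_ca() {
    mkdir -p newcerts
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf -extensions v3_ca \
        -subj '/C=SY/O=HIAST/OU=GRID/CN=HIAST Test CA' -keyout ca.key -out ca.crt
}
# Host certificate issued through the database, so it can be revoked later.
issue_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout host.key -config ca.cnf \
        -subj '/C=SY/O=HIAST/OU=GRID/CN=ce01.grid.example' -out host.csr
    openssl ca -batch -config ca.cnf -in host.csr -out host.crt -notext
}
# Periodic step of slide 36: sign a fresh CRL (valid default_crl_days) for the web repository.
publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem; }
# Relying-party view (slide 31): verify WITH revocation checking. Prints OK or revoked.
check_status() {
    if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem host.crt 2>&1); then
        echo OK
    else
        case $out in *"certificate revoked"*) echo revoked ;; *) echo "error: $out" ;; esac
    fi
}
# Revocation situation of slide 28 (here: the host's private key was disclosed).
revoke_host_cert() { openssl ca -config ca.cnf -revoke host.crt -crl_reason keyCompromise; }
# When the published CRL expires; relying parties refuse the CA if this date passes.
crl_next_update() { openssl crl -in crl.pem -noout -nextupdate; }

init_ca; issue_host_cert; publish_crl
STATUS_BEFORE=$(check_status)       # OK: a CRL exists and is empty
revoke_host_cert; publish_crl       # revocation is invisible until the new CRL is published
STATUS_AFTER=$(check_status)        # revoked
echo "before: $STATUS_BEFORE, after: $STATUS_AFTER, $(crl_next_update)"
```

Note the order of the last lines: `revoke_host_cert` only marks the entry `R` in index.txt; relying parties keep accepting the certificate until `publish_crl` has run and the new CRL has reached the repository, which is exactly why slide 36 insists on immediate reaction and punctual CRL publishing.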
Slide 37: Acknowledgements
Some slides of this presentation are taken or inspired from the following presentations and/or web sites:
- Carl Kesselman, GRID Security Overview, GGF Summer School 2004
- Asli Zengin, Tutorial for Certification Authority Managers, Rome, 12.09.2006
- Heinz Stockinger, Grid Security, EMBRACE Grid Tutorial, Helsinki, 16 June 2006
- Globus web site, www.globus.org
Slide 38: Thank you for your attention