Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in gLite Gergely Sipos MTA SZTAKI

Published byShanon Lane Modified over 7 years ago

Similar presentations

Presentation on theme: "Security in gLite Gergely Sipos MTA SZTAKI"— Presentation transcript:

1 Security in gLite Gergely Sipos MTA SZTAKI sipos@sztaki.hu
With thanks for some slides to EGEE and Globus colleagues

2 What is Grid security? The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.” From ”The Anatomy of the Grid” by Ian Foster at. al So Grid Security is security to enable VOs What is needed in terms of security for a VO?

3 Virtual Organization concept
VO for each application, workload or community Carve out and configure resources for a particular use and set of users The more dynamic the better…

4 Problems at network level
Grid service User Participants of a grid communicate over the Internet How can communication endpoints be identified? Authentication How can a secure channel established between two partners? Encryption Non-repudiation Integrity

5 Problems at VO level Broker Storage Element User
Computing Element Broker Which networked entity belongs to a VO? Who does not? What are VO members allowed to do? Authorization How can services act on behalf of a user? How can a broker access the „user’s sites”? How can a job which is started by the broker access the user’s private data?

6 Security in grids Launch attacks to other sites
Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack. Illegal or inappropriate data distribution and access sensitive information Massive distributed storage capacity ideal for example, for swapping movies. Growing number of users have data that must be private – biomedical imaging for example Damage caused by viruses, worms etc. Highly connected infrastructure means worms could spread faster than on the internet in general.

7 Grid Security Infrastructure

8 Grid Security Infrastructure Security at network level:
Public key infrastructure (PKI)

9 Basis of security & authentication
Asymmetric encryption… …. and Digital signatures … A hash derived from the message and encrypted with the signer’s private key Signature is checked by decrypting with the signer’s public key Are used to build trust That a user / site is who they say they are And can be trusted to act in accord with agreed policies Encrypted text Private Key Public Key Clear text message

10 Basis of Public Key Infrastructure
Every networked entity (user/machine/software) is assigned with two keys: one private key and one public key it is impossible to derive the private key from the public one a message encrypted by one key can be decrypted only by the other one. Concept (simplified version): Public keys are exchanged The sender encrypts using receiver’s public key The reciever decrypts using their private key; Paul’s keys public private John Paul ciao 3$r Examples of [ublic key algorithms: Diffie-Helmann (1977) RSA (1978) The lengths of the keys, at the moment, varies from 512 bits (insecure) to 2048 bits. As the keys are much longer respect to those for symmetric algorithms, this kind of algorithms are much slower. For practical pourposes they are used togheter: first a temporary key for a symmetric algorithm is generated, which is used to encrypt the message, then the public key of the receiver is used to encrypt this key, which is sent (in encrypted form) together with the message. John Paul bye %i4 %i4 bye

11 PKI in action Encription Paul’s keys Non-repudiation
Encription with recipient’s public key Only recipient can decript the message Non-repudiation Naiv approach: encript message with sender’s private key Too costly for long messages Solution: generate hash of the message Encript hash with sender’s private key Attach encripted hash to message  Digital signature Additional benefit: Integrity (hash is constant) Paul’s keys public private John Paul ciao 3$r message Hash A Digital Signature Digital Signature

12 PKI in action – the big picture
Paul Paul’s keys message Digital Signature message Hash A private public Digital Signature Mutual authentication and exchanging public keys: SSL protocol John message John’s keys message Digital Signature Hash B = ? private public Hash A

13 Entity identity Since I’m the only one with access to my private key, you know I signed the data associated with it But, how do you know that you have my correct public key? ?

14 Public and private keys
Public key is wrapped into a “certificate file” Certificate files are created by trusted third parties: Grid Certification Authorities (CA) Private key is stored in encripted file – protected by a passphrase Prive key is created by the grid user Certificate Public key Subject:/C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) Optional Extensions 1. Hash of Public key & metadata, 2. Encript hash with CA’s private key CA Digital signature

15 Secure Socket Layer (SSL)
B Based on X.509 PKI: every Grid transaction is mutually authenticated: A sends his certificate; B verifies signature in A’s certificate using CA public certificate; B sends to A a challenge string; A encrypts the challenge string with his private key; A sends encrypted challenge to B B uses A’s public key to decrypt the challenge. B compares the decrypted string with the original challenge If they match, B verified A’s identity and A can not repudiate it. Repeat for A to verify B’s identity A’s certificate Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase

16 Certification Authorities
Grid users’ must generate private and public key Public key must be signed by a recognized CA CAs can establish a number of people “registration authorities” RAs: Personal visit to the nearest RA instead of the national CA CAs recognized by EGEE: Per continent Per country Per region

17 Issuing a grid certificate
Instructions, tutorials (should be) on CA homepages User generates public/private key pair in browser or in files. CA root certificate CA signature links identity and public key in certificate. CA informs user. Cert Request Public Key User sends public key to CA and shows RA proof of identity. Certification Authority Cert When CA informs the user that the certificate is ready, using the browser that already generated the key pair, the user downloads the certifiacte into the browser. The private key is already there and matches the public key in the certificate. State of Illinois ID Private Key encrypted on local disk: passphrase

18 User’s private key and certificate
Keep your private key secure if possible on a USB drive only Do not loan your certificate to anyone Report to your CA if your certificate has been compromised. Private key and certificate can: Stored in your browser Stored in files using different file format (PEM, P12, …) Typical situation on Globus, gLite, ARC middleware based grids: sipos]$ ls -l .globus/ total 8 -rw-r--r sipos users Oct usercert.pem -r sipos users Oct userkey.pem If your certificate is used by someone other than you, it cannot be proven that it was not you.

19 Problems at network level
Grid service User Members of a VO communicate over the Internet How can communication endpoints be identified? Authentication How can a secure channel established between two partners? Encryption Non-repudiation Integrity ü ü ü ü

20 Grid Security Infrastructure
Security at VO level

21 Grid services ~ agents: Need for delegation
Start this job for me on the “best” resource of biomed VO! Broker User Process - Authenticate and authorize user - Create process Remote process creation requests* Process Remote process creation requests* - Authenticate and authorize user - Create process Site A Site B Computing Element Computing Element Process Process - Authenticate and authorize user - Access file Remote file access request* Actually in gLite a job cannot submit another job because the WMS does not accept a second level proxy for submission. Site C knows you Site C * With mutual authentication Storage Element

22 Delegation of user identies by limited proxies
Delegation - allows remote process and services to authenticate on behalf of the user Remote process/service “impersonates” the user Achieved by creation of next-level private key–certificate pair from the user’s private key–certificate. New key-pair is a single file: Proxy credential Proxy private key is not protected by password Proxy may be valid for limited operations Proxy has limited lifetime The client can delegate proxies to services, processes Each service decides whether it accepts proxies for authentication

23 * With mutual authentication
Proxy in action Single sign-on via “grid-id” & generation of proxy cred. Broker Proxy credential User Remote process creation requests* Process Proxy credential Authorize Map to a local id Create process Generate credentials GSI-enabled server Process Proxy credential Ditto Remote process creation requests* GSI-enabled server Site A Site B Computing Element Computing Element Authorize Map to local id Access file Remote file access request* GSI-enabled Storage Element Site C * With mutual authentication Storage Element

24 Signed proxy certificate
Creating a proxy Proxy private key Certificate Request Proxy certificate Signed proxy certificate

25 Logging into the Grid: Creating a proxy credential
% voms-proxy-init  login to the Grid Enter PEM pass phrase: ******  private key is protected by a password Options for voms-proxy-init: VO name -hours <lifetime of new credential> -bits <length of key> -help % voms-proxy-destroy  logout from the grid Delegated credentials will not be revoked sipos]$ voms-proxy-init --voms gilda Enter GRID pass phrase: *********** Your identity: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Creating temporary proxy Done Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done Creating proxy Done Your proxy is valid until Sat Jun 23 04:55:

26 Basic services of gLite
User Interface Information System Resource Broker Submit job query Retrieve status & output create proxy publish state query Submit job Retrieve status & output File and Replica Catalog Computing Element Storage Element Site X process Authorization Service (VO Management Service)

27 voms-proxy-init in the background
User enters pass phrase, which is used to decrypt private key. New private and new public key-pair generated and saved into proxy file Original private key is used to sign the proxy file User’s private key not exposed after proxy has been signed User certificate file Private Key (Encrypted) Pass Phrase User Proxy Proxy file saved in /t m p the private key part of the Proxy is not encrypted: proxy lifetime is short (typically 12 h) to minimize security risks. NOTE: No network traffic during proxy creation!

28 Logging out from the Grid: Destroying the proxy credential
voms-proxy-init ≡ “login to the Grid” To “logout” you have to destroy your proxy: voms-proxy-destroy This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes To gather information about your proxy: voms-proxy-info Options for printing proxy information -subject -issuer -type timeleft -strength -help

29 Joining a VO Obtaining certificate: Annually Joining VO: Once
Users (and machines) are identified by certificates. Steps User obtains certificate from Certification Authority User registers at the VO usually via a web form VO manager authorizes the user VO DB updated User information is replicated onto VO resources within 24 hours CA List of EGEE VOs: On CIC Operations Portal Joining VO: Once VO manager VO Membership Service Replicating VOMS DB once a day VOMS database Grid sites User’s identity in the Grid = Subject of certificate: $ grid-cert-info -subject /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely

30 Controlling user rights at VO level: Virtual Organization Membership Service
VO can have groups Different rights for each Different groups of experimentalists Nested groups VOMS has roles Assigned to specific purposes E,g. system admin When assume this role VO members belong to one/more groups and can have extra roles VOMS: roles are supported in VO, proxy contains VO infomration unlike in GSI “blahp” another q manager. Jobs come via torgu Now gLite 1.1 IN gLite 1.2, from ~22 July (?) R-GMA only, not BDII (slow with updates), R-GMA better w realtime

31 voms-proxy-init: what really happens in the background
Creates a proxy locally Contacts the VOMS server and extends the proxy with a role VOMS server signs the proxy Sites of the VO recognise and accept signature of VOMS voms-proxy-init –voms gilda Allows VOs to centrally manage user roles Proxy + VOMS roles Proxy

32 Controlling user rights on sites: Pool accounts
VOMS role: administrator Map grid request to a local UNIX user from pool 3 Local Linux user pool 1 Students Grid site Local Linux user pool 2 Proxy + VOMS role Researchers Local Linux user pool 3 VO administrators The grid user can perform those actions on the site that any Linux user from pool 3 is allowed to

33 gLite security summary
User obtains certificate from Certificate Authority Import it into your browser Have it on a User Interface User selects and joins VO User connects to UI by ssh Create proxy Submit jobs, manage files, … Annually CA Once VO mgr UI VOMS VO database GSI

34 User Responsibilities 2.
Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

35 MyProxy server You may need:
To interact with a grid from many machines And you realise that you must NOT, EVER leave your certificate where anyone can find and use it…. Your job may need a long proxy And you should keep the lifetime of delegated proxy short Solution: you can store a long term proxy in a “MyProxy server” and derive a short living proxy certificate when needed MyProxy ~ storage server for proxy files

36 myproxy-get-delegation myproxy-get-delegation
MyProxy example UI MyProxy Server (myproxy-init) Proxy Certificate Private key myproxy-get-delegation myproxy-get-delegation Portal WEB Browser the Grid any grid service Proxy

37 Summary - To become an EGEE user
Obtain a certificate from a recognized CA:  1 year long, renewable certificates, accepted in every EGEE VO Find and register at a VO EGEE NA4 - CIC Operations portal: Use the grid: command line clients and APIs installed on the User Interface (UI is mainaned by the VO / your institute / you) voms-proxy-init –voms <voName> voms-proxy-destroy Portals Might require interaction with MyProxy

38 Outline of security practicals
Security basics: Investigate your certificate Create proxy with voms extension Investigate your proxy Destroy your proxy Typically delivered at the beginning of job management practical

39 Thank you! Questions?

Download ppt "Security in gLite Gergely Sipos MTA SZTAKI"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Introduction to EGEE hands-on Gergely Sipos.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to EGEE hands-on Gergely Sipos.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

Similar presentations

Ads by Google