Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security, Authorisation and Authentication

Published byMarianna Jade Manning Modified over 6 years ago

Similar presentations

Presentation on theme: "Security, Authorisation and Authentication"— Presentation transcript:

1 Security, Authorisation and Authentication
Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre

2 Grid Security Infrastructure Encryption & Data Integrity
Security Overview Security Authentication Grid Security Infrastructure Encryption & Data Integrity Authorization

3 The Problems - 1 User Resource
How does a user securely access the Resource without having an account with username and password on the machines in between or even on the Resource? How does the Resource know who a user is? How are rights controlled? Authentication: how is identity of user/site communicated? Authorisation: what can a user do? Authentication, Authorisation and Security

4 The Problems -2: reducing vulnerability
Launch attacks to other sites Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack. Illegal or inappropriate data distribution and access sensitive information Massive distributed storage capacity ideal for example, for swapping movies. Growing number of users have data that must be private – biomedical imaging for example Damage caused by viruses, worms etc. Highly connected infrastructure means worms could spread faster than on the internet in general. Authentication, Authorisation and Security

5 Basis of security & authentication
Asymmetric encryption… …. and Digital signatures … A hash derived from the message and encrypted with the signer’s private key Signature is checked by decrypting with the signer’s public key Are used to build trust That a user / site is who they say they are And can be trusted to act in accord with agreed policies Encrypted text Private Key Public Key Clear text message Authentication, Authorisation and Security

6 Public Key Algorithms Paul’s keys private public
Every user has two keys: one private and one public: it is impossible to derive the private key from the public one; a message encrypted by one key can be decrypted only by the other one. Public keys are exchanged Concept - simplified version: The sender encrypts using his private key The receiver decrypts using senders public key; The number of keys is O(n) Paul’s keys public private Paul John ciao 3$r Examples of [ublic key algorithms: Diffie-Helmann (1977) RSA (1978) The lengths of the keys, at the moment, varies from 512 bits (insecure) to 2048 bits. As the keys are much longer respect to those for symmetric algorithms, this kind of algorithms are much slower. For practical pourposes they are used togheter: first a temporary key for a symmetric algorithm is generated, which is used to encrypt the message, then the public key of the receiver is used to encrypt this key, which is sent (in encrypted form) together with the message.

7 Digital Signature Paul calculates the hash of the message
Paul encrypts the hash using his private key: the encrypted hash is the digital signature. Paul sends the signed message to John. John calculates the hash of the message Decrypts signature, to get A, using Paul’s public key. If hashes equal: 1. message wasn’t modified; 2. hash A is from Paul’s private key Paul message Digital Signature message Hash A Digital Signature John Paul’s keys message Digital Signature Hash B = ? Hash A public private

8 The “third party” is called a Certification Authority (CA).
Digital Certificates How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s? A third party certifies correspondence between the public key and Paul’s identity. Both John and Paul trust this third party The “third party” is called a Certification Authority (CA).

9 X.509 Certificates An X.509 Certificate contains:
owner’s public key; identity of the owner; info on the CA; time of validity; Serial number; Optional extensions digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) Optional Extensions Sample user certificate Certificate: Version: 3 (0x2) Serial Number: 981 (0x3d5) Signature Algorithm: md5WithRSAEncryption Issuer: C=IT, O=INFN, CN=INFN Certification Authority Issuer (CA) Validity Not Before: Oct 10 15:50: GMT Not After : Oct 10 15:50: GMT Subject: C=IT,O=INFN,CN=M User’s name Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) User’s public key Modulus (1024 bit): :bf:7e:b9:91:9f:dd:07:10:aa:0f:e6:5b:dc:b6: [...] Exponent: (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Certificate use Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 CRL Distribution Points: CRL information URI: X509v3 Certificate Policies: Policy information Policy: X509v3 Subject Key Identifier: A:57:A5:DC:C2:76:44:E1:29:B9:C4:BC:13:58:70:2A:A0:01:37:B X509v3 Authority Key Identifier: keyid:CA:11:EF:5D:1D:07:04:98:A9:A5:B5:58:1A:66:4E:0A:16:2B:E0: DirName:/C=IT/O=INFN/CN=INFN Certification Authority serial: X509v3 Subject Alternative Name: X509v3 Issuer Alternative Name: URI: Signature Algorithm: md5WithRSAEncryption Signature of the CA :f7:ee:d2:57:f4:99:fc:1a:73:90:ab:ae:c4:8f:dc:de:b5: [...] CA Digital signature

10 Certification Authorities
User’s identity has to be certified by one of the national Certification Authorities (CAs) Resources are also certified by CAs CAs are mutually recognized CAs each establish a number of people “registration authorities” RAs To find RAs in UK go to

11 Grid Security Infrastructure - proxies
To support delegation: A delegates to B the right to act on behalf of A proxy certificates extend X.509 certificates Short-lived certificates signed by the user’s certificate or a proxy Reduces security risk, enables delegation

12 Certificate Request Certification Authority State of Illinois Cert
CA root certificate User generates public/private key pair in browser. CA signature links identity and public key in certificate. CA informs user. Cert Request Public Key User sends public key to CA and shows RA proof of identity. Certification Authority Cert When CA informs the user that the certificate is ready, using the browser that already generated the key pair, the user downloads the certifiacte into the browser. The private key is already there and matches the public key in the certificate. State of Illinois ID Private Key encrypted on local disk

13 “Compute element”: a batch job queue
Job request I.S. Logging Logging Info system Globus gatekeeper gridmapfile Local Resource Management System: Condor / PBS / LSF master Different systems for managing queues of jobs to run on networked computers. If user’s grid id is not in gridmapfile, not authorised to run the job “Worker nodes”

14 User Responsibilities
Keep your private key secure – on USB drive only Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

15 AA Summary VO service Daily update
Authentication User obtains certificate from Certificate Authority Connects to UI by ssh UI is the user’s interface to Grid Uploads certificate to UI Single logon – to UI - create proxy then Grid Security Infrastructure uses proxies Annually CA VO mgr UI VO service Authorisation User joins Virtual Organisation VO negotiates access to Grid nodes and resources Authorisation tested by resource: Gridmapfile (or similar) maps user to local account VO database GSI Daily update Gridmapfiles for grid services

16 Our setup ssh UI Internet Tutorial room machines Core NGS nodes
training-ui.nesc.ed.ac.uk. Internet Core NGS nodes Light Blue denotes the data nodes and dark blue the compute nodes. The training CA (AFAIK) is only supported on these nodes.

17 The Practical You should have been given an information sheet containing your username and password Login to your workstation Open a browser window and follow the link from today’s agenda page Click on “further information” for this practical.

Download ppt "Security, Authorisation and Authentication"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

Similar presentations

Ads by Google