Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security Jinny Chien Academia Sinica Grid Computing.

Published byAmberly George Modified over 6 years ago

Similar presentations

Presentation on theme: "Grid Security Jinny Chien Academia Sinica Grid Computing."— Presentation transcript:

1 Grid Security Jinny Chien Academia Sinica Grid Computing

2 Grid Security Infrastructure Encryption & Data Integrity
Security in gLite Security Authentication Grid Security Infrastructure Encryption & Data Integrity Authorization GSI is based on public key encryption, X.509 certificates, and the Secure Sockets Layer (SSL) communication protocol. Authentication, Authorisation and Security 2 2

3 Basis of security & authentication
Symmetric encryption Asymmetric encryption…(Public Key Infrastructure) Private key and public key are in pair. it is impossible to derive one key from another key. a message encrypted by one key can be decrypted only by another one. Encrypted text Private Key Public Key plain text 1. Basic security technique for grid security Authentication, Authorisation and Security 3 3

4 An Example of Asymmetric Encryption
Public keys are exchanged Paul gets John’s public key.. Paul encrypts using the public key of John John decrypts using his private key; Public key algorithm: Make sure of data confidentiality John’s keys private public Paul John ciao 3$r Use the different keys Public and Private key are pair Make sure .. The transfer communction is secret not be modified Authentication, Authorisation and Security 4 4

5 Digital Signature Paul calculates the hash of the message
Paul encrypts the hash using his private key: the encrypted hash is the digital signature. Paul sends the signed message to John. John calculates the hash of the message Decrypts signature, to get Hash A, using Paul’s public key. If hashes equal: 1. message wasn’t modified; 2. hash A is from Paul’s private key (Paul encrypted it) Paul message Digital Signature message Hash A Digital Signature John 1. Use the asymmetric encryption 2. hash a and b are the same During the process , the data is not be modified by others Check the date sent from Paul Paul’s keys message Digital Signature Hash B = ? Hash A public private Authentication, Authorisation and Security 5

6 CA’s Digital Signature
Certificate Certificate It is based on Digital Signature mechanism. Grid authenticates users or resources by verifying their certificate. Certificate is issued by one of the national Certification Authorities. certificate Public Key User’s Information CA's information Time of validity CA’s Digital Signature Sign In grid , we use the digital signature to add our certificate. In Grid , every user and host machine must have to Authenticate idnetfication We could check the certificate to Authenticate user or host idnetfication Certification Authorities. CA private key Authentication, Authorisation and Security 6 6

7 X.509 Certificates An X.509 Certificate contains:
owner’s public key; identity of the owner; info on the CA; time of validity; Serial number; Optional extensions digital signature of the CA Structure of a X.509 certificate Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) Optional Extensions CA Digital signature Authentication, Authorisation and Security 7

8 Example: X.509 Certificates
grid-cert-info Authentication, Authorisation and Security 8 8

9 sign Proxy certificate information information user’s signature
user key user cert CA’s signature information information sign user’s signature proxy certificate 1. In grid , use his user certificate to sign another proxy certificate 2. The proxy certificate replace the real certificate to execute the activities. 3. The lifetime is 12 hours 4. To avoid user to create a long time proxy ….. Maybe there is some mistake and cause some secret issue proxy key Authentication, Authorisation and Security 9 9

10 Evolution of VO management
VOMS (Virtual Organization Membership Service) VO Administration : check which VO the user belongs to Add VO information on user’s proxy certificate. voms-proxy-init a gLite command to Contact the VOMS with user’s proxy certificate Retrieve the certificate that contains VO information on it. information User’s Digital Signature VO: TWGrid proxy certificate Authorization----- VOMS objective….. To give user the authority what they could do … The Virtual Organisation Membership Service (VOMS) is a system which allows a proxy to have extensions containing information about the VO, the groups the user belongs to in the VO, and any roles the user is entitled to have. FQAN (short form for Fully Qualified Attribute Name). The format is: FQAN = <group name>[/Role=<role name>] One clear advantage of VOMS proxies over standard proxies is that the middleware can find out to which VO the user belongs from the proxy Authentication, Authorisation and Security 11

11 Summary of AA VO service Daily update
Authentication User obtains certificate from Certificate Authority Connects to UI by ssh (UI is the user’s interface to Grid) Uploads certificate to UI Single logon – to UI - create proxy Grid Security Infrastructure Annually CA VO mgr UI VO service Authorisation User joins Virtual Organisation VO negotiates access to Grid nodes and resources Authorisation tested by resource: Credentials in proxy determine user’s rights VO database This is all we talked today . Authentication – make sure who is who…. How to identify user in the grid Authorization: decide what you can do…… what to allow user to do or use the resource in the grid ----- Authentication ……. Use GSI to support GSI Daily update Mapping to access rights Authentication, Authorisation and Security 13

12 User Responsibilities
Keep your private key secure – on USB drive only Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. The important things that user follows Proxies also contain private keys, and although these are less valuable, as the lifetime of a proxy is short, it is still important to look after them. Not share your certificate to others – security If your certificate is any compromised , please contact your CA or RA

13 Reference Grid Security
LCG Security: Globus Security: Grid-it portal: LCG Registration: Background GGF Security: IETF PKIX charter: PKCS:

14 Thanks for Your Listening

Download ppt "Grid Security Jinny Chien Academia Sinica Grid Computing."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

Similar presentations

Ads by Google