Grid School Module 4: Grid Security

Presentation transcript:

1 Grid School Module 4: Grid Security
- Some of the security aspects of grid computing
- Discuss scenarios to establish requirements
- Discuss solutions to address requirements

2 Typical Grid Scenario
- Resources
- Users

At the top we see three typical grid scenarios, i.e. groups of computer resources. At the bottom centre we see several groups of users, and at the two extremes the intruders. A large number of resources are pooled together and shared by a large user pool. In reality the resources are owned and operated by different groups, so access to each resource must be restricted while still allowing collaboration.

3 What do we need?
- Identity
- Authentication
- Message Protection
- Authorization
- Single Sign On

These are the things we need to achieve a good level of security: identity, authentication, message protection, authorization, and single sign on.

4 Identity & Authentication
- Each entity should have an identity
- Authenticate: establish identity. Is the entity who it claims to be?
- Examples: driving license, username/password
- Stops masquerading impostors

Identity is like a passport: it tells us who you are. Authentication is like a visa: it grants entry to a system and rights within it. Each entity should have an identity, and authentication establishes that identity, i.e. checks whether the entity is who it claims to be. Examples are a driving license or a username and password. This process helps stop masquerading impostors.

5 Message Protection: Privacy
[Figure: a medical record, "Patient no: 3456"]

Message protection gives users privacy. In a medical repository system, for instance, we expect the records to preserve the privacy of the owner of the data and of the patients.

6 Message Protection: Integrity
[Figure: two requests, "Run myHome/rm -f *" and "Run myHome/whoami", illustrating a command altered in transit]

Integrity protection lets the resource detect a message that was altered on the way, so a harmless command cannot be turned into a destructive one. It stops hackers from getting access to these large computing resources.

7 Authorization
- Establishing rights: what can a given identity do?
- Examples: Are you allowed to be on this flight? As a passenger? As the pilot? Unix read/write/execute permissions
- Must authenticate first

Authorization establishes the access rights of a user: what can a given identity do? Are you allowed to be on this flight, and are you a passenger or the pilot? On a computer running Unix it grants or denies rights such as read, write and execute permissions. For any of the above you must authenticate yourself first.

8 Grid Security: Single Sign On
- Authenticate once

A great advantage of a single sign on mechanism is that if you need to access 100 different machines you log in only once and get access to all of them.

9 Grid Security: Single Sign On
- Delegation

Single sign on also supports delegation: the user's access can be delegated so that one computer system acts on the user's behalf towards other computers.

10 Single Sign-on
- Important for complex applications that need to use Grid resources
- Enables easy coordination of varied resources
- Enables automation of processes
- Allows remote processes and resources to act on the user's behalf
- Authentication and delegation

Single sign-on is very important for complex applications that need to use Grid resources. It enables easy coordination of varied resources and automation of processes, lets remote processes and resources act on the user's behalf, and combines authentication with delegation. All of this provides great user convenience.

11 Solutions
- Tools that do these under the cover
- Important to understand the concepts so we can keep the grid secure

12 Cryptography for Message Protection
- Enciphering and deciphering of messages in secret code
- Key: a collection of bits, the building block of cryptography
- The more bits, the stronger the key

Cryptography is the enciphering and deciphering of messages in secret code. A key is a collection of bits and is the building block of cryptography; the more bits, the stronger the key, so a 256-bit key is stronger than a 128-bit key. Computing with a larger key also takes more time. Most algorithms are well established and tools have already been developed for performing the computations.

13 Encryption
- Encryption is the process of taking some data and a key, feeding them into a function and getting encrypted data out
- Encrypted data is, in principle, unreadable unless decrypted
[Figure: Data and Key fed into the Encryption Function]

Encryption takes some data and a key, feeds them into a function and produces encrypted data. Encrypted data is, in principle, unreadable unless decrypted. Data is treated as bit streams. The key is like a house key.

14 Decryption
- Decryption is the process of taking encrypted data and a key, feeding them into a function and getting the original data out
- Encryption and decryption functions are linked
[Figure: Encrypted Data and Key fed into the Decryption Function, producing Data]

Decryption takes encrypted data and a key, feeds them into a function and recovers the original data. The encryption and decryption functions are linked; they are well-established algorithms, and tools that implement them already exist.

15 Asymmetric Encryption
- Encryption and decryption functions that use a key pair are called asymmetric
- The two keys are mathematically linked

16 Public and Private Keys
- With asymmetric encryption each user can be assigned a key pair: a private and a public key
- The public key is given away to the world
- The private key is known only to the owner
- Encrypt with the public key; only the private key can decrypt
- Message privacy

There are two types of keys, public and private. Encrypting with the public key means that only the holder of the private key can decrypt, which ensures message privacy.

17 Digital Signatures
- Digital signatures allow the world to determine whether the data has been tampered with and to verify who created a chunk of data
- Sign with the private key, verify with the public key
- Generated and sent with the message
- Message integrity

A digital signature is generated with the sender's private key and sent along with the message; anyone can verify it with the sender's public key. This ensures message integrity.

18 Public Key Infrastructure (PKI)
- PKI allows you to know that a given public key belongs to a given user
- PKI builds off of asymmetric encryption: each entity has two keys, public and private
- The private key is known only to the entity
- The public key is given to the world, encapsulated in an X.509 certificate

PKI provides an owner tag for a public key. Any entity that possesses the private key assumes that identity: if you have my private key, you are me as far as the PKI fabric is concerned.

19 Certificates
- An X509 certificate binds a public key to a name
- Similar to a passport or driver's license
[Figure: a State of Illinois driver's license for John Doe, 755 E. Woodlawn, Urbana IL 61801, with the fields Name, Issuer, Public Key, Validity ("Valid Till:") and Signature (the State of Illinois seal) marked]

The analogy with a driver's license: the Name is the holder's name; the Issuer is the state that issued the license; the Public Key corresponds to the person's gender, height and weight; Validity is the license's expiry date; and the Signature is the state seal.

20 Certification Authorities (CAs)
- A Certification Authority is an entity that exists only to sign user certificates
- The CA signs its own certificate, which is distributed in a trusted manner
- Verify the CA certificate, then verify the issued certificate
[Figure: the CA's certificate, with Name: CA, Issuer: CA, CA's Public Key, Validity and CA's Signature]

The CA private key is again a protected key, but the CA public key is distributed widely. The CA certificate is self-signed: both its Name and its Issuer are the CA.

21 Certificate Policy (CP)
- Each CA has a Certificate Policy (CP) which states who it will issue certificates to and how it identifies the people it issues certificates to
- Lenient CAs don't pose a security threat, since resources determine which CAs they trust

We need certificates from specific CAs to access resources.

22 Certificate Issuance
- User generates a public key and private key
- CA vets the user's identity using the CA Policy
- Public key is sent to the CA: browser upload, or implied
- CA signs the user's public key as an X509 certificate
- The user's private key is never seen by anyone, including the CA

23 Certificate Revocation
- CA can revoke any user certificate: private key compromised, malicious user
- Certificate Revocation List (CRL): list of X509 certificates revoked
- Published, typically on the CA web site
- Before accepting a certificate, a resource must check the CRLs

The CA can revoke any user certificate, for example if the private key has been compromised or the user turned out to be malicious. The revoked X509 certificates are listed in a Certificate Revocation List (CRL), published typically on the CA web site. Before accepting a certificate, a resource must check the CRLs.

24 Authorization
- Establishing rights of an identity
- Chaining authorization schemes, for example: the client must be User Green and have a candlestick and be in the library!
- Types: server side authorization, client side authorization

25 Gridmap Authorization
- Commonly used in Globus for server side authorization
- Gridmap is a list of mappings from allowed DNs to user names
- ACL + some attribute
- Controlled by the administrator
- Open read access

  "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
  "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde

A gridmap is essentially an access control list plus one attribute per entry, the local user name that the DN is mapped to. It is controlled by the administrator and is readable by everyone.
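As an added example (not from the presentation or from Globus itself), a server-side gridmap lookup in Python: it parses entries in the format shown above, strips proxy name components so that a proxy is authorized as its owner's DN, and returns the local account to run as. The file contents and DNs are constructed; the proxy naming conventions assumed are the legacy /CN=proxy and /CN=limited proxy suffixes and the RFC 3820 numeric /CN=<serial>.

```python
import re

# Constructed gridmap text modelled on the slide's two entries; not a real site's file.
GRIDMAP = '''
# "<distinguished name>" <local account>[,<local account>...]
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde,gridusers
'''

ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')
PROXY_CN = re.compile(r"^CN=(proxy|limited proxy|\d+)$")  # assumed proxy naming conventions

def parse_gridmap(text):
    """Return {DN: [local accounts]}; blank lines and # comments are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if not match:
            raise ValueError("malformed gridmap entry: %r" % line)
        dn, accounts = match.groups()
        mapping[dn] = accounts.split(",")
    return mapping

def end_entity_dn(subject):
    """Drop trailing proxy components so a proxy is authorized as its owner's DN."""
    parts = subject.split("/")
    while len(parts) > 1 and PROXY_CN.match(parts[-1]):
        parts.pop()
    return "/".join(parts)

def authorize(mapping, subject, requested_account=None):
    """Server-side gridmap check: the local account to run as, or None if denied."""
    accounts = mapping.get(end_entity_dn(subject), [])
    if not accounts:
        return None                      # DN not in the gridmap: access denied
    if requested_account is None:
        return accounts[0]               # default mapping is the first account listed
    return requested_account if requested_account in accounts else None
```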

26 Globus Security: The Grid Security Infrastructure
- The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources
- Based on PKI
- Uses Secure Socket Layer for authentication and message protection: encryption and signature
- Adds features needed for single sign on: proxy credentials and delegation

27 GSI: Credentials
- In the GSI system each user has a set of credentials they use to prove their identity on the grid
- Consists of an X509 certificate and a private key
- The long-term private key is kept encrypted with a pass phrase
- Good for security, inconvenient for repeated use

28 GSI: Proxy Credentials
- Proxy credentials are short-lived credentials created by the user
- The proxy is signed by the certificate's private key
- Short-term binding of the user's identity to an alternate private key
- Same effective identity as the certificate
[Figure: the user certificate signing a proxy certificate]

The encrypted private key needs a person present to type the pass phrase; the long-term credential is protected this way to prevent theft. The proxy carries the same identity as the certificate it is created from: it is a new key pair, signed by your certificate. Because proxies are short-lived, clock synchronization between machines matters.

29 GSI: Proxy Credentials
- Stored unencrypted for easy repeated access
- Chain of trust: trust CA -> trust user certificate -> trust proxy
- Key aspects: generate proxies with a short lifetime; set appropriate permissions on the proxy file; destroy the proxy when done

Because the proxy private key is stored unencrypted, it can be used repeatedly without a pass phrase; that is why the proxy lifetime must be short, the proxy file must be protected by file permissions, and the proxy must be destroyed when it is no longer needed.
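Added example, not part of the presentation or of GSI: the chain of trust above (CA -> user certificate -> proxy) checked in Python, together with the revocation rule from slide 23 and the short-lifetime rule from slide 28. Signatures use a toy RSA on small fixed primes purely to show the sign/verify relationship, certificates are plain dicts, the CRL is simplified to a set of revoked subjects, and the legacy /CN=proxy naming is assumed; all names and times are constructed.

```python
import hashlib

# Toy RSA on small fixed primes: shows the signing relationship only, it is not secure.
def make_keypair(p, q, e=17):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs(c):  # the "to be signed" fields of a certificate
    return repr((c["subject"], c["issuer"], c["pub"], c["not_before"], c["not_after"])).encode()

def issue(subject, issuer, issuer_priv, pub, not_before, lifetime):
    c = {"subject": subject, "issuer": issuer, "pub": pub,
         "not_before": not_before, "not_after": not_before + lifetime}
    n, d = issuer_priv
    c["sig"] = pow(digest(tbs(c), n), d, n)  # sign with the issuer's private key
    return c

def sig_ok(c, signer_pub):
    n, e = signer_pub
    return pow(c["sig"], e, n) == digest(tbs(c), n)  # verify with the signer's public key

def verify_chain(ca, user, proxy, now, revoked=frozenset(), max_proxy_life=12 * 3600):
    """Trust CA -> trust user certificate -> trust proxy; returns the list of failed checks."""
    checks = [
        ("ca self-signed", ca["issuer"] == ca["subject"] and sig_ok(ca, ca["pub"])),
        ("user signed by ca", user["issuer"] == ca["subject"] and sig_ok(user, ca["pub"])),
        ("user not revoked", user["subject"] not in revoked),  # CRL simplified to subjects
        ("proxy signed by user", proxy["issuer"] == user["subject"] and sig_ok(proxy, user["pub"])),
        ("proxy subject extends user subject", proxy["subject"] == user["subject"] + "/CN=proxy"),
        ("all certs valid now", all(c["not_before"] <= now <= c["not_after"] for c in (ca, user, proxy))),
        ("proxy short-lived", proxy["not_after"] - proxy["not_before"] <= max_proxy_life),
        ("proxy within user lifetime", proxy["not_after"] <= user["not_after"]),
    ]
    return [name for name, ok in checks if not ok]

def build_demo_chain(now, proxy_life=8 * 3600):
    """Constructed chain: self-signed CA -> Jane Doe -> Jane's proxy (a fresh key pair)."""
    ca_pub, ca_priv = make_keypair(1000003, 1000033)
    user_pub, user_priv = make_keypair(1000037, 1000039)
    proxy_pub, _ = make_keypair(1000081, 1000099)  # this private key is what sits unencrypted on disk
    ca = issue("/O=Example/CN=Example CA", "/O=Example/CN=Example CA", ca_priv, ca_pub, now - 86400, 10 * 365 * 86400)
    user = issue("/O=Example/CN=Jane Doe", ca["subject"], ca_priv, user_pub, now - 3600, 365 * 86400)
    proxy = issue(user["subject"] + "/CN=proxy", user["subject"], user_priv, proxy_pub, now, proxy_life)
    return ca, user, proxy
```

An empty list from verify_chain means the proxy is accepted; a proxy that was tampered with, revoked at the user level, expired, or issued for longer than the allowed lifetime is named in the returned list.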

30 GSI Delegation
- Enabling another entity to run as you
- Provide the other entity with a proxy
- Ensure a limited lifetime and limited capability

31 Grid Security At Work
- Get a certificate from the relevant CA
- Request to be authorized for resources
- Generate a proxy as needed
- Run clients: authenticate, authorize, delegate as required

There are numerous resources, different CAs, and numerous credentials.

32 MyProxy
- Developed at NCSA
- Credential repository with a different access mechanism (e.g. username/pass phrase)
- Can act as a credential translator from username/pass phrase to GSI
- Online CA
- Supports various authentication schemes: pass phrase, certificate, Kerberos

33 MyProxy: Use Cases
- Credentials need not be stored on every machine
- Used by services that can only handle usernames and pass phrases to authenticate to the Grid, e.g. web portals
- Handles credential renewal for long-running tasks
- Can delegate to other services

34 Lab Session
- Focus on tools: certificates, proxies, gridmap authorization, delegation, MyProxy

At this point a lab session begins.

35 Grid School Module 2: Grid Security
- Prepared by: Rachana Ananthakrishnan, Argonne National Laboratory
- With contributions by Von Welch, Frank Siebenlist, Ben Clifford
- Some of the security aspects of grid computing
- Discuss scenarios to establish requirements
- Discuss solutions to address requirements