Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security Overview

Published byGregory Williamson Modified over 6 years ago

Similar presentations

Presentation on theme: "Grid Security Overview"— Presentation transcript:

1 Grid Security Overview
The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License. See for the full text of this license.

2 Security Terminology Authentication: Establishing identity
Authorization: Establishing rights Message protection Message integrity Message confidentiality Non-repudiation Digital signature Accounting Delegation Grid School 2004 Security Overview

3 Multi-Institution Issues
No Cross- Domain Trust Certification Certification Authority Authority Domain A Domain B Policy Trust Mismatch Mechanism Mismatch Policy Authority Authority Task Server Y Server X Sub-Domain A1 Sub-Domain B1 Grid School 2004 Security Overview

4 Why Grid Security is Hard
Resources being used may be valuable & the problems being solved sensitive Both users and resources need to be careful Dynamic formation and management of virtual organizations (VOs) Large, dynamic, unpredictable… VO Resources and users are often located in distinct administrative domains Can’t assume cross-organizational trust agreements Different mechanisms & credentials X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains), X.509 attribute certs vs SAML assertions Grid School 2004 Security Overview

5 Why Grid Security is Hard…
Interactions are not just client/server, but service-to-service on behalf of the user Requires delegation of rights by user to service Services may be dynamically instantiated Standardization of interfaces to allow for discovery, negotiation and use Implementation must be broadly available & applicable Standard, well-tested, well-understood protocols; integrated with wide variety of tools Policy from sites, VO, users need to be combined Varying formats Want to hide as much as possible from applications! Grid School 2004 Security Overview

6 The Grid Trust solution
Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!) set up trust at the user/resource level Virtual Organizations (VOs) for multi-user collaborations Federate through mutually trusted services Local policy authorities rule Users able to set up dynamic trust domains Personal collection of resources working together based on trust of user Grid School 2004 Security Overview

7 Grid Solution: Use Virtual Organization as Bridge
No Cross- Domain Trust Certification Certification Authority Sub-Domain B1 Authority Server X Policy Authority Server Y Policy Authority Task Domain B Sub-Domain A1 Domain A Federation Service GSI Virtual Organization Domain Grid School 2004 Security Overview

8 Effective Policy Governing Access Within A Collaboration
Grid School 2004 Security Overview

9 Use Delegation to Establish Dynamic Distributed System
Compute Center Service Rights VO Compute Center Grid School 2004 Security Overview

10 Goal is to do this with arbitrary mechanisms
Compute Center X.509 AC X.509/SSL SAML Attribute Service X.509 AC Kerberos/ WS-Security Rights VO Compute Center SAML Attribute Grid School 2004 Security Overview

11 Grid Security Infrastructure (GSI)
Use GSI as a standard mechanism for bridging disparate security mechanisms Doesn’t solve trust problem, but now things talk same protocol and understand each other’s identity credentials Basic support for delegation, policy distribution Translate from other mechanisms to/from GSI as needed Convert from GSI identity to local identity for authorization Grid School 2004 Security Overview

12 GSI GSI implements X.509 Proxy Certificates as extensions to these standards to support dynamic naming of services, delegation of rights and single sign-on After authentication, GSI identity is mapped by administer configuration to a local identity for authorization. Local identity controls access to local files, job startup rights, etc. Grid School 2004 Security Overview

13 Grid Security Infrastructure (GSI)
Based on standard PKI technologies SSL protocol for authentication, message protection CAs allow one-way, light-weight trust relationships (not just site-to-site) X.509 Certificates for asserting identity for users, services, hosts, etc. Proxy Certificates GSI extension to X.509 certificates for delegation, single sign-on Grid School 2004 Security Overview

14 Grid Security Infrastructure (GSI)
GSI is: Proxies and delegation (GSI Extensions) for secure single Sign-on Proxies and Delegation PKI (CAs and Certificates) SSL/ TLS SSL for Authentication And message protection PKI for credentials Grid School 2004 Security Overview

15 Grid Identity, Local Policy
In current model, all Grid entities assigned a PKI identity. User is mapped to local identities to determine local policy. . Map to local name Grid Identity Local Policy Map to local name Local Policy Grid School 2004 Security Overview

16 Local Identity, Grid Identity, Local Policy
KCA Map to local name Grid Identity Kerberos Site Local Policy SSLK5 KRB5 Resources Grid School 2004 Security Overview

17 GSI Implementation Services (running Access Compute Center Rights’’
SSL/WS-Security with Proxy Certificates Services (running on user’s behalf) Authz Callout Access Compute Center Rights’’ CAS or VOMS issuing SAML or X.509 ACs Local Policy on VO identity or attribute authority VO Users Rights VO MyProxy Rights’ KCA Grid School 2004 Security Overview

18 Public Key Infrastructure (PKI)
PKI allows you to know that a given key belongs to a given user PKI builds off of asymmetric encryption: Each entity has two keys: public and private Data encrypted with one key can only be decrypted with other. The public key is public The private key is known only to the entity The public key is given to the world encapsulated in a X.509 certificate Owner Grid School 2004 Security Overview

19 State of Illinois Certificates
Similar to passport or driver’s license: Identity signed by a trusted party State of Illinois John Doe 755 E. Woodlawn Urbana IL 61801 BD Male 6’0” 200lbs GRN Eyes State of Illinois Seal Name Issuer Public Key Signature Grid School 2004 Security Overview

20 Hash =? Hash Certificates
By checking the signature, one can determine that a public key belongs to a given user. Name Issuer Public Key Signature Hash Hash =? Decrypt Hash Can talk about certificate chains here. Issuer Public Key from Issuer Grid School 2004 Security Overview

21 Certificate Authorities (CAs)
A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates A Certificate Authority is an entity that exists only to sign user certificates The CA signs it’s own certificate which is distributed in a trusted manner Name: CA Issuer: CA CA’s Public Key CA’s Signature Grid School 2004 Security Overview

22 Certificate Authorities (CAs)
The public key from the CA certificate can then be used to verify other certificates Name Issuer: CA Public Key Signature Hash Hash =? Decrypt Hash Can also talk about namespaces and RAs here. Name: CA Issuer: CA CA’s Public Key CA’s Signature CA Grid School 2004 Security Overview

23 Certificate State of Illinois Authority Certificate Request
User send public key to CA along with proof of identity. User generates public/private key pair. CA confirms identity, signs certificate and sends back to user. Cert Request Public Key Cert Certificate Authority State of Illinois ID Private Key encrypted on local disk Grid School 2004 Security Overview

24 X.509 Proxy Certificates GSI Extension to X.509 Identity Certificates
RFC Enables single sign-on Allow user to dynamically assign identity and rights to service Can name services created on the fly and give them rights (i.e. set policy) What is effectively happening is the user is creating their own trust domain of services Services trust each other with user acting as the trust root Grid School 2004 Security Overview

25 Rights: Can access file F1,
Proxy Certificates Create F1 Service CN=Jane Doe CN=Jane Doe/9874 Rights: Can access file F1, Service S1, X.509 Proxy Delegation Use delegated rights to access resources. X.509 Id certificate X.509 Proxy certificate S1 Grid School 2004 Security Overview

26 Obtaining a Certificate
The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/: usercert_request.pem: Unsigned certificate file userkey.pem: Encrypted private key file Must be readable only by the owner Mail usercert_request.pem to Receive a Globus-signed certificate Place in ~/.globus/usercert.pem Other organizations use different approaches NCSA, NPACI, NASA, etc. have their own CA Grid School 2004 Security Overview

27 Certificate Information
To get cert information run grid-cert-info % grid-cert-info -subject /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster Options for printing cert information -all -startdate -subject -enddate -issuer -help Grid School 2004 Security Overview

28 “Logging on” to the Grid
To run programs, authenticate to Globus: % grid-proxy-init Enter PEM pass phrase: ****** Creates a temporary, local, short-lived proxy credential for use by our computations Options for grid-proxy-init: -hours <lifetime of credential> -bits <length of key> -help Grid School 2004 Security Overview

29 grid-proxy-init Details
grid-proxy-init creates the local proxy file. User enters pass phrase, which is used to decrypt private key. Private key is used to sign a proxy certificate with its own, new public/private key pair. User’s private key not exposed after proxy has been signed Proxy placed in /tmp, read-only by user NOTE: No network traffic! grid-proxy-info displays proxy details Grid School 2004 Security Overview

30 Grid Sign-On With grid-proxy-init
User certificate file User Proxy certificate file Pass Phrase Private Key (Encrypted) Grid School 2004 Security Overview

31 Destroying Your Proxy (logout)
To destroy your local proxy that was created by grid-proxy-init: % grid-proxy-destroy This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes Grid School 2004 Security Overview

32 Proxy Information To get proxy information run grid-proxy-info
% grid-proxy-info -subject /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster Options for printing proxy information -subject -issuer -type -timeleft -strength -help Options for scripting proxy queries -exists -hours <lifetime of credential> -exists -bits <length of key> Returns 0 status for true, 1 for false: Grid School 2004 Security Overview

33 Delegation Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Proxy cert and public key sent to client Clients signs proxy cert and returns it Server (usually) puts proxy in /tmp Allows remote process to authenticate on behalf of the user Remote process “impersonates” the user Grid School 2004 Security Overview

34 Limited Proxy During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy GRAM (job submission) client does this Each service decides whether it will allow authentication with a limited proxy Job manager service requires a full proxy GridFTP server allows either full or limited proxy to be used Grid School 2004 Security Overview

35 Secure Services On most unix machines, inetd listens for incoming service connections and passes connections to daemons for processing. On Grid servers, the gatekeeper securely performs the same function for many services It handles mutual authentication using files in /etc/grid-security It maps to local users via the gridmap file Grid School 2004 Security Overview

36 Sample Gridmap File Gridmap file maintained by Globus administrator
Entry maps Grid-id into local user name(s) # Distinguished name Local # username "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup” rpg "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost” frost "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman” u14543 "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster” itf Grid School 2004 Security Overview

37 Authorization GSI handles authentication, but authorization is a separate issue Authorization issues: Management of authorization on a multi-organization grid is still an interesting problem. The grid-mapfile doesn’t scale well, and works only at the resource level, not the collective level. Large communities that share resources exacerbates authorization issues, which has led us to CAS… Grid School 2004 Security Overview

38 Security Summary Programs for credential management
grid-cert-info, grid-proxy-init, grid-proxy-destroy, grid-proxy-info GSS-API: The Globus Toolkit Grid Security Infrastructure (GSI) uses this API, which allows programs to easily add security globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use Grid School 2004 Security Overview

Download ppt "Grid Security Overview"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

Similar presentations

Ads by Google