Slide 1: www.eu-eela.eu – E-science grid facility for Europe and Latin America
A Data Access Policy based on VOMS attributes in the Secure Storage Service
Diego Scardaci, INFN (Italy)
EELA-2 First Conference, Bogota, Colombia, 25-27.02.2009

Slide 2: Outline
– The Insider Abuse Problem
– The Secure Storage Service for the gLite Middleware:
  – Main Functionalities
  – Data Access Policy based on VOMS attributes

Slide 3: Insider Abuse: Problem
– A grid user could store sensitive data in a Storage Element managed by an external organization.
– Storage Element administrators could access the data (but the data are sensitive!).
– For this reason the data MUST be stored in an encrypted format.
– Data encryption/decryption MUST be performed inside the user's secure environment (for example inside the user's organization).

Slide 4: Insider Abuse: A Solution
[Diagram: the user and the Key Repository sit inside the SECURE ENVIRONMENT of the user's (virtual) organization; the key is used for file encryption/decryption there, and only the encrypted file is sent to the SE (Storage Element).]

Slide 5: The Secure Storage service
Provides gLite users with suitable and simple tools to store confidential data in Storage Elements in a transparent and secure way. The service is composed of the following components:
– Command Line Applications: commands integrated in the gLite User Interface to encrypt/upload and decrypt/download files.
– Application Program Interface: allows the developer to write programs able to manage confidential data.
– Keystore: a new grid element used to store and retrieve the users' keys. It is identified by a host X.509 digital certificate and all its Grid transactions are mutually authenticated and encrypted according to the GSI model.

Slide 6: Command Line Applications and API
Secure Storage provides a new set of commands and an API on the gLite User Interface:
– Like the lcg-utils commands and API, but they work on encrypted data.
– The encryption and decryption processes are transparent to the user.
These commands and the API cover the main Data Management operations:
– lcg-scr: copy a data file onto a Storage Element
– lcg-scp: read a data file from a Storage Element
– lcg-sdel: delete a data file on a Storage Element
– …
An API like GFAL (encrypts and decrypts blocks of data):
– allows developers to work on encrypted remote files as if they were local files in clear text.

Slide 7: lcg-scr: Encryption and Storage
[Diagram: over a GSI AUTHENTICATED CHANNEL the owner (OWNER DN) registers the key together with an ACL listing DN1, DN2, FQAN1, FQAN2, …; access is authorized to DN1, DN2, FQAN1, FQAN2, …]
An FQAN authorized to access the file can represent a whole VO or a VO group, etc.

Slide 8: lcg-scp: Retrieval and Decryption
[Diagram: the ACL (OWNER DN, DN1, DN2, FQAN1, FQAN2, …) is consulted over a GSI AUTHENTICATED CHANNEL.]
The Keystore provides users with the key only if the user's DN or one of the VOMS attributes included in his proxy matches one entry of the ACL.

Slide 9: The Keystore (1)
The Keystore is a new grid element used to store and retrieve the users' keys in a secure way. The Keystore:
– is identified by a host X.509 digital certificate;
– all its Grid transactions are mutually authenticated and encrypted as required by the GSI model;
– should be placed in a trusted domain and should be appropriately protected against undesired connections;
– is a black box with a single interface towards the external world. This interface accepts only GSI authenticated connections.

Slide 10: The Keystore (2)
Authorization process performed by the Keystore when the user requests a key through a mutually authenticated and encrypted channel (according to the GSI infrastructure):
1. the keystore extracts the user's DN and VOMS extension from the user's X.509 proxy certificate;
2. the keystore checks whether the client is a member of the enabled-users list and/or belongs to an enabled Virtual Organization or to a specific Virtual Organization Group. The request is discarded in all other cases;
3. the keystore checks whether the user's DN or VOMS extension matches one of the entries of the ACL associated with the requested key. If the user is authorized, the keystore provides the key; otherwise the request is discarded.
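The two-stage decision described on this slide, written out as an added example (this is not the Secure Storage Service's own code). It assumes an ACL is a list of strings mixing DNs (`/C=IT/O=INFN/CN=...`) and FQANs (`/vo/group/Role=...`), that FQANs compare on their normalised group path and role with `Role=NULL` and `Capability=` parts ignored, and that a key is released only when both the enabled-client check and the ACL check succeed; the policy sets and sample key are constructed.

```python
from dataclasses import dataclass, field

def parse_fqan(fqan):
    """Split a VOMS FQAN such as '/eela/prod/Role=admin/Capability=NULL'
    into (group_path, role); 'NULL' role and capability parts are dropped."""
    group, role = [], None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif not part.startswith("Capability="):   # capability is ignored by the policy
            group.append(part)
    return "/" + "/".join(group), role

def is_dn(entry):
    """ACL entries are DNs ('/C=IT/O=INFN/CN=...') or FQANs ('/eela/prod');
    a DN's first component carries an '=' whereas an FQAN's is the VO name (assumption)."""
    return "=" in entry.strip("/").split("/")[0]

@dataclass
class KeystorePolicy:
    enabled_users: set = field(default_factory=set)   # DNs allowed to use the keystore
    enabled_vos: set = field(default_factory=set)     # whole VOs allowed, e.g. "/eela"
    enabled_groups: set = field(default_factory=set)  # VO groups allowed, e.g. "/eela/prod"

    def client_enabled(self, dn, fqans):
        """Step 2 of the slide: caller is an enabled user or in an enabled VO/group."""
        if dn in self.enabled_users:
            return True
        for fqan in fqans:
            group, _ = parse_fqan(fqan)
            vo = "/" + group.strip("/").split("/")[0]
            if vo in self.enabled_vos or group in self.enabled_groups:
                return True
        return False

def acl_matches(acl, dn, fqans):
    """Step 3: the DN or one of the proxy's FQANs must match an ACL entry."""
    if dn in acl:
        return True
    acl_fqans = {parse_fqan(e) for e in acl if not is_dn(e)}
    return any(parse_fqan(f) in acl_fqans for f in fqans)

def release_key(policy, keys, key_id, dn, fqans):
    """Return the key bytes only when both checks pass; None means 'request discarded'."""
    entry = keys.get(key_id)
    if entry is None or not policy.client_enabled(dn, fqans):
        return None
    key, acl = entry
    return key if acl_matches(acl, dn, fqans) else None

# Constructed sample: one key, readable by the owner, a colleague's DN and the /eela/prod group.
POLICY = KeystorePolicy(enabled_users={"/C=IT/O=INFN/CN=Owner"}, enabled_vos={"/eela"})
KEYS = {"file001": (b"\x01" * 16, ["/C=IT/O=INFN/CN=Owner", "/C=CO/O=UNAL/CN=Colleague", "/eela/prod"])}
```

A proxy carrying only the VO-level FQAN `/eela/Role=NULL/Capability=NULL`, or the right group with a different role, passes the enabled-client check but fails the ACL check, so the key is withheld.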

Slide 11: Any questions?