
1 Military Technical Academy Bucharest, 2004
GETTING ACCESS TO THE GRID: Authentication, Authorization and Delegation
ADINA RIPOSAN, Applied Information Technology, Department of Computer Engineering

2
- Authentication and Authorization
- Delegation mechanism

3 Authentication and Authorization

4 Authentication & Authorization
In Grid environments, your host will become a client in some cases and a server in other cases. Therefore, your host might be required to authenticate another host and to be authenticated by that host at the same time.
The mutual authentication function of GSI proceeds with the authentication steps, then swaps the roles of the two hosts and repeats the procedure.
Briefly speaking:
- Authentication is the process of sharing public keys securely with each other.
- Authorization is the process that MAPS your DN to a local user/group of a remote host.

5 Mutual Authentication procedure

6 Delegation mechanism

7 Delegation mechanism
- Remote delegation: the user creates a proxy certificate at a REMOTE machine.
- Local delegation: the user creates a proxy certificate at the LOCAL machine.

8 REMOTE DELEGATION
When you make a proxy on a remote machine, the proxy's private key is on that remote machine, so the super-user of that machine can access your proxy's private key and conduct business under your name. This delegated credential can be vulnerable to attacks. To avoid this impersonation, it is recommended that the proxy obtain restricted policies from its owner, as in the case of GRAM, for example. (The standardization of this proxy restriction is now going on under the GSI Working Group of Grid Forum Security.)
To distribute jobs to remote grid machines, and to let them distribute their child jobs to other machines under your security policy, the DELEGATION function of GSI can be used.

9 Delegation procedure of user's proxy

10 If you are on the side of host A, you can create your proxy at host B to delegate your authority. This proxy acts as yourself and submits a request to host C on your behalf. The next steps are the procedure to create your proxy at a remote machine (proxy creation), and the procedure to submit a request to the other remote host on your behalf (proxy action).

11 Proxy creation
1. A trusted communication is created between host A and host B.
2. You request host B to create a proxy that delegates your authority.
3. Host B creates the request for your proxy certificate and sends it back to host A.
4. Host A signs the request to create your proxy certificate using your private key and sends it back to host B.
5. Host A sends your certificate to host B.

12 Proxy action
1. Your proxy sends your certificate and the certificate of your proxy to host C.
2. Host C gets your proxy's public key through the path validation procedure:
a. Host C gets your subject and your public key from your certificate using the CA's public key.
b. Host C gets the proxy's subject and your proxy's public key from your proxy's certificate using your public key.
c. The subject is a Distinguished Name similar to "O=Grid/O=Globus/OU=itso.grid.com/CN=your name". The subject of the proxy certificate is similar to its owner's (your) subject and looks like "O=Grid/O=Globus/OU=itso.grid.com/CN=your name/CN=proxy".

13 So in order to validate the proxy certificate, host C just has to check that the proxy's subject, with the trailing "/CN=proxy" removed, is the same as your subject. If it is validated, your proxy is authenticated by host C and able to act on your behalf.
3. The proxy encrypts a request message using its private key and sends it to host C.
4. Host C decrypts the encrypted message using the proxy's public key and gets the request.
5. Host C runs the request under the authority of a local user. The user is specified using a mapping file, which represents the mapping between grid users (subject) and local users (local user name).
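As an added example (not code from the slides), the Python below implements host C's subject check from this slide and the mapping-file lookup of step 5 on constructed values; it goes beyond the slide by also accepting a proxy of a proxy, and the mapping-file line format ("DN" user1,user2, in the style of a Globus grid-mapfile) is an assumption.

```python
# Added example: checks the proxy-subject rule from slide 13 and the grid-mapfile
# lookup of step 5. Sample values are constructed; the mapfile line format
# ("<DN>" user1,user2) follows the Globus grid-mapfile convention (assumed).
PROXY_RDN = "/CN=proxy"  # component a GSI proxy appends to its issuer's subject

def validate_proxy_subject(user_subject: str, proxy_subject: str) -> bool:
    """Host C's check: the proxy subject with '/CN=proxy' removed must equal the
    user's subject. Goes beyond the slide by accepting a proxy of a proxy, i.e.
    several trailing '/CN=proxy' components, stripping one at a time."""
    subject = proxy_subject
    while subject.endswith(PROXY_RDN):
        subject = subject[: -len(PROXY_RDN)]
        if subject == user_subject:
            return True
    return False  # no trailing /CN=proxy, or the remaining prefix is someone else

def parse_grid_mapfile(text: str) -> dict:
    """Parse lines of the form  "<subject DN>" localuser[,localuser...]  into a
    dict {DN: [local users]}; blank lines and '#' comments are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        end = line.index('"', 1)
        dn, users = line[1:end], line[end + 1:].split()
        if len(users) != 1:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[dn] = users[0].split(",")
    return mapping

def local_user_for(user_subject: str, proxy_subject: str, gridmap: dict):
    """Step 5: authorize by mapping the OWNER's DN (never the proxy DN itself);
    returns the first local user listed, or None if unmapped or invalid."""
    if not validate_proxy_subject(user_subject, proxy_subject):
        return None
    users = gridmap.get(user_subject)
    return users[0] if users else None

# Constructed sample input in the slide's DN style.
USER_DN = "O=Grid/O=Globus/OU=itso.grid.com/CN=your name"
PROXY_DN = USER_DN + PROXY_RDN
SAMPLE_GRIDMAP = '# constructed grid-mapfile\n"' + USER_DN + '" griduser1,griduser2\n'
```

Note that a subject containing "/CN=proxy" anywhere but at the end, or a proxy whose prefix is a different user's DN, is rejected, and the mapfile is always keyed by the owner's DN rather than the proxy's.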
