Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Mechanisms The European DataGrid Project Team

Published byAlexia Simmons Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Mechanisms The European DataGrid Project Team"— Presentation transcript:

1 Security Mechanisms The European DataGrid Project Team http://www.eu-datagrid.org

2 Security Tutorial - n° 2Torino, 5-6/12/02 Contents  Concepts of Cryptography  Digital Certificates  Security problems (and solution) of the Grid  EDG user authentication (practical guide)  EDG authorization (overview)

3 Security Tutorial - n° 3Torino, 5-6/12/02 Security Needs  Authentication n establish the identity of an entity (user, process, host, service,...)  Confidentiality n a third party cannot understand the communication  Integrity n data is not modified during communication  Non-repudiation n the sender cannot claim he didn’t send the data  Authorization n establish the rights of the entity

4 Security Tutorial - n° 4Torino, 5-6/12/02 Cryptography  Mathematical tool that provides some important building blocks for the implementation of a security infrastructure  Terminology n Plaintext: M n Cyphertext: C n Encryption with key K 1 : E K 1 (M) = C n Decryption with key K 2 : D K 2 (C) = M  Algorithms n Symmetric: K 1 = K 2 n Public Key (asymmetric): K 1 ≠ K 2 K2K2 K1K1 Encryption Decryption MCM

5 Security Tutorial - n° 5Torino, 5-6/12/02 Symmetric Algoritms  The same key is used for encryption and decryption n fast n how to distribute the keys? n the number of keys is O(n 2 )  Examples: n DES n 3DES n Rijndael (AES) n Blowfish AB ciao3$rciao AB 3$rciao3$r

6 Security Tutorial - n° 6Torino, 5-6/12/02 Public Key Algorithms  Every user has two keys: one private and one public: n it is practically impossible to derive the private key from the public one; n a message encrypted by one key can be decripted only by the other one.  No exchange of secrets is necessary n the sender cyphers using the public key of the receiver; n the receiver decripts using his private key; n the number of keys is O(n).  Examples: n Diffie-Helmann (1977) n RSA (1978) B’s keys public private A’s keys publicprivate AB ciao3$rciao AB cy7ciao 3$r cy7

7 Security Tutorial - n° 7Torino, 5-6/12/02 One-Way Hash Functions  Functions ( H ) that given as input a variable-length message ( M ) produce as output a string of fixed length ( h ) the length of h must be at least 128 bits (to avoid birthday attacks) 1. given M, it must be easy to calculate H(M) = h 2. given h, it must be difficult to calculate M = H -1 (h) 3. given M, it must be difficult to find M’ such that H(M) = H(M’)  Examples: n SNEFRU: hash of 128 or 256 bits; n MD4/MD5: hash of 128 bits; n SHA (Standard FIPS): hash of 160 bits.

8 Security Tutorial - n° 8Torino, 5-6/12/02 Digital Signature  A calculates the hash of the message and he encrypts it using his private key: the encrypted hash is the digital signature.  A sends the signed message to B.  B calculates the hash of the message and verifies it with the one received by A and decyphered with A’s pubblic key.  If the thwo hashes are equal, the message wasn’t modified and A cannot repudiate it. A’s keys publicprivate B hash (B) hash (A) = ? ciao A hash (A)

9 Security Tutorial - n° 9Torino, 5-6/12/02 Digital Certificates  A’s digital signature is safe if: 1. A’s private key is not compromised 2. B knows A’s public key  How can B be sure that A’s public key is really A’s public key and not someone else’s? n A third party guarantees the correspondence between public key and owner’s identity, by signing a document which contains the owner’s identity and his public key (Digital Certificate) n Both A and B must trust this third party  Two models: n X.509: hierarchical organization; n PGP: “web of trust”.

10 Security Tutorial - n° 10Torino, 5-6/12/02 PGP “web of trust” A B C D E F  F knows D and E, who knows A and C, who knows A and B.  F is reasonably sure that the key from A is really from A.

11 Security Tutorial - n° 11Torino, 5-6/12/02 X.509 Certificates  The “third party” is called Certification Authority (CA).  An X.509 Certificate contains: n identity of the owner; n time of validity; n owner’s public key; n info on the Certification Authority; n digital signature of the Certification Authority.  Certificates are published in a directory (e.g. LDAP or WWW) managed by the CA  CA’s periodically publish a list of compromised certificates n Certificate Revocation Lists (CRL) n Online Certificate Status Protocol (OCSP).

12 Security Tutorial - n° 12Torino, 5-6/12/02 Certificate Chains Per: INFN CA Firma: INFN CA Per: Verisign Firma: Verisign Per: AltraCA Firma: Verisign Per:Leo Firma:AltraCA Per:Silvia Firma:AltraCA Per:Carlo Firma:INFNCA  CA’s have their own certificates, too.  A CA can guarantee for other CA’s by signing their certificates  At the top there is a self- signed certificate (root certificate).  CA certificate are widely publicized and so difficult to forge.

13 Security Tutorial - n° 13Torino, 5-6/12/02

14 Security Tutorial - n° 14Torino, 5-6/12/02 The problems of grid security  The user population is large and dynamic n the same user will have different credentials and accounts at different sites; n the same user may have a regular account at some site, while at others a dynamically assigned one  Users want to authenticate themselves to the Grid only once (single sign-on)  The resources being used may be valuable.  The data to process may be sensitive (e.g. medical data).  The set of resources required by a process may be large, dynamic, and unpredictable.  Resources may belong to different administrative domains, each with its own specific policies.  Security mechanisms must not override local policies.

15 Security Tutorial - n° 15Torino, 5-6/12/02 Grid Security Infrastructure (GSI)  Based on an X.509 PKI: n every user/host/service has an X.509 certificate; n certificates are signed by trusted (by the local sites) CA’s; n every Grid transaction is mutually authenticated: 1. user sends his certificate; 2. other end sends user a challenge string; 3. user encodes the challenge string with his private key; 4. the public key is used to decode the challenge. n Private keys must be stored only in protected places, and only in encrypted form.

16 Security Tutorial - n° 16Torino, 5-6/12/02 X.509 Proxy Certificate  A Proxy is a special type of X.509 certificate, signed by the normal end entity cert (or by another proxy).  It allows process to act on behalf of user, supporting single sign-on and delegation n if there is a need to have agents requesting services on behalf of the user, avoids the need to re-enter the user's pass phrase s the Subject of the proxy contains the Subject of the signing cert  It reduces exposure of user’s private key  It is created by the grid-proxy-init command  The private key of the Proxy is not encrypted: n stored in local file protected by file system security: must be readable only by the owner; n proxy lifetime is short (typically 12 h) to minimize security risks.

17 Security Tutorial - n° 17Torino, 5-6/12/02 Delegation  Proxy creation can be recursive n each time a new private key and new X.509 proxy certificate, signed by the original key  Allows remote process to act on behalf of the user  Avoids sending passwords or private keys across the network  The proxy may be a “Restricted Proxy”: a proxy with a reduced set of privileges (e.g. cannot submit jobs).

18 Security Tutorial - n° 18Torino, 5-6/12/02 Site A (Kerberos) Site A (Kerberos) Site B (Unix) Site B (Unix) GSI interface Remote process creation requests* * with mutual authentication Site C (Kerberos) Site C (Kerberos) User Single sign-on & generation of proxy cred. User Proxy Proxy credential Storage system Communication* GSI-enabled FTP server Authorize Map to local id Access file Remote file access request* Process Kerberos ticket Restricted proxy Process Restricted proxy Local id Authorize Map to local id Create process Generate credentials Authorize Map to local id Create process Generate credentials Job Execution from The Globus Toolkit™: Security Services, http://www.globus.org/ Or: retrieval of proxy cred. from online repository

19 Security Tutorial - n° 19Torino, 5-6/12/02 Authentication/Authorization  Authentication n 16 national certification authorities + CrossGrid CA’s n policies & procedures  mutual trust n users identified by certificates  Authorization n Based on Virtual Organizations (VO). n Management tools for VO membership lists. n 10+2 Virtual Organizations VO’s ALICEEarth Obs. ATLASBiomedical BaBarD0 GenomicsMedical Im. CMSTestbed LHCbTutorial CA’s CERN CESNET CNRS (3) GermanGrid Grid-Ireland INFN NIKHEF NorduGrid LIP Russian DataGrid DATAGRID-ES GridPP (UK) US–DOE Root CA US-DOE Sub CA CrossGrid (*)

20 Security Tutorial - n° 20Torino, 5-6/12/02 EDG AA Overview  User requests a certificate from his CA [yearly]  User registers himself in the EDG LDAP-VO [once]  User generates a proxy certificate (short lifetime) [daily]  Host/service requests a certificate [yearly]  Local site retrieves the trusted CA’s certificates [periodically] and their CRL’s [daily]  Local site generates a gridmap-file from the LDAP database for authorization and mapping [daily]  User contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap-file

21 Security Tutorial - n° 21Torino, 5-6/12/02 Requesting a certificate (batch)  grid-cert-request A certificate request and private key is being created. [...] Using configuration from /usr/local/grid/globus/etc/globus- user-ssleay.conf Generating a 1024 bit RSA private key [...] A private key and a certificate request has been generated with the subject: /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner [...] Your private key is stored in.../.globus/userkey.pem Your request is stored in.../.globus/usercert_request.pem Please e-mail the certificate request to the CERN CA  cat.../.globus/usercert_request.pem | mail cern- globus-ca@cern.ch  Your certificate will be mailed to you within two working days.

22 Security Tutorial - n° 22Torino, 5-6/12/02 Requesting a certificate (online)  Online procedure: n donwload your CA certificate; n fill the online request form; n wait for the identity check by the CA; n download the certificate.  Protect the certificate.  Export the certificate and make a backup copy.

23 Security Tutorial - n° 23Torino, 5-6/12/02 Download the INFN CA cert 1/2  http://security.fi.infn.it /CA/  Click on Certificato INFN CA n ignore warning messages about connecting to an unknow site...  Click on Scarica Certificato

24 Security Tutorial - n° 24Torino, 5-6/12/02 Download the INFN CA cert 2/2  Netscape: n select all the three options  Explorer: n save with extension.der n double-click on the file name and click on Installa certificato n choose the default answer in all the following questions  Verify that the certificate is among the “root certificates” Explorer Netscape

25 Security Tutorial - n° 25Torino, 5-6/12/02 Fill the online request form  http://security.fi.infn.it/CA/  Click on Richiesta certificati  Fill the details of the owner: n Nome sezione; n Nome e Cognome; n E-mail, it must be the official one, Nome.Cognome@sezione.infn.it.  Click on Sottometti Richiesta.  After the identity checks, you’ll receive an e-mail with the instructions for the download.

26 Security Tutorial - n° 26Torino, 5-6/12/02 Download the certificate  Open the URL in the mail from INFN-CA with the same browser used to submit the request  Verify that the certificate appears in the browser DB Netscape

27 Security Tutorial - n° 27Torino, 5-6/12/02 Protect the certificate  Your certificate must be password protected to avoid unauthorized use Netscape

28 Security Tutorial - n° 28Torino, 5-6/12/02 Export the certificate  Export the certificate (extension.p12) and save a copy on a floppy (two is better...).The copy can be imported in another browser.  Protect the copy with a good password (it will be asked during the export procedure)  Convert the certificate for use by the globus toolkit: openssl pkcs12 -nocerts\ –in user.p12 \ –out ~/.globus/userkey.pem openssl pkcs12 –clcerts \ -nokeys \ –out ~/.globus/usercert.pem Netscape Explorer

29 Security Tutorial - n° 29Torino, 5-6/12/02 Registration  Users must accept the EDG usage guidelines and be registered in an EDG VO  If you don’t have your certificate in a browser: n convert the certificate openssl pkcs12 –export \ –in ~/.globus/usercert.pem \ –inkey ~/.globus/userkey.pem \ –out user.p12 –name ’M. Rossi’ n import your certificate in your browser  Sign the usage guidelines n open the following URL and click on “Accept”: https://marianne.in2p3.fr/cgi- bin/datagrid/register/account.pl  Ask an account from your VO administrator.

30 Security Tutorial - n° 30Torino, 5-6/12/02 Starting a grid session  „login”: grid-proxy-init Your identity: /C=IT/O=INFN/CN=M.Rossi/Email=M.Rossi@infn.it Enter GRID pass phrase for this identity: ********* Creating proxy........................................ Done Your proxy is valid until Fri Nov 29 02:44:51 2002 the proxy is stored in /tmp/x509up_uxxx  You can now use use the grid services.  „logout”: grid-proxy-destroy

31 Security Tutorial - n° 31Torino, 5-6/12/02 Proxy certificate structure  openssl x509 -text -noout -in /tmp/x509up_u504 Data: Version: 3 (0x2) Serial Number: 981 (0x3d5) Signature Algorithm: md5WithRSAEncryption Issuer: C=IT,O=INFN,CN=M.Rossi/Email=M.Rossi@infn.it Validity Not Before: Nov 28 14:14:57 2002 GMT Not After : Nov 29 02:19:57 2002 GMT Subject: C=IT,O=INFN,CN=M.Rossi/Email=M.Rossi@infn.it, CN=proxy Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit):...................................... Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption......................................

32 Security Tutorial - n° 32Torino, 5-6/12/02 Authorization: the present  Based on VO LDAP servers n Each VO manages an LDAP Directory n Only groups provided, no roles n Secure web interface for EDG AUP signing  Mapping X509 credentials  user at local site n Each site periodically generates (mkgridmap) a “grid-mapfile” (mapping DN  username). n Dynamic mapping available (gridmapdir). n Mapping customizable by the local site managers.

33 Security Tutorial - n° 33Torino, 5-6/12/02 grid-mapfile generation o=testbed, dc=eu-datagrid, dc=org CN=Franz Elmer ou=People CN=John Smith mkgridmap grid-mapfile VO Directory “Authorization Directory” CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local usersban list

34 Security Tutorial - n° 34Torino, 5-6/12/02 Authorization: the future  Virtual Organization Membership Service (VOMS) n Grants authorization data to users at VO level n Each VO has its own VOMS  Local Centre Authorization Service (LCAS) n Handles authorization requests to local fabric  Local Credential Mapping Service (LCMAPS) n Provides local credentials needed for jobs in fabric  Grid ACL (GACL) library n Provides DN based ACL’s

35 Security Tutorial - n° 35Torino, 5-6/12/02 VOMS Operations Authentication Request Auth DB C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy User’s attribute s 1. Mutual authentication Client- Server 2. Client sends request to Server 3. Server checks correctness of request 4. Server sends back the required info, signed by itself 5. Client repeats process for other VOMS ’ s 6. Client creates a proxy certificate containing all the info received into a (non critical) extension

36 Security Tutorial - n° 36Torino, 5-6/12/02 LCAS / LCMAPS  LCAS n Handles authorization requests to local fabric n Authorization decisions based on proxy user certificate and job specification n Supports gridmap-file mechanism n Plug-in framework (hooks for external authorization plug-ins)  LCMAPS n Provides local credentials needed for jobs in fabric s Accepts requests validated by LCAS s Returns, if any, local credentials already assigned to user or generates new ones. n Replaces gridmap(dir), but keeps functionality

37 Security Tutorial - n° 37Torino, 5-6/12/02 EDG gatekeeper TLS auth LCAS (so) assist_gridmap Jobmanager-* Gatekeeper TLS auth LCAS client apply creds * Jobmanager-* Gatekeeper LCAS ACL timeslot gridmap config LCMAPS clnt LCMAPS role2uid role2afs config * And store in job repository Id Yes/no Id credlist NOWEDG1.4, EDG2.x By Martijn Steenbakkers (EDG WP4)

38 Security Tutorial - n° 38Torino, 5-6/12/02 Further Information Grid  EDG CAs: http://marianne.in2p3.fr/datagrid/ca  EDG Security Requirements: http://edms.cern.ch/document/340234  GGF Security Area: http://www.gridforum.org/security/  Grid Security Infrastructure (GSI): http://www.globus.org/security/ Background  Bruce Schneier,Applied Cryptography: Protocols, Algorithms and Source Code in C, John Wiley & Sons.  Generic Security Services Application Programming Interface (GSSAPI): http://www.faqs.org/faqs/kerberos-faq/general/section- 84.html  S. Tuecke et al., Internet X.509 Public Key Infrastructure Proxy Certificate Profile, draft-ietf-pkix-proxy-03.

Download ppt "Security Mechanisms The European DataGrid Project Team"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google