Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004.

Published byStewart Haynes Modified over 8 years ago

Similar presentations

Presentation on theme: "Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004."— Presentation transcript:

1 Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004

2 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 2 User Concepts Authentication  Are you who you claim to be? Authorisation  Do you have access to the resource you are connecting to? Accounting  What did you do, when did you do it and where did you do it from?

3 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 3 Aspects of Grid Security Resources being used may be valuable & the problems being solved sensitive Dynamic formation and management of virtual organizations (VOs)  Large, dynamic, unpredictable… VO Resources and users are often located in distinct administrative domains  Can’t assume cross-organizational trust agreements  Different mechanisms & credentials Interactions are not just client/server, but service-to-service on behalf of the user  Requires delegation of rights by user to service  Services may be dynamically instantiated slide based on presentation given by Carl Kesselman at GGF Summer School 2004

4 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 4 The Trust Model Certification Domain A Server XServer Y Policy Authority Policy Authority Task Domain B Sub-Domain A1 GSI Certification Authority Sub-Domain B1 Authority Federation Service Virtual Organization Domain No Cross- Domain Trust slide based on presentation given by Carl Kesselman at GGF Summer School 2004

5 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 5 Delegation A Site delegates responsibility for the users that may access its resources to the managers/management system of a VO. A VO delegates its rights to a user. A user delegates their authentication to a service to allow programs to run on remote sites. Delegation : The act of giving an organisation, person or service the right to act on your behalf.

6 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 6 Use Delegation to Establish Dynamic Distributed System Compute Center VO Service slide based on presentation given by Carl Kesselman at GGF Summer School 2004

7 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 7 Goal is to do this with arbitrary mechanisms Compute Center VO Rights Compute Center Service Kerberos/ WS-Security X.509/SSL SAML Attribute slide based on presentation given by Carl Kesselman at GGF Summer School 2004

8 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 8 INSECURE SECURE Public Private Key Life Savings Alice Bob Life Savings Private KeyMessage Public Key

9 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 9 Public Key Infrastructure (PKI) PKI allows you to know that a given key belongs to a given user. PKI builds off of asymmetric encryption:  Each entity has two keys: public and private.  Data encrypted with one key can only be decrypted with other.  The public key is public.  The private key is known only to the entity. The public key is given to the world encapsulated in a X.509 certificate. slide based on presentation given by Carl Kesselman at GGF Summer School 2004

10 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 10 Certificates Similar to passport or driver’s license: Identity signed by a trusted party Name Issuer Public Key Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 John Doe 755 E. Woodlawn Urbana IL 61801 BD 08-06-35 Male 6’0” 200lbs GRN Eyes State of Illinois Seal

11 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 11 Certificate Authorities A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates A Certificate Authority is an entity that exists only to sign user certificates Users authenticate themselves to CA, for example by use of their Passport or Identity Card. The CA signs it’s own certificate which is distributed in a secure manner. Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004

12 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 12 Certificate Request Private Key encrypted on local disk Certificate Request Public Key ID Cert User generates public/private key pair. User send public key to CA along with proof of identity. CA confirms identity, signs certificate and sends back to user. slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Public

13 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 13 Inside the Certificate Standard (X.509) defined format. User identification (e.g. full name). Users Public key. A “signature” from a CA created by encoding a unique string (a hash) generated from the users identification, users public key and the name of the CA. The signature is encoded using the CA’s private key. This has the effect of:  Proving that the certificate came from the CA.  Vouching for the users identification.  Vouching for the binding of the users public key to their identification.

14 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 14 Certificate Validity The public key from the CA certificate can then be used to verify the certificate. Name Issuer: CA Public Key Signature =? Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Decrypt CA

15 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 15 User Authorisation to Access Resource slide based on presentation given by Carl Kesselman at GGF Summer School 2004

16 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 16 Authorisation Requirements Detailed user rights centrally managed and assigned:  User can have certain group membership and roles Involved parties:  Resource providers. Keep full control on access rights.  The users Virtual Organisation. Member of a certain group should have same access rights independent of resource. Resource provider and VO must agree on authorisation:  Resource providers evaluate authorisation granted by VO to a user and map into local credentials to access resources

17 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 17 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

18 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 18 Accounting Summary User via Certificates and Delegated Services AuthenticationAuthorisation delegated to VO. Resource

19 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 19 Acknowledgements Many slides in this presentation are based on the presentation given by Carl Kesselman at the GGF Summer School 2004. This presentation may be found at http://www.dma.unina.it/~murli/GridSummerSchool2004/ curriculum.htm

20 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 20 Grid Security Infrastructure (GSI) Globus Toolkit TM proposed and implements the Grid Security Infrastructure (GSI)  Protocols and APIs to address Grid security needs GSI protocols extend standard public key protocols  Standards: X.509 & SSL/TLS  Extensions: X.509 Proxy Certificates (single sign-on) & Delegation GSI extends standard GSS-API (Generic Security Service)  The GSS-API is the IETF standard for adding authentication, delegation, message integrity, and message confidentiality to applications. Proxy Certificate:  Short term, restricted certificate that is derived form a long-term X.509 certificate  Signed by the normal end entity cert, or by another proxy  Allows a process to act on behalf of a user  Not encrypted and thus needs to be securely managed by file system

21 Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004 - 21 Example: VO-LDAP server for Authorisation mkgridmap grid-mapfile VO Directory CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local users ban list Adopted by DataGrid Testbed0 (2001/02) DataGrid Testbed1 (2003) DataTAG Testbed (2003)

Download ppt "Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius, 5-6.10.2004."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.

GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,

Similar presentations

Ads by Google