Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.

Published byBritney Nash Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources."— Presentation transcript:

1 1 Grid School Module 4: Grid Security

2 2 Typical Grid Scenario Users Resources

3 3 What do we need ? l Identity l Authentication l Message Protection l Authorization l Single Sign On

4 4 Identity & Authentication l Each entity should have an identity l Authenticate: Establish identity –Is the entity who he claims he is ? –Examples: >Driving License >Username/password l Stops masquerading imposters

5 5 Message Protection: Privacy Medical Record Patient no: 3456

6 6 Message Protection: Integrity Run myHome/whoami Run myHome/rm –f *

7 7 Authorization l Establishing rights l What can a said identity do ? Examples: –Are you allowed to be on this flight ? >Passenger ? >Pilot ? –Unix read/write/execute permissions l Must authenticate first

8 8 Grid Security: Single Sign On Authenticate Once

9 9 Grid Security: Single Sign On Delegation

10 10 Single Sign-on l Important for complex applications that need to use Grid resources –Enables easy coordination of varied resources –Enables automation of process –Allows remote processes and resources to act on user’s behalf –Authentication and Delegation

11 11 Solutions

12 12 Cryptography for Message Protection l Enciphering and deciphering of messages in secret code l Key –Collection of bits –Building block of cryptography –More bits, the stronger the key 0 1 0 1 0 0 1 1 1 0 1 0 1 1 1

13 13 Encryption l Encryption is the process of taking some data and a key and feeding it into a function and getting encrypted data out l Encrypted data is, in principal, unreadable unless decrypted Encryption Function

14 14 Decryption l Decryption is the process of taking encrypted data and a key and feeding it into a function and getting out the original data –Encryption and decryption functions are linked Decryption Function

15 15 Asymmetric Encryption l Encryption and decryption functions that use a key pair are called asymmetric –Keys are mathematically linked

16 16 Public and Private Keys l With asymmetric encryption each user can be assigned a key pair: a private and public key Private key is known only to owner Public key is given away to the world l Encrypt with public key, can decrypt with only private key l Message Privacy

17 17 Digital Signatures l Digital signatures allow the world to –determine if the data has been tampered –verify who created a chunk of data l Sign with private key, verify with public key l Message Integrity

18 18 Public Key Infrastructure (PKI) l PKI allows you to know that a given public key belongs to a given user l PKI builds off of asymmetric encryption: –Each entity has two keys: public and private –The private key is known only to the entity l The public key is given to the world encapsulated in a X.509 certificate Owner

19 19 John Doe 755 E. Woodlawn Urbana IL 61801 BD 08-06-65 Male 6’0” 200lbs GRN Eyes State of Illinois Seal Certificates l X509 Certificate binds a public key to a name. l Similar to passport or driver’s license Name Issuer Public Key Validity Signature Valid Till: 01-02-2008

20 20 Certification Authorities (CAs) l A Certification Authority is an entity that exists only to sign user certificates l The CA signs it’s own certificate which is distributed in a trusted manner l Verify CA certificate, then verify issued certificate Name: CA Issuer: CA CA’s Public Key Validity CA’s Signature

21 21 Certificate Policy (CP) l Each CA has a Certificate Policy (CP) which states –who it will issue certificates to –how it identifies people to issue certificates to l Lenient CAs don’t pose security threat, since resources determine the CAs they trust.

22 22 Certificate Issuance l User generates public key and private key l CA vets user identity using CA Policy l Public key is sent to CA –Email –Browser upload –Implied l Signs user’s public key as X509 Certificate l User private key is never seen by anyone, including the CA

23 23 Certificate Revocation l CA can revoke any user certificate –Private key compromised –Malicious user l Certificate Revocation List (CRL) –List of X509 Certificates revoked –Published, typically on CA web site. l Before accepting certificate, resource must check CRLs

24 24 Authorization l Establishing rights of an identity l Chaining authorization schemes –Client must be User Green and have a candle stick and be in the library! l Types: –Server side authorization –Client side authorization

25 25 Gridmap Authorization l Commonly used in Globus for server side l Gridmap is a list of mappings from allowed DNs to user name l ACL + some attribute l Controlled by administrator l Open read access "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford” benc "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde” wilde

26 26 Globus Security: The Grid Security Infrastructure l The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources. l Based on PKI l Uses Secure Socket Layer for authentication and message protection –Encryption –Signature l Adds features needed for Single-Sign on –Proxy Credentials –Delegation

27 27 GSI: Credentials l In the GSI system each user has a set of credentials they use to prove their identity on the grid –Consists of a X509 certificate and private key l Long-term private key is kept encrypted with a pass phrase –Good for security, inconvenient for repeated usage

28 28 GSI: Proxy Credentials l Proxy credentials are short-lived credentials created by user –Proxy signed by certificate private key l Short term binding of user’s identity to alternate private key l Same effective identity as certificate SIGN

29 29 GSI: Proxy Credentials l Stored unencrypted for easy repeated access l Chain of trust –Trust CA -> Trust User Certificate -> Trust Proxy l Key aspects: –Generate proxies with short lifetime –Set appropriate permissions on proxy file –Destroy when done

30 30 GSI Delegation l Enabling another entity to run as you l Provide the other entity with a proxy l Ensure –Limited lifetime –Limited capability

31 31 Grid Security At Work l Get certificate from relevant CA l Request to be authorized for resources l Generate proxy as needed l Run clients –Authenticate –Authorize –Delegate as required Numerous resource, different CAs, numerous credentials

32 32 MyProxy l Developed at NCSA l Credential Repository with different access mechanism (e.g username/pass phrase) l Can act as a credential translator from username/pass phrase to GSI l Online CA l Supports various authentication schemes –Passphrase, Certificate, Kerberos

33 33 MyProxy: Use Cases l Credential need not be stored in every machine l Used by services that can only handle username and pass phrases to authenticate to Grid. E.g. web portals l Handles credential renewal for long- running tasks l Can delegate to other services

34 34 Lab Session l Focus on tools –Certificates –Proxies –Gridmap Authorization –Delegation –MyProxy

35 35 Grid School Module 2: Grid Security Prepared by: Rachana Ananthakrishnan Argonne National Laboratory With contributions by Von Welch, Frank Siebenlist, Ben Clifford

Download ppt "1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.

Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Similar presentations

Ads by Google