Session6 Security  Emidio
 

    Presentation Transcript

    • Enabling Grids for E-sciencE: Grid Security. Emidio Giorgio, INFN Catania, emidio.giorgio "at" ct.infn.it. With thanks for some slides to EGEE and Globus, UNICORE colleagues. www.eu-egee.org, INFSO-RI-508833. Monday 6 July 2009
    • What is Grid security?
      • Why is security needed on Grids? The Grid problem is to enable "coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations." (from "The Anatomy of the Grid", Ian Foster et al.)
      • The Grid intrinsically enables the VO concept
      • What is needed in terms of security for a VO?
    • Security issues in grids
      • Launching attacks on other sites
        – Large distributed farms of machines, ideal for launching a Distributed Denial of Service attack.
      • Illegal or inappropriate data distribution, and access to sensitive information
        – Massive distributed storage capacity, ideal for example for illegally sharing movies.
        – A growing number of users have data that must be kept private, biomedical imaging for example.
      • Damage caused by viruses, worms etc.
        – A highly connected infrastructure means worms could spread faster than on the Internet in general.
    • Virtual Organization concept
      • A VO for each application, workload or community
      • Carve out and configure resources for a particular use and set of users
      • The more dynamic, the better...
    • Problems at network level (diagram: User <-> Grid service)
      Participants of a grid communicate over the Internet
      • How can communication endpoints be identified? – Authentication
      • How can a secure channel be established between two partners? – Encryption – Non-repudiation – Integrity
    • Problems at VO level (diagram: User, Broker, Computing Element, Storage Element)
      • What are VO members allowed to do? – Authorization
      • How can services act on behalf of a user?
        – How can a service access the user's sites?
        – How can a job which is started by the broker access the user's private data?
    • Grid Security Infrastructure (GSI)
    • Grid Security Infrastructure: security at network level, Public Key Infrastructure (PKI)
    • Basis of security & authentication
      • Asymmetric encryption... (diagram: a clear text message is turned into encrypted text with one key of the pair and recovered as clear text with the other; private key, public key)
      • ... and digital signatures...
        – A hash derived from the message and encrypted with the signer's private key
        – The signature is checked by decrypting with the signer's public key
        – (This "encrypt the hash" picture is an RSA-specific simplification; in general, signing and verification are the two distinct operations of a signature scheme.)
      • Are used to build trust
        – That a user / site is who they say they are
        – And can be trusted to act in accordance with agreed policies
    • Basis of Public Key Infrastructure
      • Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
        – It is computationally infeasible to derive the private key from the public one
        – A message encrypted with one key can be decrypted only with the other one
      • Concept (simplified version):
        – Public keys are exchanged
        – The sender encrypts using the receiver's public key
        – The receiver decrypts using his/her private key
        (diagram, Paul's keys: public, private. John sends "ciao" to Paul as "3$r", which Paul decrypts back to "ciao"; Paul replies "bye" as "%i4", which John decrypts back to "bye")
    • Entity identity
      • Since I'm the only one with access to my private key, you know I signed the data associated with it
      • But how do you know that you have my correct public key?
      • X.509 certificates
    • Public and private keys
      • The public key is wrapped into a "certificate file"
      • Certificate files are created by trusted third parties: Grid Certification Authorities (CAs)
      • The private key is stored in an encrypted file, protected by a passphrase
      • The private key is created by the grid user
      Certificate (example):
        Public key
        Subject: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Emidio Giorgio
        Issuer: C=IT, O=INFN, OU=Catania, CN=INFN CA
        Expiration date: Mar 05 08:08:10 2008 GMT
        Serial number: 9504 (0x2520)
        Optional Extensions
        CA Digital signature: 1. hash of the public key & metadata, 2. encrypt the hash with the CA's private key
    • Certification Authorities
      • Grid users must generate a private and public key
      • The public key must be signed by a recognized CA
        – CAs can appoint a number of people as "registration authorities" (RAs): a personal visit to the nearest RA instead of to the national CA
      • CAs' web of trust: per continent, per country, per region
        – http://www.igtf.net/
        – http://www.gridpma.org/
        – http://www.apgridpma.org/
        – http://www.tagpma.org/
    • Issuing a grid certificate (diagram: User, Registration Authority, Certification Authority, CA root certificate, Cert Request, Cert)
      • Instructions, tutorials (should be) on CA homepages
      • The user generates a public/private key pair in the browser or in files; the private key is encrypted on local disk with a passphrase
      • The user sends the public key (certificate request) to the CA and shows the RA proof of identity (e.g. a State of Illinois ID)
      • The CA signature links identity and public key in the certificate
      • The CA informs the user; the browser used for the certificate download must be the same one used for the request
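    The issuance flow above (user key pair, request, RA identity check, CA signature) and the earlier slides on PKI and certificate contents, as an added example that is not part of the original presentation: a throwaway CA issues a user certificate, and a relying party checks it with the CA root certificate, the same check a Grid service does against its trusted-CA directory. The CA names and the subject /CN=Test User are invented for the demo; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not taken from the EGEE slides: a throwaway CA that issues
# a user certificate, to show what the CA signature binds and how a relying
# party checks it. The names ("Toy Grid CA", /CN=Test User) are invented;
# the only requirement is the openssl command-line tool.
set -eu

# make_ca DIR NAME: self-signed CA certificate and private key in DIR
# (the CA root certificate that every site distributes to its services).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/C=IT/O=Example/CN=$2" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# make_request DIR SUBJECT: the user generates a key pair and a certificate
# request. Only the request (subject + public key) goes to the CA; the
# private key stays on the user's disk.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1/userkey.pem" -out "$1/userreq.pem" 2>/dev/null
}

# issue_cert CADIR USERDIR: after the RA has checked identity, the CA signs
# the request. The signature covers subject and public key together, so
# neither can be altered afterwards without invalidating it.
issue_cert() {
  openssl x509 -req -days 365 -sha256 -in "$2/userreq.pem" \
    -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -out "$2/usercert.pem" 2>/dev/null
}

# verify_cert CACERT CERT: "ok" if CERT chains to CACERT, else "fail".
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_subject CERT: the identity the CA vouched for, in RFC 2253 form
# (Grid services map this distinguished name to a local account).
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Demo: full issuance flow in a scratch directory, then a check against an
# unrelated CA, which must fail even though the certificate is well-formed.
demo_issuance() {
  work=$(mktemp -d)
  mkdir "$work/ca" "$work/other" "$work/user"
  make_ca "$work/ca" "Toy Grid CA"
  make_ca "$work/other" "Unrelated CA"
  make_request "$work/user" "/C=IT/O=Example/CN=Test User"
  issue_cert "$work/ca" "$work/user"
  echo "subject:      $(cert_subject "$work/user/usercert.pem")"
  echo "issuing CA:   $(verify_cert "$work/ca/cacert.pem" "$work/user/usercert.pem")"
  echo "unrelated CA: $(verify_cert "$work/other/cacert.pem" "$work/user/usercert.pem")"
  rm -rf "$work"
}

demo_issuance
```

    The second verify_cert call is the point of the slide: possession of a syntactically valid certificate proves nothing; only a signature from a CA the service already trusts does, which is why sites ship the IGTF root certificate bundle rather than accepting whatever certificate a client presents.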
    • Certificate request example
      • Check the official CA for your country, find out how the RA has to identify you, and then fill in the web form
    • Certificate request example/2
      • After a couple of working days, an email is sent to the user with the URL from which to download the certificate
      • The browser used for the certificate download must be the same one used for the request
    • How to apply for certificates to use in the German e-Science Infrastructure D-Grid (06/07/2009)
      • Accepted Certification Authorities are DFN and GridKA
      • www.d-grid.de > User Portal > Access to the Resources guides you to the application pages
      • The certification policy expects you to contact a Registration Authority (RA), which has to validate your request
      • Select an RA
      • Apply for a user certificate
      • Print out the reply and fill in your identity card details
      • Contact the RA with your identity card in person (DFN) or with a copy of your ID card by mail (GridKA)
      • Receive your certificate by e-mail and include it in the browser where your private key resides
    • Export your certificate/1, Export your certificate/2 (screenshot-only slides; no text to transcribe)
    • Export on different formats
      • The certificate is released in PKCS12 format, but other middleware may need a different one
        griduser@gridx:~/.globus$ openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
        Enter Import Password: (insert your certificate password)
        MAC verified OK
        Enter PEM pass phrase: (insert a PEM pass phrase for the exported key)
        Verifying - Enter PEM pass phrase: (re-enter the PEM pass phrase)
        griduser@gridx:~/.globus$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
        Enter Import Password: (insert your certificate password)
        MAC verified OK
        griduser@gridx:~/.globus$ chmod 400 userkey.pem
        griduser@gridx:~/.globus$ chmod 644 usercert.pem
        – The first command extracts only the private key, re-encrypted under the new PEM pass phrase; the second extracts only the user certificate (-clcerts drops any CA certificates bundled in the file); the chmod calls leave the key readable by you alone and the certificate world-readable
    • The GILDA CA
      • https://gilda-security.ct.infn.it/CA/mgt/restricted/ucert.php
      • Training CA --> not included in EUGridPMA
      • Used for training purposes: simplified access procedure, no identification performed
    • User's private key and certificate
      • Keep your private key secure, if possible on a USB drive only
      • Do not loan your certificate to anyone
      • Report to your CA if your certificate has been compromised
      • Private key and certificate can be:
        – Stored in your browser
        – Stored in files using different file formats (PEM, P12, ...)
      • Typical situation on Globus, gLite, ARC middleware based grids:
        $ ls -l .globus
        total 24
        -rw-r--r-- 1 giorgio users 1806 Mar 3 2008 usercert.pem
        -r-------- 1 giorgio users 1910 Mar 3 2008 userkey.pem
      • If your certificate is used by someone other than you, it cannot be proven that it was not you.
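    The PKCS12-to-PEM export from the "Export on different formats" slide and the key-hygiene rules on this slide, as an added example that is not part of the original presentation: the same two openssl pkcs12 commands run non-interactively, followed by the checks worth running on the result before pointing Grid tools at ~/.globus (key and certificate actually belong together, key file readable by the owner only, certificate not about to expire). The scratch directory, file names and the passphrases "demo-pass" and "key-pass" are assumptions of this demo; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not taken from the slides: the PKCS#12 -> PEM export run
# non-interactively, plus the checks worth running on the result. File
# names, the scratch directory and the passphrases "demo-pass"/"key-pass"
# are assumptions of this demo; the only requirement is the openssl tool.
set -eu

# make_demo_p12 DIR PASS: stand-in for the bundle downloaded from the CA web
# page: a self-signed key and certificate packed as PKCS#12 under PASS.
# (A real bundle is CA-signed; the export steps below are identical.)
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/C=IT/O=Example/CN=Test User" \
    -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null
  openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
    -out "$1/cert.p12" -passout "pass:$2"
}

# export_p12 P12 OUTDIR P12PASS KEYPASS: split the bundle exactly as the
# slide does, with the passphrases supplied instead of prompted for.
export_p12() {
  # private key only; re-encrypted under KEYPASS, never written in clear
  openssl pkcs12 -nocerts -in "$1" -out "$2/userkey.pem" \
    -passin "pass:$3" -passout "pass:$4" 2>/dev/null
  # user certificate only (-clcerts drops any CA certificates in the bundle)
  openssl pkcs12 -clcerts -nokeys -in "$1" -out "$2/usercert.pem" \
    -passin "pass:$3" 2>/dev/null
  chmod 400 "$2/userkey.pem"   # readable by the owner only
  chmod 644 "$2/usercert.pem"  # the certificate is public
}

# key_matches_cert KEY CERT KEYPASS: "match" if the public key inside CERT is
# the one derived from KEY, "mismatch" otherwise (catches a mixed-up pair or
# a wrong passphrase, since then no public key can be derived at all).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl md5)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# key_is_private KEY: "ok" if only the owner can read the key file (mode
# 400 or 600, as in the slide's ls -l listing), "exposed" otherwise.
key_is_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case $mode in
    400|600) echo ok ;;
    *) echo exposed ;;
  esac
}

# cert_valid_for_days CERT DAYS: "valid" if CERT is still valid DAYS from
# now, "expiring" otherwise (the slide's example cert expired in 2008).
cert_valid_for_days() {
  if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null; then
    echo valid
  else
    echo expiring
  fi
}

# Demo run in a scratch directory.
demo_export() {
  work=$(mktemp -d)
  make_demo_p12 "$work" demo-pass
  export_p12 "$work/cert.p12" "$work" demo-pass key-pass
  echo "key/cert pair:   $(key_matches_cert "$work/userkey.pem" "$work/usercert.pem" key-pass)"
  echo "key permissions: $(key_is_private "$work/userkey.pem")"
  echo "valid 30 days:   $(cert_valid_for_days "$work/usercert.pem" 30)"
  rm -rf "$work"
}

demo_export
```

    Two caveats for real use. Passing passphrases with pass: puts them in the process list; outside a throwaway demo, let openssl prompt as on the slide, or use -passin file:/-passin env:. And on OpenSSL 3, a bundle produced by an older CA web interface may use the legacy RC2-40 PKCS#12 encryption, in which case both openssl pkcs12 commands need the -legacy option to read it.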
    • Problems at network level, revisited (diagram: User <-> Grid service)
      Members of a VO communicate over the Internet
      • How can communication endpoints be identified? – Authentication (✓)
      • How can a secure channel be established between two partners? – Encryption (✓) – Non-repudiation (✓) – Integrity (✓)
    • Security at VO level
      • The implementation of services for user authorization (what a user is allowed to do) depends on the middleware
        – VOMS (gLite), XUUDB (UNICORE), etc.
    • Thank you! Questions?