grid authentication

  1. Grid Authentication Technologies
     Asif Motorwala, Abbas Shamji
  2. Agenda
     • Quick Refresher on PKI
     • Grid portal integration
     • Example: grid approach
       – Cross-certification and PKI Bridges
       – National PKI context
  3. Two Types of Cryptography
     • Symmetric key cryptography
       – A pre-shared secret is used to encrypt the data
       – Some examples: DES, 3-DES, RC4, etc.
     • Public key cryptography
       – A pair of mathematically related keys are generated
         • One of the keys, the Public Key, is freely distributed
         • The other key, the Private Key, is kept confidential
       – Given one of the keys, it is computationally very hard to compute the other
  4. Public Key Cryptography
     – Data encrypted using the public key can only be decrypted by the person with the private key
     Example: Bob sends secret data to Alice
       Bob:
         1. Bob obtains a copy of Alice’s public key
         2. Bob encrypts the data using the public key and sends it to Alice
       Alice:
         1. Alice receives the data
         2. Alice decrypts the data using the private key that only she possesses
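The Bob-to-Alice exchange on this slide, written out in Go as an added example (not code from the presentation): Alice generates a key pair, Bob encrypts with her public key using RSA-OAEP, and Alice's private key recovers the data while a different private key (Bob's own) cannot. The names, the 2048-bit key size and the sample message are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates an RSA key pair. The PublicKey field is what its owner
// hands out freely; the private half never leaves the owner.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt is Bob's step: seal data for whoever holds the private key matching
// pub. RSA-OAEP (with SHA-256) is the padding that makes RSA safe on real
// messages; with a 2048-bit key the plaintext is limited to 190 bytes.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt is Alice's step: only the matching private key recovers the data.
// Any other key yields rsa.ErrDecryption rather than garbage.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	bob, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	secret := []byte("constructed sample: portal password reset at noon")

	// 1-2 (Bob): obtain Alice's public key, encrypt, send.
	ct, err := Encrypt(&alice.PublicKey, secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %d bytes, first bytes %x\n", len(ct), ct[:8])

	// 1-2 (Alice): receive, decrypt with the private key only she holds.
	pt, err := Decrypt(alice, ct)
	fmt.Printf("Alice recovers: %q (err=%v)\n", pt, err)

	// Bob's own private key is unrelated to Alice's and cannot decrypt.
	_, err = Decrypt(bob, ct)
	fmt.Printf("Bob with his own key: err=%v\n", err)
}
```

Because OAEP is randomised, encrypting the same message twice gives two different ciphertexts, so an observer cannot tell whether Bob resent the same data.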
  5. A Digital Certificate is:
     – An object that binds a user’s identity to their public key
     – An object signed by a Certification Authority (CA)
     – An object containing some attributes about the person who owns the certificate
     – An object containing some information about the CA
       • Useful for the relying party to understand campus identity policy
     – Often published in a campus directory if support for encryption is anticipated
  6. Digital Certificates and Security
     • Login id and password never flow over the network
     • Strong cryptography – what does flow over the network is very safe
     • Enables mutual authentication
     • Defeats a variety of man-in-the-middle attacks
     • No (practical) brute-force attacks
     • Is often easier to use than login/password
  7. DRM Security
     • The ASCI DRM environment uses a Kerberos implementation of the GSS-API.
       – As far as tools and APIs go, this is not visible. (That’s the point of GSS-API!)
       – However, it is NOT interoperable with GSI-based versions of the Globus Toolkit
       – Various differences of Kerberos vs GSI:
         • The security files created “under the covers” in the system and the services are different.
         • Different commands to login, logout, etc.
     • Treatment
       – We will discuss security using GSI (PKI).
       – Pat will talk later about how the Kerberos GSS-API changes things in the DRM.
  8. Good Practices for Grid Authentication: Trust, Private Key Protection and Non-Repudiation
     • Digital signatures are based on the idea that only the user has access to their private key
     • A user’s private key is generally protected by the workstation’s operating system
       – Typical protection is no better than for any password that the user lets the operating system store
     • Hardware tokens can be used for strong private key protection, mobility, and as a component in a non-repudiation strategy
  9. Grid Security Infrastructure (GSI)
     • Basic Grid security needs
       – Strong authentication
       – Ability to encrypt data
       – Single sign-on
     • Solution
       – GSI is based on PKI; certificates are used for authentication
       – Uses mutual authentication and encryption when needed
  10. PKI Mutual Authentication
     • Client Authentication
       1. Client connects to server and sends user’s certificate
       2. Server uses its root key store to validate the user’s certificate
       3. Server sends client some random data; client uses private key to encrypt data; server decrypts data, validating that client has access to the private key
     • Server Authentication
       1. Server replies, sending its digital certificate to the client
       2. Client validates the server’s certificate using its trusted root store
       3. Client sends some random data to the server; server encrypts the data using its private key; client decrypts data, validating that server has access to the private key
     • Globus uses SSL/TLS to accomplish mutual authentication
  11. Background: Cross-certification
     • Top section
       – Traditional hierarchical validation example
     • Bottom section
       – Validation using cross certification example
       – UVA signed a certificate request from the UAB CA
       – UAB signed a certificate request from the UVA CA
     [Figure: certificate chains drawn as boxes labelled I: (issuer) and S: (subject). Top section: the self-signed roots I: UAB S: UAB and I: UVA S: UVA, each issuing its own user, I: UAB S: User-2 and I: UVA S: User-1. Bottom section: the same roots and users plus the cross certs I: UAB S: UVA and I: UVA S: UAB.]
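An added example in Go (not code from the presentation) that covers both the validation and challenge/response steps of slide 10 and the cross-certification picture of slide 11. It creates two self-signed CAs named after the slide's UAB and UVA, issues User-2 under UAB and User-1 under UVA, then has UAB sign a CA certificate over UVA's existing public key (the cross cert). A relying party that trusts only the UAB root accepts User-2 directly, rejects User-1, and accepts User-1 once the cross cert is available as an intermediate. The proof-of-possession step signs a random nonce with the private key and checks it against the public key in the certificate, which is the concrete form the slide's "encrypt with the private key" step takes in protocols such as TLS. All keys and names are generated in memory for the example; nothing here is Globus or GSI code.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate plus the private key behind it (a CA or an end user).
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// certFor signs a certificate binding subject to pub. With a nil issuer the
// certificate is self-signed with selfKey (a root CA); otherwise issuer signs.
func certFor(subject string, isCA bool, pub *ecdsa.PublicKey, issuer *Entity, selfKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, crypto.Signer(selfKey)
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEntity generates a fresh key pair and has issuer certify it
// (nil issuer: a self-signed root CA).
func NewEntity(subject string, isCA bool, issuer *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := certFor(subject, isCA, &key.PublicKey, issuer, key)
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, Key: key}, nil
}

// CrossCertify has issuer sign a CA certificate over other's existing public
// key, so other's users chain to issuer's root without re-enrolling.
func CrossCertify(issuer, other *Entity) (*x509.Certificate, error) {
	return certFor(other.Cert.Subject.CommonName, true, &other.Key.PublicKey, issuer, nil)
}

// Validate is the "root key store" step: user must chain to one of the relying
// party's trusted roots, optionally through cross-certificates.
func Validate(user *x509.Certificate, roots, cross []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range cross {
		interPool.AddCert(c)
	}
	_, err := user.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// ProveKeyPossession is the challenge/response step: the holder signs the
// verifier's random nonce with the private key behind its certificate.
func ProveKeyPossession(holder *Entity, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, holder.Key, digest[:])
}

// CheckKeyPossession verifies that response using only the certificate.
func CheckKeyPossession(cert *x509.Certificate, nonce, response []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, nonce, response)
}

func main() {
	uab, _ := NewEntity("UAB", true, nil)
	uva, _ := NewEntity("UVA", true, nil)
	user1, _ := NewEntity("User-1", false, uva)
	user2, _ := NewEntity("User-2", false, uab)
	uabSignsUVA, _ := CrossCertify(uab, uva) // I: UAB, S: UVA
	uabRoots := []*x509.Certificate{uab.Cert}

	fmt.Println("User-2 at UAB (hierarchical):", Validate(user2.Cert, uabRoots, nil))
	fmt.Println("User-1 at UAB, no cross cert:", Validate(user1.Cert, uabRoots, nil))
	fmt.Println("User-1 at UAB, with cross cert:", Validate(user1.Cert, uabRoots, []*x509.Certificate{uabSignsUVA}))

	nonce := make([]byte, 32)
	rand.Read(nonce)
	resp, _ := ProveKeyPossession(user1, nonce)
	fmt.Println("User-1 proves key possession:", CheckKeyPossession(user1.Cert, nonce, resp))
	fmt.Println("Same response checked against User-2's cert:", CheckKeyPossession(user2.Cert, nonce, resp))
}
```

The other direction of the slide's diagram (UVA signing UAB's key so that User-2 validates at UVA) is the same call with the arguments swapped, `CrossCertify(uva, uab)`, supplied as an intermediate to a relying party whose root store holds only the UVA root.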
  12. THANK YOU