Certification Authority - Sergio Lietti



  1. GridUNESP – V Workshop: Certification Authority. Sergio M. Lietti, 16 Dec 2009
  2. Open Science Grid (OSG)
     - OSG brings together computing and storage resources from campuses and research communities into a common, shared grid infrastructure over research networks via a common set of middleware
     - OSG offers participating research communities low-threshold access to more resources than they could afford individually, via a combination of dedicated, scheduled and opportunistic alternatives
  3. Open Science Grid (OSG)
     - OSG has 82 sites, most of them in the USA, but also in Brazil, China, Mexico, South Africa, and South Korea
     - GridUnesp will be part of the OSG sites soon
  4. Security
     - In order to share the infrastructure between all sites, security is essential
     - The Grid Security Infrastructure (GSI) uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality
     - The primary motivations behind the GSI are:
       - The need for secure communication (authenticated and perhaps confidential) between elements of a computational Grid
       - The need to support security across organizational boundaries, thus prohibiting a centrally-managed security system
       - The need to support "single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites
  5. Certificates
     - Every user and service on the Grid is identified via a certificate, which contains information vital to identifying and authenticating the user or service
     - A GSI certificate includes four primary pieces of information:
       - A subject name, which identifies the person or object that the certificate represents
       - The public key belonging to the subject
       - The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject
       - The digital signature of the named CA
  6. Certificates
     - A Certification Authority (CA) is used to certify the link between the public key and the subject in the certificate
     - In order to trust the certificate and its contents, the CA's certificate must be trusted
     - GSI certificates are encoded in the X.509 certificate format, a standard data format for certificates established by the Internet Engineering Task Force (IETF)
  7. X.509
     - In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI)
     - X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm
     - In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an e-mail address or a DNS entry
  8. Public Key Infrastructure
     - Public-key cryptography is a relatively new cryptographic approach whose distinguishing characteristic is the use of asymmetric key algorithms instead of, or in addition to, symmetric key algorithms
     - The asymmetric key algorithms are used to create a mathematically related key pair: a secret private key and a published public key
     - Encryption and authorization are performed using the public key, while decryption and digital signing are performed with the private key
     - Each user has a pair of cryptographic keys (a public key and a private key). The private key is kept secret, whilst the public key may be widely distributed
  9. User Certificate files
     - Within the Globus era, the key file (userkey.pem) and the certificate file (usercert.pem) correspond to the key pair of public-key cryptography
     - The userkey.pem file contains the private key, encrypted with your password
     - The certificate file (usercert.pem) contains your public key together with additional important information such as the subject name of the holder of the certificate, the name of the signing CA, and the digital signature of the CA
     - Both files are stored inside a directory called .globus in the user's home directory
  10. userkey.pem example file
  11. usercert.pem example file
  12. User Certificate files
     - In order to obtain a valid passport to the Grid you need to create a key pair and submit your public key to the CA for a signature (this process is called a certificate request)
     - The CA will follow its certificate policy and, upon successful evaluation of your request, your public key will be signed and posted back to you
     - The important role of the CA is to establish a trustful connection between the identity of the user and the public key in the certificate file
     - The digital signature of the CA in the user's certificate file officially declares that the public key in the file belongs to the specific user (subject name)
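The key-pair, certificate-request and CA-signing steps of slides 9 to 12, run end to end with openssl, as an added example that is not part of the original slides nor of the Globus or SimpleCA tooling. The CA name, the user subject, the passphrase and the working directory are constructed for the demo; the final checks show what a relying party verifies: the CA signature on usercert.pem and that its public key is the one matching userkey.pem.

```shell
#!/bin/sh
# Constructed walk-through of the GSI certificate workflow with openssl:
# a (demo) CA is created, the user generates an encrypted key pair and a
# certificate request, the CA signs it, and the result is verified.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="demo-passphrase"   # constructed; a real userkey.pem passphrase is the user's own

make_ca() {
  # Self-signed CA certificate and key; stands in for a Grid CA root
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/DC=org/DC=example/CN=Demo Grid CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_user_request() {
  # userkey.pem: private key encrypted with the passphrase
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/userkey.pem" 2048 2>/dev/null
  # Certificate request: subject name plus the public key, to be sent to the CA
  openssl req -new -key "$WORK/userkey.pem" -passin "pass:$PASS" \
    -subj "/DC=org/DC=example/OU=People/CN=Jane Doe" -out "$WORK/userreq.pem" 2>/dev/null
}

ca_sign_request() {
  # The CA signs the request; the output is the user's usercert.pem
  openssl x509 -req -in "$WORK/userreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/usercert.pem" 2>/dev/null
}

verify_user_cert() {
  # Path validation: the CA signature on usercert.pem must check out against the trusted CA cert
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/usercert.pem" >/dev/null 2>&1
}

cert_subject() { openssl x509 -in "$WORK/usercert.pem" -noout -subject; }
cert_issuer()  { openssl x509 -in "$WORK/usercert.pem" -noout -issuer; }

keys_match() {
  # The public key inside usercert.pem must be the one derived from userkey.pem
  a=$(openssl x509 -in "$WORK/usercert.pem" -noout -pubkey)
  b=$(openssl pkey -in "$WORK/userkey.pem" -passin "pass:$PASS" -pubout)
  [ "$a" = "$b" ]
}

run_demo() {
  make_ca && make_user_request && ca_sign_request && verify_user_cert && keys_match
}

run_demo && echo "usercert.pem verified against the CA in $WORK"
```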
  13. Certification Authority
     - Grid Certificates
       - Host and service certificates for the servers
       - Personal certificates for the users
     - Why?
       - Security
       - User and server identification
     - Who issues certificates?
       - A Certification Authority (CA)
       - IGTF – The International Grid Trust Federation (TAGPMA, EUGridPMA, APGridPMA, TACAR)
       - TAGPMA – The Americas Grid Policy Management Authority
  14. ANSP Grid Certification Authority
     - Local Certification Authorities
       - Brazil – UFF Brazilian Grid CA
       - São Paulo – the Academic Network at São Paulo Grid CA (soon)
     - Users of ANSP Grid CA
       - Researchers from the GridUNESP project
       - Researchers from the state of São Paulo
     - ANSP Grid CA will offer a free X.509 certification service for academic research and development activities in the e-Science and Grid Computing communities of the state of São Paulo
  15. ANSP Grid CA Deployment
     - ANSP is already a member of TAGPMA
     - Present status: accreditation process
     - Recently, ANSP has bought two Hardware Security Modules (HSMs) to generate its root certificate
     - TAGPMA accreditation allows members to interoperate with other IGTF participants in worldwide collaborations on the Grid
  16. In the meantime
     - User certificates will be issued by SimpleCA (Globus package) installed on the GridUnesp main server
     - Those certificates will allow users to submit jobs only to GridUnesp machines
     - A web page is being constructed so users can request their certificates
     - Requests will be approved by research group leaders, and signed certificates will then be sent to users