Vinod Rebello

Presentation Transcript

  • Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid Computing
    Prof. Vinod Rebello, Instituto de Computação, Universidade Federal Fluminense, Brazil, [email_address]
    TAGPMA: The Americas Grid Policy Management Authority
  • A talk about PKI - Why me?
    • User, resource provider and grid operator
    • Manager of the IGTF approved Brazilian and the Latin American and Caribbean Catch-all Grid Certificate Authorities
    • EELA-2 Task leader for Grid CAs and Security
    • Current Chair of the TAGPMA
    • Former Chair of the IGTF
    • There are worlds outside of Grid Computing…
    • Chair of the Brazilian Educational PMA (ICPEDU)
    • Brazilian Federal PKI Service
    • And these worlds are colliding!
  • The Grid Computing Model
    Diagram: Grid/Cloud offering services
    In this generic model, institutions and businesses own fewer of their own resources. Third parties provide facilities; users get access to services. Businesses themselves can also offer services over the Grid.
  • What is Grid Security?
    • The Grid problem is to enable
    • “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.”
    • From The Anatomy of the Grid
    • So Grid Security is security to enable VOs.
    • Security is about risk assessment , not building a perfect system
  • Essentials for Grid Security
    • Access to shared services
      • cross-domain authentication, authorization, accounting, billing
      • common generic protocols for collective services
    • Support multi-user collaboration
      • may contain individuals acting alone – their home organization administration need not necessarily know about all activities
      • organized in ‘Virtual Organizations’
    • Enable ‘easy’ single sign-on for the user
      • the best security is hidden from the user as much as possible
    • And leave the resource owner always in control
  • Characteristics of Grid Security
    • Current grid security is largely user centric
      • different roles for the same person in the home institution and in the Virtual Organization (VO)
    • There is no a priori trust relationship between members or member organizations
      • VO lifetime can vary from hours to decades
      • VO not necessarily persistent (both long- and short-lived)
      • people and resources are members of many VOs
    • … but a relationship is required
      • as a basis for authorising access
      • for traceability and liability, incident handling, and accounting
  • Role of Computer Security
    • Identification & Authentication (I&A)
      • Provide a way of identifying entities, and controlling this identity
    • Confidentiality: protection against data disclosure to unauthorized persons
    • Integrity: protection against data modification
    • Availability: protection against data being made unavailable
    • Non-repudiability
      • Bind an entity to its actions
    • Authorisation
      • Identity combined with an access policy to grant rights to perform some action
  • Security Building Blocks
    • Encryption provides
      • confidentiality, can provide authentication and integrity protection
    • Checksums/hash algorithms provide
      • integrity protection, can provide authentication
    • Digital signatures provide
      • authentication, integrity protection, and non-repudiation
  • Asymmetric Cryptography
    • Use non-reversible functions and a key pair
      • What one key encrypts, the other decrypts
    • Keep one key private
      • Only you can decrypt
    • Let the other be public
      • Everyone can encrypt
    • Security relies on
      • F⁻¹ (the inverse of F) not being found
    Diagram: Hello → F(x) with priv → $w!4& ; $w!4& → F(x) with pub → Hello
  • Asymmetric Key Pairs
    • Every user splits a key pair into a private and a public key.
    The public key is known by everybody. The private key should not be known by anyone else. It may be protected by hardware.
    Diagram: priv / pub
  • Authentication: Challenge - Response
    Diagram: Client → Server: “I’m Fred”; Server: ch = rand() → 1423; Client: encrypt(1423) with priv → AxW8; Server: decrypt(AxW8) with pub of Fred, same as ch? → “Hi Fred”
    • Server needs to keep track of Fred’s public key
  • Creating a Digital Signature
    • The digital signature locks the document to the signer
    • Easily verifiable for everyone in possession of the public key (next slide)
    Diagram: Original Document → Digest function (SHA-1, MD5) → hash → signed with priv and attached to the Original Document
  • Verifying a Digital Signature
    • A verified signature proves that
      • The corresponding private key was used to sign the document
      • The document has not been altered
    Diagram: Original Document → Digest function → hash; attached signature decrypted with pub → hash; hash = hash?
  • Distributing the Public Key
    • Correct mapping is crucial
    • Ensure the integrity of the mapping by applying a digital signature to it: a certificate
    Diagram: certificate (Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields) -> identity
  • X.509 Public Key Certificate
    • A standardised way to associate a public key with an entity
    • A digitally signed identity document
      • Can identify people, computers, services, …
      • Version
      • Serial number
      • Issuer identity
      • Validity period
      • User identity
      • Public key
      • Extension fields
    (Extension data, by analogy: what type of vehicles the person is authorized to drive)
  • Signing a certificate
    • Normal digital signature procedure
    • Non-sensitive information
      • Contains public data – is verified with public data
    Diagram: the certificate fields (Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields) → Digest function → hash → signed with the issuer’s private key; the signature is appended to the certificate
  • Verifying a certificate
    • Signature
    • Time
    • Revocation
    Diagram: the certificate fields (Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields) → Digest function → hash; signature decrypted with the issuer’s public key → hash; hash = hash?
    • But who should sign the certificate?
  • Certification Authority
    • The role of the CA is to manage the certificate life cycle: create, store, renew, revoke
    Diagram: User data + Public key → CA (Trusted Third Party) → User certificate = User data + Public key + CA signature
  • Certification Process
    • Subscriber requests Certificate
    • RM posts signing request notice
    • The RA for the Subscriber retrieves request
    • The RA agent reviews request with Grid project
    • The agent updates/approves/rejects request
    • Approved Certificate Request is sent to CM
    • CM issues certificate
    • RM sends Email notice to Subscriber
    • Subscriber picks up new certificate
    Diagram: Subscriber, Registration Authority (RA) Agent, Sponsor Project, DBMS; within the CA: Registration Manager (RM) and Certificate Manager (CM) (Certificate Signing Engine); the steps above are numbered 1–9
  • Certificates
    • CA is the only entity able to create/modify the certificate
      • the CA has to be trusted
    • Certificates enable:
      • Clients to authenticate servers
      • Servers to authenticate clients
      • Public key exchange without Public Key Server
    • No disclosure of private/secret keys.
    • Special features:
      • chains of CAs, to distribute the task of issuing certificates
      • Certificate Revocation List, to disable certificates
  • Authentication
    • … the server now only needs to keep track of its trust anchors (CA certificates)
    Diagram: Client → Server: Hello, certificate (pub Fred); Server: ch = rand() → 1423; Client: encrypt(1423) with priv → AxW8; Server: cert.validate()? (against the CA repository), cert.getPubKey(), decrypt(AxW8), same as ch?, cert.getName() → “Hi Fred”
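The challenge-response exchange of the two Authentication slides, with the server performing the three checks of the Verifying a certificate slide (signature, time, revocation) before trusting Fred's key, as an added example in Go using only the standard library; it is not code from the talk. The CA name, the serial numbers, the 24-hour validity, Ed25519 keys and the in-memory set of revoked serials standing in for a CRL are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for cn with caKey; parent == nil gives the CA's
// self-signed root. Added example for the slides, not the talk's own code.
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // a CA is the issuer of its own root certificate
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}
// Setup plays the CA: root = the server's only trust anchor; Fred gets serial 2 (constructed values).
func Setup() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	fredPub, fredKey, _ := ed25519.GenerateKey(rand.Reader)
	root, roots := issue("Example Grid CA", 1, caPub, nil, caKey), x509.NewCertPool()
	roots.AddCert(root)
	return roots, issue("Fred", 2, fredPub, root, caKey), fredKey
}
// Authenticate, server side: cert.Verify = chain to a trust anchor + validity period
// (Go reads no CRLs: revocation is a separate check); then verify the signed challenge.
func Authenticate(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, challenge, resp []byte, now time.Time) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", err // unknown issuer, bad signature, or outside validity period
	}
	if revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, resp) {
		return "", errors.New("challenge response does not verify")
	}
	return cert.Subject.CommonName, nil // cert.getName()
}
```

Fred's side of the exchange is just `ed25519.Sign(fredKey, challenge)`; the server never needs Fred's public key in advance, only the CA certificate held in `roots`.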
  • Trusting the CA
    • Nothing hinders you from setting up your own CA and issuing certificates
      • Getting others to trust you is the hard problem!
    • Trust anchors
      • the CAs that we more or less trust unconditionally
  • Establishing Trust
    • The dynamic cross-organizational resource sharing gives us a problem
      • No initial trust, different policies, different mechanisms
      • no central point of control in Grids
    • We have to provide tools to make this as painless as possible
  • Solving the Trust Problem
    • Trusted Third Parties
      • Independent identity assessment providers
      • The most commonly used today
    • Federations
      • Organizations trust each other to identify their own users
      • Finite “membership” constellations
    • Web of Trust
      • Users trust each other to identify others
      • Less control, scalability arguable
  • International Grid Trust Fed.
    • Commissioned: March 2003 (Tokyo). Chartered: October 5th, 2005 at GGF 16 (Chicago)
    • Federation of European, Asian, and Western Hemisphere Policy Management Authorities
      • Focused on Identity management and authentication for Grids
    • Establishment of top level CA registries and related services
      • Root CA certificates, CA repositories and CRL publishing points.
      • Uses TERENA TACAR (TERENA Academic CA Repository)
    • Standards
      • Certificate policies, Certification profiles, Accreditation
      • Open Grid Forum publishes standards and community best practices.
  • Building the Federation
    • Providers and Relying Parties together shape the common minimum requirements
      • Several profiles for different identity management models
        • different technologies
      • Authorities testify to compliance with profile guidelines
      • Peer-review process within the federation to (re) evaluate members on entry & periodically
      • Reduce effort on the relying parties
        • single document to review and assess for all Authorities
        • collective acceptance of all accredited authorities
      • Reduce cost on the authorities
        • but participation in the federation comes with a price
    • … the ultimate decision always remains with the RP
  • Model for Grid Authentication
    • A Federation of many independent CAs
      • Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
      • Acceptable for major relying parties in Grid Infrastructures
    • No strict hierarchy with a single top
      • spread liability and enable failure containment (better resilience)
      • maximum leverage of national efforts
    Diagram: CA 1, CA 2, CA 3 … CA n → charter, guidelines, acceptance process → relying party 1 … relying party m
  • The Regional PMAs
    • The Americas Grid PMA (TAGPMA)
    • Asia Pacific Grid PMA
    • European Grid PMA
  • EUGridPMA
    • www.eugridpma.org
    • Member organizations/countries:
      • Canonical list: http://www.eugridpma.org/members/index.php
      • Membership includes many European national and regional (e.g. Nordunet, Baltic Grid) Grid projects; Canarie (Canada); DOEGrids and FNAL (US); significant relying parties such as LHC, OSG.
    • Features:
      • ~50 members: most from the EU, some from closely affiliated countries, the Middle East and Africa
      • Chaired by David Groep (NIKHEF)
      • Completed 14th Face-to-face meeting
      • The senior partner
      • “Classic” X.509 Grid Authentication Profile
  • APGridPMA
    • www.apgridpma.org
    • Member organizations/countries:
      • Canonical list: https://www.apgrid.org/CA/CertificateAuthorities.html
    • Features:
      • 18 members from the Asia-Pacific Region, chaired by Yoshio Tanaka (AIST) and Jenny Chin (ASGC)
      • 10 Production CAs are in operation
  • TAGPMA
    • www.tagpma.org
    • The newest PMA, first Face-to-Face meeting in Rio de Janeiro, March 2006.
    • Member organizations/countries:
      • Canonical list: http://www.tagpma.org/members
    • Features:
      • 21 members: CA, US, Mexico and Latin America
      • Chaired previously by Darcy Quesnel (CANARIE) and currently by Vinod Rebello (UFF) and Jim Marsteller (PSC)
  • TAGPMA Membership
    • CANARIE – Canada
    • DOEGrids (ESNet) – USA
    • EELA – International
    • Fermi National Accelerator Laboratory – USA
    • HEBCA/USHER/Dartmouth College – USA
    • IBDS (ANSP) – Brazil
    • LCG – International
    • NCSA – USA
    • NERSC – USA
    • Open Science Grid – International
    • Purdue University – USA
    • REUNA – Chile
    • San Diego Supercomputer Center – USA
    • TACC – USA
    • TeraGrid – USA
    • Texas High Energy Grid – USA
    • University of Virginia – USA
    • UFF – Brazil
    • ULA – Venezuela
    • UNAM – Mexico
    • UNLP – Argentina
    Legend: IGTF Accredited CA Operators / CA Accreditation in progress / Interested in accreditation / Relying Party
  • IGTF Common Policy
    Diagram: IGTF Federation Document → Common Authentication Profiles: Classic (EUGridPMA), SLCS (TAGPMA); trust relations; Subject Namespace Assignment; Distribution; Naming Conventions. Members: EUGridPMA (CA E1, CA E2), APGridPMA (CA A1), TAGPMA (CA T1).
    • Worldwide relying parties see a uniform IGTF “mesh”
  • Policies and Practices
    • Certificate Policy and Certification Practice Statement (CP/CPS)
    • RFC 3647 formatted document that describes policies and procedures followed by the PKI and responsibilities of the parties involved
    • Rules for how a CA operates and how users are vetted when registering for certificates
      • Certificate Policy (CP): requirements for granting and managing PKI credentials
      • Certification Practices Statement (CPS): actual steps an institution takes to implement CP
    • Information not only for Relying Parties but also users!
  • TAGPMA CA Accreditation
    • Initial Consultation & Review with Mentor
    • Submit CP/CPS for review
    • Present proposal at Face-to-Face meeting
    • Once CP/CPS approved then subject to an Operational Review/Audit
    • Include CA root certificate in the IGTF distribution and repository
  • What Are Grid PKIs For?
    • Exist to serve the grid community in terms of authentication
      • X.509 certificates are an essential component of Grid security mechanisms
      • Authentication supports diverse authorization methods (including ongoing research)
      • X.509 Certification Authorities provide a focal point for policy and key lifecycle management
      • IGTF and regional PMAs provide coordination and interoperability standards for Grid PKIs
  • Fostering NGIs in LA?
    • Fostering National Grid Initiatives to meet the demands of Latin America
      • Not just computer science, nor is it just e-science, it’s e-verything!
      • Learn from but not necessarily copy other NGIs
    • Sustainability
      • Maintenance support for large scale, production class infrastructures
      • Tools to improve accessibility
      • More users
      • Integrate Grid PKI with other broader scoped PKIs
        • UFF BrGrid CA will be an integral part of the Brazilian Educational and Research PKI (ICPEDU).
  • Acknowledgements
    • Various slides from
    • Michael Helm, ESnet/LBL
    • David Groep, NIKHEF
    • Darcy Quesnel, CANARIE
    • Mehran Ahsant, KTH
    • Argentinean National Grid CA – UNLP Grid CA http://www.pkigrid.unlp.edu.ar
    • Questions?
    • Contact information – [email_address]