Session6 Security Emidio



  1. Grid Security
     Emidio Giorgio, INFN Catania, emidio.giorgio "at" ct.infn.it
     With thanks for some slides to EGEE, Globus and UNICORE colleagues
     Enabling Grids for E-sciencE, www.eu-egee.org, INFSO-RI-508833
     Monday 6 July 2009
  2. What is Grid security?
     • Why is security needed on Grids? The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.” (from “The Anatomy of the Grid” by Ian Foster et al.)
     • Grids intrinsically enable the VO concept
     • What is needed in terms of security for a VO?
  3. Security issues in grids
     • Launching attacks on other sites
       – Large distributed farms of machines are a perfect platform for launching a Distributed Denial of Service attack.
     • Illegal or inappropriate data distribution and access to sensitive information
       – Massive distributed storage capacity is ideal, for example, for sharing movies illegally.
       – A growing number of users have data that must be private, biomedical imaging for example.
     • Damage caused by viruses, worms etc.
       – A highly connected infrastructure means worms could spread faster than on the internet in general.
  4. Virtual Organization concept
     • A VO for each application, workload or community
     • Carve out and configure resources for a particular use and set of users
     • The more dynamic the better…
  5. Problems at network level
     (figure: User ↔ Grid service) Participants of a grid communicate over the Internet
     • How can communication endpoints be identified?
       – Authentication
     • How can a secure channel be established between two partners?
       – Encryption
       – Non-repudiation
       – Integrity
  6. Problems at VO level
     (figure: User, Broker, Computing Element, Storage Element)
     • What are VO members allowed to do?
       – Authorization
     • How can services act on behalf of a user?
       – How can a service access the user’s sites?
       – How can a job which is started by the broker access the user’s private data?
  7. Grid Security Infrastructure (GSI)
  8. Grid Security Infrastructure: security at network level is provided by a Public Key Infrastructure (PKI)
  9. Basis of security & authentication
     • Asymmetric encryption… (figure: clear text message → encrypted text → clear text message, one key encrypting and the other decrypting)
     • … and digital signatures …
       – A hash derived from the message and encrypted with the signer’s private key
       – The signature is checked by decrypting with the signer’s public key
     • Both are used to build trust
       – That a user / site is who they say they are
       – And can be trusted to act in accordance with agreed policies
  10. Basis of Public Key Infrastructure
     • Every networked entity (user / machine / software) is assigned two keys: one private key and one public key (figure: Paul’s keys, public and private)
       – It is impossible to derive the private key from the public one
       – A message encrypted with one key can be decrypted only with the other one
     • Concept (simplified version):
       – Public keys are exchanged
       – The sender encrypts using the receiver’s public key
       – The receiver decrypts using his/her private key
       (figure: John sends “ciao” to Paul and it travels as “3$r”; Paul sends “bye” to John and it travels as “%i4”)
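The John/Paul exchange of slide 10 and the hash-then-sign signature of slide 9, shown with the openssl command line. This is an added example, not code from the slides; the key file names, the messages and the function names are constructed for it.

```shell
#!/bin/sh
# Added example (not from the slides): the John/Paul exchange of slide 10 and
# the hash-and-sign signature of slide 9, using openssl. File names, messages
# and function names are constructed for this example.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Paul generates his key pair; only the public half is ever handed to John.
make_paul_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/paul_key.pem" 2>/dev/null
  openssl pkey -in "$WORK/paul_key.pem" -pubout -out "$WORK/paul_pub.pem"
}
# John encrypts with Paul's PUBLIC key ("ciao" leaves John as "3$r" on the slide).
encrypt_for_paul() {          # $1 = clear text; prints base64 ciphertext
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/paul_pub.pem" | openssl base64 -A
}
# Only Paul's PRIVATE key recovers the clear text.
decrypt_as_paul() {           # $1 = base64 ciphertext; prints clear text
  printf '%s' "$1" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$WORK/paul_key.pem"
}
# Signature = hash of the message, encrypted with the signer's private key.
sign_as_paul() {              # $1 = file to sign, $2 = signature output file
  openssl dgst -sha256 -sign "$WORK/paul_key.pem" -out "$2" "$1"
}
# Anyone holding Paul's public key checks the signature; prints ok or bad.
verify_paul_signature() {     # $1 = file, $2 = signature file
  if openssl dgst -sha256 -verify "$WORK/paul_pub.pem" -signature "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo bad; fi
}

make_paul_keys
CIPHER=$(encrypt_for_paul "ciao")
echo "on the wire: $CIPHER"
echo "Paul reads:  $(decrypt_as_paul "$CIPHER")"
printf 'bye' > "$WORK/msg.txt"
sign_as_paul "$WORK/msg.txt" "$WORK/msg.sig"
printf 'bye!' > "$WORK/tampered.txt"          # one byte changed after signing
echo "signature on original: $(verify_paul_signature "$WORK/msg.txt" "$WORK/msg.sig")"
echo "signature on tampered: $(verify_paul_signature "$WORK/tampered.txt" "$WORK/msg.sig")"
```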
  11. Entity identity
     • Since I’m the only one with access to my private key, you know I signed the data associated with it
     • But how do you know that you have my correct public key?
     • X.509 certificates
  12. Public and private keys
     • The public key is wrapped into a “certificate file”
     • Certificate files are created by trusted third parties: Grid Certification Authorities (CA)
     • The private key is stored in an encrypted file, protected by a passphrase
     • The private key is created by the grid user
     (figure: layout of a certificate)
       Public key
       Subject: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Emidio Giorgio
       Issuer: C=IT, O=INFN, OU=Catania, CN=INFN CA
       Expiration date: Mar 05 08:08:10 2008 GMT
       Serial number: 9504 (0x2520)
       Optional Extensions
       CA Digital signature, produced in two steps: 1. hash of the public key & metadata, 2. encrypt the hash with the CA’s private key
  14. Certification Authorities
     • Grid users must generate a private and public key
     • The public key must be signed by a recognized CA
       – CAs can establish a number of “registration authorities” (RAs): a personal visit to the nearest RA instead of the national CA
     • CAs form a web of trust: per continent, per country, per region
     • http://www.igtf.net/
       – http://www.gridpma.org/
       – http://www.apgridpma.org/
       – http://www.tagpma.org/
  20. Issuing a grid certificate (figure: user, Certification Authority, CA root certificate)
     • Instructions, tutorials (should be) on CA homepages
     • User generates a public/private key pair in the browser or in files; the private key is encrypted on local disk with a passphrase
     • User sends the public key (certificate request) to the CA and shows the RA proof of identity (e.g. a State of Illinois ID)
     • CA signature links identity and public key in the certificate; the CA informs the user
     • The browser used for certificate download must be the same used for the request
  21. Certificate request example
     • Check the official CA for your country, find out how the RA has to identify you and then fill in the web form
  22. Certificate request example/2
     • After a couple of working days, an email is sent to the user with the URL from which to download the certificate
     • The browser used for the certificate download must be the same used for the request
  23. How to apply for certificates to use in the German e-Science infrastructure D-Grid
     • Accepted Certification Authorities are DFN and GridKA
     • www.d-grid.de → User Portal → Access to the Resources guides to the application pages
     • The certification policy expects you to contact a Registration Authority (RA) which has to validate your request
     • Select an RA
     • Apply for a user certificate
     • Print out the reply and fill in your identity card details
     • Contact the RA with your identity card in person (DFN) or with a copy of your ID card by mail (GridKA)
     • Receive your certificate by e-mail and include it in your browser where your private key resides
  24. Export your certificate/1 (browser screenshots only)
  27. Export your certificate/2 (browser screenshots only)
  28. Export in different formats
     • The certificate is released in PKCS12 format, but other middleware may need a different one
       griduser@gridx:~/.globus$ openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
       Enter Import Password: (insert your certificate password)
       MAC verified OK
       Enter PEM pass phrase: (choose a pass phrase for the PEM private key)
       Verifying - Enter PEM pass phrase: (re-enter the PEM pass phrase)
       griduser@gridx:~/.globus$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
       Enter Import Password: (insert your certificate password)
       MAC verified OK
       griduser@gridx:~/.globus$ chmod 400 userkey.pem
       griduser@gridx:~/.globus$ chmod 644 usercert.pem
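The whole path of slides 12, 15-20 and 28 in one script: a throw-away CA signs a user request, the result is bundled as PKCS12, then converted back to the PEM key/cert pair with the permissions of slide 31 and checked against the CA. This is an added example, not code from the slides; the CA, DNs, passwords and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): a throw-away CA issues a user certificate
# as in slides 12 and 15-20, hands it over as PKCS12, and the user converts it
# back to the PEM pair with the permissions of slides 28 and 31. All DNs,
# passwords and file names are constructed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12PASS=export-secret; PEMPASS=key-secret

# Minimal req config so the CA certificate carries basicConstraints CA:TRUE.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

issue_user_cert() {   # CA key and self-signed root; user key, request, CA-signed cert; PKCS12 bundle
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca_key.pem" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca_key.pem" -config "$WORK/ca.cnf" -days 365 \
    -subj "/C=IT/O=Example Org/OU=Example Unit/CN=Example CA" -out "$WORK/ca.pem"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/user_key.pem" 2>/dev/null
  openssl req -new -key "$WORK/user_key.pem" -config "$WORK/ca.cnf" -out "$WORK/user.csr" \
    -subj "/C=IT/O=Example Org/OU=Personal Certificate/L=Catania/CN=Grid User Placeholder"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" \
    -CAcreateserial -days 365 -out "$WORK/user_cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/user_key.pem" -in "$WORK/user_cert.pem" \
    -out "$WORK/cert.p12" -passout "pass:$P12PASS"
}
verify_chain() {      # prints ok if $1 carries a valid CA signature (slide 12), else bad
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo ok; else echo bad; fi
}
export_pem() {        # slide 28, non-interactive; then the slide 31 permissions
  openssl pkcs12 -nocerts -in "$WORK/cert.p12" -out "$WORK/userkey.pem" \
    -passin "pass:$P12PASS" -passout "pass:$PEMPASS" 2>/dev/null
  openssl pkcs12 -clcerts -nokeys -in "$WORK/cert.p12" -out "$WORK/usercert.pem" \
    -passin "pass:$P12PASS" 2>/dev/null
  chmod 400 "$WORK/userkey.pem"; chmod 644 "$WORK/usercert.pem"
}
mode_of() { ls -l "$1" | cut -c1-10; }                       # e.g. -r-------- for the key
subject_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

issue_user_cert; export_pem
echo "chain: $(verify_chain "$WORK/usercert.pem")  CN: $(subject_cn "$WORK/usercert.pem")"
echo "key: $(mode_of "$WORK/userkey.pem")  cert: $(mode_of "$WORK/usercert.pem")"
```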
  30. The GILDA CA
     • https://gilda-security.ct.infn.it/CA/mgt/restricted/ucert.php
     • Training CA, not included in EuGridPMA
     • Used for training purposes
       – simplified access procedure
       – no identification performed
  32. User’s private key and certificate
     • Keep your private key secure, if possible on a USB drive only
     • Do not loan your certificate to anyone
     • Report to your CA if your certificate has been compromised
     • Private key and certificate can be:
       – Stored in your browser
       – Stored in files using different file formats (PEM, P12, …)
     • Typical situation on Globus, gLite, ARC middleware based grids:
       $ ls -l .globus
       total 24
       -rw-r--r-- 1 giorgio users 1806 Mar 3 2008 usercert.pem
       -r-------- 1 giorgio users 1910 Mar 3 2008 userkey.pem
     • If your certificate is used by someone other than you, it cannot be proven that it was not you.
  33. Problems at network level
     (figure: User ↔ Grid service) Members of a VO communicate over the Internet
     • How can communication endpoints be identified?
       – Authentication ✓
     • How can a secure channel be established between two partners? ✓
       – Encryption ✓
       – Non-repudiation ✓
       – Integrity ✓
  34. Security at VO level
     • The implementation of services for user authorization (what a user is allowed to do) depends on the middleware
       – VOMS (gLite), XUUDB (UNICORE), etc.
  35. Thank you! Questions? www.eu-egee.org
