Session6 Security Emidio

Enabling Grids for E-sciencE

Grid Security

Emidio Giorgio
INFN Catania
emidio.giorgio "at" ct.infn.it

With thanks for some slides to EGEE and Globus, UNICORE
colleagues

www.eu-egee.org

INFSO-RI-508833
lunedì 6 luglio 2009 1

What is Grid security?

• Why security is needed on Grids ?

The Grid problem is to enable
“coordinated resource sharing
and problem solving in dynamic,
multi-institutional virtual
organizations.”
From ”The Anatomy of the Grid” by Ian Foster at. al

• Grid intrinsically enables VO concept
• What is needed in terms of security for
a VO ?
INFSO-RI-508833 2

Security issues in grids

• Launch attacks to other sites
– Large distributed farms of machines, perfect for launching a
Distributed Denial of Service attack.

• Illegal or inappropriate data distribution and
access sensitive information
– Massive distributed storage capacity ideal for example, for
sharing illegaly movies.
– Growing number of users have data that must be private –
biomedical imaging for example

• Damage caused by viruses, worms etc.
– Highly connected infrastructure means worms could
spread faster than on the internet in general.

INFSO-RI-508833 6

Virtual Organization concept

• VO for each application, workload or community
• Carve out and configure resources for a
particular use and set of users
• The more dynamic the better…

INFSO-RI-508833 3

Problems at network level

User Grid service

Participants of a grid communicate over the Internet
• How can communication endpoints be identified?
– Authentication
• How can a secure channel established between two
partners?
– Encryption
– Non-repudiation
– Integrity
INFSO-RI-508833 4

Problems at VO level

Computing
Broker
User Element Storage
Element

• What are VO members allowed to do?
– Authorization
• How can services act on behalf of a user?
– How can a service access the user’s sites”?
– How can a job which is started by the broker access the
user’s private data?

INFSO-RI-508833 5


Grid Security Infrastructure
(GSI)

www.eu-egee.org

INFSO-RI-508833


Grid Security Infrastructure

Security at network level:
Public key infrastructure (PKI)

INFSO-RI-508833 8

Basis of security & authentication

• Asymmetric encryption…

Clear text Encrypted Clear text
message text message
Private Key Public Key

• …. and Digital signatures …
– A hash derived from the message and encrypted with the signer’s
private key
– Signature is checked by decrypting with the signer’s public key

• Are used to build trust
– That a user / site is who they say they are
– And can be trusted to act in accord with agreed
policies

INFSO-RI-508833 9

Basis of Public Key Infrastructure

• Every networked entity (user/
machine/software) is assigned
with two keys: one private key
and one public key
Paul’s keys
– it is impossible to derive the
private key from the public one
– a message encrypted by one
key can be decrypted only by
the other one. public private
• Concept (simplified version): John Paul
– Public keys are exchanged
ciao 3$r 3$r ciao

– The sender encrypts using
receiver’s public key
John Paul
– The receiver decrypts using
his/her private key; bye %i4 %i4 bye

INFSO-RI-508833 10

Entity identity

• Since I’m the only
one with access to
my private key, you
know I signed the
data associated
with it
• But, how do you
know that you
?
have my correct
public key?
• X509 certificates

INFSO-RI-508833 13

Public and private keys

• Public key is wrapped into a • Private key is stored in
“certificate file” encrypted file – protected by a
• Certificate files are created by passphrase
trusted third parties: Grid • Private key is created by the
Certification Authorities (CA) grid user
Certificate
Public key
Subject:/C=IT/O=INFN/OU=Personal
Certificate/L=Catania/CN=Emidio
Giorgio 1. Hash of Public key & metadata,
Issuer: C=IT, O=INFN, OU=Catania,
2. Encript hash with CA’s private
CN=INFN CA key
Expiration date: Mar 05 08:08:10 2008
GMT
Serial number: 9504 (0x2520)
Optional Extensions

CA Digital signature

INFSO-RI-508833 14

Certification Authorities

INFSO-RI-508833 16

Certification Authorities

• Grid users’ must generate private and public key
• Public key must be signed by a recognized CA
– CAs can establish a number of people “registration
authorities” RAs: Personal visit to the nearest RA instead of
the national CA

• CAs web of trust:
 Per continent
• Per country
o Per region

• http://www.igtf.net/
– http://www.gridpma.org/
– http://www.apgridpma.org/
– http://www.tagpma.org/

INFSO-RI-508833 16

Issuing a grid certificate

CA root
certificate

Certification
INFSO-RI-508833 Authority 17


Instructions, tutorials
(should be) on CA
homepages CA root
User generates
certificate
public/private
key pair in browser
or in files.

Certification
Authority
Private Key encrypted
on local disk:
passphrase

INFSO-RI-508833 17


(should be) on CA
homepages CA root
User generates
certificate
public/private
key pair in browser
or in files.

Cert
Request
Public Key

Certification
Authority
User sends public key to
CA and shows RA proof
of identity.
State of Illinois

ID
on local disk:
passphrase

INFSO-RI-508833 17


(should be) on CA
homepages CA root
User generates
certificate
public/private
key pair in browser
or in files. CA signature links
identity and public key in
certificate.
Cert
Request
CA informs user.
Public Key

Certification
Authority
of identity.
State of Illinois

ID
on local disk:
passphrase

INFSO-RI-508833 17


(should be) on CA
homepages CA root
User generates
certificate
public/private
key pair in browser
or in files. CA signature links
identity and public key in
certificate.
Cert
Request
CA informs user.
Public Key

Certification
Authority
of identity. Cert
State of Illinois

ID
on local disk:
passphrase

INFSO-RI-508833 17


(should be) on CA
homepages CA root
User generates
certificate
public/private
key pair in browser the browser used for certificate
or in files. download must be the same used CA signature links
for request identity and public key in
certificate.
Cert
Request
CA informs user.
Public Key

Certification
Authority
of identity. Cert
State of Illinois

ID
on local disk:
passphrase

INFSO-RI-508833 17

Certificate request example

• Check the official CA for your country, find how the RA
has to identify you and then fill the web form

INFSO-RI-508833 15

Certificate request example/2

After a couple of
working days, an
email is sent to
the user with the
URL where to
download the
certificate

The browser
used for the
certificate
download must
be the same used
for request
INFSO-RI-508833 16

How to Apply for Certificates to use in the
German e-Science Infrastructure D-Grid

 Accepted Certification Authorities are DFN and GridKA
 www.d-grid.de  User Portal  Access to the
Resources guides to application pages
 The certification policy expects you to contact a
Registration Authority (RA) which has to validate your
request
 Select a RA
 Apply for a user certificate
 Print out the reply and fill in your identity card details
 Contact RA with your identity card in person (DFN) or
with a copy of your ID-card by mail (GridKA)
 Receive your certificate by e-mail and include it in your
browser where your private key resides
06/07/2009 Slide


Export your certificate/1

INFSO-RI-508833 18

Export your certificate/2

INFSO-RI-508833 19

Export on different formats

• Certificate is released in PKCS12 format, but other
middleware may need a different one

griduser@gridx:~/.globus$ openssl pkcs12 -nocerts -in cert.p12 -
out userkey.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
Enter PEM pass phrase: (insert your Enter PEM pass phrase)
Verifying - Enter PEM pass phrase: (reinsert your Enter PEM pass
phrase)
griduser@gridx:~/.globus$ openssl pkcs12 -clcerts -nokeys -in
cert.p12 -out usercert.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
griduser@gridx:~/.globus$
griduser@gridx:~/.globus$ chmod 400 userkey.pem
griduser@gridx:~/.globus$ chmod 644 usercert.pem

INFSO-RI-508833 20

the GILDA CA

• https://gilda-security.ct.infn.it/CA/mgt/restricted/ucert.php
• Training CA --> not included in EuGridPMA
• Used for training purposes
– simplified access procedure
– no identification performed

INFSO-RI-508833 21

User’s private key and certificate

• Keep your private key secure
– if possible on a USB drive only
• Do not loan your certificate to anyone
• Report to your CA if your certificate has been compromised.
• Private key and certificate can:
– Stored in your browser
– Stored in files using different file format (PEM, P12, …)
• Typical situation on Globus, gLite, ARC middleware based grids:
$ ls -l .globus
total 24
-rw-r--r-- 1 giorgio users 1806 Mar 3 2008 usercert.pem
-r-------- 1 giorgio users 1910 Mar 3 2008 userkey.pem

INFSO-RI-508833 18

User’s private key and certificate

• Keep your private key secure
– if possible on a USB drive only
• Do not loan your certificate to anyone
• Report to your CA if your certificate has been compromised.
• Private key and certificate can:
– Stored in your browser
– Stored in files using different file format (PEM, P12, …)
• Typical situation on Globus, gLite, ARC middleware based grids:
$ ls -l .globus
total 24
-rw-r--r-- 1 giorgio users 1806 Mar 3 2008 usercert.pem
-r-------- 1 giorgio users 1910 Mar 3 2008 userkey.pem

If your certificate is used by someone other than
you, it cannot be proven that it was not you.

INFSO-RI-508833 18

Problems at network level

User Grid service

Members of a VO communicate over the Internet
• How can communication endpoints be identified?
– Authentication
• How can a secure channel established between two

partners?
– Encryption 
– Non-repudiation 
– Integrity

INFSO-RI-508833 19

Security at VO level

• Implementation of services for users
authorization (what an user is allowed to do)
depends from the middleware
– VOMS (gLite), XUUDB (UNICORE), etc..

INFSO-RI-508833 20


Thank you!

Questions?

www.eu-egee.org

INFSO-RI-508833

Session6 Security Emidio

More Related Content

What's hot

Viewers also liked

Similar to Session6 Security Emidio

More from ISSGC Summer School

Recently uploaded

Session6 Security Emidio