Grid School Module 4 Grid Security 1 Typical
- Slides: 35
Grid School Module 4: Grid Security 1
Typical Grid Scenario Resources Users 2
What do we need ? l Identity l Authentication l Message Protection l Authorization l Single Sign On 3
Identity & Authentication l Each entity should have an identity l Authenticate: Establish identity – Is the entity who he claims he is ? – Examples: > Driving License > Username/password l Stops masquerading imposters 4
Message Protection: Privacy Medical Record Patient no: 3456 5
Message Protection: Integrity Run my. Home/rm –f * Run my. Home/whoami 6
Authorization l Establishing rights l What can a said identity do ? Examples: – Are you allowed to be on this flight ? > Passenger ? > Pilot ? – Unix read/write/execute permissions l Must authenticate first 7
Grid Security: Single Sign On Authenticate Once 8
Grid Security: Single Sign On Delegation 9
Single Sign-on l Important for complex applications that need to use Grid resources – Enables easy coordination of varied resources – Enables automation of process – Allows remote processes and resources to act on user’s behalf – Authentication and Delegation 10
Solutions 11
Cryptography for Message Protection l l Enciphering and deciphering of messages in secret code Key – Collection of bits 0101001110 10111 – Building block of cryptography – More bits, the stronger the key 12
Encryption l l Encryption is the process of taking some data and a key and feeding it into a function and getting encrypted data out Encryption Function Encrypted data is, in principal, unreadable unless decrypted 13
Decryption l Decryption is the process of taking encrypted data and a key and feeding it into a function and getting out the original data – Encryption and decryption functions are linked Decryption Function 14
Asymmetric Encryption l Encryption and decryption functions that use a key pair are called asymmetric – Keys are mathematically linked 15
Public and Private Keys With asymmetric encryption each user can be assigned a key pair: a private and public key l Private key is known only to owner l l Public key is given away to the world Encrypt with public key, can decrypt with only private key Message Privacy 16
Digital Signatures l Digital signatures allow the world to – determine if the data has been tampered – verify who created a chunk of data l l Sign with private key, verify with public key Message Integrity 17
Public Key Infrastructure (PKI) l l PKI allows you to know that a given public key belongs to a given user PKI builds off of asymmetric encryption: – Each entity has two keys: public and private r e n w O – The private key is known only to the entity l The public key is given to the world encapsulated in a X. 509 certificate 18
Certificates l X 509 Certificate binds a public key to a name. l Similar to passport or driver’s license Name Issuer Public Key Validity Signature John Doe 755 E. Woodlawn Urbana IL 61801 State of Illinois Seal BD 08 -06 -65 Male 6’ 0” 200 lbs GRN Eyes Valid Till: 01 -02 -2008 19
Certification Authorities (CAs) l l l A Certification Authority is an entity that exists only to sign user certificates The CA signs it’s own certificate which is distributed in a trusted manner Verify CA certificate, then verify issued certificate Name: CA Issuer: CA CA’s Public Key Validity CA’s Signature 20
Certificate Policy (CP) l Each CA has a Certificate Policy (CP) which states – who it will issue certificates to – how it identifies people to issue certificates to l Lenient CAs don’t pose security threat, since resources determine the CAs they trust. 21
Certificate Issuance l l l User generates public key and private key CA vets user identity using CA Policy Public key is sent to CA – Email – Browser upload – Implied l l Signs user’s public key as X 509 Certificate User private key is never seen by anyone, including the CA 22
Certificate Revocation l CA can revoke any user certificate – Private key compromised – Malicious user l Certificate Revocation List (CRL) – List of X 509 Certificates revoked – Published, typically on CA web site. l Before accepting certificate, resource must check CRLs 23
Authorization l Establishing rights of an identity l Chaining authorization schemes – Client must be User Green and have a candle stick and be in the library! l Types: – Server side authorization – Client side authorization 24
Gridmap Authorization l l Commonly used in Globus for server side Gridmap is a list of mappings from allowed DNs to user name "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford” benc "/C=US/O=Globus/O=ANL/OU=MCS/CN=Mike. Wilde” wilde l ACL + some attribute l Controlled by administrator l Open read access 25
Globus Security: The Grid Security Infrastructure l l l The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources. Based on PKI Uses Secure Socket Layer for authentication and message protection – Encryption – Signature l Adds features needed for Single-Sign on – Proxy Credentials – Delegation 26
GSI: Credentials l In the GSI system each user has a set of credentials they use to prove their identity on the grid – Consists of a X 509 certificate and private key l Long-term private key is kept encrypted with a pass phrase – Good for security, inconvenient for repeated usage 27
GSI: Proxy Credentials l Proxy credentials are short-lived credentials created by user – Proxy signed by certificate private key l l Short term binding of user’s identity to alternate private key Same effective identity as certificate SIGN 28
GSI: Proxy Credentials l l Stored unencrypted for easy repeated access Chain of trust – Trust CA -> Trust User Certificate -> Trust Proxy l Key aspects: – Generate proxies with short lifetime – Set appropriate permissions on proxy file – Destroy when done 29
GSI Delegation l Enabling another entity to run as you l Provide the other entity with a proxy l Ensure – Limited lifetime – Limited capability 30
Grid Security At Work l Get certificate from relevant CA l Request to be authorized for resources l Generate proxy as needed l Run clients – Authenticate – Authorize – Delegate as required Numerous resource, different CAs, numerous credentials 31
My. Proxy l l l Developed at NCSA Credential Repository with different access mechanism (e. g username/pass phrase) Can act as a credential translator from username/pass phrase to GSI l Online CA l Supports various authentication schemes – Passphrase, Certificate, Kerberos 32
My. Proxy: Use Cases l l Credential need not be stored in every machine Used by services that can only handle username and pass phrases to authenticate to Grid. E. g. web portals Handles credential renewal for longrunning tasks Can delegate to other services 33
Lab Session l Focus on tools – Certificates – Proxies – Gridmap Authorization – Delegation – My. Proxy 34
Grid School Module 2: Grid Security Prepared by: Rachana Ananthakrishnan Argonne National Laboratory With contributions by Von Welch, Frank Siebenlist, Ben Clifford 35
- Provate security
- Typical school day
- C device module module 1
- Module 3: information and network security
- Lan security concepts
- Linux security modules
- Lsm framework
- Pin grid array
- Grid security infrastructure
- Grid computing security
- Explain osi security architecture
- Security guide to network security fundamentals
- Wireless security in cryptography and network security
- Visa international security model diagram
- Electronic mail security in network security
- Cnss model 27 cells example
- E commerce security meaning
- Building security software
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- In a typical asme welder qualification test
- A typical sequence of movements in a classical concerto is
- Typical graph
- Typical composition of untreated domestic wastewater
- Typical vertebra
- Sequence of manufacturing supply chain
- Quota sampling in qualitative research
- What does jennifer peters do on a typical day
- Case studies of typical holistic technologies
- Typical manor house in medieval europe
- Sample of logbook entry
- Typical chest pain
- Typical hungarian breakfast
- Typical chest pain
- Steel roof design
- Bogey tactic