Security, Authentication and Authorization on Grid Computing
- Slides: 31
Security, Authentication and Authorization on Grid Computing
1st Chinese-French workshop on LHC Physics and Associated Grid Computing
Beijing, December 11th-16th 2006
Sophie Nicoud, CNRS/UREC, Sophie.Nicoud@urec.cnrs.fr
Overview
- What do we need to access a Grid Computing infrastructure?
- Authentication
  - Digital certificates
  - Certification Authority collaboration
  - Grid Security Infrastructure (GSI)
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
- Security Groups
Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006
What do we need to access a Grid Computing infrastructure?
- Authentication: who am I? => Digital certificate X.509 v3, issued by a CA
- Authorization: what am I allowed to do? => Virtual Organization (VO or VOMS)
- Access to the Grid => User Interface or Web portal (UI)
- Single Sign-On
- Accounting: who does what, and when? => future billing
Overview
- Authentication
  - Digital certificates
  - Certification Authorities collaboration
  - Grid Security Infrastructure (GSI)
What's a digital certificate?
- Built on asymmetric (public-key) mathematical algorithms
- and on trust in a third party, the Certification Authority (CA)
- It is a pair of two keys
  - The keys are generated together
  - It is computationally infeasible to derive the private key from the public one
  - A message encrypted by one key can be decrypted only by the other one
- It is composed of a public key and a private key
- The public key
  - plus some information about the owner, is signed by the Certification Authority
  - is published worldwide by the CA
  - in everyday language, this is what is called the certificate
- The private key
  - is stored on the hard disk of the user's machine
  - is encrypted and protected by a password
X.509 v3 Certificate (1)
- A digital certificate (or X.509 v3 certificate) can be issued for
  - a physical person (personal certificate)
  - a machine (host certificate)
  - a program (service certificate)
- The CA checks the identity of the requester => the job of the Registration Authority (RA)
- The digital certificate has a validity period and a unique serial number
- The CA has a certificate signed
  - by itself => Root CA
  - by another CA => sub-CA
X.509 v3 Certificate (2)
- When a certificate is lost, stolen, or its password is forgotten, the certificate is revoked
- The CRL, Certificate Revocation List,
  - contains the serial numbers of all revoked certificates
  - is published when a certificate is revoked
  - and at least every month
X.509 v3 Certificate (3)
- The certificate contains:
  - Subject or DN (Distinguished Name)
  - Serial number
  - Time of validity
  - Public key
  - Info on the CA
  - X.509 v3 extensions
    - Owner email
    - Allowed use of the certificate
    - ...
  - Digital signature of the CA
X.509 v3 Certificate (4)
Callouts on the slide: serial number, issuer CA, time of validity, subject, public key.

  # openssl x509 -text -noout -in usercert.pem
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 656 (0x290)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=FR, O=CNRS, CN=GRID-FR
          Validity
              Not Before: Feb  8 10:04:45 2006 GMT
              Not After : Feb  8 10:04:45 2007 GMT
          Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Sophie Nicoud
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:b9:8d:52:15:ee:80:d8:8f:3c:a7:1f:fb:59:6d:
An X.509 v3 certificate (2): extensions
Callouts on the slide: X.509 v3 extensions (allowed use), Certificate Policies (CP/CPS version), Subject Alternative Name (email), CRL distribution point, CA signature.

          X509v3 extensions:
              X509v3 Basic Constraints: critical
                  CA:FALSE
              Netscape Cert Type:
                  SSL Client, S/MIME, Object Signing
              X509v3 Key Usage: critical
                  Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
              X509v3 Certificate Policies:
                  Policy: 1.3.6.1.4.1.10813.1.1.8.1.0
              X509v3 Subject Alternative Name:
                  email:Sophie.Nicoud@urec.cnrs.fr
              X509v3 CRL Distribution Points:
                  URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
              1.3.6.1.4.1.7650.1:
                  unicoreClient
      Signature Algorithm: sha1WithRSAEncryption
          7a:e5:96:d6:cb:2f:2e:a6:9c:1d:06:55:8a:af:2a:7a:1c:
Digital signature: signing of a certificate by the issuer CA
Diagram: public key + owner info -> hash code -> fingerprint -> encrypted with the CA private key -> CA signature. Public key + info + CA signature = certificate.
Certificate checks
Diagram: certificate = public key + info + CA signature
- hash the public key + info -> fingerprint A
- decrypt the CA signature with the CA public key -> fingerprint B; equal?
- serial number included in the CRL?
- time of validity?
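The two diagrams above (CA signing, then the receiver's checks) as an added worked example; this is not code from the original slides or from any grid middleware. It uses a toy textbook-RSA CA with constructed keys and a constructed user certificate modelled on the fields shown on the slides, and runs the three checks: fingerprints equal?, serial in the CRL?, inside the validity period?

```python
import hashlib
from datetime import datetime, timezone

# Toy CA key pair from two known Mersenne primes (constructed for illustration;
# real CAs use properly generated RSA keys of 2048 bits or more).
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent

def fingerprint(cert):
    # Hash the "public key + info" part, i.e. everything except the signature.
    tbs = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest()[:26], "big")  # < N

def ca_sign(cert, priv=D):
    # CA signing: "encrypt" the fingerprint with the CA private key.
    signed = dict(cert)
    signed["signature"] = pow(fingerprint(cert), priv, N)
    return signed

def check_certificate(cert, crl_serials, now, ca_pub=(N, E)):
    # The three checks from the slide: fingerprints equal?, in CRL?, time valid?
    n, e = ca_pub
    fp_a = fingerprint(cert)                  # recomputed from the certificate
    fp_b = pow(cert["signature"], e, n)       # recovered with the CA public key
    if fp_a != fp_b:
        return "bad signature"
    if cert["serial"] in crl_serials:
        return "revoked"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "expired or not yet valid"
    return "valid"

# Constructed user certificate, modelled on the fields shown on the slides.
USER_CERT = ca_sign({
    "subject": "/O=GRID-FR/C=FR/O=CNRS/OU=UREC/CN=Sophie Nicoud",
    "issuer": "/C=FR/O=CNRS/CN=GRID-FR",
    "serial": 656,
    "public_key": "user-public-key-placeholder",
    "not_before": datetime(2006, 2, 8, 10, 4, 45, tzinfo=timezone.utc),
    "not_after": datetime(2007, 2, 8, 10, 4, 45, tzinfo=timezone.utc),
})
IN_VALIDITY = datetime(2006, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2007, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_certificate(USER_CERT, set(), IN_VALIDITY))      # valid
    print(check_certificate(USER_CERT, {656}, IN_VALIDITY))      # revoked
    print(check_certificate(dict(USER_CERT, subject="/CN=Tampered"), set(), IN_VALIDITY))  # bad signature
```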
Certification Authorities collaboration (1)
- In a Grid environment with many users and many organizations
  - we need single sign-on and identity certificates
  - for all national and global grid projects
  - thus issued by independent identity providers
  - and trusted by everyone in the grid
- It is impossible to use only one CA per project or partner => one CA per country
  - but also per set of countries or per institute
  - need collaboration in each country
  - need CA coordination to establish a CA trust domain
  - need a catch-all CA for countries without a CA
Certification Authorities collaboration (2)
- At the start of EDG in 2001
  - 3 CAs: CNRS, INFN, CERN
  - one coordination group, CACG, then EuGridPMA
- Now, in 2006
  - the coordination group is split across 3 continents
  - European coordination: 37 CAs
  - Asia and Pacific coordination: 8 CAs
  - Americas coordination: 2 CAs
  - every year new CAs join
  - many Grid projects: EGEE, LCG, DEISA, EELA, EuMedGrid, EScience, PPDG, ...
Organisation of GRID PMAs
- IGTF, International Grid Trust Federation
  - establishes worldwide trust for the Grid
  - establishes rules and a charter between PMAs
  - approved at GGF 15, October 5, 2005
  - http://www.gridpma.org/
- EUGridPMA
  - first PMA to establish the IGTF
  - in fact covers not only Europe but remains the reference for most continents
  - http://www.eugridpma.org
- TAGPMA
  - North and South America
  - 2 CAs, DOE and Canada; many in the accreditation process for South America
- APGridPMA
  - Asia and Pacific
  - 10 CAs: Australia, Japan, China, Taiwan, ...
  - http://apgrid.org/
Purpose of GRID PMA
- Policy Management Authority: GRID PMA
  - establishes minimal requirements and best practices for Grid CAs
  - accredits CAs by reviewing their CP/CPS
  - audits CAs
- Minimal requirements:
  - Certificate Revocation List (CRL)
    - its lifetime must be no more than 30 days
    - a new CRL must be generated at least 7 days before expiration
    - a new CRL must be issued immediately after a certificate revocation
  - CA namespace
    - no clash with any other CA
  - CA system
    - a dedicated machine in a secure environment where access is controlled
  - some certificate extensions must be set to specific values
  - ...
Chinese CAs
- IHEP CA
  - https://gridca.ihep.ac.cn/
  - issues certificates to people and sites participating in Grid Computing
  - CA running since 2004
  - accredited by EUGridPMA and APGridPMA in 2005
  - managed by Gongxing SUN
- SDG CA
  - http://ca.sdg.grid.cn/en/
  - the SDG CA provides PKI services for the Scientific Data Grid research community involved in Grid activities
  - accredited by APGridPMA
  - managed by Kai Nan
French CA
- 2001-2004: Datagrid-fr CA
  - sub-CA of the CNRS CA dedicated to the DataGrid (EDG) project
- Since 2005: GRID-FR CNRS CA
  - sub-CA of the CNRS CA dedicated to GRID projects
- Issues certificates for:
  - all French entities: French institutes or private companies involved in a GRID project with the CNRS
  - catch-all CA: non-HEP institutes or private companies involved with the CNRS in a GRID project and which do not have a national GRID CA
- Now, we issue around 800 certificates per year in 27 countries
Grid Security Infrastructure (GSI)
- Authentication based on digital certificates and trusted CAs
- A standard for Grid software
- Implements:
  - Single sign-on: the password is given only once
  - Mutual authentication: every Grid transaction is mutually authenticated
  - Proxy: allows a remote process to authenticate on behalf of the user, i.e. to use the user's authentication and authorizations
- Proxy certificates
  - a certificate with a limited lifetime, signed with the user's private key
Overview
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
Authorization
- Virtual Organizations (VO)
  - a set of entities sharing the same objective
  - users
  - resources
- A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
Virtual Organizations (1)
- A VO can be a set of users sharing the same experiment, or from the same lab, area or project:
  - Experiments: Biomed, gene, Alice, Atlas, Babar, LHCb, ESR, EGEODE, ...
  - Labs, areas: vo.dapnia.cea.fr, vo.lal.in2p3.fr, ...
  - Projects: ambrace, infngrid, GridPP, auvergrid, ...
  - Other: dteam, ...
- https://cic.in2p3.fr/index.php?id=vo
- One administrator per Virtual Organization
  - he is the manager of the users of his VO
- Site managers allow a VO to access site resources
- Specific rights can be granted by site administrators
  - e.g. refuse VO users with specific certificate subject patterns
LDAP VO
- At each site, each user certificate is mapped to a unique local user account (UID/GID) depending on the user's VO
- This UID/GID is picked from the VO pool account defined by the site administrator
- Now there are 2 types of VO: LDAP VO and VOMS
- LDAP VO
  - the oldest method; it is based on an LDAP server that contains the list of VO members
  - a user can be a member of only one VO
  - all members of a VO have the same access rights
  - the user authentication command is: grid-proxy-init
  - the local authorization file, grid-mapfile, is rebuilt every few hours from the LDAP server. Each certificate subject of the VO is mapped to its VO pool account:

    "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud" .dte
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Alexandre Rozanov" .atl
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs
VO LDAP architecture
Diagram (flows labelled high frequency / low frequency): CAs issue the CA cert., host cert. (1 year max) and user cert. (1 year max); the user registers with the VO; on the User Interface, grid-proxy-init creates a proxy cert. (24 h max); the service updates CRLs and builds its grid-mapfile from the VO LDAP servers; each request goes through mutual authentication + authorization checks.
VOMS (1)
- VOMS, Virtual Organization Membership Service
  - the VOMS database contains the VO members with their specific rights
  - a VOMS user can have many different sets of authorizations; furthermore, a user can be a member of many VOMS
  - user rights depend on his group or role membership in the VOMS
  - groups, roles and rights are included in the user proxy
  - the user authentication command is: voms-proxy-init --voms <vo-name>
  - authorizations are expressed by FQANs* and included in the proxy attributes:
    <group>/Role=[<role>][/Capability=<capability>]
*FQAN: Fully Qualified Attribute Name
VOMS (2)
- Groups
  - groups can have a hierarchical structure, indefinitely deep
  - useful to give different authorizations depending on group membership
  - the default group is /<vo-name>
- Roles
  - Software manager, VO-Administrator, Production, ...
  - roles have no hierarchical structure; there is no sub-role
  - roles are not used in 'normal operation'
  - they must be specifically requested when the user creates his proxy
- Proxy attributes are checked by each site with LCAS and LCMAPS
VOMS (3)
- LCMAPS
  - maps grid credentials (subject + attributes of the proxy certificate) to local credentials (UID/GID)
- LCAS
  - checks whether the user is authorized or banned at the site (currently using the grid-mapfile)
- The local authorization file, grid-mapfile, is rebuilt every few hours. Each VOMS/group/role is mapped to its pool account:

    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
    "/VO=dteam/GROUP=/dteam" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=production" dtep
    "/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep
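An added example, not from the slides and not the actual LCAS/LCMAPS code, covering both the FQAN syntax of the VOMS (1) slide and the grid-mapfile lookup above: it parses `<group>/Role=[<role>][/Capability=<capability>]` attributes and resolves a proxy's FQANs and subject DN to a local account using a constructed grid-mapfile built from the entries shown on the slide. The "most specific key first, first entry wins, plain DN as fallback" ordering is my simplification for illustration, not LCMAPS's real matching rules.

```python
import shlex

# Constructed grid-mapfile, reusing the entries shown on the slide.
GRID_MAPFILE = '''
"/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
"/VO=dteam/GROUP=/dteam" .dte
"/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
"/VO=dteam/GROUP=/dteam/ROLE=production" dtep
'''

def parse_mapfile(text):
    # Each line: a quoted DN or FQAN key, then the local account.
    # A leading '.' marks a pool account (.dte -> dte001, dte002, ...).
    entries = []
    for line in text.strip().splitlines():
        key, account = shlex.split(line)[:2]
        entries.append((key, account.lstrip("."), account.startswith(".")))
    return entries

def parse_fqan(fqan):
    # '<group>/Role=[<role>][/Capability=<cap>]'; absent parts are NULL.
    group, role, cap = fqan, "NULL", "NULL"
    if "/Capability=" in group:
        group, cap = group.split("/Capability=", 1)
    if "/Role=" in group:
        group, role = group.split("/Role=", 1)
    return group, role or "NULL", cap or "NULL"

def resolve(subject, fqans, entries):
    # LCMAPS-style lookup (simplified): the primary FQAN is tried first, most
    # specific key first; a plain subject DN entry is the fallback. None means
    # no mapping, i.e. LCAS would refuse the user at this site.
    lookup = {}
    for key, account, is_pool in entries:
        lookup.setdefault(key, (account, is_pool))   # first entry wins
    for fqan in fqans:
        group, role, cap = parse_fqan(fqan)
        base = f"/VO={group.split('/')[1]}/GROUP={group}"
        keys = [f"{base}/ROLE={role}/CAPABILITY={cap}"]
        if cap == "NULL":
            keys.append(f"{base}/ROLE={role}")
        if role == cap == "NULL":
            keys.append(base)
        for key in keys:
            if key in lookup:
                return lookup[key]
    return lookup.get(subject)

ENTRIES = parse_mapfile(GRID_MAPFILE)
```

For example, resolve("/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer", ["/dteam/Role=lcgadmin"], ENTRIES) yields the static account dtes, while the same DN with only "/dteam" lands in the dte pool.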
VOMS architecture
Diagram (flows labelled high frequency / low frequency): CAs issue the CA cert., user cert. (1 year max), host cert. (1 year max) and VOMS cert.; the user registers with the VOMS; on the User Interface, voms-proxy-init creates a VOMS proxy cert. (24 h max) in which authorization = certificate attributes; the service updates CRLs and performs mutual authentication and authorization through LCAS and LCMAPS.
Overview
- Security Groups
Security groups
- Security Incident Response Policy (EGEE/LCG)
  - Grid Security Incident Handling and Response Guide, http://osgdocdb.opensciencegrid.org/000019/002/OSG_incident_handling_v1.0.pdf
  - Announcements and Information Dissemination
  - Incident Detection and Analysis
  - Incident Response on-site => member(s) at each site
  - Vulnerability Handling
- Middleware Security Group (EGEE)
  - focused on middleware development
- JSPG, Joint Security Policy Group (LCG)
  - advises and makes recommendations to the LCG Grid Deployment Manager and the LCG Grid Deployment Board (GDB) on matters related to LCG Security
  - AUP, Grid Acceptable Use Policy, https://edms.cern.ch/document/428036
- CA Manager Groups
- VO Manager Group
Links
- Certification Authorities
  - http://gridpma.org/
- VOMS
  - https://edms.cern.ch/file/572406/1/user-guide.pdf
- Security Groups
  - http://egee-jra3.web.cern.ch/egee-jra3/
  - http://proj-lcg-security.web.cern.ch/proj-lcg-security/
  - https://cic.gridops.org/index.php?section=roc&page=securityissues
Thanks!