Security, Authentication and Authorization on Grid Computing
Slides: 31

Slide 1: Security, Authentication and Authorization on Grid Computing
1st Chinese-French workshop on LHC Physics and Associated Grid Computing, Beijing, December 11th-16th 2006
Sophie Nicoud, CNRS/UREC, Sophie.Nicoud@urec.cnrs.fr

Slide 2: Overview
- What do we need to access a Grid Computing infrastructure?
- Authentication
  - Digital certificates
  - Certification Authority collaboration
  - Grid Security Infrastructure (GSI)
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
- Security groups
Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006

Slide 3: What do we need to access a Grid Computing infrastructure?
- Authentication: who am I? => an X.509 v3 digital certificate, issued by a Certification Authority (CA)
- Authorization: what am I allowed to do? => a Virtual Organization (VO, or VOMS)
- Access to the Grid => a User Interface (UI) machine or a web portal
- Single sign-on
- Accounting: who did what, and when? => future billing

Slide 4: Overview (authentication)
- Authentication
  - Digital certificates
  - Certification Authorities collaboration
  - Grid Security Infrastructure (GSI)

Slide 5: What's a digital certificate?
- Built on asymmetric (public-key) algorithms and on trust in a third party, the Certification Authority (CA)
- It rests on a pair of two keys, a public key and a private key
  - the keys are generated together
  - deriving the private key from the public one is computationally infeasible
  - what one key encrypts, only the other key can decrypt (so a signature made with the private key is checked with the public key)
- The public key
  - plus some information about the owner, is signed by the Certification Authority
  - is published worldwide by the CA
  - in everyday language this signed public key is what is called "the certificate"
- The private key
  - is stored on the hard disk of the user's machine
  - is encrypted and protected by a password

Slide 6: X.509 v3 certificate (1)
- A digital certificate (X.509 v3 certificate) can be issued for
  - a physical person (personal certificate)
  - a machine (host certificate)
  - a program (service certificate)
- The CA checks the identity of the requester; this is the job of the Registration Authority (RA)
- The digital certificate has a validity period and a unique serial number (unique within the issuing CA)
- The CA itself has a certificate, signed
  - by itself => root CA
  - by another CA => sub-CA

Slide 7: X.509 v3 certificate (2)
- When a certificate is lost or stolen, or the password protecting the private key is forgotten, the certificate is revoked
- The CRL (Certificate Revocation List)
  - contains the serial numbers of all revoked certificates
  - is published each time a certificate is revoked
  - and in any case at least every month

Slide 8: X.509 v3 certificate (3)
- The certificate contains:
  - Subject, or DN (Distinguished Name)
  - Serial number
  - Validity period
  - Public key
  - Information on the issuing CA
  - X.509 v3 extensions
    - owner's e-mail address
    - allowed uses of the certificate
    - ...
  - Digital signature of the CA (computed over all of the above)

Slide 9: X.509 v3 certificate (4)

    # openssl x509 -text -noout -in usercert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 656 (0x290)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=FR, O=CNRS, CN=GRID-FR
            Validity
                Not Before: Feb  8 10:04:45 2006 GMT
                Not After : Feb  8 10:04:45 2007 GMT
            Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Sophie Nicoud
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b9:8d:52:15:ee:80:d8:8f:3c:a7:1f:fb:59:6d:

(the modulus is cut off on the slide)
Callouts on the slide: serial number, issuer CA, validity period, subject, public key.

Slide 10: An X.509 v3 certificate: extensions

            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.10813.1.1.8.1.0
                X509v3 Subject Alternative Name:
                    email:Sophie.Nicoud@urec.cnrs.fr
                X509v3 CRL Distribution Points:
                    URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
                1.3.6.1.4.1.7650.1:
                    unicore.Client
        Signature Algorithm: sha1WithRSAEncryption
            7a:e5:96:d6:cb:2f:2e:a6:9c:1d:06:55:8a:af:2a:7a:1c:

Callouts on the slide: X.509 v3 extensions (allowed use of the key), certificate policy = CP/CPS version, e-mail address, CRL distribution point, CA signature.

Slide 11: Digital signature (figure: signing of a certificate by the issuer CA)
- The public key plus the owner information is run through a hash function, giving a fingerprint
- The fingerprint is encrypted with the CA private key: this encrypted fingerprint is the CA signature
- Certificate = public key + information + CA signature

Slide 12: Certificate checks (figure)
- Signature check: hash the "public key + info" part of the certificate (fingerprint A); decrypt the CA signature with the CA public key (fingerprint B); accept only if the two are equal
- Time check: is the current time inside the certificate's validity period?
- Revocation check: is the certificate's serial number included in the CA's CRL?

Slide 13: Certification Authorities collaboration (1)
- In a Grid environment with many users and many organizations we
  - need single sign-on and identity certificates
  - for all national and global grid projects
  - thus issued by independent identity providers
  - and trusted by everyone in the grid
- It is impossible to use only one CA per project or partner => one CA per country
  - but also per set of countries or per institute
  - need for collaboration within each country
  - need for CA coordination to establish a CA trust domain
  - need for a catch-all CA for countries without a CA

Slide 14: Certification Authorities collaboration (2)
- At the start of EDG in 2001
  - 3 CAs: CNRS, INFN, CERN
  - one coordination group, CACG, then EUGridPMA
- Now, in 2006
  - the coordination group is split across 3 continents
  - European coordination: 37 CAs
  - Asia and Pacific coordination: 8 CAs
  - Americas coordination: 2 CAs
  - every year new CAs come
  - many Grid projects: EGEE, LCG, DEISA, EELA, EUMedGrid, EScience, PPDG, ...

Slide 15: Organisation of Grid PMAs
- IGTF, International Grid Trust Federation
  - establishes worldwide trust for the Grid
  - establishes the rules and the charter between PMAs
  - approved at GGF 15, October 5, 2005
  - http://www.gridpma.org/
- EUGridPMA
  - the first PMA; it established the IGTF
  - in fact covers not only Europe, and remains the reference for most continents
  - http://www.eugridpma.org
- TAGPMA
  - North and South America
  - 2 CAs (DOE and Canada); many in the accreditation process for South America
- APGridPMA
  - Asia and Pacific
  - 10 CAs: Australia, Japan, China, Taiwan, ...
  - http://apgrid.org/

Slide 16: Purpose of a Grid PMA
- Policy Management Authority (Grid PMA)
  - establishes minimal requirements and best practices for Grid CAs
  - accredits CAs by reviewing their CP/CPS
  - audits CAs
- Minimal requirements:
  - Certificate Revocation List (CRL)
    - its lifetime must be no more than 30 days
    - a new CRL must be generated at least 7 days before expiration
    - a new CRL must be issued immediately after a certificate revocation
  - CA namespace
    - no clash with any other CA
  - CA system
    - a dedicated machine in a secure environment where access is controlled
  - some certificate extensions must be set to specific values
  - ...

Slide 17: Chinese CAs
- IHEP CA, https://gridca.ihep.ac.cn/
  - issues certificates to people and sites participating in Grid computing
  - CA running since 2004
  - accredited by EUGridPMA and APGridPMA in 2005
  - managed by Gongxing SUN
- SDG CA, http://ca.sdg.grid.cn/en/
  - provides PKI services for the Scientific Data Grid research community involved in Grid activities
  - accredited by APGridPMA
  - managed by Kai Nan

Slide 18: French CA
- 2001-2004: Datagrid-fr CA, a sub-CA of the CNRS CA dedicated to the DataGrid (EDG) project
- Since 2005: GRID-FR CA, a sub-CA of the CNRS CA dedicated to Grid projects
- Issues certificates for:
  - all French entities: French institutes or private companies involved in a Grid project with the CNRS
  - as catch-all CA: institutes or private companies (outside HEP) involved with the CNRS in a Grid project and which have no national Grid CA
- Now we issue around 800 certificates per year, in 27 countries

Slide 19: Grid Security Infrastructure (GSI)
- Authentication based on digital certificates and trusted CAs
- A standard for Grid software
- Implements:
  - single sign-on: the private-key password is typed only once, when the proxy is created
  - mutual authentication: every Grid transaction is mutually authenticated, the user (proxy) and the service (host certificate) each prove possession of a certificate
  - proxy: allows a remote process to authenticate on behalf of the user, i.e. to use the user's authentication and authorizations
- Proxy certificates
  - a certificate with a limited lifetime and its own key pair, signed with the user's private key (not by the CA)
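The certificate life cycle the slides describe, as one added shell script driving the openssl CLI: the CA signs a user certificate carrying the extensions of slide 10, a relying party performs the three checks of slide 12 (CA signature, validity period, CRL), the CA revokes the certificate and reissues the CRL at once (slides 7 and 16), and the user derives a short-lived proxy certificate signed with her own private key (this slide, RFC 3820). This is example code written for this page, not code from the slides, from GRID-FR or from the GSI software; the names, the CP OID, the CRL URL and the serial numbers are placeholders chosen for the example.

```sh
#!/bin/sh
# Added example, not from the slides: a throw-away grid-style PKI driven with the
# openssl CLI. The CA signs a user certificate carrying the extensions of slide 10,
# a relying party verifies CA signature + validity period + CRL (slide 12), the CA
# revokes the certificate and reissues the CRL at once (slides 7 and 16), and the
# user derives a short-lived proxy certificate signed with her own private key
# (slide 19, RFC 3820). Names, OIDs and URLs are placeholders, not a real CA's.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
set -e

USER_DN="/O=GRID-EXAMPLE/C=FR/O=Example/OU=Lab/CN=Jane Doe"   # placeholder subject

# Build root CA, user certificate and a first (empty) CRL under directory $1.
grid_pki_setup() {
    local dir="$1"
    : > "$dir/index.txt"; echo 1000 > "$dir/crlnumber"      # 'openssl ca' database files
    # Root CA: key pair + self-signed certificate (CA:TRUE, may sign certs and CRLs).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=FR/O=Example/CN=EXAMPLE-GRID-CA" \
        -keyout "$dir/cakey.pem" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/cakey.pem" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null
    # User: key pair generated on her own machine (-nodes only keeps the example
    # non-interactive; a real grid key is password-encrypted), CSR handed to the CA/RA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$USER_DN" \
        -keyout "$dir/userkey.pem" -out "$dir/user.csr" 2>/dev/null
    cat > "$dir/user.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
certificatePolicies=1.3.6.1.4.1.99999.1.1.8.1.0
subjectAltName=email:jane.doe@example.org
crlDistributionPoints=URI:http://crl.example.org/getder.crl
EOF
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -set_serial 656 -days 365 -sha256 -extfile "$dir/user.ext" -out "$dir/usercert.pem" 2>/dev/null
    # Minimal 'openssl ca' configuration, used only for revocation and CRL issuing.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = grid_ca
[ grid_ca ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/cakey.pem
default_md       = sha256
default_crl_days = 30
EOF
    grid_crl_issue "$dir"
}

grid_crl_issue() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }

# Relying-party check of slide 12: CA signature, validity dates, serial not on the CRL.
grid_cert_verify() {
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$1/usercert.pem" >/dev/null 2>&1
}

# Slide 7: on loss or compromise the CA revokes the serial and publishes a new CRL at once.
grid_cert_revoke() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/usercert.pem" 2>/dev/null
    grid_crl_issue "$1"
}

grid_cert_serial()         { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
grid_crl_revoked_serials() { openssl crl -in "$1/crl.pem" -noout -text | awk '/Serial Number:/ { print $3 }'; }

# Slide 19 proxy: fresh key pair, certificate signed with the USER's private key, subject =
# user DN plus one extra CN, short lifetime, proxyCertInfo extension; no CA involvement.
grid_proxy_init() {
    local dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$USER_DN/CN=proxy" \
        -keyout "$dir/proxykey.pem" -out "$dir/proxy.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nproxyCertInfo=critical,language:id-ppl-inheritAll\n' > "$dir/proxy.ext"
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/usercert.pem" -CAkey "$dir/userkey.pem" \
        -set_serial 1 -days 1 -sha256 -extfile "$dir/proxy.ext" -out "$dir/proxycert.pem" 2>/dev/null
}

# A GSI-aware service accepts the chain proxy -> user -> CA; a plain X.509 verifier that
# has not enabled proxy support must refuse it, because the user certificate is not a CA.
grid_proxy_verify() {
    openssl verify -allow_proxy_certs -CAfile "$1/cacert.pem" -untrusted "$1/usercert.pem" "$1/proxycert.pem" >/dev/null 2>&1
}
grid_proxy_verify_plain() {
    openssl verify -CAfile "$1/cacert.pem" -untrusted "$1/usercert.pem" "$1/proxycert.pem" >/dev/null 2>&1
}

# Life cycle walk-through in a temporary directory.
work=$(mktemp -d)
grid_pki_setup "$work"
echo "user certificate serial $(grid_cert_serial "$work/usercert.pem"), CRL currently lists: [$(grid_crl_revoked_serials "$work")]"
grid_cert_verify "$work" && echo "user certificate accepted (signature, dates, CRL)"
grid_proxy_init "$work"
grid_proxy_verify "$work" && echo "proxy accepted by a proxy-aware verifier"
grid_proxy_verify_plain "$work" || echo "proxy refused by a verifier without proxy support"
grid_cert_revoke "$work"
grid_cert_verify "$work" || echo "user certificate refused: serial [$(grid_crl_revoked_serials "$work")] is on the new CRL"
rm -rf "$work"
```

Two points worth noticing when reading the output. First, the proxy is only accepted once the verifier explicitly allows proxy certificates (`-allow_proxy_certs`): the user certificate has CA:FALSE and no keyCertSign, so to an ordinary X.509 validator a certificate it "issued" is simply invalid, which is exactly why GSI needs its own verification rules. Second, `-crl_check` only consults the CRL for the leaf certificate; the proxy verification above checks the chain only, and a production GSI verifier additionally checks the user certificate against the CA's CRL, as the user-certificate function here does.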

Slide 20: Overview (authorization)
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture

Slide 21: Authorization
- Virtual Organizations (VO)
  - a set of entities sharing the same objective
  - users
  - resources
- "A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions."

Slide 22: Virtual Organizations
- A VO can be a set of users sharing the same experiment, or from the same lab, area or project:
  - experiments: Biomed, gene, Alice, Atlas, Babar, LHCb, ESR, EGEODE, ...
  - labs, areas: vo.dapnia.cea.fr, vo.lal.in2p3.fr, ...
  - projects: ambrace, infngrid, GridPP, auvergrid, ...
  - other: dteam, ...
- https://cic.in2p3.fr/index.php?id=vo
- One administrator per Virtual Organization
  - the VO manager manages the users of the VO
- Site managers allow a VO to access the site's resources
- Specific rights can be granted by site administrators
  - for example: refuse users with specific certificate subject patterns

Slide 23: LDAP VO
- At each site each user certificate is mapped to a unique local user account (UID/GID) according to the user's VO
- This UID/GID is picked from the VO's pool of accounts defined by the site administrator
- Now there are 2 types of VO: LDAP VO and VOMS
- LDAP VO
  - the oldest method; based on an LDAP server that contains the list of VO members
  - a user can be a member of only one VO
  - all members of a VO have the same access rights
  - the user authentication command is: grid-proxy-init
  - the local authorization file, grid-mapfile, is rebuilt every few hours from the LDAP server; each certificate subject of the VO is mapped to its VO pool account:

    "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud" .dte
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Alexandre Rozanov" .atl
    "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs

Slide 24: VO LDAP architecture (figure)
- Low-frequency steps: each CA publishes its CA certificate; the user registers with a VO; the service updates its CRLs and rebuilds the grid-mapfile from the VO LDAP servers
- High-frequency steps: on the User Interface, grid-proxy-init turns the user certificate (1 year max) into a proxy certificate (24 h max); the service, holding a host certificate (1 year max), performs mutual authentication with the proxy and then the authorization checks against the grid-mapfile

Slide 25: VOMS (1)
- VOMS, Virtual Organization Membership Service
  - the VOMS database contains the VO members with their specific rights
  - a VOMS user can have many different sets of authorizations, and a user can be a member of many VOMS VOs
  - the user's rights depend on his group and role membership in the VOMS
  - groups, roles and rights are included in the user's proxy
  - the user authentication command is: voms-proxy-init --voms <vo-name>
  - authorizations are expressed as FQANs (Fully Qualified Attribute Names) and included as proxy attributes:
    <group>/Role=[<role>][/Capability=<capability>]

Slide 26: VOMS (2)
- Groups
  - groups can have a hierarchical structure, indefinitely deep
  - useful to give different authorizations depending on group membership
  - the default group is /<vo-name>
- Roles
  - software manager, VO administrator, production, ...
  - roles have no hierarchical structure: there is no sub-role
  - roles are not used in "normal operation"
  - they must be specifically requested when the user creates his proxy
- Proxy attributes are checked by each site with LCAS and LCMAPS

Slide 27: VOMS (3)
- LCMAPS
  - maps grid credentials (subject + attributes of the proxy certificate) to local credentials (UID/GID)
- LCAS
  - checks whether the user is authorized or banned at the site (currently using the grid-mapfile)
- The local authorization file, grid-mapfile, is rebuilt every few hours; each VOMS VO/group/role is mapped to its pool account:

    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
    "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
    "/VO=dteam/GROUP=/dteam" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
    "/VO=dteam/GROUP=/dteam/ROLE=production" dtep
    "/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep
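The site-side mapping step of slides 23, 25 and 27, as an added shell script: it converts the FQANs of slide 25 into the keys used in the VOMS-aware grid-mapfile, looks the proxy's credentials up in a mapfile of the form shown above, and hands out either the fixed account or a leased pool account. This is example code written for this page, not LCAS/LCMAPS code; the mapfile, DNs and pool size are constructed for the example, and the lookup order (FQANs in the order the proxy carries them, then the bare subject, first match wins) is the usual LCMAPS configuration and is stated here as an assumption, as is the flat lease file, which stands in for the gridmapdir that LCMAPS really uses for pool accounts.

```sh
#!/bin/sh
# Added example, not from the slides: the authorization step a site performs once the
# proxy has been authenticated, in plain shell + awk so the rules are visible. Input is
# the proxy's certificate subject and, for a VOMS proxy, its FQANs; output is the local
# account. Mapfile, DNs and pool size are constructed; the lookup order (FQANs in proxy
# order, then the bare subject, first match wins) is assumed to be the LCMAPS default.

# Constructed grid-mapfile in the format of slides 23 and 27: "key" account, where a
# leading "." marks a pool prefix (dte001, dte002, ...) and a bare name a fixed account.
GRIDMAP='"/O=GRID-EXAMPLE/C=FR/O=Example/OU=Lab/CN=Jane Doe" .dte
"/VO=dteam/GROUP=/dteam" .dte
"/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
"/VO=dteam/GROUP=/dteam/ROLE=production" dtep
"/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep'

POOL_SIZE=2                        # constructed: two slots, so pool exhaustion is visible
LEASES=${LEASES:-$(mktemp)}        # lease file, one "prefix<TAB>account<TAB>DN" per line

# FQAN "<group>[/Role=<role>][/Capability=<cap>]" (slide 25) -> mapfile key
# "/VO=<vo>/GROUP=<group>[/ROLE=<role>][/CAPABILITY=<cap>]"; the VO is the top-level group.
fqan_to_mapkey() {
    local fqan="$1" group vo key role cap
    group=${fqan%%/Role=*}; group=${group%%/Capability=*}
    vo=${group#/}; vo=${vo%%/*}
    key="/VO=$vo/GROUP=$group"
    case $fqan in */Role=*) role=${fqan#*/Role=}; key="$key/ROLE=${role%%/*}" ;; esac
    case $fqan in */Capability=*) cap=${fqan#*/Capability=}; key="$key/CAPABILITY=$cap" ;; esac
    printf '%s\n' "$key"
}

# Exact lookup of one key in the mapfile; prints the account, nothing if absent.
gridmap_lookup() {
    printf '%s\n' "$GRIDMAP" | awk -v k="$1" '
        /^#/ || NF == 0 { next }
        { q = index($0, "\" "); key = substr($0, 2, q - 2) }
        key == k { print $NF; exit }'
}

# Lease a pool account for a DN: the same DN always gets the same account back, a new DN
# gets the lowest free slot, and an exhausted pool is a failure, never a shared account.
pool_allocate() {
    local prefix="$1" dn="$2" acct n=1
    acct=$(awk -F'\t' -v p="$prefix" -v d="$dn" '$1 == p && $3 == d { print $2; exit }' "$LEASES")
    if [ -n "$acct" ]; then printf '%s\n' "$acct"; return 0; fi
    while [ "$n" -le "$POOL_SIZE" ]; do
        acct=$(printf '%s%03d' "$prefix" "$n")
        if ! awk -F'\t' -v a="$acct" '$2 == a { found = 1 } END { exit !found }' "$LEASES"; then
            printf '%s\t%s\t%s\n' "$prefix" "$acct" "$dn" >> "$LEASES"
            printf '%s\n' "$acct"; return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# LCMAPS-style mapping: try the FQANs in order, then the subject; a ".prefix" result goes
# through the pool. Non-zero exit = no mapping, so the site refuses the request.
map_credential() {
    local dn="$1" acct fqan; shift
    for fqan in "$@"; do
        acct=$(gridmap_lookup "$(fqan_to_mapkey "$fqan")")
        [ -n "$acct" ] && break
    done
    [ -n "$acct" ] || acct=$(gridmap_lookup "$dn")
    [ -n "$acct" ] || return 1
    case $acct in
        .*) pool_allocate "${acct#.}" "$dn" ;;
        *)  printf '%s\n' "$acct" ;;
    esac
}

# Demo with constructed identities.
JANE='/O=GRID-EXAMPLE/C=FR/O=Example/OU=Lab/CN=Jane Doe'
JOHN='/O=GRID-EXAMPLE/C=FR/O=Example/OU=Lab/CN=John Roe'
map_credential "$JANE" '/dteam/Role=NULL/Capability=NULL'                 # pool account dte001
map_credential "$JANE" '/dteam/Role=lcgadmin/Capability=NULL' '/dteam'    # fixed account dtes
map_credential "$JOHN" '/dteam/Role=NULL/Capability=NULL'                 # pool account dte002
map_credential '/O=GRID-EXAMPLE/C=FR/O=Example/CN=Nobody' || echo "no mapping: refused"
```

The order of the entries matters in two ways. The proxy's primary FQAN is tried first, so a user who asked for Role=lcgadmin at voms-proxy-init time lands on the shared dtes account while the same user with a plain membership gets a pool slot; and the pool is leased per DN, so repeated jobs from one person keep the same UID (and its files) while two people never share one, with an exhausted pool reported as a refusal rather than silently reusing a slot.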

Slide 28: VOMS architecture (figure)
- Low-frequency steps: each CA publishes its CA certificate; the user registers with the VOMS server; the service updates its CRLs
- High-frequency steps: on the User Interface, voms-proxy-init contacts the VOMS server (which holds its own VOMS certificate) and builds a VOMS proxy certificate (24 h max) from the user certificate (1 year max); the authorization itself is a certificate, the attributes being signed by the VOMS server; the service, holding a host certificate (1 year max), performs mutual authentication and then authorization with LCAS and LCMAPS

Slide 29: Overview (security groups)
- Security groups

Slide 30: Security groups
- Security Incident Response Policy (EGEE/LCG)
  - Grid Security Incident Handling and Response Guide, http://osgdocdb.opensciencegrid.org/000019/002/OSG_incident_handling_v1.0.pdf
  - announcements and information dissemination
  - incident detection and analysis
  - incident response on-site => member(s) at each site
  - vulnerability handling
- Middleware Security Group (EGEE)
  - focused on middleware developments
- JSPG, Joint Security Policy Group (LCG)
  - advises and makes recommendations to the LCG Grid Deployment Manager and the LCG Grid Deployment Board (GDB) on matters related to LCG security
  - AUP, Grid Acceptable Use Policy, https://edms.cern.ch/document/428036
- CA Manager Groups
- VO Manager Group

Slide 31: Links
- Certification Authorities
  - http://gridpma.org/
- VOMS
  - https://edms.cern.ch/file/572406/1/user-guide.pdf
- Security groups
  - http://egee-jra3.web.cern.ch/egee-jra3/
  - http://proj-lcg-security.web.cern.ch/proj-lcg-security/
  - https://cic.gridops.org/index.php?section=roc&page=securityissues
Thanks!