Session 5: Intro to security - PowerPoint PPT Presentation

1
Session 5: Intro to security
07/07/2008
  • Gergely Sipos, MTA SZTAKI, www.lpds.sztaki.hu, sipos@sztaki.hu

2
What is Grid security?
The Grid problem is to enable coordinated
resource sharing and problem solving in dynamic,
multi-institutional virtual organizations.
From The Anatomy of the Grid by Ian Foster et al.
  • So Grid Security is security to enable
    multi-institutional, dynamic VOs
  • What is needed in terms of security for such a
    VO?

3
Virtual Organization concept
  • VO for each application, workload or community
  • The more dynamic the better, and the harder
  • Security problems at two levels:
    • network level security
    • VO level security

4
Problems at network level
[Diagram: User and Grid service communicating over the Internet]
  • Participants of a grid communicate over the Internet
  • How can communication endpoints be identified?
    • Authentication
  • How can a secure channel be established between two partners?
    • Message encryption
    • Non-repudiation
    • Message integrity

5
Problems at VO level
[Diagram: Broker and Computing service]
  • Which networked entity is / is not a member of a VO?
  • What are VO members allowed to do?
    • Authorization
  • How can services act on behalf of a user?
    • How can a broker access the user's sites?
    • How can a job started by the broker access the user's private data?

6
Grid Security Infrastructure (GSI)
7
  • Grid Security Infrastructure
  • Security at network level
  • Public key infrastructure (PKI)

8
Basis of Public Key Infrastructure
  • Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
    • a message encrypted by one key can be decrypted only by the other one
    • it is impossible to derive the private key from the public one
  • Concept (simplified version)
    • Public keys are exchanged
    • The sender encrypts using the receiver's public key
    • The receiver decrypts using their private key

[Diagram: John encrypts the message "bye" with Paul's public key into the ciphertext "i4"; Paul decrypts "i4" back to "bye" with his private key. Paul's keys: public, private.]
9
PKI in action
  • Encryption
    • Encryption with the recipient's public key
    • Only the recipient can decrypt the message
  • Non-repudiation
    • Naive approach: encrypt the message with the sender's private key
    • Too costly for long messages
    • Solution:
      • generate a hash of the message
      • encrypt the hash with the sender's private key
      • attach the encrypted hash to the message → digital signature
    • Additional benefit: integrity (the hash is constant)

[Diagram: message → Hash A → encrypted with the sender's private key → digital signature, attached to the message]
10
PKI in action: the big picture
[Diagram: Paul runs the message through the hash function (Hash A), encrypts Hash A with his private key to form the digital signature and sends message + signature to John. John runs the received message through the hash function (Hash B), decrypts the signature with Paul's public key to recover Hash A and compares it with Hash B. Public keys are exchanged, and the two parties are mutually authenticated, via the SSL protocol. Paul's keys: private, public. John's keys: private, public.]
11
Entity identity
  • Since I'm the only one with access to my private key, you know I signed the data associated with it
  • But, how do you know that you have my correct public key?
12
Public and private keys
  • Public key is wrapped into a certificate
  • Certificate is created by trusted third parties: Grid Certification Authorities (CAs)
  • Private key is stored in an encrypted form protected by a passphrase
  • Private key is created by the grid user
  • Private key can be accessed only by the owner

Certificate (example):
  Public key
  Subject: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu
  Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
  Expiration date: Oct 26 08:08:14 2009 GMT (typically valid for one year)
  Serial number: 625 (0x271)
  Optional extensions
  CA digital signature: 1. hash of the public key + metadata, 2. encrypt the hash with the CA's private key
13
Secure Socket Layer (SSL)
[Diagram: parties A and B]
Based on X.509 PKI
  • every Grid transaction is mutually authenticated
    • A sends his certificate
    • B verifies the signature in A's certificate using the CA public certificate
    • B sends A a challenge string
    • A encrypts the challenge string with his private key
    • A sends the encrypted challenge to B
    • B uses A's public key to decrypt the challenge
    • B compares the decrypted string with the original challenge
    • If they match, B has verified A's identity and A cannot repudiate it
  • Repeat for A to verify B's identity
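An added Python illustration (not part of the presentation) of slides 9 and 13: textbook RSA with hash-then-sign, and one direction of the challenge-response handshake; the toy key sizes and the absence of padding are constructed simplifications, never use this in place of a real library.

```python
import hashlib
import random

def _is_probable_prime(n, rounds=40):
    """Miller-Rabin test; enough for a toy key."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Slide 8: one entity's key pair, ((n, e) public, (n, d) private)."""
    def prime():
        while True:
            cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            # reject primes with 65537 | p-1 so that e is invertible mod phi(n)
            if _is_probable_prime(cand) and (cand - 1) % 65537:
                return cand
    p, q = prime(), prime()
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def sign(private, message):
    """Slide 9: hash the message, then 'encrypt' the hash with the private key."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public, message, signature):
    """'Decrypt' with the public key; a match proves origin and integrity."""
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def challenge_response(prover_private, prover_public):
    """Slide 13, one direction: B sends a fresh random challenge, A answers with
    its private key, B checks the answer with A's public key from the certificate."""
    challenge = random.getrandbits(128).to_bytes(16, "big")   # B's challenge string
    answer = sign(prover_private, challenge)                  # A's reply
    return verify(prover_public, challenge, answer)           # B's decision
```

Running the handshake a second time with the roles swapped gives the mutual authentication the slide describes.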

14
Certification Authorities (CA)
  • Grid users must generate a private and a public key
  • The public key must be signed by a recognized CA
  • CAs can establish a number of registration authorities (RAs): a personal visit to the nearest RA instead of the national CA
  • Grid CAs: http://www.gridpma.org/
    • Per continent
    • Per country
    • Per region

15
Issuing a grid certificate
Instructions and tutorials (should be) on CA homepages.
  1. User generates a public/private key pair in the browser or in files.
  2. The private key is encrypted on the local disk, protected by a passphrase.
  3. User sends the public key (CertRequest) to the CA and shows the RA proof of identity.
  4. The CA signature links identity and public key in the certificate (Cert). The CA informs the user.
[Diagram elements: User, Certification Authority, CA root certificate]
16
User's private key and certificate in practice
  • Keep your private key secure
    • if possible on a USB drive only
  • Do not loan your certificate to anyone
  • Report to your CA if your certificate has been compromised
  • Private key and certificate can be
    • Stored in your browser
    • Stored on the file system in different file formats (PEM, P12, ...)
  • Situation at the school:

  issgc12@gliteui1$ ls -l ~/.globus
  total 12
  -rw-r--r-- 1 issgc12 users 1797 Jul 4 16:25 ISSGC12.p12
  -rw-r--r-- 1 issgc12 users 1115 Jul 4 16:25 usercert.pem
  -r-------- 1 issgc12 users  963 Jul 4 16:25 userkey.pem

If your certificate is used by someone other than you, it cannot be proven that it was not you.
17
Problems at network level
[Diagram: User and Grid service communicating over the Internet]
  • Participants of a grid communicate over the Internet
  • How can communication endpoints be identified?
    ✓ Authentication
  • How can a secure channel be established between two partners?
    ✓ Message encryption
    ✓ Non-repudiation
    ✓ Message integrity
18
  • Grid Security Infrastructure
  • Security at VO level

19
Keeping track of VO members
  • Technology-specific registration
    • Web-based registration form
    • Email
    • Personal contact
  • Technology-specific VO database solution
    • Keeping a database on every site
      • e.g. gridmap files in Globus
    • Keeping a list centrally
      • e.g. VO Management Service (VOMS) in gLite

20
  • Grid-specific security solutions

21
Problem: need for delegation
[Diagram: John (holding his private and public keys) tells the Broker: "Start this job for me on the best resource of the biomedical VO!" With mutual authentication the Broker contacts the Computing services at Site A and Site B, where a Process runs on each; the processes in turn need John's files on the Storage service at Site C.]
22
Delegation of user identities by limited proxies
  • Delegation allows remote processes and services to authenticate on behalf of the user
    • The remote process/service impersonates the user
  • Achieved by creation of a next-level private key/certificate pair from the user's private key/certificate
    • The new key pair is a single file: the proxy credential
    • The proxy private key is not protected by a password
    • The proxy has a limited lifetime
    • The proxy may be valid for limited operations
  • The client can delegate proxies to services and processes
  • Each service decides whether it accepts proxies for authentication

23
Proxy in action
[Diagram: single sign-on via grid-id: John generates a proxy credential from his private/public keys; with mutual authentication the proxy is presented to the GSI-enabled servers and Computing Elements at Site A and Site B and to the Storage Element at Site C.]
24
Creating a proxy
[Diagram: the user's private key and certificate (public key) act as the CA for the proxy]
  1. Generate a proxy private key and a Proxy Certificate Request
  2. Sign the proxy certificate with the user's private key → signed proxy certificate
25
GSI Delegation
[Diagram: Client side holds the proxy private key and proxy certificate; Server side generates a Proxy2 private key and sends a Certificate Request containing the Proxy2 public key; the client signs it with the proxy private key and returns the Certificate; the server now holds the Delegated Credential Proxy2.]
26
Logging into the VO / Creating a proxy: the gLite example
  • voms-proxy-init → login to the Grid
  • Enter PEM pass phrase → the private key is protected by a password
  • voms-proxy-destroy → logout from the grid
    • Delegated credentials will not be revoked

  [sipos@glite-tutor sipos]$ voms-proxy-init --voms gilda
  Enter GRID pass phrase:
  Your identity: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu
  Creating temporary proxy ........................................................ Done
  Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done
  Creating proxy ................................ Done
  Your proxy is valid until Sat Jun 23 04:55:19 2007
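An added Python example (not the presentation's or gLite's code) of slides 12 and 22-25: a CA-signed user certificate, a short-lived proxy signed with the user's own key, and the checks a service makes on the chain before accepting the proxy. The JSON "certificate", the fixed Mersenne-prime toy keys and the shortened subject names are constructed stand-ins for X.509, real keys and the DNs on the slides.

```python
import hashlib
import json

E = 65537  # public exponent

def _toy_key(p, q):
    """Textbook RSA key from two constructed primes: ((n, e), (n, d))."""
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

# Three entities, each with its own (Mersenne-prime, toy) key pair; not secure.
CA_PUB, CA_PRIV = _toy_key(2**521 - 1, 2**607 - 1)
USER_PUB, USER_PRIV = _toy_key(2**1279 - 1, 2**127 - 1)
PROXY_PUB, PROXY_PRIV = _toy_key(2**2203 - 1, 2**107 - 1)

def _sign(private, data):
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def _verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _tbs(cert):
    """Bytes the signature covers: every field except the signature itself."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue(issuer_priv, issuer, subject, subject_pub, not_after):
    """Slide 12: hash the public key plus its metadata, sign the hash with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer, "public_key": list(subject_pub), "not_after": not_after}
    cert["signature"] = _sign(issuer_priv, _tbs(cert))
    return cert

def verify_chain(chain, trusted_ca_pub, now):
    """What a GSI-enabled service checks on [proxy, user] before accepting the proxy:
    each certificate is signed by its parent's key (the user certificate by the CA),
    nothing is expired, and no proxy outlives the credential it was derived from."""
    for i, cert in enumerate(chain):
        parent_pub = tuple(chain[i + 1]["public_key"]) if i + 1 < len(chain) else trusted_ca_pub
        if not _verify(parent_pub, _tbs(cert), cert["signature"]) or cert["not_after"] <= now:
            return False
        if i > 0 and chain[i - 1]["not_after"] > cert["not_after"]:
            return False
    return True

def make_chain(now, proxy_hours=12):
    """Slides 24-25: the CA issues the user certificate; the user's own key issues the proxy."""
    user = issue(CA_PRIV, "/C=CH/O=CERN/CN=CERN CA", "/C=HU/O=NIIF/CN=Gergely Sipos", USER_PUB, now + 365 * 86400)
    proxy = issue(USER_PRIV, user["subject"], user["subject"] + "/CN=proxy", PROXY_PUB, now + proxy_hours * 3600)
    return [proxy, user]
```

The proxy private key is held unencrypted by the process that uses it, which is why the lifetime check matters: once the proxy expires the chain is rejected even though the user certificate behind it is still valid.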

27
Summary of terms
  • Authentication
    • Establishing identity
  • Authorization
    • What you are allowed to do in the system (VO/site/...)
  • Message level security
    • Encryption / decryption
    • Integrity
    • Non-repudiation
  • Delegation
    • Delegating rights to services and processes acting on your behalf

28
Gergely Sipos, MTA SZTAKI, www.lpds.sztaki.hu, sipos@sztaki.hu, www.lpds.sztaki.hu/sipos