Introduction to Grid Security - PowerPoint PPT Presentation

Slides: 40
Provided by: dennis1
1
Introduction to Grid Security
  • B649
  • Gannon Plale

2
Outline
  • A Tiny Introduction to Cryptography
  • Try to solve three problems.
  • 1. Authentication
  • How can I securely identify myself to somebody
    else? How do I know I am communicating with the
    person/service I think I am communicating with?
  • 2. Delegation
  • How can I pass my identity to somebody else so
    that they can act on my behalf?
  • 3. Authorization
  • How do I control who is authorized to use my
    service?

3
Security: An introduction
  • Cryptography, Cipher, Cryptanalysis
  • Cryptography: science of developing ciphers
  • Cipher: data transfer that is useful for
    security
  • Cryptanalysis: science of breaking ciphers
  • Classes of ciphers
  • Secret key cryptography
  • Public key cryptography

4
Policy vs Mechanism
  • Policy: who is supposed to do what
  • who is allowed to do what
  • Mechanism: way to enforce the policy
  • Example
  • Policy: Only grid students can enter the room
  • Mechanism: all grid students have a key

5
Security: some terms
  • Accountability/non-repudiation
  • the principal cannot successfully deny
    (repudiate) its actions
  • Example
  • X sends a msg "Buy 1000 shares of S." to broker
    B.
  • Next day the stock crashes
  • X then denies having sent the message
  • B should have a way to prove X sent it
  • Integrity
  • information/resources can be modified only by
    authorized principals
  • Authentication
  • Is that really Bill Gates transferring 20
    billion to my bank?

6
Types of attack
  • Terms: adversary, attacker
  • Eavesdropping, Masquerading, Message
    Fabrication, DoS
  • Eavesdropping: attack on secrecy
  • unauthorized access to message (e.g. wire
    tapping)
  • Masquerading: attack on authorization
  • pretending to be a different principal
  • false login program
  • Message Fabrication: tampering, modifying
  • attack on integrity
  • Denial of Service: attack on availability
  • network disruption

7
Types of Attack
  • Repudiation, Replay
  • Repudiation: attack on accountability
  • X posts her passwd to a newsgroup
  • Y picks it up and sends a message to the
    broker
  • Replay: eavesdropping on a message and then
    sending it again
  • Motivation for session keys
  • Good example?

8
Secret Key Cryptography
  • Also called symmetric key cryptography
  • Same key can be used for encryption and
    decryption
  • Generally faster than public key cryptography
  • Problem: getting sender and receiver to agree on
    the same key
  • if they are in different locations, need to
    trust the communication system.
  • What is the solution?

9
DES
  • Data Encryption Standard
  • IBM and NSA, 1977
  • Cipher text is in 64-bit blocks
  • Key is of 56 bits

10
Triple DES
  • DES: the key length was reduced from 128 to 56 by
    NSA
  • Algorithm is supposed to be sound
  • However brute force can break it!
  • Triple DES
  • apply DES three times using different keys
  • effectively lengthens the key

11
Public Key Cryptography
  • Relies on two keys
  • These are two numbers, mathematically related
  • if one is used to encrypt, the other can
    decrypt
  • Given a key, obtaining the other one
  • is almost mathematically impossible
  • can't be obtained with the current knowledge of
    mathematics
  • and computing power
  • The two keys are the public key and the private key
  • encrypt with private key
  • can be decrypted with the public key
  • proves possession of the private key
  • Public key is known to everyone
  • private key should really be private

12
Public Keys and Private Keys
  • What is PKI? A symmetric pair of encryption
    keys.
  • use one key to encode a message which may only be
    decoded by the other key.
  • I keep one key private and never share it.
  • I give the other key to everybody I know.
  • Somebody can send me a secret message by encoding
    it with my public key. Only I can decode it.

[Figure: two diagrams, each showing a message passed through the PKI algorithm to give an encrypted message and through the PKI algorithm again to recover the message, between "me" and "you"; one uses my public key then my private key, the other my private key then my public key.]
13
RSA
  • Rivest, Shamir and Adleman, 1978
  • the key can be unlimited
  • typically 512, 768, 1024, 2048 bits
  • Security based on perceived difficulty of
    factoring large numbers
  • no easy method known
  • based on two large prime numbers
  • not mathematically proven
  • RSA vs DSA (From what I remember)
  • encryption is slower by 1000 times
  • decryption is slower by 100 times
  • Need to verify these numbers though!

14
Security: Public Key Infrastructure
  • Certificate based
  • Certificates assert identity
  • Require trust
  • Trust through digital signature
  • Trusted certificate authorities
  • Host certificates, user certificates signed by
    certificate authority
  • Mutual authentication
  • Both host and user verify each other's
    certificate (by presenting signed public keys)

15
Digital Signatures
  • Create a crypto hash (a unique small code
    derived from the message).
  • I encrypt this with my private key.
  • I append this signature to my message.
  • To verify the message, repeat the crypto hash on the
    message.
  • Use my public key to decrypt my version of the
    hash.
  • If they agree, the message is from me and it has not
    been tampered with.

[Figure: my message goes through the crypto hash function to give the message digest; the encryption engine, using my private key, turns the digest into the signature, which is appended to the message.]
16
Digital Signatures
  • There is a need to digitally sign a piece of
    information
  • Assuring the recipient that the content has not
    been tampered with
  • Steps for digital signature
  • Compute a hash of the information
  • Hash algorithm is known to both sides
  • Encrypt the hash with the private key
  • Send the encrypted hash with the message
  • Recipient will use the public key to compute the
    hash
  • Decrypt the hash and compare
  • Remember that the message is not encrypted

17
Certificates
  • Certificate Authority
  • a neutral and trusted introduction service
  • Provides a service
  • Will generate a public-private key pair for you.
  • Puts the public key into a document that is
    signed by the CA.
  • Gives you the private key to save in a safe place.

18
What is a certificate?
  • A way to convey our Public Keys to people.
  • It contains my name and my public key
  • It is signed by somebody we both trust: the
    Certificate Authority.
  • In case you don't know my CA
  • Send along the CA cert, which is signed by a higher
    authority.
  • Establish a chain of trust.
  • How do I authenticate?
  • If you have my cert, I can send you a message
    encoded with my private key. If you can decode
    it and recognize the message, it must be me
    who sent it.

[Figure: a certificate reading "My name is Yiming Sun, my public key is", holding my pub key and marked "Signed by a Trusted CA".]
19
X.509 Certificate contents
  • Version: version of the X.509 standard
  • Serial Number
  • Signature algorithm identifier
  • algorithm being used by the CA to sign it
  • Issuer name: usually the name of the CA
  • Validity period
  • Subject Name
  • C=US, O=Globus, O=Indiana University, OU=Extreme
    Lab, CN=Madhusudhan Govindaraju
  • Subject Public Key Information
  • algorithm specifier
  • Also the above information signed

20
Example of a certificate
  • grid-cert-info -all
  • certificate
  • Version: 3
  • SerialNumber: 347
  • IssuerDN: C=US,O=Indiana University,OU=Certification
    Authority
  • Start Date: Fri Sep 06 13:53:14 CDT 2005
  • Final Date: Sun Sep 05 13:53:14 CDT 2008
  • SubjectDN: C=US,O=Indiana University,CN=Yiming
    Sun
  • Public Key: RSA Public Key
  • modulus
  • public exponent 10001

21
Globus Project
  • A Large project to provide the foundations for
    Grid computing
  • Three areas of support
  • Resource Management (job submission)
  • Data Management (data transport)
  • Information Management
  • Key to this security architecture
  • Goal: better security than normally implemented
    at participating sites
  • Public Key Infrastructure
  • We will use their tools for PKI.
  • It is based on a standard called Grid Security
    Infrastructure (GSI)

22
Working with the Globus CA
  • Suppose Elvis Presley has an account on my
    computer (where I have installed the globus CA)

elvis setenv GLOBUS_LOCATION /Users/globus/gt4
elvis source $GLOBUS_LOCATION/etc/globus-user-env.csh
elvis grid-cert-request
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
Generating a 1024 bit RSA private key
. ...
writing new private key to '/Users/elvis/.globus/userkey.pem'
Enter PEM pass phrase:
23
Response from CA
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization Grid
Level 0 Organizational Unit GlobusTest
Level 1 Organizational Unit simpleCA-dennis-gannons-computer
Level 2 Organizational Unit local
Name (e.g., John M. Smith)
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-dennis-gannons-computer/OU=local/CN=Elvis Presley
If the CN=Elvis Presley is not appropriate, rerun this
script with the -force -cn "Common Name" options.
Your private key is stored in /Users/elvis/.globus/userkey.pem
Your request is stored in /Users/elvis/.globus/usercert_request.pem
Please e-mail the request to the Globus Simple CA globus
You may use a command similar to the following:
cat /Users/elvis/.globus/usercert_request.pem | mail globus
24
When globus gets the email
globus grid-ca-sign -in elvis-request.pem -out signed.out
To sign the request please enter the password for the CA key
The new signed certificate is at /Users/globus/.globus/simpleCA//newcerts/05.pem
globus cat signed.pem | mail elvis
When Elvis gets the e-mail he saves it to file signed.pem
elvis cp signed.pem .globus/usercert.pem
ls -l .globus
total 24
-rw-r--r-- 1 elvis elvis 3342 Sep 4 22:24 usercert.pem
-rw-r--r-- 1 elvis elvis 1460 Sep 4 21:57 usercert_request.pem
-r-------- 1 elvis elvis 963 Sep 4 21:57 userkey.pem
elvis
25
Looking into the Cert
elvis grid-cert-info -all
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-dennis-gannons-computer, CN=Globus Simple CA
        Validity
            Not Before: Sep 5 10:55:34 2006 GMT
            Not After : Sep 5 10:55:34 2007 GMT
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-dennis-gannons-computer, OU=local, CN=Elvis Presley
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
26
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME, Object Signing
    Signature Algorithm: md5WithRSAEncryption
27
Protocols and Tools using Certs
  • Security defined in two protocols
  • Job submission: GRAM
  • File Transfer: GridFTP
  • Implemented as system level daemons
  • Gatekeeper for GRAM
  • GridFTP server for GridFTP
  • Globus gives you a bag of tools to use at the
    command line to submit jobs and move files
  • E.g., globusrun, globus-url-copy
  • All use the cert or proxy cert to authenticate
    the user.

28
Grid Security Infrastructure
  • How do we delegate our identity to a remote
    agent/program to act on our behalf?
  • GSI Solution: Create a Proxy certificate
  • A new public-private key pair that is to be used
    only for a limited time. Never use this key pair
    again.
  • Give this proxy cert and its private key to a
    trusted agent to work on your behalf

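[Figure: a proxy certificate ("My name is Yiming Sun's proxy, my public key is", holding my new pub key, marked "Do not use after 5:00 pm today" and signed by Yiming Sun) next to the original certificate ("My name is Yiming Sun, my public key is", holding my pub key, signed by a trusted CA), together with my new private key.]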
29
Creating a proxy cert
elvis grid-proxy-init
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-dennis-gannons-computer/OU=local/CN=Elvis Presley
Enter GRID pass phrase for this identity:
Creating proxy ............................................................. Done
Your proxy is valid until: Wed Sep 6 01:07:09 2006
elvis cd /tmp
elvis ls -l
drwxr-xr-x 2 root wheel 68 Sep 3 18:06 hsperfdata_root
-rw------- 1 gannon wheel 2320 Sep 4 08:11 x509up_u501
-rw------- 1 elvis wheel 2316 Sep 5 08:07 x509up_u503
elvis cat x509up_u503
-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgIEG3OVYzANBgkqhkiG9w0BAQQFADB/MQ0wCwYDVQQKEwRH
many lines omitted
9kNdEVlu7rXKtgJUAgxuYgu09qZb3/5ekSJlFsWtgnl/i8CDYeZyHGCP05Tno
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK/Tso0SzGCdCKebJnTN7mJwhdrq4nD7K2h0YZJJjlOJYcKvt4nW
many lines omitted
j/ifyJjifgXHjUnNVBjq7/KnspQsg9kX7kmG
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICfDCCAeWgAwIBAgIBBjANBgkqhkiG9w0BAQQFADByMQ0wCwYDVQQKEwRHcmlk
-----END CERTIFICATE-----
The three blocks in the file are, in order: Elvis's proxy cert, Elvis's proxy private key, Elvis's cert.
30
Look inside the proxy cert
elvis grid-cert-info -all -file x509up_u503
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 460559715 (0x1b739563)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-dennis-gannons-computer, OU=local, CN=Elvis Presley
        Validity
            Not Before: Sep 5 12:02:09 2006 GMT
            Not After : Sep 6 00:07:09 2006 GMT
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-dennis-gannons-computer, OU=local, CN=Elvis Presley, CN=460559715
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.3536.1.222: critical
                0.0
    Signature Algorithm: md5WithRSAEncryption
31
Grid Resource Allocation Manager
  • Gram and the Gatekeeper
  • 1. Create a proxy on your workstation or grab the
    proxy from a proxy store (next topic)
  • 2. Establish a secure connection to the
    gatekeeper on the remote host. Use proxy for
    authentication.
  • 3. send your proxy and its private key to remote
    host.
  • This enables the gate keeper to start something
    which has your identity and uses your account.

[Figure: your workstation (your cert, your private key, proxy) and the remote host (gatekeeper, proxy), with arrows numbered 1 to 3 for the steps above; on the remote host the proxy and its private key act as you.]
32
Using the MyProxy Server
  • The Myproxy server is a vault for proxy certs.
  • You can create a proxy and store it in a myproxy
    server.
  • Pick a password to later fetch the proxy cert and
    private key.
  • If you want, you can store your cert there and let
    the myproxy server generate the proxy for you
  • You then provide another entity (such as a
    portal) with the password and it can fetch the
    proxy and key and act on your behalf.

[Figure: your workstation (your cert, your private key, proxy), the MyProxy server and a portal. 1. Save with key foobar. 2. Login to portal and give it password foobar. 3. Fetch proxy with key foobar.]
33
Grid Security Infrastructure (GSI)
  • GSI certificate has four important pieces of
    info
  • subject name: identifies the person
  • public key of the subject
  • identity of the CA who has signed the
    certificate
  • digital signature of the CA
  • How or why should you trust the CA?
  • How can you get the CA certificate?
  • bootstrap problem

34
Mutual Authentication in GSI
  • Based on the SSL (now called TLS) protocol
  • For two parties A and B to do authentication
  • first trust the CAs that signed each other's
    certificate
  • in practice: possess a copy of the CA certificate
  • the certificate has the CA's public key
  • Protocol
  • A establishes a connection with B
  • A gives his certificate to B
  • B checks the validity of the certificate
  • how?
  • B doesn't know that A is who she claims to
    be.
  • not authenticated yet. Why?

35
Authentication protocol (cont'd)
  • B sends a random message to A
  • A encrypts using its private key, sends it
    back
  • B compares to confirm that the message is the
    same
  • Now, A does the same to verify B's identity

36
GSI: more about it
  • Confidential Communication
  • By default after the mutual authentication phase
    the data is not encrypted
  • However, it is present as an optional feature
  • Securing Private Keys
  • The private keys are typically stored in a
    standard place
  • The file with the private key is encrypted
  • A pass-phrase is used to decrypt it

37
GSI Delegation
  • Extension of the standard SSL protocol
  • Motivation: reduce the number of times the
    pass-phrase needs to be entered
  • Suppose several Grid resources are needed
  • each requiring mutual authentication
  • there are agents requesting services on your
    behalf
  • Solution
  • Creation of a proxy
  • number of hops is fixed? (Need to verify this)
  • time period of validity is fixed

38
GSI proxy
  • New certificate
  • new public and private keys for it
  • The certificate is modified to indicate that it
    is a proxy
  • It is signed by the owner
  • Time notation so that it is not used after that
  • proxies have limited lifetime
  • why?

39
GSI proxy
  • The private key is kept in a local file
  • not encrypted. Why?
  • file permissions such that only user can access

  • The proxy and the new private key can be used
    for mutual authentication
  • The authentication process differs
  • the proxy and the original certificate are sent
  • the original certificate is used to verify the
    proxy
  • the proxy is digitally-signed by the owner
  • the owner's certificate is verified using the CA
    cert
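
The signing steps from the Digital Signatures slides and the proxy verification order from the GSI proxy slides, as an added Python example that is not part of the original presentation or of Globus. It uses textbook RSA without padding; the toy keys built from Mersenne primes, the dictionary certificate layout and the timestamps are constructed assumptions, and only the DNs and the proxy serial come from the slides.

```python
import hashlib

E = 65537  # public exponent, as in the certificates shown on the slides

def keypair(p, q):
    """Toy RSA key from two known primes; returns (n, d). Constructed and insecure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    # Crypto hash of the message, reduced mod n only because the toy moduli are small.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    # "Encrypt the hash with the private key" (textbook RSA, no padding).
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    # "Decrypt" the signature with the public key and compare with a fresh hash.
    return pow(sig, E, n) == digest(data, n)

def tbs(cert):
    # The signed portion: every field except the signature itself.
    return repr([cert[k] for k in ("subject", "issuer", "n", "not_after")]).encode()

def issue(subject, issuer, pub_n, not_after, issuer_n, issuer_d):
    cert = {"subject": subject, "issuer": issuer, "n": pub_n, "not_after": not_after}
    cert["sig"] = sign(tbs(cert), issuer_n, issuer_d)
    return cert

def verify_proxy_chain(proxy, user, ca_subject, ca_n, now):
    """Check proxy -> user cert -> trusted CA; returns (ok, reason)."""
    if user["issuer"] != ca_subject or not verify(tbs(user), user["sig"], ca_n):
        return False, "user cert not signed by trusted CA"
    if proxy["issuer"] != user["subject"]:
        return False, "proxy not issued by the user"
    if not proxy["subject"].startswith(user["subject"] + "/CN="):
        return False, "proxy subject does not extend user subject"
    if not verify(tbs(proxy), proxy["sig"], user["n"]):
        return False, "bad proxy signature"
    if now > proxy["not_after"] or now > user["not_after"]:
        return False, "expired"
    return True, "ok"

# Constructed demo data: DNs follow the slides, keys are toy Mersenne-prime products.
CA_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-dennis-gannons-computer/CN=Globus Simple CA"
USER_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-dennis-gannons-computer/OU=local/CN=Elvis Presley"
ca_n, ca_d = keypair(2**127 - 1, 2**89 - 1)
user_n, user_d = keypair(2**107 - 1, 2**61 - 1)
proxy_n, proxy_d = keypair(2**521 - 1, 2**607 - 1)
T0 = 1_157_457_729  # constructed "now", in seconds
user_cert = issue(USER_DN, CA_DN, user_n, T0 + 365 * 86400, ca_n, ca_d)
proxy_cert = issue(USER_DN + "/CN=460559715", USER_DN, proxy_n, T0 + 12 * 3600, user_n, user_d)

if __name__ == "__main__":
    print(verify_proxy_chain(proxy_cert, user_cert, CA_DN, ca_n, T0 + 3600))
    stretched = dict(proxy_cert, not_after=T0 + 10**8)  # lifetime edited after signing
    print(verify_proxy_chain(stretched, user_cert, CA_DN, ca_n, T0 + 13 * 3600))
    nonce = b"constructed challenge"  # holder proves possession of the proxy key
    print(verify(nonce, sign(nonce, proxy_n, proxy_d), proxy_cert["n"]))
```

A valid chain only shows the proxy was issued by the owner; the last check, a signed challenge verified against the proxy's public key, is what ties the presenter to the proxy's private key.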