Grid Security Infrastructure - PowerPoint PPT Presentation

Provided by: thegl1
Learn more at: http://www.cloudbus.org
Slides: 63

Transcript and Presenter's Notes

1
Grid Security Infrastructure
  • Original source: The Globus Project
  • Argonne National Laboratory / USC Information
    Sciences Institute
  • http://www.globus.org/
  • Some slides are being added and/or localised by
    Rajkumar Buyya

2
Grid Security Authentication Infrastructure
  • Based on PKI (Public Key Infrastructure)

3
Security
  • As Grid resources and users are distributed and
    owned by different organizations, only authorized
    users should be allowed to access them.
  • A simple authentication infrastructure is needed.
  • Also, both users and owners should be protected
    from each other.
  • The users need to be assured about the security of
    their
      • Data
      • Code
      • Messages

4
Globus/Grid Security Infrastructure (GSI) based
on PKI
  • GSI is
      • Proxies and delegation (GSI extensions) for
        secure single sign-on
      • SSL/TLS for authentication and message
        protection
      • PKI (CAs and certificates) for credentials
  • PKI = Public Key Infrastructure, SSL = Secure
    Socket Layer, TLS = Transport Layer Security

5
Public Key Infrastructure (PKI)
  • PKI allows you to know that a given public key
    belongs to a given user
  • PKI builds off of asymmetric encryption
  • Each entity has two keys: public and private
  • Data encrypted with one key can only be decrypted
    with the other.
  • The private key is known only to the entity
  • The public key is given to the world encapsulated
    in an X.509 certificate

6
Public Key Infrastructure (PKI) Overview
  • X.509 Certificates
  • Certificate Authorities (CAs)
  • Certificate Policies
  • Namespaces
  • Requesting a certificate
  • Certificate Request
  • Registration Authority

7
Certificates
  • An X.509 certificate binds a public key to a name
  • It includes a name and a public key (among other
    things) bundled together and signed by a trusted
    party (Issuer)

8
Certificates
  • Similar to a passport or driver's license

9
Certificates
  • By checking the signature, one can determine that
    a public key belongs to a given user.

[Figure: hash the certificate contents; decrypt the
signature with the issuer's public key; compare the
two hashes]

10
Certificate Authorities (CAs)
  • A small set of trusted entities known as
    Certificate Authorities (CAs) are established to
    sign certificates
  • A Certificate Authority is an entity that exists
    only to sign user certificates
  • The CA signs its own certificate which is
    distributed in a trusted manner

11
Certificate Authorities (CAs)
  • The public key from the CA certificate can then
    be used to verify other certificates

[Figure: the same hash / decrypt / compare check,
using the public key from the CA certificate]

12
Requesting a Certificate
  • To request a certificate a user starts by
    generating a key pair
  • The private key is stored encrypted with a pass
    phrase the user gives
  • The public key is put into a certificate request

[Figure: private key stored encrypted on local disk;
public key placed in the certificate request]

13
Certificate Issuance
  • The user then takes the certificate request to
    the CA
  • The CA usually includes a Registration Authority
    (RA) which verifies the request:
      • The name is unique with respect to the CA
      • It is the real name of the user
      • Etc.

[Figure: certificate request and identity document
(State of Victoria ID) presented to the Certificate
Authority]

14
Certificate Issuance
  • The CA then signs the certificate request and
    issues a certificate for the user

[Figure: the Certificate Authority signs the
certificate request, producing the user's
certificate]

15
Secure Socket Layer (SSL)
  • Also known as TLS (Transport Layer Security)
  • Uses certificates and TCP sockets to provide a
    secured connection
  • Authentication of one or both parties using the
    certificates
  • Message protection
      • Confidentiality (encryption)
      • Integrity

[Figure: SSL/TLS layered on certificates and TCP
sockets]

16
Mutual Authentication
  • A and B are two parties. Both need to trust each
    other's CA.
  • A → B (A establishes a connection to B and gives
    its certificate (name, public key) to B).
  • B makes sure that it can trust the CA of A.
  • B generates a random message → A and asks A to
    encrypt it.
  • A encrypts it and sends it to B.
  • B decrypts it using A's public key. If the message
    is the same as what B sent, then A is who it is
    claiming to be.

17
Globus Security Review
  • GSI extends existing standard protocols and APIs
  • Based on standards: SSL/TLS, X.509, GSS-API
  • Extensions for single sign-on and delegation
  • The Globus Toolkit provides
      • Generic Security Services API (GSS-API) on GSI
        protocols
      • The GSS-API is the IETF standard for adding
        authentication, delegation, message integrity,
        and message confidentiality to applications.
      • Various tools for credential management,
        login/logout, etc.

18
Kerberos Security
  • Some Grids use a Kerberos GSS-API.
  • As far as tools and APIs go, this is not visible.
    (That's the point of GSS-API!)
  • However, it is NOT interoperable with GSI-based
    versions of the Globus Toolkit
  • Various differences of Kerberos vs GSI:
      • The security files created under the covers are
        different
      • Different commands to login, logout, etc.
  • We will discuss security using GSI (PKI).

19
Obtaining a Certificate
  • The program grid-cert-request is used to create a
    public/private key pair and unsigned certificate
    in ~/.globus/
      • usercert_request.pem: unsigned certificate file
      • userkey.pem: encrypted private key file
        (must be readable only by the owner)
  • Mail usercert_request.pem to ca@globus.org
  • Receive a Globus-signed certificate
  • Place it in ~/.globus/usercert.pem
  • Other organizations use different approaches
      • NCSA, NPACI, NASA, etc. have their own CA

20
Your New Certificate
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 28 (0x1c)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=US, O=Globus, CN=Globus Certification Authority
          Validity
              Not Before: Apr 22 19:21:50 1998 GMT
              Not After : Apr 22 19:21:50 1999 GMT
          Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                      <snip>
                      b4:e1:54:e7:87:57:b7:d0:61
                  Exponent: 65537 (0x10001)
      Signature Algorithm: md5WithRSAEncryption
          59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
          <snip>
          8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17

21
Certificate and Key Data
22
Certificate Information
  • To get certificate information run grid-cert-info
  • grid-cert-info -subject
  • /O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya
  • Options for printing certificate information:
    -all, -startdate, -subject, -enddate, -issuer, -help

23
Logging on to the Grid
  • To run programs, authenticate to Globus:
  • grid-proxy-init
  • Enter PEM pass phrase:
  • Creates a temporary, local, short-lived proxy
    credential for use by our computations
  • Options for grid-proxy-init:
      • -hours <lifetime of credential>
      • -bits <length of key>
      • -help

24
grid-proxy-init Details
  • grid-proxy-init creates the local proxy file.
  • User enters pass phrase, which is used to decrypt
    the private key.
  • The private key is used to sign a proxy certificate
    with its own, new public/private key pair.
  • The user's private key is not exposed after the
    proxy has been signed
  • Proxy placed in /tmp, readable only by the user
  • NOTE: No network traffic!
  • grid-proxy-info displays proxy details

25
Grid Sign-On With grid-proxy-init
[Figure: the user certificate file and the encrypted
private key, unlocked with the pass phrase, produce
the user proxy certificate file]

26
Destroying Your Proxy (logout)
  • To destroy your local proxy that was created by
    grid-proxy-init
  • grid-proxy-destroy
  • This does NOT destroy any proxies that were
    delegated from this proxy.
  • You cannot revoke a remote proxy
  • Usually create proxies with short lifetimes

27
Proxy Information
  • To get proxy information run grid-proxy-info
  • grid-proxy-info -subject
  • /O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya
  • Options for printing proxy information: -subject,
    -issuer, -type, -timeleft, -strength, -help
  • Options for scripting proxy queries:
      • -exists -hours <lifetime of credential>
      • -exists -bits <length of key>
  • Returns 0 status for true, 1 for false

28
Important Files
  • /etc/grid-security
      • hostcert.pem: certificate used by the server in
        mutual authentication
      • hostkey.pem: private key corresponding to the
        server's certificate (read-only by root)
      • grid-mapfile: maps grid subject names to local
        user accounts (really part of gatekeeper)
  • /etc/grid-security/certificates
      • CA certificates: certs that are trusted when
        validating certs, and thus needn't be verified
      • ca-signing-policy.conf: defines the subject names
        that can be signed by each CA

29
Important Files
  • $HOME/.globus
      • usercert.pem: user's certificate (subject name,
        public key, CA signature)
      • userkey.pem: user's private key (encrypted using
        the user's pass phrase)
  • /tmp
      • Proxy file(s): temporary file(s) containing
        unencrypted proxy private key and certificate
        (readable only by user's account)
      • Same approach Kerberos uses for protecting
        tickets
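
An added check, not from the slides or the toolkit, for the ownership rule the last two slides state: userkey.pem and the proxy files must be readable only by their owner (hostkey.pem only by root). It stats each file without following symlinks, rejects any group/other permission bit and a mismatched owner, and builds a throw-away $HOME with one correctly protected key and one badly protected proxy so it runs offline. The userkey.pem name under $HOME/.globus comes from slide 29; the proxy file name and contents are constructed.

```python
"""Added example (not from the slides): verify that GSI private files are
readable only by their owner, as slides 28 and 29 require."""
import os
import stat
import tempfile


def check_private_file(path, expected_uid):
    """Return a list of problems with `path`; an empty list means it passes.

    Rejects: missing file, non-regular file, any group/other permission
    bit, and an owner other than `expected_uid`."""
    try:
        st = os.lstat(path)   # lstat: a symlink to some other file must not pass
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{path}: mode {mode:04o} grants group/other access")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def check_gsi_files(home, proxy_paths, uid):
    """Apply the check to $HOME/.globus/userkey.pem and to each proxy file."""
    paths = [os.path.join(home, ".globus", "userkey.pem"), *proxy_paths]
    return {p: check_private_file(p, uid) for p in paths}


def demo_permissions():
    """Constructed $HOME: one key with mode 0600, one proxy left world-readable."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".globus"))
        key = os.path.join(home, ".globus", "userkey.pem")
        proxy = os.path.join(home, "proxy_constructed.pem")   # constructed name
        for p in (key, proxy):
            with open(p, "w") as f:
                f.write("(constructed key material, not a real key)\n")
        os.chmod(key, 0o600)    # readable only by the owner: passes
        os.chmod(proxy, 0o644)  # anyone on the host could read the proxy key: flagged
        report = check_gsi_files(home, [proxy], os.getuid())
        return {os.path.basename(p): v for p, v in report.items()}
```

Run the same check against the real paths (and hostkey.pem with uid 0) from a cron job or a login hook; a proxy file that is world-readable lets any local account on the host act as the user for the proxy's lifetime, which is exactly what the "readable only by user's account" rule on the slide prevents.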

30
Secure Services
  • On most unix machines, inetd listens for incoming
    service connections and passes connections to
    daemons for processing.
  • On Grid servers, the gatekeeper securely performs
    the same function for many services
  • It handles mutual authentication using files in
    /etc/grid-security
  • It maps to local users via the gridmap file

31
Sample Gridmap File
  • Gridmap file maintained by Globus administrator
  • Entry maps Grid-id into local user name(s)

  Distinguished name                                    Local username
  "/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya"   raj
  "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"     frost
  "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"       u14543
  "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"           itf

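
The mapping step this slide describes, as an added example that is not part of the slides or of the Globus gatekeeper code: a parser for a grid-mapfile in the layout shown above, plus a lookup that returns the local account(s) for a subject. It assumes one double-quoted DN (DNs contain spaces) and one comma-separated account list per line, with blank and `#` lines ignored; the sample file is constructed from the entries on the slide.

```python
"""Added example (not Globus code): parse a grid-mapfile and resolve a
certificate subject to local accounts."""
import shlex

# Constructed sample in the slide-31 layout; an extra second account is
# added on one line to show the comma-separated form.
SAMPLE_GRIDMAP = '''\
# subject DN                                            local account(s)
"/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya"    raj
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"      frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"        u14543,kesselman
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"            itf
'''


def parse_gridmap(text):
    """Return {subject_dn: [local_user, ...]} from grid-mapfile text.

    A malformed line raises ValueError rather than being skipped, so a
    broken authorization file is noticed instead of silently shrinking."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)   # keeps the quoted DN as one token
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected DN and account list, got {fields!r}")
        dn, accounts = fields
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def map_subject(mapping, subject):
    """Local accounts for `subject`, or [] if it is not authorized.

    The match is exact: a DN that differs in any component is a different
    identity, so no prefix or case-insensitive matching is done."""
    return mapping.get(subject, [])
```

The subject passed to map_subject is the identity the certificate chain has already authenticated; an unmapped subject is a valid certificate holder who is simply not authorized on this resource, which is the distinction between authentication and authorization that slide 61 returns to.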
32
Example: Secure Remote Startup
  • 1. Exchange certificates, authenticate,
    delegate
  • 2. Check gridmap file
  • 3. Lookup service
  • 4. Run service program (e.g. jobmanager)

[Figure: client and gatekeeper, with steps 1-4 above
drawn between them]

33
Simple job submission
  • globus-job-run provides a simple RSH-compatible
    interface:
      grid-proxy-init
      Enter PEM pass phrase:
      globus-job-run host program args
  • Job submission will be covered in more detail
    later

34
Delegation
  • Delegation = remote creation of a (second level)
    proxy credential
      • New key pair generated remotely on server
      • Proxy cert and public key sent to client
      • Client signs proxy cert and returns it
      • Server (usually) puts proxy in /tmp
  • Allows remote process to authenticate on behalf
    of the user
      • Remote process impersonates the user
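
The following is an added example, not code from the slides or from the Globus Toolkit, that models the hash / decrypt / compare check of slides 9 and 11 and carries it down the chain the slides describe: CA, then user certificate, then the grid-proxy-init proxy (slide 24), then the delegated second-level proxy of this slide. Textbook RSA over freshly generated 128-bit primes and MD5 (the digest shown in the slide-20 certificate) stand in for X.509 and OpenSSL; the dict layout, the `/CN=proxy` naming, the validity times and the `verify_chain` rules (user certificate first, only proxies after it, every link valid now) are this example's assumptions. MD5 is the historical choice from the sample certificate; collision attacks against it have been practical since 2004, so a CA today signs with SHA-256 or stronger.

```python
"""Added example (not Globus code): the hash / decrypt / compare check of
slides 9 and 11, carried down CA -> user cert -> proxy -> delegated proxy.
Toy RSA + MD5 stand in for X.509/OpenSSL; names and times are constructed."""
import hashlib
import json
import math
import random

E = 65537
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n):
    """Miller-Rabin with fixed bases: fine for a demo, not for real key generation."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size and odd
        if _is_probable_prime(c):
            return c

def generate_keypair(seed, bits=128):
    """Seeded so the example is reproducible; a real key uses the OS random source."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(rng, bits), _random_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, phi)}

def _digest(body):
    """128-bit MD5 of the canonical body; always below the 256-bit modulus."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sign(private, body):
    return pow(_digest(body), private["d"], private["n"])

def verify(public, body, signature):
    """Slide 9: hash the body, decrypt the signature with the issuer's key, compare."""
    return pow(signature, public["e"], public["n"]) == _digest(body)

def issue(issuer, issuer_private, subject, public, not_before, not_after, proxy=False):
    body = {"subject": subject, "issuer": issuer, "public_key": public,
            "not_before": not_before, "not_after": not_after, "proxy": proxy}
    return {"body": body, "signature": sign(issuer_private, body)}

def verify_chain(trusted_ca, chain, now):
    """Return the user subject the chain authenticates, or raise ValueError.

    chain[0] is the CA-issued user certificate; each later entry is a proxy
    signed with the key of the entry before it; all must be valid at `now`."""
    ca = trusted_ca["body"]
    if not chain or not verify(ca["public_key"], ca, trusted_ca["signature"]):
        raise ValueError("empty chain or inconsistent trust anchor")
    signer, key = ca["subject"], ca["public_key"]   # slide 11: start from the CA key
    for depth, cert in enumerate(chain):
        body = cert["body"]
        if body["issuer"] != signer or not verify(key, body, cert["signature"]):
            raise ValueError(f"cert {depth}: not signed by {signer!r}")
        if not body["not_before"] <= now <= body["not_after"]:
            raise ValueError(f"cert {depth}: not valid at time {now}")
        if body["proxy"] != (depth > 0):
            raise ValueError(f"cert {depth}: user certificate first, proxies after")
        signer, key = body["subject"], body["public_key"]   # this cert signs the next
    return chain[0]["body"]["subject"]

def build_demo_chain(now):
    """CA, user cert, grid-proxy-init proxy, delegated proxy (constructed names/times)."""
    ca_name = "/C=US/O=Globus/CN=Globus Certification Authority"
    user = "/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya"
    ca_pub, ca_priv = generate_keypair(1)
    user_pub, user_priv = generate_keypair(2)
    p1_pub, p1_priv = generate_keypair(3)   # grid-proxy-init makes a new key pair
    p2_pub, _ = generate_keypair(4)         # delegation: the server makes this pair
    ca_cert = issue(ca_name, ca_priv, ca_name, ca_pub, 0, 10**9)
    user_cert = issue(ca_name, ca_priv, user, user_pub, 0, 10**8)
    # proxy signed with the user's private key; short lifetime (12 h)
    proxy1 = issue(user, user_priv, user + "/CN=proxy", p1_pub, now, now + 12 * 3600, proxy=True)
    # second-level proxy: the client signs the server's key with the first proxy's key
    p1_name = proxy1["body"]["subject"]
    proxy2 = issue(p1_name, p1_priv, p1_name + "/CN=proxy", p2_pub, now, now + 2 * 3600, proxy=True)
    return ca_cert, [user_cert, proxy1, proxy2]
```

A proxy whose validity field is edited after signing, a proxy signed with a key other than its issuer's, and a chain that starts with a proxy instead of the CA-issued user certificate all fail verify_chain. An expired second-level proxy fails even while the user certificate and the first proxy are still valid, which is the property that makes the short lifetimes of slide 26 worthwhile: a stolen proxy file is useful only until its own expiry.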

35
Limited Proxy
  • During delegation, the client can elect to
    delegate only a limited proxy, rather than a
    full proxy
  • GRAM (job submission) client does this
  • Each service decides whether it will allow
    authentication with a limited proxy
  • Job manager service requires a full proxy
  • GridFTP server allows either full or limited
    proxy to be used

36
Restricted Proxies
  • A generalization of the simple limited proxies
  • Desirable to have fine-grained restrictions
  • Reduces exposure from compromised proxies
  • Embed restriction policy in proxy cert
  • Policy is evaluated by resource upon proxy use
  • Reduces rights available to the proxy to a subset
    of those held by the user
  • A proxy no longer grants full impersonation
    rights
  • Extensible to support any policy language
  • Will be in future version > GT 2.0

37
Exercise: Sign-On and Remote Process Creation
  • Use grid-cert-info to examine your cert:
      grid-cert-info -all
  • Use grid-proxy-init to create a proxy
    certificate:
      grid-proxy-init
      Enter PEM pass phrase:
      ...........................................
  • Use grid-proxy-info to query the proxy:
      grid-proxy-info -subject
  • Use globus-job-run to start remote programs:
      globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp

38
Generic Security Service API
  • The GSS-API is the IETF draft standard for adding
    authentication, delegation, message integrity,
    and message confidentiality to apps
  • For secure communication between two parties over
    a reliable channel (e.g. TCP)
  • GSS-API separates security from communication,
    which allows security to be easily added to
    existing communication code.
  • Filters on each end of the communications link
  • GSS-API Extensions defined in GGF draft
  • Globus Toolkit components all use GSS-API

39
Building Secure Applications
  1. Embed Security Code into Application --
    including (A) authentication logic (B) Use Globus
    IO calls (instead of plain socket I/O).
  2. Use Cryptography for secure communication

40
gss_acquire_cred()
  • Loads security credentials into program
  • User proxy certificate and private key are loaded
    at this point

gss_release_cred()
  • Removes security credentials from program
  • User proxy certificate and private key remain on
    disk for later use

41
gss_inquire_cred()
  • Extract information (e.g. the subject name) from
    a credential

gss_inquire_cred_by_oid()
  • Extract information associated with an OID from a
    credential (e.g. information in certificate
    extensions)
  • Will be in future version > GT 2.0

42
gss_export_cred()
  • Export a credential either to an opaque buffer or
    to a file
  • New in GT 2.0

gss_import_cred()
  • Import a credential in either one of the formats
    used by gss_export_cred()
  • New in GT 2.0

43
gss_init_sec_context() / gss_accept_sec_context()
  • Establish a security context between two
    processes
  • Tokens are fed into and out of these routines
  • Application can pass tokens between processes in
    any way desired
  • One side calls init, the other accept

  Initiator (pseudocode; the real calls take more
  arguments):
      while (!done) {
          gss_init_sec_context(in_t, &out_t, &done);
          if (out_t) send(out_t);
          if (!done) receive(&in_t);
      }

  Acceptor:
      while (!done) {
          receive(&in_t);
          gss_accept_sec_context(in_t, &out_t, &done);
          if (out_t) send(out_t);
      }

44
gss_delete_sec_context()
  • Discard a security context

gss_context_time()
  • Determine how long a context will remain valid

45
gss_inquire_context()
  • Extract information (e.g. the target subject
    name) from a security context

gss_inquire_sec_context_by_oid()
  • Extract information associated with an OID from a
    security context (e.g. information in certificate
    extensions)
  • Will be in future version > GT 2.0

46
gss_export_context()
  • Export a security context to an opaque buffer

gss_import_context()
  • Import an opaque buffer containing a security
    context exported by gss_export_context()

47
gss_set_sec_context_option()
  • Set options on a security context prior to
    establishing it
  • Will be in future version > GT 2.0

gss_wrap_size_limit()
  • Returns the maximum token size gss_wrap() can deal
    with

48
gss_wrap() / gss_unwrap()
  • gss_wrap()
      • consumes a user input buffer
      • performs cryptographic checksum and/or encryption
        on it
      • produces a token, which the application sends
  • gss_unwrap()
      • consumes a token produced by gss_wrap()
      • decrypts and/or verifies the checksum
      • produces a user output buffer

49
gss_get_mic() / gss_verify_mic()
  • gss_get_mic()
      • Produces a cryptographic checksum on a user input
        buffer
  • gss_verify_mic()
      • Verifies a cryptographic checksum on a user buffer
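
As an added model of the gss_get_mic() / gss_verify_mic() pair (not Globus code), the class below produces and verifies integrity tokens over a buffer. HMAC-SHA256 under a constructed 32-byte context key stands in for the mechanism's checksum, and the sequence number carried in the token is this model's way of rejecting a replayed or reordered token; a real context gets its key from gss_init/accept_sec_context(), and the token format here is the example's own.

```python
"""Added example (not Globus code): a model of gss_get_mic()/gss_verify_mic()
with HMAC-SHA256 and a per-context sequence number."""
import hashlib
import hmac
import struct


class MicContext:
    """One side of an established context; both sides hold the same key."""

    def __init__(self, key):
        self._key = key
        self._send_seq = 0
        self._last_recv_seq = -1

    def get_mic(self, message):
        """Integrity token for `message`; the message itself is not in the token."""
        seq = struct.pack(">Q", self._send_seq)
        self._send_seq += 1
        tag = hmac.new(self._key, seq + message, hashlib.sha256).digest()
        return seq + tag

    def verify_mic(self, message, token):
        """True only if the token matches `message` and is newer than the last accepted one."""
        if len(token) != 8 + 32:
            return False
        seq, tag = token[:8], token[8:]
        expected = hmac.new(self._key, seq + message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False
        (n,) = struct.unpack(">Q", seq)
        if n <= self._last_recv_seq:                  # replayed or out of order
            return False
        self._last_recv_seq = n
        return True


def demo_mic():
    """Constructed key and message: a good token, the same token replayed, an altered message."""
    key = bytes(range(32))   # constructed; a real key is derived during context setup
    sender, receiver = MicContext(key), MicContext(key)
    msg = b"run: /usr/bin/ls -l /tmp"
    token = sender.get_mic(msg)
    return (receiver.verify_mic(msg, token),                       # accepted
            receiver.verify_mic(msg, token),                       # replay rejected
            receiver.verify_mic(msg + b"!", sender.get_mic(msg)))  # tampering rejected
```

The first call accepts the token, the second rejects the identical token as a replay, and the third rejects a message that differs from the one the token was computed over; each side keeps its own send and receive counters, so the two directions do not interfere.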

50
gss_import_name()
  • Import a subject name into GSS

gss_export_name()
  • Export a GSS name into a buffer

51
gss_display_name()
  • Convert GSS name to text

gss_compare_name()
  • Compare two GSS names

52
gss_release_name()
  • Discard a GSS name

53
gss_add_oid_set_member()
  • Add an OID to an OID set

gss_test_oid_set_member()
  • Checks whether an OID is in an OID set

gss_create_empty_oid_set()
  • Creates an empty OID set

gss_release_oid_set()
  • Discard an OID set

54
gss_indicate_mech()
  • Determine available underlying security mechanisms

55
gss_release_buffer()
  • Discard a GSS buffer

gss_release_buffer_set()
  • Discard a GSS buffer set
  • Will be in future version > GT 2.0

56
gss_init_delegation() / gss_accept_delegation()
  • Delegate a credential and optionally add
    restrictions to the delegated credential
  • One side calls init, the other accept
  • Can be in either direction, relative to
    gss_init/accept_sec_context()
  • Tokens are fed into and come out of these
    routines
  • Similar use to gss_init/accept_sec_context()
  • It is up to the application to pass the tokens
    from one function to the other
  • Will be in future version > GT 2.0

57
GSSAPI exercises
  • Go to the gssapi subdirectory
  • Documentation
  • http://www.globus.org/security
  • Follow instructions in the file README

58
What's Wrong with GSS-API
  • The GSS-API works, but it is not pretty!
  • GSS-API accomplishes its goal of providing an API
    that is independent of any specific security
    implementation, or communication mechanism
  • Same application can use either Globus Toolkit
    GSS-API or Kerberos 5 GSS-API with almost no
    change
  • It has rich feature support
  • But it is not easy to use

59
globus_gss_assist
  • The globus_gss_assist module is a Globus Toolkit
    specific wrapper around GSS-API which makes it
    easier to use
  • Hides some of the gross details of GSS-API
  • Conforms to Globus Toolkit conventions
  • Still maintains separation from communication
    method

60
globus_io and security
  • For even easier security integration with socket
    code, use the globus_io module
  • Simple to add authentication and authorization to
    TCP socket code
  • But loses separation of security from
    communication method
  • Will be discussed more later...

61
Authorization
  • GSI handles authentication, but authorization is
    a separate issue
  • Authorization issues:
      • Management of authorization on a
        multi-organization grid is still an interesting
        problem.
      • The grid-mapfile doesn't scale well, and works
        only at the resource level, not the collective
        level.
      • Large communities that share resources
        exacerbate authorization issues, which has led
        us to CAS

62
Security Summary
  • Programs for credential management:
      • grid-cert-info, grid-proxy-init,
        grid-proxy-destroy, grid-proxy-info
  • GSS-API: The Globus Toolkit Grid Security
    Infrastructure (GSI) uses this API, which allows
    programs to easily add security
  • globus_gss_assist: This is a simple wrapper
    around GSS-API, making it easier to use