ESSC October 4, 2002 - PowerPoint PPT Presentation

1
ESSC October 4, 2002
  • Bob Cowles
  • Stanford Linear Accelerator Center
  • bob.cowles_at_stanford.edu

2
HEP Environment
  • HEP experiments use multiple physical sites
  • Physical sites host multiple experiments
  • Researchers caught in the middle
  • For Grid to be successful, account/userid issues
    must be addressed
  • By sites
  • By experiments

3
Grid Vision
  • Researcher
  • Authenticates to Grid
  • Requests job to be run
  • Scheduler determines where job runs
  • Data & compute resources brought together
  • Results are stored/returned to researcher

4
Grid Security Goals
  • Preserve site control over local security
    policies
  • Integrate with local authentication and
    authorization mechanisms
  • Use PKI credentials for inter-site
    authentication, map to local credentials for
    authorization
  • Do not weaken existing site security
  • Provide a secure single sign-on environment
  • Provide the ability to securely delegate to
    remote resources without direct human intervention

5
Infrastructure Requirements
  • Experiment (Virtual Organization) needs to
    provide identification infrastructure (PKI)
  • Certificate must provide required info for site
    to set up accounts
  • Experiments and sites must agree on AUP
  • Automatic enrollment/account creation
  • Accept PKI for local account authorization

6
Symmetric Encryption
  • Communicating parties share a secret (key)
  • If Alice sends encrypted message to Bob, they
    must agree in advance on a key
  • Third party distribution of keys became the
    weakest link in the system

7
Lockbox Problem
  • Consider a special, universal lock for which you
    can get pairs of keys
  • If locked with key A only unlocks with B and vice
    versa
  • Bob makes copies of key A and distributes them --
    send him anything locked with key A and only he
    can open it with his key B

8
Asymmetric Encryption
  • A different key is required to encrypt than is
    required to decrypt
  • Key distribution problem is eased -- public key
    distributed far and wide
  • No real-time exchange issues

9
Digital Signature
  • Encrypt with private key
  • Can only decrypt with public key
  • Anyone can verify that you signed the document
    since only you know the corresponding private
    key.
  • Signed and encrypted messages
  • Encrypt with your private key
  • Encrypt with recipient's public key

10
Digital Signature with Hash
  • Compute hash value of a message
  • Use private key to encrypt (sign) the hash
  • Much faster than signing the whole message
  • Common hash functions are iterated
  • Init state + input -> f -> Init state
  • f is some non-linear function
  • MD4, MD5, SHA1

11
PKI Certificate Authority
  • The Certificate Authority plays a central role in
    providing credentials needed for a
    system/resource to trust a remote user entity
  • Establishes the binding of human identity to the
    X.509 identity certificate which binds a
    distinguished name to the public key part of a
    public/private key pair
  • Provides for recovery from loss of control of the
    identity token

12
Obtaining a Certificate
  • The program grid-cert-request is used to create a
    public/private key pair and unsigned certificate
    in ~/.globus/
  • usercert_request.pem: Unsigned certificate file
  • userkey.pem: Encrypted private key file
  • Must be readable only by the owner
  • Receive a signed certificate
  • Place in ~/.globus/usercert.pem

13
Your New Certificate
    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
          Not Before: Apr 22 19:21:50 1998 GMT
          Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          RSA Public Key: (1024 bit)
            Modulus (1024 bit):
              00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
              <snip>
              b4:e1:54:e7:87:57:b7:d0:61
            Exponent: 65537 (0x10001)
      Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17

14
Single Sign-on
  • To support single sign-on GSI adds the following
    functionality to SSL
  • Proxy credentials
  • Credential delegation
  • User
  • authenticates once
  • performs multiple actions without reauthentication

15
Proxy Credentials
  • Proxy credentials are short-lived credentials
    created by user
  • Short-term binding of user's identity to
    alternate private key
  • Stored unencrypted for easy repeated access
  • Short lifetime in case of theft
  • Enables user to authenticate once then perform
    multiple actions without reauthenticating

16
grid-proxy-init Details
  • grid-proxy-init creates the local proxy file.
  • Passphrase, used to decrypt private key.
  • Private key is used to sign a proxy certificate
    with its own, new public/private key pair.
  • User's private key not exposed after proxy has
    been signed
  • Proxy placed in /tmp, read-only by user
  • NOTE: No network traffic!

17
Services - Gatekeeper
  • On Grid-enabled servers, the gatekeeper process
  • handles mutual authentication using files in
    /etc/grid-security
  • maps to local users via the gridmap file

18
Sample Gridmap File
  • Gridmap file maintained by grid administrator for
    the system
  • Each entry maps Grid-id into local user name(s)

    Distinguished name                                   Local username
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"      rpg
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"    frost
    "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"      u14543
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"          itf
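
The gridmap lookup as an added example (not Globus code and not part of the original slides): a parser that maps a quoted distinguished name to its local username and reports entries an administrator would want to review. The first four sample entries are the slide's; the last four entries and all function names are constructed for this example.

```python
import re

ENTRY = re.compile(r'^"(/[^"]+)"\s+(\S+)$')   # "<quoted DN>" <user[,user...]>

def audit_gridmap(text):
    """Parse gridmap text; return (mapping, findings), findings as (line, message)."""
    mapping, owners, findings = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((lineno, "malformed: DN must be double-quoted"))
            continue
        dn, users = m.group(1), m.group(2).split(",")
        if dn in mapping:
            findings.append((lineno, "duplicate DN"))
            continue                          # keep the first entry, report the rest
        if "root" in users:
            findings.append((lineno, "maps a Grid identity to root"))
        for user in users:
            if user in owners:                # two identities, one local account
                findings.append((lineno, f"shares account {user} with line {owners[user]}"))
            owners.setdefault(user, lineno)
        mapping[dn] = users
    return mapping, findings

def local_user(mapping, dn):
    """Authorization decision: exact DN match only; unknown identities get None."""
    users = mapping.get(dn)
    return users[0] if users else None

# Lines 1-4 are the slide's entries; lines 5-8 are constructed to trip each check.
SAMPLE = '''\
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup" rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost" frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman" u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster" itf
/C=US/O=Globus/CN=Unquoted Example exuser
"/C=US/O=Globus/CN=Example Admin" root
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster" other
"/C=US/O=Globus/CN=Second Example" frost
'''

if __name__ == "__main__":
    for lineno, message in audit_gridmap(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```
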
19
Simple job submission
  • globus-job-run provides a simple RSH compatible
    interface
      grid-proxy-init
      Enter PEM pass phrase:
      globus-job-run host program args

20
Delegation
  • Enables creation and delegation of proxy
    credentials for processes running on remote
    resources
  • Allows remote process to authenticate on behalf
    of the user
  • Important for complex applications that need to
    use Grid resources
  • E.g. jobs that need to access data storage

21
Delegation (2)
  • Delegation = remote creation of a (second level)
    proxy credential
  • New key pair generated remotely on server
  • Proxy cert with public key sent to client
  • Client signs proxy cert and returns it
  • Server (usually) puts proxy in /tmp

22
GSI Overview
From "A National-Scale Authentication Infrastructure",
IEEE Computer, December 2000

23
(Some) Authentication Issues
  • Scalability
  • User control of private key without compromise
  • Trust model
  • Unknown risk model
  • Requirement for re-authenticate interface from
    authorization system

24
Authorization
  • GSI handles authentication, but authorization is
    a separate issue
  • Authorization issues
  • Management of authorization on a
    multi-organization grid is still an unsolved
    problem.
  • The grid-mapfile doesn't scale well, and works
    only at the resource level, not the collective
    level.

25
Limited Proxy
  • During delegation, the client can elect to
    delegate only a limited proxy, rather than a
    full proxy
  • GRAM (job submission) client does this
  • Each service decides whether it will allow
    authentication with a limited proxy
  • Job manager service requires a full proxy
  • GridFTP server allows either full or limited
    proxy to be used
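
A toy model of the proxy chain from the hash-signature, grid-proxy-init, Delegation (2) and Limited Proxy slides, added here as an example and not Globus code: each link is a hash signed by the key one level up, and a service decides whether a limited chain is acceptable. The RSA keys built from fixed Mersenne primes, the dict-shaped certificate, the "/CN=proxy" subject suffix and the rule that a limited link makes the rest of the chain limited are all assumptions of this example.

```python
import hashlib

E = 65537
# Constructed toy keys from Mersenne primes 2**k - 1: illustration only, not secure.
PRIMES = [(61, 89), (107, 127), (521, 607), (1279, 2203)]

def keypair(i):
    p, q = (2**k - 1 for k in PRIMES[i])
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public modulus n, private exponent d)

def digest(body, n):
    # Hash the certificate body, then sign only the hash.
    return int.from_bytes(hashlib.sha256(repr(body).encode()).digest(), "big") % n

def sign_cert(subject, subject_n, limited, signer_key):
    n, d = signer_key
    body = (subject, subject_n, limited)
    return {"body": body, "sig": pow(digest(body, n), d, n)}

def make_proxy(chain, holder_key, limited, new_key):
    # new_key is made where the proxy will live; the signer sees only its public half.
    subject = chain[-1]["body"][0] + "/CN=proxy"
    return chain + [sign_cert(subject, new_key[0], limited, holder_key)]

def verify_chain(chain, ca_n):
    # Returns (identity, limited); raises ValueError on a bad link.
    signer_n, identity, limited = ca_n, None, False
    for cert in chain:
        subject, subject_n, lim = cert["body"]
        if pow(cert["sig"], E, signer_n) != digest(cert["body"], signer_n):
            raise ValueError("bad signature on " + subject)
        if identity is None:
            identity = subject                  # first link: CA-signed user certificate
        elif not subject.startswith(identity + "/"):
            raise ValueError("proxy subject does not extend the user identity")
        limited = limited or lim                # modelling choice: limited is inherited
        signer_n = subject_n                    # next link is checked with this key
    return identity, limited

def authorize(service, chain, ca_n):
    identity, limited = verify_chain(chain, ca_n)
    if limited and service == "jobmanager":     # job manager requires a full proxy
        raise PermissionError("limited proxy refused")
    return identity

def demo():
    ca, user, proxy, remote = (keypair(i) for i in range(4))
    dn = "/C=US/O=Globus/CN=Example User"       # constructed DN
    chain = [sign_cert(dn, user[0], False, ca)]
    chain = make_proxy(chain, user, False, proxy)    # grid-proxy-init: full proxy
    chain = make_proxy(chain, proxy, True, remote)   # delegation of a limited proxy
    return ca[0], dn, chain
```
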

26
Summary
  • GSI is
  • X.509 Certificates for authentication
  • PKI for verifying identities in Certificates
  • SSL as the protocol for authentication,
    confidentiality and integrity
  • Proxy certificates and delegation to support
    single sign-on

27
GGF Security Working Groups
  • http://www.gridforum.org/security/
  • Grid Security Infrastructure (GSI)
    http://www.gridforum.org/security/ggf1_2001-03/drafts/draft-ggf-gsi-roadmap-02.pdf
  • Grid Certificate Policy Design
  • http://www.gridcp.es.net/

28
Working Group Documents
  • Grid Security Infrastructure (GSI)
  • Grid Certificate Policy Design
  • Security Implications of Typical Grid Computing
    Usage Scenarios
    http://www.gridforum.org/security/gf5_2000-10/drafts/draft-gridforum-security-implications-01.pdf