What can you do with a Grid Certificate? - PowerPoint PPT Presentation

Slides: 23
Provided by: steve555
Transcript and Presenter's Notes

1
What can you do with a Grid Certificate?
  • Andrew McNab
  • High Energy Physics
  • University of Manchester

2
Overview
  • Public Key Cryptography
  • Encrypting and Signing with a public key
  • Proving it's MY public key - CAs
  • Connecting with a key - ssh
  • Connecting with a certificate - https
  • Delegating - Globus proxies
  • Passports vs Visas
  • Access control lists - GGF
  • Putting the grid into the OS - SlashGrid
  • Extending HTTPS - G-HTTPS

3
Public Key Cryptography
  • This is one of the most interesting and downright
    useful areas of applied maths
  • Invented twice thanks to Official Secrets Act
  • by people at GCHQ 1970-4 (published 1998)
  • again by Diffie and Hellman at Stanford, 1976
  • Various algorithms exist
  • Most common is RSA, invented by Rivest, Shamir
    and Adleman in 1977
  • Initially patented (expired in 2000)
  • Also subject to US export legislation, despite
    being simple enough to put on a T-Shirt!

4
RSA algorithm (simplified a bit)
  • Say I have public key n = pq, where p and q are prime.
  • Private key d, with 3d ≡ 1 (mod (p-1)(q-1))
  • Encrypt message M (< n) as C = M^3 mod n
  • Decrypt message M = C^d mod n
  • For example, n = 5 × 3 = 15, M = 12
  • d = 3
  • C = 12^3 mod 15 = 3
  • M = 3^3 mod 15 = 12 !!
  • However, if I don't know p and q, I can't get d.
  • If n = pq is very big, I can't easily find prime
    numbers such that p × q = n

5
Encrypting with public key
  • I can generate public and private keys
  • I publish my public key
  • You can turn a message into a number and encrypt
    it
  • Only I, who also know the private key, can
    decrypt it
  • This solves one of the ancient problems of
    cryptography, going back to Greeks etc
  • how to first get the encryption secret from the
    recipient to the sender in a secure way

6
Simple application secret emails
  • Internet email is pretty insecure
  • Anyone who can listen on the network can see
    what's in the emails as they go past
  • But using public and private keys, people can
    encrypt a message and include it in an email
  • Keys and messages are base64-encoded blobs of
    text like this

-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAOd5Zs
tqePGkfg4T8e3tDAr3ykv79ErTvERwFlO64/6IA5KkpMKFiz
FR3hZmnC8lrS5DItxdGkUo7y03mMMUsCAwEAAQJBAKQv0qA62
cHJGcTtfHl3bpI0rEg0vnCpvYb1RnCSsDggo4Banb7/ak2a/Q
rvfWoyt4Y60PE/6ypGvgiy6eqMdECIQD888SCzXjDoNHxfj
ceTdeS2ZcA2xHdoL9179guWUM0wIhAOo78FEVh45/DagJRqXW
No81Sp1fk5LaIkmVXx2akh6pAiEAj2PCeH22K14cdt/1MDHcei
vOdrTRKdpk6tno9ExP1UCIQChLwHeKjyPCpDma596/y7a2a
fCOgaQ/UYQaukSXuHkQIgZQFJimvH4ZZjErleQKsmyI2NuTk
2/EDQxbnpyN35g
-----END RSA PRIVATE KEY-----

7
Signing emails
  • This technology doesn't only allow us to encrypt
    messages
  • I can use my private key to generate a digital
    signature
  • Using my public key, you can verify that only I
    could have generated it
  • This gives both simple signing (you can verify
    the source) and non-repudiation (you can prove
    the same key signed a group of messages and I
    can't deny it)
  • Signature is another block of text at the end of
    the original message in plaintext
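An added worked example, written for this transcript rather than taken from the slides: the RSA arithmetic of slide 4 using the slide's own values (p = 5, q = 3, n = 15, public exponent 3, d = 3), the encrypt/decrypt step of slide 5 and the sign/verify step of slide 7. The function names (`make_keypair`, `encrypt`, `decrypt`, `sign`, `verify`, `recover_private_key`) are mine, and `sign` is textbook RSA applied to the raw number with no hash or padding, which is fine for a modulus of 15 and nothing else.

```python
# Added example for this transcript, not code from the slides. Toy RSA with the
# slide's values (p=5, q=3, n=15, public exponent 3, d=3): textbook arithmetic on
# raw numbers, no hashing or padding. Standard library only (Python 3.8+).
from math import gcd


def make_keypair(p, q, e=3):
    """Key pair from primes p and q and public exponent e (3 on the slide)."""
    n = p * q
    phi = (p - 1) * (q - 1)              # the (p-1)(q-1) of slide 4
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # e*d = 1 (mod phi)
    return (n, e), (n, d)                # public key, private key


def encrypt(public_key, m):
    """Slide 5: anyone holding the public key computes C = M^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a number smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d recovers M = C^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Slide 7: the private-key operation on the message is the signature."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    """Anyone with the public key checks that signature^e mod n gives M back."""
    n, e = public_key
    return pow(signature, e, n) == m % n


def recover_private_key(public_key):
    """What an attacker must do without p and q: factor n. Instant for n=15,
    infeasible for a real modulus of 2048 bits or more."""
    n, e = public_key
    for p in range(2, n):
        if n % p == 0:
            return pow(e, -1, (p - 1) * (n // p - 1))
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    pub, priv = make_keypair(5, 3)         # n = 15, d = 3
    c = encrypt(pub, 12)                    # 12^3 mod 15 = 3
    print("C =", c, " M =", decrypt(priv, c))          # 3, 12
    s = sign(priv, 12)
    print("signature", s, "verifies:", verify(pub, 12, s),
          "tampered:", verify(pub, 12, (s + 1) % 15))
    print("d recovered by factoring n:", recover_private_key(pub))
```

`recover_private_key` is the slide's closing point made concrete: with n = 15 trial division finds p and q at once and hands over d, and the only thing standing between an attacker and a real key is the size of n. Real deployments also never apply the private-key operation to a raw number as `sign` and `decrypt` do here; they hash the message and use a padding scheme (OAEP for encryption, PSS for signatures), without which the plain multiplicative structure of RSA can be abused.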

8
Proving it's MY public key
  • However, other people still have to verify it
    really is MY public key they are using
  • What if I can't physically give you the key?
  • Certificate Authorities (CAs) / Trusted 3rd
    Parties resolve this
  • They sign other people's public keys, along with
    a unique name -> a certificate
  • You still have to get the CA public key somehow
  • So I can get my public key signed, put it on my
    webpage and you can verify it's really mine
  • i.e. it hasn't been replaced by a hacker, say

9
Certificate Authority namespaces
  • CA needs to have some unique naming for
    individuals
  • Could use Name + Postal Address, or Email
    Address.
  • In practice, use an X.500 hierarchy
  • /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew
    McNab
  • We use the UK HEP CA and now also the general
    e-Science CA at RAL
  • We are now directly responsible for names under
    /C=UK/O=eScience/OU=Manchester/L=HEP/
  • New CA requires us to check some photo ID

10
Connecting with a key
  • ssh uses RSA and similar algorithms
  • Server generates a key pair to identify itself
  • Users can generate key pairs to use instead of
    passwords
  • At CERN, SLAC etc, put your public key in
    ~/.ssh/authorized_keys
  • When you connect, ssh checks if server key pair
    is the same as last time
  • but, the first time, it has to take it on trust
  • would be better to use a signed certificate,
    rather than just a public key
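The "same server key as last time?" check of this slide, as an added example for this transcript (not from the slides and not OpenSSH's code): a small trust-on-first-use store over known_hosts-style lines. The host names, the 192.0.2.10 address and the key blobs are constructed sample data; `parse_known_hosts`, `check_host_key`, `fingerprint` and `sample_key` are my names. OpenSSH's real file also supports hashed host names and several keys per host, which this model ignores.

```python
# Added example, not from the slides: trust-on-first-use host key checking in
# the style of ~/.ssh/known_hosts. All hosts and key blobs are constructed samples.
import base64
import hashlib


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """'host[,host...] keytype base64key' per line -> {host: (keytype, key)}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        for host in hosts.split(","):
            known[host] = (keytype, key)
    return known


def check_host_key(known, host, keytype, key):
    """'new': first contact, key taken on trust and recorded (the weak point the
    slide notes); 'ok': same key as before; 'CHANGED': different key, so stop
    and investigate before sending a password or agent signature."""
    seen = known.get(host)
    if seen is None:
        known[host] = (keytype, key)
        return "new"
    return "ok" if seen == (keytype, key) else "CHANGED"


def sample_key(label: str) -> str:
    """Constructed stand-in for a server's public key blob."""
    return base64.b64encode(b"constructed key material: " + label.encode()).decode()


if __name__ == "__main__":
    known = parse_known_hosts(
        "# constructed sample known_hosts\n"
        "lxplus.cern.ch,192.0.2.10 ssh-rsa " + sample_key("cern") + "\n")
    print(check_host_key(known, "lxplus.cern.ch", "ssh-rsa", sample_key("cern")))       # ok
    print(check_host_key(known, "ssh.example.org", "ssh-rsa", sample_key("other")))     # new
    print(check_host_key(known, "lxplus.cern.ch", "ssh-rsa", sample_key("imposter")))   # CHANGED
    print(fingerprint(sample_key("cern")))
```

The `"new"` branch is exactly the gap the slide points at: on first contact there is nothing to compare against, so the client records whatever key it is shown. Comparing the fingerprint against one published out of band, or moving to CA-signed host certificates as the slide suggests, is what closes it.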

11
Connecting with a certificate
  • You're probably familiar with https websites
  • e.g. for credit card orders from Easyjet
  • These use RSA etc to secure the connection
  • Hosts have certificates rather than just public
    keys
  • in cert name have /CN=www.easyjet.com
  • So web browser can verify you're really giving
    your credit card number to Easyjet
  • Also, if you put a user certificate into the
    browser, webserver can verify who you are

12
GridSite
  • GridSite system has user authentication
  • Written here and used for www.gridpp.ac.uk
  • Maintains lists of users in different groups
  • Each directory has a list of groups who can
    modify its webpages
  • Tools on website allow you to upload files, edit
    pages
  • Group admins can modify the membership of their
    group too
  • Devolves the work of maintaining the site down to
    each subgroup

13
Other services using certificates
  • Globus's grid services use the same idea
  • GridFTP for bulk file transfers
  • GRAM for job submission
  • GSI-ssh normal ssh modified to use server and
    user certificates rather than just key pairs
  • Since both Globus and https use the same X.509
    format certificates, Grid/Web can be integrated
  • Only need to get 1 user certificate, both for
    purely Grid and https Web sites.

14
Globus Delegation
  • In normal https, I can prove who I am to the
    website, but that's it
  • Globus extended this idea with delegation
  • When I contact a remote host, it also makes a
    new, temporary key pair with my name
  • I agree to sign the public key, like a CA does
  • My programs on the host can then contact other
    hosts with the proxy chain of certs
  • A 2nd remote host can check I authorised all
    this, by checking the chain of certs one by one
  • no need to take the 1st host's word for it!
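An added example for this transcript, not code from the slides and not Globus or OpenSSL code: a toy model of slide 8 (a CA signs name plus public key, giving a certificate) and of this slide's proxy chain, checked link by link back to the CA rather than on the first host's word. Keys are toy RSA from a seeded Miller-Rabin prime search so the run is deterministic, certificates are plain dicts rather than X.509, and the proxy naming rule (the issuer's name plus exactly one extra `/CN=...` component) is my assumption modelled on Globus proxies. All names and keys are constructed sample values.

```python
# Added example, not from the slides: toy CA, user certificate and proxy chain.
# Toy RSA (seeded Miller-Rabin), dict "certificates", SHA-256 over canonical JSON.
import hashlib
import json
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with bases drawn from rng (deterministic for a seeded rng)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if is_probable_prime(c, rng):
            return c


def keypair(rng, bits=160, e=65537):
    """Toy RSA key pair; n is ~320 bits so a SHA-256 digest fits below n."""
    while True:
        p, q = gen_prime(rng, bits), gen_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means coprime
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def digest(body):
    """SHA-256 of the certificate body in a canonical (sorted-key JSON) form."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(issuer_name, issuer_priv, subject, subject_pub):
    """The CA step of slide 8: sign (subject name, subject public key)."""
    body = {"subject": subject, "issuer": issuer_name, "key": subject_pub}
    return {"body": body, "sig": pow(digest(body), issuer_priv["d"], issuer_priv["n"])}


def signature_ok(cert, signer_pub):
    return pow(cert["sig"], signer_pub["e"], signer_pub["n"]) == digest(cert["body"])


def verify_chain(chain, trusted_cas):
    """chain = [innermost proxy, ..., user cert]. Each link must be signed by the
    next cert's key and named directly under it; the user cert must be signed by
    a CA whose key we already hold (slide 8: you still need the CA key somehow)."""
    for cert, issuer in zip(chain, chain[1:]):
        body = cert["body"]
        if body["issuer"] != issuer["body"]["subject"]:
            return False, "issuer name mismatch on " + body["subject"]
        if not signature_ok(cert, issuer["body"]["key"]):
            return False, "bad signature on " + body["subject"]
        prefix = body["issuer"] + "/CN="
        if not body["subject"].startswith(prefix) or "/" in body["subject"][len(prefix):]:
            return False, "proxy name not directly under issuer: " + body["subject"]
    root = chain[-1]
    ca_key = trusted_cas.get(root["body"]["issuer"])
    if ca_key is None:
        return False, "untrusted CA " + root["body"]["issuer"]
    if not signature_ok(root, ca_key):
        return False, "CA signature bad on " + root["body"]["subject"]
    return True, "chain ends at trusted CA " + root["body"]["issuer"]


def build_demo(seed=2003):
    """Constructed CA, user and proxy (sample names, not real certificates)."""
    rng = random.Random(seed)
    ca_pub, ca_priv = keypair(rng)
    user_pub, user_priv = keypair(rng)
    proxy_pub, _ = keypair(rng)            # made on the remote host (slide 14)
    attacker_pub, _ = keypair(rng)         # a key somebody swaps in (slide 8)
    ca_name = "/C=UK/O=eScience/CN=Example CA"
    user_name = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"
    user_cert = issue(ca_name, ca_priv, user_name, user_pub)
    proxy_cert = issue(user_name, user_priv, user_name + "/CN=proxy", proxy_pub)
    return {"trusted": {ca_name: ca_pub}, "user": user_cert,
            "proxy": proxy_cert, "attacker_pub": attacker_pub}
```

Usage: `d = build_demo(); verify_chain([d["proxy"], d["user"]], d["trusted"])` returns `(True, ...)`. Replacing the key inside the user certificate with `d["attacker_pub"]` while keeping the old signature makes the CA signature check fail, which is the "replaced by a hacker" case of slide 8; passing an empty `trusted_cas` fails at the root, which is why distributing CA keys securely is the one step this scheme cannot remove.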

15
Single sign-on
  • Delegation allows you to just sign on once
  • Do grid-proxy-init command once each day
  • locally delegates proxy as /tmp/x509up_uXX
  • Each Globus program looks for this when
    connecting
  • globus-job-run for job submission
  • globus-url-copy for file copying
  • gsi-ssh for getting a remote command line
  • EU DataGrid programs built with this do too
  • dg-job-submit
  • dg-job-get-output

16
Delegation in jobs
  • As the Grid becomes more complex, delegation
    becomes vital
  • User at Site A submits a job
  • Job goes to Resource Broker at Site B
  • RB sends job to Site C which has spare CPUs
  • Job running at C reads data catalog at Site D
  • Job at C reads closest data replica from Site E
  • Job finishes hours later and sends output to file
    server back at Site A
  • Delegation means not having to take other sites'
    word for it - which wouldn't scale up

17
Passports vs Visas
  • Globus uses grid-mapfile - lists mapping of
    certificate name to local unix user ID
  • if you're on the list then you are in
  • This is equivalent to a Passport + a Ban /
    Invitation List
  • New systems being built with a Visa model
  • when I make my initial proxy, I also include a
    signed statement from my organisation
  • this attribute cert proves my membership
  • since I can't forge the Atlas signature, each
    site doesn't need the list of all Atlas Users
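An added example for this transcript, not code from the slides and not Globus code: parsing the slash-form X.500 names of slide 9, checking a name against a delegated namespace such as `/C=UK/O=eScience/OU=Manchester/L=HEP/`, matching a host certificate's CN to a site name as a browser does (slide 11), and the grid-mapfile "passport" lookup of this slide. The mapfile text is a constructed sample in the Globus grid-mapfile layout (a quoted DN followed by a local user name, or a comma-separated list of them of which the first is the default); `parse_dn`, `in_namespace`, `cn_matches_host`, `parse_grid_mapfile` and `map_user` are my names.

```python
# Added example, not from the slides: slash-form DN handling, namespace checks,
# CN/hostname matching and a grid-mapfile lookup. The mapfile is constructed data.
import shlex

SAMPLE_MAPFILE = '''
# constructed sample grid-mapfile: "DN" localuser[,localuser...]
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab" mcnab
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Some Student" hep001,hep002
'''


def parse_dn(dn: str):
    """'/C=UK/O=eScience/CN=A B' -> [('C','UK'), ('O','eScience'), ('CN','A B')].
    A trailing '/' (as in a namespace prefix) is allowed."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns = []
    for part in dn.rstrip("/")[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError("bad RDN: %r" % part)
        rdns.append((attr, value))
    return rdns


def in_namespace(dn: str, namespace: str) -> bool:
    """True if dn lies strictly below namespace (slide 9: names we are
    responsible for), comparing parsed RDNs rather than raw strings."""
    d, ns = parse_dn(dn), parse_dn(namespace)
    return len(d) > len(ns) and d[:len(ns)] == ns


def cn_matches_host(cert_dn: str, host: str) -> bool:
    """Browser-style check from slide 11: exactly one CN and it equals the site."""
    cns = [v for a, v in parse_dn(cert_dn) if a == "CN"]
    return len(cns) == 1 and cns[0].lower() == host.lower()


def parse_grid_mapfile(text: str):
    """'"<DN>" user[,user...]' per line, '#' comments -> {DN: default user}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # handles the quoted DN with spaces
        if len(fields) < 2:
            raise ValueError("bad grid-mapfile line: %r" % line)
        mapping[fields[0]] = fields[1].split(",")[0]
    return mapping


def map_user(mapping, dn: str):
    """Passport model: you are in only if your exact DN is on the list."""
    return mapping.get(dn)


if __name__ == "__main__":
    me = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"
    print(parse_dn(me))
    print(in_namespace(me, "/C=UK/O=eScience/OU=Manchester/L=HEP/"))   # True
    print(cn_matches_host("/C=GB/O=Example/CN=www.easyjet.com", "www.easyjet.com"))
    print(map_user(parse_grid_mapfile(SAMPLE_MAPFILE), me))           # mcnab
```

Two practical points the code makes explicit: the slash-form DN is ambiguous if a value itself contains "/", which is why the comparison is done on parsed RDNs rather than string prefixes, and the grid-mapfile lookup is an exact match, so every site needs its own copy of the full user list, the scaling problem that the Visa model on this slide addresses.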

18
Grid Access Control Lists
  • Our GACL format provides a way of writing ACLs
    using Grid credentials
  • user certificate names, group certificates etc
  • GridSite uses this format already
  • Other projects (eg EDG Storage Element) taking it
    up
  • Now part of the authorisation work in Global Grid
    Forum (GGF)
  • GGF = world-wide standards body for Grids
  • I co-chair the Authorisation Working Group

19
SlashGrid Grid filesystems
  • Almost all EDG sites use Manchester's pool
    accounts system
  • get a temporary Unix UID when you run a job
  • SlashGrid adds to this by controlling disk access
    and file ownership
  • use GACL access control lists to say who owns
    each directory
  • enforced at kernel level so all programs see it
  • Unix ID doesn't matter, Grid ID does
  • Also provides a remote filesystem using https
  • Like AFS, but Grid credentials and web servers
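An added example for this transcript, not from the slides and not GridSite's or SlashGrid's own code: evaluating a GACL-style access control list for a Grid credential, the operation slide 18 describes and slide 19 applies per directory. The XML layout follows GridSite's GACL as I know it (an `<entry>` holding a credential such as `<person><dn>`, `<dns>` or `<any-user/>` plus `<allow>`/`<deny>` blocks of `<read/>`, `<list/>`, `<write/>`, `<admin/>`) and the rule that a deny overrides an allow; treat the exact element names and that rule as assumptions, and the document below as constructed sample data. `permissions`, `can` and `credential_matches` are my names.

```python
# Added example, not from the slides: evaluate a GACL-style ACL for a requester.
# Element names follow GridSite GACL as I recall it (an assumption); sample data.
import fnmatch
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

SAMPLE_GACL = """\
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <dns>*.hep.man.ac.uk</dns>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Blocked User</dn></person>
    <deny><read/></deny>
  </entry>
</gacl>
"""


def credential_matches(cred, user_dn, client_host):
    """Does one credential element apply to this requester?
    user_dn is the certificate name (None if unauthenticated); client_host
    is the connecting host name (None if unknown)."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return user_dn is not None
    if cred.tag == "person":
        return user_dn is not None and cred.findtext("dn") == user_dn
    if cred.tag == "dns":
        return client_host is not None and fnmatch.fnmatch(client_host, cred.text.strip())
    return False                      # unknown credential type: grants nothing


def permissions(gacl_xml, user_dn=None, client_host=None):
    """Union of allows from matching entries, minus the union of their denies."""
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not any(credential_matches(c, user_dn, client_host) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied


def can(gacl_xml, perm, user_dn=None, client_host=None):
    """The question SlashGrid asks at the kernel level: may this Grid identity
    perform perm here, regardless of which pool account it happens to hold?"""
    return perm in permissions(gacl_xml, user_dn, client_host)


if __name__ == "__main__":
    me = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"
    print(sorted(permissions(SAMPLE_GACL, me)))                         # all four
    print(sorted(permissions(SAMPLE_GACL)))                             # ['read']
    print(sorted(permissions(SAMPLE_GACL, None, "pc1.hep.man.ac.uk")))  # read, list
    print(can(SAMPLE_GACL, "read", "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Blocked User"))
```

The deny-overrides-allow rule is what makes the last case work: the `<any-user/>` entry grants read to everyone, but the explicit deny on the blocked DN removes it, so an administrator can add one entry to exclude a user without rewriting the rest of the list. Unknown credential types fall through to "no match", so a typo in an entry fails closed rather than open.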

20
Extending HTTPS - G-HTTPS
  • Normal HTTPS is already very Grid-like
  • Work now underway to add more Grid features
  • need to avoid breaking existing HTTPS
  • our G-HTTPS proposal designed to do this
  • Delegation from client to server
  • so get all the benefits discussed already
  • Servers can return the ACL along with the file
  • so if I cache a copy locally, I know who I can
    share the copy with
  • Relevant EDG groups involved taking it to GGF

21
fileGridSite
  • fileGridSite is a cut down version of GridSite
  • just does plain text/binary files
  • group/webpage management features removed
  • A testbed for new HTTPS extensions
  • Made possible by Mike Jones' mod_ssl-GSI
  • this makes web servers understand Globus
    delegated proxies
  • G-HTTPS lets the server get a delegated proxy
    itself
  • fileGridSite aims to offer the same functions as
    a GridFTP server, but with HTTP/HTTPS

22
Summary
  • Public key cryptography provides privacy and
    authentication
  • Certificate Authority infrastructure makes it
    scalable
  • Lots of Web and now Grid tools have been built to
    use it
  • Delegation makes Grids practical
  • New tools for group membership, and disk/web
    access control being developed
  • much of it here at Manchester
  • All this feeding into new Grid-wide standards