1
Grid Security
EMBRACE Grid Tutorial, Helsinki, 16 June 2006
Heinz Stockinger, Swiss Institute of Bioinformatics,
Lausanne, Switzerland
2
I guess you all know that
3
How about that one?
4
What does this have to do with computing?
  • Well, it's all about codes and access to
    information
  • In Grid computing
  • Limit access to resources
  • Use standard computer security

5
Motivation Security in the Grid
  • In industry, several security standards exist
  • Public Key Infrastructure (PKI)
  • PKI keys
  • SPKI keys (focus on authorisation rather than
    certificates)
  • RSA
  • Secure Socket Layer (SSL)
  • SSH keys
  • Kerberos
  • Need for a common security standard for Grid
    services
  • Above standards do not meet all Grid requirements
    (e.g. delegation, single sign-on etc.)
  • Grid community mainly uses X.509 PKI for the
    Internet
  • Well established and widely used (also for www,
    e-mail, etc.)

6
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

7
Introduction
  • Distribution of resources: secure access is a
    basic requirement
  • secure communication, secure data, resources etc.
  • security across organisational boundaries
  • single sign-on for users of the Grid
  • Three basic concepts
  • Secure communication
  • Data Encryption
  • Authentication: Who am I?
  • Equivalent to a passport, ID card etc.
  • Authorisation: What can I do?
  • Certain permissions, duties etc.

8
Data Encryption
  • Symmetric encryption: the same key (secret) is used
    for encryption and decryption
  • Kerberos, DES / 3DES, IDEA
  • Asymmetric encryption: different keys are used for
    encryption and decryption
  • RSA, DSA

9
Authentication
  • Do we want authorised users or anonymous access
    to our service?
  • How can I prove who I am?
  • In private life people have passports, identity
    cards
  • Issued by a certain authority
  • In office life we use IDs and passwords to
    access computers

10
Certificate: Grid Passport
  • Public Key Infrastructure
  • Use a public and a private key
  • Grid Certificate
  • Name
  • Issuer (Certificate Authority)
  • Validity

A passport has several important items
11
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

12
Public Key Infrastructure (PKI)
  • Asymmetric encryption
  • Digital signatures
  • A hash derived from the message and encrypted
    with the signer's private key
  • Signature checked by decrypting with the signer's
    public key
  • Allows key exchange in an insecure medium using a
    trust model
  • Keys trusted only if signed by a trusted third
    party (Certification Authority)
  • A CA certifies that a key belongs to a given
    principal
  • Certificate
  • Public key + information about the principal + CA
    signature
  • X.509 is the most used format
  • PKI used by SSL, PGP, GSI, WS security, S/MIME,
    etc.

13
PKI Example
Each entity holds a public key and a private key.
Entity A (Alice) has public key e and private key d,
which define the encryption transformation E_e and
the decryption transformation D_d.
Entity B (Bob), wishing to send a message m to A,
computes the ciphertext c = E_e(m) with A's public key.
A applies the decryption transformation m = D_d(c)
with her private key.
14
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

15
X.509 certificates and authentication
A sends A's certificate to B; B verifies the CA
signature on it.
B sends A a random phrase; A encrypts it with A's
private key and returns the encrypted phrase.
B decrypts it with A's public key and compares the
result with the original phrase.
Performance!
16
X.509 alias ISO/IEC/ITU 9594-9
  • X.509 is an ITU standard
  • ITU-T Recommendation X.509 (1997 E). Information
    technology - Open Systems Interconnection - The
    Directory: Authentication Framework
  • Defines a certificate format (originally based on
    the X.500 Directory Access Protocol)
  • Latest standard: X.509 version 3 certificate
    format
  • An X.509 certificate includes
  • User identification (someone's subject name)
  • Public key
  • A signature from a Certificate Authority (CA)
    that
  • Proves that the certificate came from the CA
  • Vouches for the subject name
  • Vouches for the binding of the public key to the
    subject

17
Involved entities
  • Certificate Authority
  • User: public key, private key, certificate
  • Resource (site offering services)
18
Certification Authorities
  • Issue certificates for users, programs and
    machines
  • Check the identity and the personal data of the
    requestor
  • Registration Authorities (RAs) do the actual
    validation
  • Manage Certificate Revocation Lists (CRLs)
  • They contain all the revoked certificates yet to
    expire
  • CA certificates are self-signed
  • In Grid projects only certain CAs are mutually
    recognised

19
Certificate classification
  • User certificate
  • issued to a physical person
  • DN: C=CH, O=CERN, OU=GRID, CN=John Smith
  • the only kind of certificate good for a client,
    i.e. to send Grid jobs etc.
  • Host certificate
  • issued to a machine (e.g. a secure web server,
    etc.)
  • request signed with a user certificate
  • DN: C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
  • Grid host certificate
  • issued to a Grid service (e.g. a Resource Broker,
    a Computing Element, etc.)
  • request signed with a user certificate
  • DN: C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
  • Service certificate
  • issued to a program running on a machine
  • request signed with a user certificate
  • DN: C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

20
Grid Certificate
  • A certificate needs to be requested from a
    Certificate Authority
  • When using the Grid Security Infrastructure
    (GSI), the certificate consists of two parts
  • usercert.pem
  • userkey.pem

21
X.509 Certificate Example (1)
  • openssl x509 -in ~/.globus/usercert.pem -text
  • Certificate:
  • Data:
  • Version: 3 (0x2)                          (X509.3 with extensions)
  • Serial Number: 199 (0xc7)
  • Signature Algorithm: md5WithRSAEncryption
  • Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA (issuer CA)
  • Validity
  • Not Before: Sep 25 10:33:05 2005 GMT      (long term certificate)
  • Not After : Sep 24 10:33:05 2006 GMT
  • Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User (user identification)
  • Subject Public Key Info:
  • Public Key Algorithm: rsaEncryption       (public key)
  • RSA Public Key: (1024 bit)
  • Modulus (1024 bit): 00d66af3ade3b22e98327fdd448938

22
X.509 Certificate Example (2)
  • X509v3 extensions:                        (certificate extensions)
  • X509v3 Basic Constraints: critical
  • CA:FALSE
  • X509v3 Subject Key Identifier:
  • 71BCFC294EE94E7CC9E4F9A26C774AE455828653
  • X509v3 CRL Distribution Points:           (Certificate Revocation List)
  • URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
  • X509v3 Issuer Alternative Name:
  • email:service-grid-ca@cern.ch
  • X509v3 Certificate Policies:
  • Policy: 1.3.6.1.4.1.96.10.1.2.1
  • Netscape Cert Type:
  • SSL Client, S/MIME, Object Signing        (client/user certificate)
  • Netscape Base Url:
  • http://service-grid-ca.web.cern.ch/service-grid-ca/
  • Signature Algorithm: md5WithRSAEncryption
  • 548b66e8dc60cde3dc43a7c93a122c730513 ...  (signature on the
    information)

23
Private Key Example
  • openssl rsa -in ~/.globus/userkey.pem -text
  • Enter PEM pass phrase:
  • Private-Key: (1024 bit)
  • modulus: ...
  • publicExponent: ..... (0x......)
  • privateExponent: ...
  • prime1: ...                               (private parameters)
  • prime2: ...
  • exponent1: ...
  • exponent2: ...
  • coefficient: ...
  • writing RSA key
  • -----BEGIN RSA PRIVATE KEY-----           (PEM encoded
    private key)
  • -----END RSA PRIVATE KEY-----

24
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

25
Globus Grid Security Infrastructure (GSI)
  • de facto standard for Grid middleware
  • Based on PKI
  • Implements some important features
  • Single sign-on: no need to give one's password
    every time
  • Delegation: a service can act on behalf of a
    person
  • Mutual authentication: both sides must
    authenticate to the other
  • Introduces proxy certificates
  • Short-lived certificates including their private
    key and signed with the user's certificate

26
GSI General Overview
Layered stack, top to bottom:
Proxies and delegation (GSI extensions) for
secure single sign-on
SSL/TLS for authentication and message protection
PKI (CAs and certificates) for credentials
Based on a slide from the Globus Tutorial
27
Virtual Organizations and authorization
  • Grid users must belong to a Virtual Organization
  • Sets of users belonging to a collaboration
  • Each VO user has the same access privileges to
    Grid resources
  • VOs maintain a list of their members
  • The list is downloaded by Grid machines to map
    user certificate subjects to local pool
    accounts; only mapped users are authorized in LCG
  • Sites decide which VOs to accept

grid-mapfile excerpt:
... "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice ...
28
Globus command line interface: certificate and
proxy management
  • Get information on a user certificate
  • grid-cert-info [-help] [-file certfile]
    [OPTION...]
  • -all: whole certificate
  • -subject | -s: subject string
  • -issuer | -I: issuer
  • -startdate | -sd: start of validity
  • -enddate | -ed: end of validity
  • Create a proxy certificate
  • grid-proxy-init
  • Destroy a proxy certificate
  • grid-proxy-destroy
  • Get information on a proxy certificate
  • grid-proxy-info

29
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

30
Secure your services - but how?
Client program (user certificate) -> security library
Security library -> server (host certificate) -> authorisation
31
Different kinds of services
  • Simple services with standard socket
    communication
  • Any service written in C/C++, Java, Python, Perl,
    etc.
  • Use GSI libraries, e.g. provided by Globus Toolkit
    2
  • http://www.globus.org/security/
  • The libraries handle certificate based
    authentication
  • Often considered 1st generation Grid services
  • Web services
  • Based on SOAP
  • 2nd generation Grid services
  • Web sites

32
API GSS-API and GSS Assist
  • GSS-API (Generic Security Services Application
    Programming Interface) is a generic API for
    client-server authentication (RFC 2743, 2744)
  • Traditionally, it interfaces to Kerberos
  • The Globus project interfaced it to GSI
  • Communication is kept separate: it just creates
    data buffers, it does not move them
  • Rather complicated to use
  • Documentation at http://docs.sun.com/app/docs/doc/816-1331
    and http://www.gnu.org/software/gss/manual/html_node/index.html
  • GSS-API as user interface to GSI
  • C API
  • Java API (http://www-unix.globus.org/cog/java/)
  • The Globus GSS Assist routines are designed to
    simplify the use of the GSS-API: they are a thin
    layer over it

33
Globus extensions
  • Credential import and export
  • To pass credentials from one process to another or
    to store them in a file
  • Export to 1) an opaque buffer, or 2) a file in
    GSI native format
  • gss_import_cred(), gss_export_cred()
  • Delegation at any time
  • A lot more flexible than standard GSS-API
    delegation
  • Delegation at times other than context
    establishment
  • Possible to delegate credentials different from
    those used for context establishment, even for
    different mechanisms!
  • Ex. delegate a Kerberos credential over a
    context established with GSI
  • gss_init_delegation(), gss_accept_delegation()
  • Credential extension handling
  • support for credential information other than
    just the identity
  • Set context options at the server side
  • Documentation
  • http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf
  • $GLOBUS_LOCATION/include/gcc32dbg/gssapi.h

34
Web Service Security
  • Transport level security
  • SOAP messages are transmitted encrypted
  • used by some gSOAP GSI plugins
  • Based on SSL/TLS
  • Message level security
  • WS-Security
  • set of SOAP extensions to implement integrity and
    confidentiality in Web Services
  • the <Security> header contains the security-related
    information
  • http://www-128.ibm.com/developerworks/library/ws-secure/
  • WS-SecureConversation
  • defines how to establish secure contexts and
    exchange keys
  • Performance issue
  • Used in Globus Toolkit 4

35
Performance - Mutual Authentication
  • Having secure connections creates a performance
    overhead
  • Let's have a look at the detailed steps, Bob ->
    Alice
  • Bob uses his proxy to create a request (incl. public
    key, about 2000 bytes)
  • Alice uses her private key to sign the request and
    sends the signed cert. back (in addition, CAs have to
    match)
  • Alice generates a random message and sends it to
    Bob, asking Bob to encrypt it.
  • Bob encrypts the message using his private key,
    and sends it back to Alice. Alice decrypts the
    message using Bob's public key. If this results
    in the original random message, then Alice knows
    that Bob is who he says he is.
  • Now that Alice trusts Bob's identity, the same
    operation must happen in reverse.
  • By default, all further message exchange is not
    encrypted!
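The E_e/D_d transformations of slide 13, the hash-and-sign signature of slide 12 and the random-phrase challenge of slides 15 and 35, carried through in one added example (not code from the slides or from Globus). The toy key pair built from two Mersenne primes is an assumption made for readability, and sign/verify are textbook hash-then-RSA rather than the padded signatures real GSI uses.

```python
import hashlib
import secrets

# Toy key pair (constructed): the Mersenne primes 2^61-1 and 2^89-1 give a
# ~150-bit modulus. Real Grid keys are 1024 bits or more; this size only keeps
# the numbers small enough to follow by hand.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                              # public exponent e;  public key  = (e, N)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d; private key = (d, N)


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Encryption transformation E_e: uses only the recipient's public key."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, d: int = D, n: int = N) -> int:
    """Decryption transformation D_d: needs the recipient's private key."""
    return pow(c, d, n)


def digest(message: bytes, n: int = N) -> int:
    """SHA-256 of the message as an integer inside the RSA message space."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Digital signature: the message hash 'encrypted' with the signer's private key."""
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """'Decrypt' the signature with the signer's public key and compare hashes."""
    return pow(signature, e, n) == digest(message, n)


def challenge_prover(private_key=(D, N), public_key=(E, N)) -> bool:
    """One direction of the handshake: the verifier sends a random phrase, the
    prover answers with its private-key operation, and the verifier checks the
    answer with the public key taken from the prover's CA-verified certificate."""
    phrase = secrets.token_bytes(16)               # verifier's random phrase
    response = sign(phrase, *private_key)          # prover: private-key operation
    return verify(phrase, response, *public_key)   # verifier: public-key check


if __name__ == "__main__":
    m = 123456789
    assert decrypt(encrypt(m)) == m
    print("challenge passed:", challenge_prover())
    print("challenge with a wrong key:", challenge_prover(private_key=(3, N)))
```

Running the last line shows why the step matters: a party that does not hold the private key matching the certificate cannot produce an answer that the public key accepts.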

36
Some performance numbers
Cryptography is CPU intensive; WS Secure
Conversation uses symmetrical cryptography only.
Source: http://webservices.sys-con.com/read/204424.htm
37
Securing Web sites (Portals)
  • An HTML web site is not a web service
  • A web service provides a programmable interface via
    SOAP
  • A web page is purely HTML (potentially generated
    by tools such as JSP, etc.)
  • One can still use Grid security for that purpose
  • Need to load the certificate into the web browser
  • Server side (web server) needs to use Grid
    security technologies
  • Example: http://www.gridsite.org provides modules
    for the Apache server

38
Security Overview
  • Introduction
  • Public Key Infrastructure
  • Grid Certificates (X.509)
  • Grid Security Infrastructure (GSI)
  • Securing Services
  • GSI in Practice

39
GSI Authentication using Globus
Entities involved: CA, service, user, VO
40
Certificate Request / Obtaining a certificate
(once every year)
41
Certificate Signing
42
Preparation for Registration in VO
Goal: user needs to register with a certain VO
43
Registration
Account Registration: once for the lifetime of the
VO (only the DN, not the keys, so they may change)
Usage guidelines
44
Starting a Session with Globus
(every 12/24 hours)
45
Usage
  • You must have a valid certificate from a trusted
    CA!
  • login: grid-proxy-init
  • short lifetime certificate: 24 hours
  • Enter PEM pass phrase:
  • ...........................
  • ....................................
  • checking the proxy: grid-proxy-info -subject
  • /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy
  • -> use the Grid services
  • logout: grid-proxy-destroy

46
Certificate Request for a Host
(once every year)
47
Signing the Certificate
48
Configuration on the Server
(in EDG automatically updated every night/week)
49
Service
  • You must have the trusted CA certificates in
    files and the VO-LDAP server(s) URL configured.
  • Registering a trusted CA
  • /etc/grid-security/certificates: hashed cert, crl
    and url
  • Generating a gridmap file: mkgridmap
  • /etc/grid-security/gridmap: DN -> userid/gid
    mapping
  • See Authorisation
  • Generating a host/service certificate:
    grid-cert-request -host (see user certificates
    for the whole process)

50
Service CA Certificates
  • ls /etc/grid-security/certificates
  • 0ed6468a.0  0ed6468a.crl_url  0ed6468a.r0  0ed6468a.signing_policy
  • 16da7552.0  16da7552.crl_url  16da7552.r0  16da7552.signing_policy
  • c35c1972.0  c35c1972.crl_url  c35c1972.r0  c35c1972.signing_policy
  • cf4ba8c8.0  cf4ba8c8.crl_url  cf4ba8c8.r0  cf4ba8c8.signing_policy
  • d64ccb53.0  d64ccb53.crl_url  d64ccb53.r0  d64ccb53.signing_policy
  • df312a4e.0  df312a4e.crl_url  df312a4e.r0  df312a4e.signing_policy
  • In general (the file name is the hash of the CA's
    subject name)
  • .0: CA certificate
  • .r0: Certificate Revocation List (CRL)
  • .crl_url: URL from which the CRL is fetched
  • .signing_policy: subject namespaces the CA may sign

51
Service: a CA certificate
  • cat c35c1972.signing_policy
  • EACL CERN CA
  • access_id_CA X509 '/C=CH/O=CERN/CN=CERN CA'
  • pos_rights globus CA:sign
  • cond_subjects globus '"/C=ch/O=CERN/" "/C=CH/O=CERN/"
    "/O=Grid/O=CERN/" "/O=CERN/O=Grid/"'
  • openssl x509 -in c35c1972.0 -text
  • Issuer: C=CH, O=CERN, CN=CERN CA ...      (the issuer and the subject
  • Subject: C=CH, O=CERN, CN=CERN CA ...     are the same: self-signed certificate)
  • X509v3 extensions:
  • X509v3 Basic Constraints: critical
  • CA:TRUE                                   (... it may be used to sign other certificates)
  • Netscape Cert Type:
  • SSL CA, S/MIME CA, Object Signing CA      (it is a CA certificate)

52
Certificate Revocation List (CRL)
  • openssl crl -in c35c1972.r0 -text
  • Certificate Revocation List (CRL):
  • Version 1 (0x0)
  • Signature Algorithm: md5WithRSAEncryption
  • Issuer: /C=CH/O=CERN/CN=CERN CA           (the issuer is the CA itself)
  • Last Update: Jul 1 17:53:17 2002 GMT
  • Next Update: Aug 5 17:53:17 2002 GMT      (the next update shall be checked)
  • Revoked Certificates:
  • Serial Number: 5A                         (the revoked certificate's number)
  • Revocation Date: May 24 16:45:52 2002 GMT
  • Signature Algorithm: md5WithRSAEncryption (signature as usual)

53
Grid-mapfile
  • cat /etc/grid-security/gridmap
  • "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
  • "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
  • "/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/Email=Franco.Semeria@bo.infn.it" aliprod
  • "/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/Email=Marisa.Luvisetto@bo.infn.it" aliprod
  • "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
  • "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
  • "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
  • "/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/Email=legre@clermont.in2p3.fr" yannick

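The authorisation chain behind slides 49 to 53 as one added example (not code from the slides or from Globus): the signing_policy decides which subject names a trusted CA may certify, and the grid-mapfile decides which of those DNs receive a local or pool account. The file contents and DNs are constructed samples in the formats shown on the slides; a real service also checks the CA's CRL before reaching this step.

```python
import re
import shlex

# Constructed signing_policy (EACL) for one CA, in the layout of slide 51.
SIGNING_POLICY = """\
# EACL CERN CA
access_id_CA   X509   '/C=CH/O=CERN/CN=CERN CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=ch/O=CERN/" "/C=CH/O=CERN/" "/O=Grid/O=CERN/" "/O=CERN/O=Grid/"'
"""

# Constructed grid-mapfile in the layout of slide 53: "<subject DN>" <account>
GRID_MAPFILE = """\
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe User" joe
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"""


def parse_signing_policy(text):
    """Return (ca_dn, allowed subject-name prefixes) from a signing_policy file."""
    ca_dn, prefixes = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)                  # keyword, type, quoted value
        if len(parts) < 3:
            continue
        key, value = parts[0], parts[2].strip("'")
        if key == "access_id_CA":
            ca_dn = value
        elif key == "cond_subjects":
            prefixes = re.findall(r'"([^"]*)"', value)  # each double-quoted namespace
    return ca_dn, prefixes


def parse_grid_mapfile(text):
    """Return {subject DN: local account}; shlex keeps quoted DNs with spaces whole."""
    mapping = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2:
            mapping[fields[0]] = fields[1]
    return mapping


def authorise(subject, issuer, policy=SIGNING_POLICY, mapfile=GRID_MAPFILE):
    """Decide whether an authenticated DN may use the service: (account, reason)."""
    ca_dn, prefixes = parse_signing_policy(policy)
    if issuer != ca_dn:
        return None, "certificate not issued by the CA this signing_policy covers"
    if not any(subject.startswith(p) for p in prefixes):
        return None, "subject outside the namespaces the CA is allowed to sign"
    account = parse_grid_mapfile(mapfile).get(subject)
    if account is None:
        return None, "authenticated but not in the grid-mapfile, so not authorised"
    return account, "pool account" if account.startswith(".") else "local account"
```

The third failure case is the one slide 27 describes: a user with a perfectly valid certificate from a trusted CA is still refused until the VO membership list has put the DN into the grid-mapfile.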
54
Abbreviations
  • CA: Certificate Authority
  • CP: Certificate Policy
  • CPS: Certificate Practice Statement
  • CRL: Certificate Revocation List
  • GSI: Grid Security Infrastructure
  • GSS: Generic Security Service
  • PKI: Public Key Infrastructure
  • SSL: Secure Socket Layer
  • TLS: Transport Layer Security
  • VO: Virtual Organization
  • VOMS: Virtual Organization Membership Service

55
Conclusion
  • Security is important for Grid middleware
  • In particular in commercial use
  • Security solutions need to be integrated from the
    very beginning
  • Grid security relies on PKI
  • Requires authentication and authorisation
  • Basic entities
  • Users, CAs (Certificate Authorities), Resource
    Providers

We had a security concept from the very
beginning but decided to deal with security
later
Thanks to Andrea Sciaba (CERN) for reusing some
of his slides
The EMBRACE project is funded by the European
Commission within its FP6 Programme, under the
thematic area "Life sciences, genomics and
biotechnology for health", contract number
LHSG-CT-2004-512092.