Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen


Grid Computing 7700 Fall 2005 Lecture 16: Grid Security Gabrielle Allen allen@bit.csc.lsu.edu http://www.cct.lsu.edu/~gallen

Required Reading
- Chapter 16 of The Grid (version 1), freely available for download on the web
- GSI: Grid Security Infrastructure, http://www.globus.org/toolkit/docs/4.0/security/
- Recommended: Chapter 21 of The Grid (version 2)
  - Different aspects brought in by considering web/grid services

GSI: Grid Security Infrastructure
- Security solution from Globus: http://www.globus.org/toolkit/docs/4.0/security/
- Based on public key cryptography (asymmetric cryptography)
- Motivations:
  - Secure communication
  - Security across organization boundaries
  - Single sign on and delegation of credentials
  - Standards based

Terminology
- Authentication: establishing who you are
- Authorization: establishing what you are allowed to do
- Assurance/accreditation: validating authority of a service provider
- Accounting and auditing: tracking, limiting and charging for resources
- Messages: message integrity, message confidentiality
- Non-repudiation: proof that you got the message
- Digital signature: assurance about the message
- Certificate authority: a body which issues and manages security credentials
- Delegation: authority to act as someone else
- Balance with impact on performance, implementation and administrative costs

TLS/SSL
- TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer).
- SSL is a protocol that transmits your communications over the Internet in an encrypted form.
- SSL ensures that the information is sent, unchanged, only to the server you intended to send it to.
- Lies above the TCP/IP layer and below the HTTP layer.
- Developed by Netscape for transmitting private documents via the Internet.
- SSL works by using a private key to encrypt data that's transferred over the SSL connection.
- Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
- By convention, URLs that require an SSL connection start with https: instead of http:.
- http://wp.netscape.com/eng/ssl3/
- http://www.ietf.org/html.charters/tls-charter.html
- Requires a direct transport layer between endpoints

Public Key Encryption
- Entity generates two keys: one is designated as the public key, one is the private key.
- The private key must be kept private!
- Public key is given out (e.g. in an X.509 certificate).
- If one key is used to encrypt a message, the other key must be used to decrypt it.
- Possession of the private key (and ability to encrypt/decrypt challenge messages) proves ownership.

Public Key Encryption: How B sends an encrypted message to A
- A holds a key pair:
  - Public key e defines encryption transformation E(e)
  - Private key d defines decryption transformation D(d)
- Exchange:
  1. A sends public key e to B
  2. B uses e to encrypt message m: c = E(e, m)
  3. B sends c to A
  4. A uses d to decrypt c: m = D(d, c)

Public Key Encryption
- Encryption method is public knowledge, so it does not provide data integrity or authentication of data origin
- Slower than other methods (not so good for bulk transfer or lots of small items)
- Based on the belief that it is not possible to determine the decryption mechanism from the encryption mechanism
- More secure than username/password (requires passphrase and possession of private key)
- Security relies on identity establishment

Public Key Authentication
(A holds the private key; B receives A's public key)
1. A sends its public key to B
2. B sends A a challenge encrypted with the public key
3. A decodes the challenge with its private key
4. A sends an encrypted answer back to B
5. B decrypts the answer and verifies it

Non-Repudiation
In general, nonrepudiation is the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. On the Internet, a digital signature is used not only to ensure that a message or document has been electronically signed by the person that purported to sign the document, but also, since a digital signature can only be created by one person, to ensure that a person cannot later deny that they furnished the signature.

Digital Signature
- An electronic signature that authenticates the identity of the sender of a message or the signer of a document, or ensures that the contents of a message are intact.
- Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped.
- The ability to ensure that the original signed message arrived means that the sender cannot repudiate it later.
- A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

Digital Signature
- To sign a piece of information, compute its mathematical hash. (The algorithm used to compute this hash must be known to the recipient of the information, but it isn't a secret.)
- Using your private key, encrypt the hash, and attach it to the message.
- Make sure that the recipient has your public key.
- To verify that your signed message is authentic, the recipient of the message will compute the hash of the message using the same hashing algorithm you used, and then decrypt the encrypted hash.
- If the newly computed hash and the decrypted hash match, it proves that you signed the message and it has not been changed.

Hashes
- Public key encryption is relatively slow, so using it for digital signing by encrypting whole messages is not efficient
- Instead, sign a much smaller (redundant) proxy (or digest or hash) for the message to guarantee origin (authenticity) and genuineness (integrity)
- Other names: digital fingerprint, message fingerprint, cryptographic hash, cryptographic checksum
- SHA-1: Secure Hash Algorithm
  - compresses Microsoft Office to disk space used for xxxxxxxxxxxxxxxxxxxx

Digital Certificate
- Public document which identifies (authenticates) users and services on a Grid.
- The signer of a digital certificate says something like "I attached G.Allen's public key to this digital certificate and then signed it with my private key".
- Any user of G.Allen's digital certificate must completely trust the competency and honesty of the person/organization who signed the certificate.
- For anyone to confidently use G.Allen's digital certificate they must also trust that they have a validated copy of the signer's public key.
- There is nothing secret about the contents of a digital certificate.
- Has an expiration date.
- Analogy: e.g. with a driving license, issued by the DMV and trusted by other countries and states, or my PhD certificate.

Managing Digital Certificates
- Digital certificate administrative frameworks are called public key infrastructures (PKIs).
- Two major ones (sometimes interoperable):
  - X.509 (standardized by IETF)
  - Pretty Good Privacy (PGP)

Certificate Authority
- In X.509 terminology, the centrally controlled system for managing digital certificates is a certificate authority (CA)
- Trusted third party which manages digital certificate application, certification, issuance and revocation
- X.509 trust networks (e.g. Mississippi will trust driving licenses issued in LA)
- Each X.509 PKI implementation has a root CA, which produces a self-signed or root certificate

Distinguished Name (DN)
- Unique identifier for the owner (and issuer) of a certificate (with respect to the CA)
- Analogy: social security number seems to be the main identifier in US
- With GSI, the gridmap file is used to map DNs to local user names
- Example: /O=LSU/OU=CCT/OU=CSC7700/OU=cct.lsu.edu/cn=user05
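The DN-to-local-user mapping described on this slide, as an added example that is not part of the original lecture or of the Globus code: a small grid-mapfile parser that denies unmapped DNs and reports entries an administrator would want to review. It assumes the usual grid-mapfile layout of a quoted DN followed by a comma-separated list of local accounts; the account names, the "Example Grid" DNs and the first-entry-wins handling of duplicates are choices made for this example.

```python
import shlex

# Constructed sample grid-mapfile. The first DN is the one on the slide;
# the local account names and the other entries are made up.
SAMPLE = '''\
# DN (quoted)                                        local account(s)
"/O=LSU/OU=CCT/OU=CSC7700/OU=cct.lsu.edu/cn=user05" student05
"/C=US/O=Example Grid/CN=Jane Doe" jdoe,jdoe-batch
"/C=US/O=Example Grid/CN=Ops Admin" root
"/C=US/O=Example Grid/CN=Jane Doe" guest
/C=US/O=Example Grid/CN=Unquoted Name nobody
'''


def parse_gridmap(text):
    """Return (mapping, problems). mapping: DN -> list of local accounts."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)
        except ValueError as exc:           # e.g. unbalanced quote
            problems.append((lineno, f"unparsable: {exc}"))
            continue
        if len(fields) != 2 or not fields[0].startswith("/"):
            # An unquoted DN containing spaces splits into extra fields.
            problems.append((lineno, 'expected: "<DN>" <account[,account]>'))
            continue
        dn, accounts = fields[0], fields[1].split(",")
        if dn in mapping:
            problems.append((lineno, f"duplicate DN ignored: {dn}"))
            continue
        if "root" in accounts:
            problems.append((lineno, f"DN mapped to root: {dn}"))
        mapping[dn] = accounts
    return mapping, problems


def local_account(mapping, dn, requested=None):
    """Deny by default: None unless the exact DN is mapped (and, if the
    caller asks for a specific account, that account is listed)."""
    accounts = mapping.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    gridmap, issues = parse_gridmap(SAMPLE)
    print(local_account(gridmap, "/C=US/O=Example Grid/CN=Jane Doe"))
    for lineno, text in issues:
        print(f"line {lineno}: {text}")
```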

GSI Grid Certificates
- On the Grid, each user and service is identified via a GSI certificate, which includes:
  - A subject name, which identifies the person or object that the certificate represents.
  - The public key belonging to the subject.
  - The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject.
  - The digital signature of the named CA.
- GSI certificates are encoded in the X.509 certificate format.
- GSI provides single sign-on, and users have identity certificates with private/public keys instead of using username/password.

My Alliance Certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 338 (0x152)
            Signature Algorithm: md5withrsaencryption
            Issuer: C=US, O=National Computational Science Alliance, OU=Certification Authority
            Validity
                Not Before: Aug 31 10:16:51 2002 GMT
                Not After : Aug 30 10:16:51 2004 GMT
            Subject: C=US, O=National Computational Science Alliance, CN=Gabrielle Allen
            Subject Public Key Info:
                Public Key Algorithm: rsaencryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b6:ad:2f:fc:20:f3:45:8e:a0:9c:e2:a8:a5:1d:
                        ETC ETC
                        ff:f4:b7:2a:ce:d4:f8:e3:cd
                    Exponent: 65537 (0x10001)

My Alliance Certificate

            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Authority Key Identifier:
                    keyid:9f:2d:dc:82:f0:cc:81:b2:fe:9d:ac:8e:23:47:1b:b6:d5:be:b9:e2
                X509v3 CRL Distribution Points:
                    URI:https://ca.ncsa.edu/5aba75cb.r0
        Signature Algorithm: md5withrsaencryption
            a8:0f:c5:d6:ea:18:d7:6a:f6:76:61:a0:19:2e:3c:db:66:a6:
            ETC ETC
            1b:7f:39:61:14:77:41:44:0d:15:70:cc:12:01:3b:79:29:66:
            52:b9:a5:e0:6e:01:09:70:e8:4e:ac:0d:48:c8:31:ba:62:f1:
            cd:ac:c8:73:82:79:18:8b:5d:0d:d1:78:cc:2b:85:ff:92:95:
            37:26:1c:f0

Certificate Authorities and Policies
For example:
- DOE: http://www.doegrids.org/docs/cp-cps.pdf
- Alliance: http://archive.ncsa.uiuc.edu/scd/alliance/gridsecurity/certificates/alliancecp9.1.html
- In Louisiana?

Globus Grid Certificates
- grid-cert-request is usually used to request a certificate:
    grid-cert-request -ca
- The certificate is usually stored in the .globus directory as usercert.pem
- userkey.pem is the private key
- The private key is encrypted with a passphrase.

GSI in Action: "Create Processes at A and B that Communicate & Access Files at C"
[Figure: diagram, summarized here from its labels]
- User: single sign-on via "grid-id" and generation of a proxy credential, or retrieval of a proxy credential from an online repository
- User proxy (holding the proxy credential): sends remote process creation requests* to Site A and Site B
- Site A (Kerberos): GSI-enabled GRAM server (authorize, map to local id, create process, generate credentials); the computer process runs with a local id, a Kerberos ticket and a restricted proxy
- Site B (Unix): ditto, with a GSI-enabled GRAM server; the computer process runs with a local id and a restricted proxy
- Processes at A and B: communication* with each other and remote file access request* to Site C
- Site C (Kerberos): storage system with a GSI-enabled FTP server (authorize, map to local id, access file)
* With mutual authentication

Grid Security Requirements
- User View
  1) Easy to use
  2) Single sign-on
  3) Run applications: ftp, ssh, mpi, condor, web, ...
  4) User based trust model
  5) Proxies/agents (delegation)
- Resource Owner View
  1) Specify local access control
  2) Auditing, accounting, etc.
  3) Integration w/ local system: Kerberos, AFS, license mgr.
  4) Protection from compromised resources
- Developer View
  - API/SDK with authentication, flexible message protection, flexible communication, delegation, ...
  - Direct calls to various security functions (e.g. GSS-API)
  - Or security integrated into higher-level SDKs: e.g. GlobusIO, Condor-G, MPICH-G2, HDF5, etc.

Candidate Standards
- Kerberos 5 fails to meet requirements:
  - Integration with various local security solutions
  - User based trust model
- Transport Layer Security (TLS/SSL) fails to meet requirements:
  - Single sign-on
  - Delegation

Grid Aspects
- Single sign-on
- Delegation
- Firewalls
- Distributed systems (intermediate components): message protection must be moved from transport layer to message layer
- Group authentication and authorisation (for dynamic VOs)

Grid Security Infrastructure (GSI)
- Extensions to standard protocols & APIs
  - Standards: SSL/TLS, X.509 & CA, GSS-API
  - Extensions for single sign-on and delegation
- Globus Toolkit reference implementation of GSI
  - SSLeay/OpenSSL + GSS-API + SSO/delegation
  - Tools and services to interface to local security
    - Simple ACLs; SSLK5/PKINIT for access to K5, AFS
  - Tools for credential management
    - Login, logout, etc.
    - Smartcards
    - MyProxy: Web portal login and delegation
    - K5cert: Automatic X.509 certificate creation

GSS-API
- Generic Security Services Application Programming Interface.
- The GSS-API is a generic API for doing client-server authentication (calls for authentication, confidentiality and integrity, independent of the underlying security systems).
- The motivation behind it is that every security system has its own API, and adding different security systems to applications is extremely difficult because of the variance between security APIs.
- With a common API, however, application vendors could write to the generic API and it could work with any number of security systems.

GSI: Mutual Authentication
- Services mutually authenticate against each other on the Grid
- Trust relationships have to be set up beforehand: which certificate authorities does LSU trust? (DOE, NCSA, GridLab, ...)
- Admins and policy makers involved
- Exchange of certificates and public keys
- Look in /etc/grid-security/certificates/

Mutual Authentication
If entity X wants to invoke entity Y:
- X provides certificate to Y
- Y validates certificate
- Y challenges X: Y sends a message to X, X encrypts it with its private key and sends it back, Y decodes it with the public key from the certificate
- Y provides certificate to X
- Etc.
- Finally they both trust each other
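The hash-then-sign procedure from the Digital Signature slide and the challenge step from the Mutual Authentication slide, as one added example that is not code from the lecture or from GSI. It assumes a toy unpadded RSA key built from two Mersenne primes and SHA-256 as the hash; production systems use randomly generated keys and a padded signature scheme.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes (constructed for this example;
# real keys use random primes and padded signatures such as RSA-PSS).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent, as in the certificate dump
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves X


def digest(message: bytes) -> int:
    """Hash the message; only this short value is signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """'Encrypt' the hash with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recompute the hash and compare it with the value the public key recovers."""
    return pow(signature, e, n) == digest(message)


class Verifier:
    """Entity Y: issues a fresh random challenge per authentication attempt."""

    def __init__(self, e: int, n: int):
        self.e, self.n = e, n
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)
        return self.pending

    def check(self, response: int) -> bool:
        nonce, self.pending = self.pending, None    # each challenge is single use
        return nonce is not None and verify(nonce, response, self.e, self.n)


def demo() -> dict:
    msg = b"transfer results to site C"
    sig = sign(msg)
    y = Verifier(E, N)
    first = sign(y.challenge())      # X answers using its private key
    ok = y.check(first)
    y.challenge()                    # new attempt, new nonce
    replayed = y.check(first)        # a captured old answer no longer verifies
    return {"valid": verify(msg, sig), "tampered": verify(msg + b"!", sig),
            "auth": ok, "replay": replayed}


if __name__ == "__main__":
    print(demo())
```

The fresh random challenge is what makes the exchange an authentication step: a response recorded from an earlier session fails against a new nonce.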

User Proxies
- Minimize exposure of the user's private key
- A temporary X.509 proxy credential for use by our computations
  - We call this a user proxy certificate
  - Allows a process to act on behalf of the user
  - User-signed user proxy cert stored in a local file
  - Created via the grid-proxy-init command
- The proxy's private key is not encrypted
  - Rely on file system security: the proxy certificate file must be readable only by the owner
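Because the proxy's private key is stored unencrypted, the file permission requirement above is the whole protection. The following check is an added example, not part of the lecture or of the Globus Toolkit; the function name `check_proxy_file` and the temporary file it inspects are constructed for illustration.

```python
import os
import stat
import tempfile


def check_proxy_file(path):
    """Return a list of problems with a proxy credential file (empty = OK)."""
    problems = []
    try:
        st = os.lstat(path)                 # lstat: do not follow symlinks
    except FileNotFoundError:
        return ["file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    if st.st_uid != os.getuid():
        problems.append(f"owned by uid {st.st_uid}, not the current user")
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        problems.append(f"group/other permission bits set: {extra:03o}")
    return problems


def demo():
    """Exercise the check on a constructed placeholder file."""
    with tempfile.TemporaryDirectory() as tmp:
        proxy = os.path.join(tmp, "proxy.pem")
        # Create the file owner-only from the start, never chmod after writing.
        fd = os.open(proxy, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("constructed placeholder, not a real credential\n")
        os.chmod(proxy, 0o600)              # make the mode independent of umask
        good = check_proxy_file(proxy)
        os.chmod(proxy, 0o644)              # simulate a world-readable proxy
        loose = check_proxy_file(proxy)
        link = os.path.join(tmp, "link.pem")
        os.symlink(proxy, link)
        linked = check_proxy_file(link)
    return good, loose, linked


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```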

Delegation
- Remote creation of a user proxy
- Results in a new private key and X.509 proxy certificate, signed by the original key
- Allows remote process to act on behalf of the user
- Avoids sending passwords or private keys across the network