Grid security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 55

Grid Security PowerPoint PPT Presentation


  • 88 Views
  • Uploaded on
  • Presentation posted in: General

Grid Security. EMBRACE Grid Tutorial, Helsinki, 16 June 2006. Heinz Stockinger Swiss Institute of Bioinformatics Lausanne, Switzerland. I guess you all know that …. How about that one?. What does this have to do with computing?. Well, it’s all about codes and access to information

Download Presentation

Grid Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Grid security

Grid Security

EMBRACE Grid Tutorial,

Helsinki, 16 June 2006

Heinz Stockinger

Swiss Institute of Bioinformatics

Lausanne, Switzerland


I guess you all know that

I guess you all know that …


How about that one

How about that one?


What does this have to do with computing

What does this have to do with computing?

  • Well, it’s all about codes and access to information

  • In Grid computing:

    • Limit access to resources

    • Use standard computer security


Motivation security in the grid

Motivation: Security in the Grid

  • In industry, several security standards exist:

    • Public Key Infrastructure (PKI)

      • PKI keys

      • SPKI keys (focus on authorisation rather than certificates)

      • RSA

    • Secure Socket Layer (SSL)

      • SSH keys

    • Kerberos

  • Need for a common security standard for Grid services

    • Above standards do not meet all Grid requirements (e.g. delegation, single sign-on etc.)

  • Grid community mainly uses X.509 PKI for the Internet

    • Well established and widely used (also for www, e-mail, etc.)


Security overview

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


Introduction

Introduction

  • Distribution of resources: secure access is a basic requirement

    • secure communication, secure data, resources etc.

    • security across organisational boundaries

    • single sign-on for users of the Grid

  • Three basic concepts:

    • Secure communication:

      • Data Encryption

    • Authentication: Who am I?

      • “Equivalent” to a pass port, ID card etc.

    • Authorisation: What can I do?

      • Certain permissions, duties etc.


Data encryption

Clear text message

Clear text message

Encryption

Encryption

Key B

Encrypted text

Encrypted text

Decryption

Decryption

Shared key

Key A

Clear text message

Clear text message

Data Encryption

  • Symmetric encryption: same key (“secret”) used for encryption and decryption

    • Kerberos, DES / 3DES, IDEA

  • Asymmetric encryption: different keys used for encryption and decryption

    • RSA, DSA


Authentication

Authentication

  • Do we want authorised users or anonymous access to our service?

  • How can I prove how I am?

    • In private life: people have passports, identity cards

      • Issued by a certain authority

    • In office life: we use ids and passwords to access computers


Certificate grid passport

Certificate = “Grid Passport”

  • Public Key Infrastructure:

    • Use a public and private key

  • Grid Certificate:

    • Name

    • Issuer (Certificate Authority)

    • Valitidy

A passport has several important

items


Security overview1

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


Public key infrastructure pki

Clear text message

Clear text message

Encrypted text

Public Key

Private Key

Public Key Infrastructure (PKI)

  • Asymmetric encryption

  • Digital signatures

    • A hash derived from the message and encrypted with the signer’s private key

    • Signature checked decrypting with the signer’s public key

  • Allows key exchange in an insecure medium using a trust model

    • Keys trusted only if signed by a trusted third party (Certification Authority)

    • A CA certifies that a key belongs to a given principal

  • Certificate

    • Public key + information about the principal + CA signature

    • X.509 format most used

  • PKI used by SSL, PGP, GSI, WS security, S/MIME, etc.


Pki example

PKI – Example

Entity B (Bob)

Entity A (Alice)

public key

private key

public keye

private keyd

wishing to send a message m to A:

ciphertextc = Ee(m)

applies the decryption transformation

m = Dd(c).

encryption transformation Ee

decryption transformation Dd


Security overview2

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


X 509 certificates and authentication

Structure of a X.509 certificate

Public key

Subject:C=CH, O=CERN, OU=GRID, CN=John Smith 8968

Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA

Expiration date: Aug 26 08:08:14 2005 GMT

Serial number: 625 (0x271)

CA Digital signature

X.509 certificates and authentication

B

A

A

A’s certificate

Verify CA signature

Random phrase

Encrypt with A’ s private key

Encrypted phrase

Decrypt with A’ s public key

Compare with original phrase

Performace !


X 509 alias iso iec itu 9594 9

X.509 alias ISO/IEC/ITU 9594-9

  • X.509 is ITU Standard:

    • ITU-T Recommendation X.509 (1997 E). Information technology - Open Systems Interconnection - The Directory: Authentication Framework

    • Defines a certificate format (originally based on X.500 Directory Access Protocol)

      • Latest standard: X.509 version 3 certificate format

  • X.509 certificate includes:

    • User identification (someone’s subject name)

    • Public key

    • A “signature” from a Certificate Authority (CA) that:

      • Proves that the certificate came from the CA.

      • Vouches for the subject name

      • Vouches for the binding of the public key to the subject


Involved entities

CA

Involved entities

Certificate Authority

User

Public key

Private key

certificate

Resource

(site offering services)


Certification authorities

Certification Authorities

  • Issue certificates for users, programs and machines

  • Check the identity and the personal data of the requestor

    • Registration Authorities (RAs) do the actual validation

  • Manage Certificate Revocation Lists (CRLs)

    • They contain all the revoked certificates yet to expire

  • CA certificates are self-signed

  • In Grid projects on certain CAs are mutually recognised


Certificate classification

Certificate classification

  • User certificate

    • issued to a physical person

    • DN= C=CH, O=CERN, OU=GRID, CN =John Smith

    • the only kind of certificate good for a client, i.e. to send Grid jobs etc.

  • Host certificate

    • issued to a machine (i.e. a secure web server, etc.)

    • request signed with a user certificate

    • DN= C=CH, O=CERN, OU=GRID, CN=host1.cern.ch

  • Grid host certificate

    • issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)

    • request signed with a user certificate

    • DN= C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch

  • Service certificate

    • issued to a program running on a machine

    • request signed with a user certificate

    • DN= C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch


Grid certificate

Grid Certificate

  • A certificate needs to be requested from a Certificate Authority

  • When using the Grid Security Infrastructure (GSI), the certificate consists of two parts:

    • usercert.pem

    • userkey.pem


X 509 certificate example 1

X.509 Certificate Example (1)

  • openssl x509 –in ~/.globus/usercert.pem –text

    Certificate:

    Data:

    Version: 3 (0x2)X509.3 – with extensions

    Serial Number: 199 (0xc7)

    Signature Algorithm: md5WithRSAEncryption

    Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CAIssuer CA

    Validity

    Not Before: Sep 25 10:33:05 2005 GMT long term certificate

    Not After :Sep 24 10:33:05 2006 GMT

    Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe Useruser identification

    Subject Public Key Info:

    Public Key Algorithm: rsaEncryption public key

    RSA Public Key: (1024 bit)

    Modulus (1024 bit): 00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:

    […]


X 509 certificate example 2

X.509 Certificate Example (2)

X509v3 extensions:

X509v3 Basic Constraints: critical Certificate extensions

CA:FALSE

X509v3 Subject Key Identifier:

71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53

X509v3 CRL Distribution Points: Certificate Revocation ListURI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL

X509v3 Issuer Alternative Name:

email:[email protected]

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.96.10.1.2.1

Netscape Cert Type:

SSL Client, S/MIME, Object Signingclient/user Certificate

Netscape Base Url:

http://service-grid-ca.web.cern.ch/service-grid-ca/

Signature Algorithm: md5WithRSAEncryption

54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:[...]Signature on the information


Private key example

Private Key Example

  • openssl rsa -in ~/.globus/userkey.pem –text

    Enter PEM pass phrase:

    Private-Key: (1024 bit)

    modulus: [...]

    publicExponent: ..... (0x......)

    privateExponent: [...]

    prime1: [...]private parameters

    prime2: [...]

    exponent1: [...]

    exponent2: [...]

    coefficient: [...]

    writing RSA key

    -----BEGIN RSA PRIVATE KEY-----PEM encoded private key

    -----END RSA PRIVATE KEY-----


Security overview3

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


Globus grid security infrastructure gsi

Globus Grid Security Infrastructure (GSI)

  • de facto standard for Grid middleware

  • Based on PKI

  • Implements some important features

    • Single sign-on: no need to give one’s password every time

    • Delegation: a service can act on behalf of a person

    • Mutual authentication: both sides must authenticate to the other

  • Introduces proxy certificates

    • Short-lived certificates including their private key and signed with the user’s certificate


Gsi general overview

GSI General Overview

Proxies and delegation (GSI

Extensions) for secure single

Sign-on

Proxies and Delegation

SSL/

TLS

PKI

(CAs and

Certificates)

SSL for

Authentication

and message

protection

PKI for

credentials

Based on Slide from Globus Tutorial


Virtual organizations and authorization

Virtual Organizations and authorization

  • Grid users must belong to a Virtual Organization

    • Sets of users belonging to a collaboration

    • Each VO user has the same access privileges to Grid resources

  • VOs maintain a list of their members

    • The list is downloaded by Grid machines to map user certificate subjects to local “pool” accounts: only mapped users are authorized in LCG

    • Sites decide which VOs to accept

...

"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam

"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms

"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice

...

grid-mapfile


Globus command line interface certificate and proxy management

Globus command line interface: certificate and proxy management

  • Get information on a user certificate

    • grid-cert-info[-help] [-file certfile] [OPTION]...

      -allwhole certificate

      -subject | -ssubject string

      -issuer | -IIssuer

      -startdate | -sdStart of validity

      -enddate | -edEnd of validity

  • Create a proxy certificate

    • grid-proxy-init

  • Destroy a proxy certificate

    • grid-proxy-destroy

  • Get information on a proxy certificate

    • grid-proxy-info


Security overview4

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


Secure your services but how

Secure your services - but how?

client program

user certificate

Security library

Security library

Server

host certificate

Authorisation


Different kinds of services

Different kinds of services

  • “Simple” services with standard socket communication

    • Any service written in C/C++, Java, Python, Perl, etc.

      • Use GSI libraries e.g. provided by Globus Toolkit 2

      • http://www.globus.org/security/

      • The libraries handle certificate based authentication

    • Often considered a 1st generation “Grid services”

  • Web services

    • Based on SOAP

    • 2nd generation “Grid services”

  • Web sites


Api gss api and gss assist

API: GSS-API and GSS Assist

  • GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-2743, 2744)

    • Traditionally, it interfaces to Kerberos

    • The Globus project interfaced it to GSI

    • Communication is kept separate: it just creates data buffers, does not move them

    • Rather complicated to use…

    • Documentation at http://docs.sun.com/app/docs/doc/816-1331http://www.gnu.org/software/gss/manual/html_node/index.html

  • GSS-API as user interface to GSI:

    • C API

    • Java API (http://www-unix.globus.org/cog/java/)

  • The Globus GSS Assist routines are designed to simplify the use of the GSSAPI: they are a thin layer over them


Globus extensions

Globus extensions

  • Credential import and export

    • To pass credentials from a process to another or storing them in a file

    • Export to 1) an opaque buffer, or 2) a file in GSI native format

    • gss_import_cred(), gss_export_cred()

  • Delegation an any time

    • A lot more flexible than standard GSS-API delegation

      • Delegation at times other than context establishment

      • Possible to delegate credentials different than those used for context establishment: even for different mechanisms!

        • Ex.: delegate a Kerberos credential over a context established with GSI

    • gss_init_delegation(), gss_accept_delegation()

  • Credentials extension handling

    • support for credential information other than just the identity

  • Set context options at the server side

  • Documentation

    • http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf

    • ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h


Web service security

Web Service Security

  • Transport level security

    • SOAP messages are transmitted encrypted

    • used by some gSOAP GSI plugins

    • Based on SSL/TSL

  • Message level security

    • WS-Security

      • set of SOAP extensions to implement integrity and confidentiality in Web Services

      • <Security> header contains the security-related information

      • http://www-128.ibm.com/developerworks/library/ws-secure/

    • WS-SecureConversation

      • defines how to establish secure contexts and exchange keys

    • Performance issue

    • Used in Globus Toolkit 4


Performance mutual authentication

Performance - Mutual Authentication

  • Having secure connections creates a performance overhead

  • Let’s have a look at the detailed steps Bob - Alice

    • Bob uses proxy to create a request (incl. public key, about 2000 bytes)

    • Alice uses private key to sign the request - sends signed cert. back (in addition, CAs have to match)

      • Alices generates a random message and sends it to Bob, asking Bob to encrypt it.

      • Bob encrypts the message using his private key, and sends it back to Alice. Alice decrypts the message using Bobs's public key. If this results in the original random message, then Alice knows that Bob is who he says he is.

    • Now that Alice trusts Bob's identity, the same operation must happen in reverse.

    • By default, all further message exchange is not encrypted !


Some performance numbers

Some performance numbers

Cryptography is CPU intensive

WS Secure Conversation symmetrical cryptography only

Source: http://webservices.sys-con.com/read/204424.htm


Securing web sites portals

Securing Web sites (Portals)

  • HTML web is is not a web service

    • Web service provides a programmable interface via SOAP

    • A Web page is purely HTML (potentially generated by tools such as JSP, etc.)

  • One can still use Grid security for that purpose

  • Need to load certificate into the web browser

  • Server side (Web server) needs to use Grid security technologies

    • Example: http://wwww.gridsite.org provide modules for Apache server


Security overview5

Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice


Gsi authentication using globus

GSI Authentication using Globus

CA

service

user

VO


Certificate request obtaining a certificate

CA

grid-cert-request

service

user

cert-request

VO

Certificate Request / Obtaining a certificate

once in every year


Certificate signing

CA

grid-cert-request

cert signing

service

user

cert-request

certificate

VO

Certificate Signing


Preparation for registration in vo

CA

grid-cert-request

cert signing

service

user

cert-request

certificate

convert

cert.pkcs12

VO

Preparation for Registration in VO

Goal: user needs to register with a certain VO


Registration

CA

grid-cert-request

cert signing

service

user

cert-request

certificate

convert

cert.pkcs12

registration

VO

Registration

Account Registration

once for the lifetime of the VO (only the DN not the keys, so they may change)

Usage guidelines


Starting a session with globus

CA

grid-cert-request

cert signing

service

user

cert-request

certificate

convert

cert.pkcs12

registration

VO

proxy-cert

grid-proxy-init

Starting a Session with Globus

every 12/24 hours


Usage

Usage

You must have a valid certificate from a trusted CA!

  • „login”: grid-proxy-init

    short lifetime certificate: 24 hours

    Enter PEM pass phrase:

    ...........................+++++

    ....................................+++++

  • checking the proxy: grid-proxy-info -subject

    /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy

    -> use the Grid services

  • „logout”: grid-proxy-destroy


Certificate request for a host

CA

grid-cert-request

grid-cert-request

cert signing

service

user

host-request

cert-request

certificate

convert

cert.pkcs12

registration

VO

proxy-cert

grid-proxy-init

Certificate Request for a Host

once in every year


Signing the certificate

CA

grid-cert-request

grid-cert-request

cert signing

cert signing

service

user

host-request

cert-request

host-cert

certificate

convert

cert.pkcs12

registration

VO

proxy-cert

grid-proxy-init

Signing the Certificate


Configuration on the server

CA

grid-cert-request

grid-cert-request

cert signing

cert signing

service

user

host-request

cert-request

cert/crl update

host-cert

certificate

convert

ca-certificate

cert.pkcs12

registration

crl

VO

proxy-cert

grid-proxy-init

Configuration on the Server

In EDG: automatically updated every night/week


Service

Service

You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.

  • Registering a trusted CA

    • /etc/grid-security/certificates: hashed cert, crl and url

  • Generating a gridmap file: mkgridmap

    • /etc/grid-security/gridmap: DN -> userid/gid mapping

    • See Authorisation

  • Generating host/service certificate: grid-cert-request –host (see user certificates for the whole process)

info


Service ca certificates

Service: CA Certificates

  • ls /etc/grid-security/certificates

    0ed6468a.0 c35c1972.0 d64ccb53.0

    0ed6468a.crl_url c35c1972.crl_url d64ccb53.crl_url

    0ed6468a.r0 c35c1972.r0 d64ccb53.r0

    0ed6468a.signing_policy c35c1972.signing_policy d64ccb53.signing_policy

    16da7552.0 cf4ba8c8.0 df312a4e.0

    16da7552.crl_url cf4ba8c8.crl_url df312a4e.crl_url

    16da7552.r0 cf4ba8c8.r0 df312a4e.r0

    16da7552.signing_policy cf4ba8c8.signing_policydf312a4e.signing_policy

    In General:

    *.0 … CA certificate

    *.r0 … Certificate Revocation List (CRL)

example


Service a certificate

Service: a certificate

  • cat c35c1972.signing_policy

    # EACL CERN CA

    access_id_CA X509'/C=CH/O=CERN/CN=CERN CA'

    pos_rights globusCA:sign

    cond_subjects globus'"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

  • openssl x509 -in c35c1972.0 –text

    Issuer: C=CH, O=CERN, CN=CERN CA[...]the issuer and the subject are the same

    Subject: C=CH, O=CERN, CN=CERN CA[...]self signed certificate

    X509v3 extensions:

    X509v3 Basic Constraints: critical

    CA:TRUE [...]it may be used to sign other certificates

    Netscape Cert Type:

    SSL CA, S/MIME CA, Object Signing CAit is a CA certificate

example


Certificate revocation list crl

Certificate Revocation List (CRL)

  • openssl crl -in c35c1972.r0 –text

    Certificate Revocation List (CRL):

    Version 1 (0x0)

    Signature Algorithm: md5WithRSAEncryption

    Issuer: /C=CH/O=CERN/CN=CERN CAthe issuer is the CA itself

    Last Update: Jul 1 17:53:17 2002 GMT

    Next Update: Aug 5 17:53:17 2002 GMTnext update: shall be checked

    Revoked Certificates:

    Serial Number: 5Athe revoced certificate’s number

    Revocation Date: May 24 16:45:52 2002 GMT

    Signature Algorithm: md5WithRSAEncryptionSignature – as usual

example


Grid mapfile

Grid-mapfile

  • cat /etc/grid-security/gridmap

    "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor

    "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro

    "/C=IT/O=INFN/L=Bologna/CN=Franco [email protected]" aliprod

    "/C=IT/O=INFN/L=Bologna/CN=Marisa [email protected]" aliprod

    "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones

    "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney

    "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon

    "/C=FR/O=CNRS/OU=LPC/CN=Yannick [email protected]" yannick

example


Abbreviations

Abbreviations

  • CA – Certificate Authority

  • CP – Certificate Policy

  • CPS – Certificate Practice Statement

  • CRL – Certificate Revocation List

  • GSI – Grid Security Infrastructure

  • GSS – Generic Security Service

  • PKI – Public Key Infrastructure

  • SSL – Secure Socket Layer

  • TLS – Transport Layer Security

  • VO – Virtual Organization

  • VOMS - Virtual Organization Membership Service


Conclusion

Conclusion

  • Security is important for Grid middleware:

    • In particular in commercial use

  • Security solutions need to be integrated from the very beginning

  • Grid security relies on PKI

    • Requires: authentication & authorisation

  • Basic entities:

    • Users – CA (Certificate Authorities) – Resource Providers

“We had a security concept from the very beginning

but decided to deal with security later”

Thanks to Andrea Sciaba’ (CERN) for reusing some of his slides

The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic area "Life sciences, genomics and biotechnology for health,"contract number LHSG-CT-2004-512092.


  • Login