GRID-FR PowerPoint PPT Presentation



GRID-FR. French CA. http://igc.services.cnrs.fr/GRID-FR. Alice de Bignicourt. Outline: requirements to access the GRID; GRID-FR CA; certificate; statistics. Requirements to access the GRID: user certificate (authentication); access to VO or VOMS (authorization).


Presentation Transcript



GRID-FR

French CA

http://igc.services.cnrs.fr/GRID-FR

Alice de Bignicourt


Outline

  • Requirements to access the GRID

  • GRID-FR CA

  • Certificate

  • Statistics


Requirements to access the GRID

  • User certificate (authentication)

  • Access to VO or VOMS (authorization)

  • User interface or web service access


Outline

  • Requirements to access the GRID

  • About GRID-FR CA

  • Certificate

  • Statistics



About GRID-FR CA

  • CA=Certification Authority

  • CA GRID-FR

    • Issues certificates for institutes participating in GRID projects in which CNRS is involved:

      • EGEE, LCG, DEISA, Grid 5000, ILDG, E-Sciences, Integrative Biology, …

  • Issues user, server and service certificates to:

    • French public institutes & private institutes

    • Foreign public & private institutes, non-HEP, that do not have their own CA (catch-all).



About GRID-FR CA

Composition of a CA

  • CA : Certification Authority

  • RA : Registration Authority

  • EE : End Entity (person, host, service)

  • Certificate repository

    • Certificates (EE, CAs)

    • CRLs

  • Validation Service

  • Encipherment Private Key Recovery Service


About GRID-FR CA

  • GRID-FR signature algorithm

    • SHA1

  • CRL = Certificate Revocation List

    • Generated each night

    • Lifetime: 1 month

    • Dedicated download server:

      • crls.services.cnrs.fr

  • EUGridPMA requirements

    • European Policy Management Authority for Grid Authentication (http://www.eugridpma.org)

    • Activity :

      • To verify the minimum requirements

      • To accredit new CAs


GRID-FR in the CNRS PKI

(Diagram of the CNRS PKI; node labels: CNRS, CNRS-Standard, CNRS-Plus, CNRS-Projets, GRID-FR, SSI, Partenaires-CNRS)


Outline

  • Requirements to access the GRID

  • GRID-FR CA

  • Certificate

  • Statistics



X509v3 Certificate

  • asymmetric encryption algorithm

  • Accredited by the trusted CA

  • Certificate for :

    • User

    • Host

    • Service

  • Key pair (2 keys):

    • Private key

      • NOT communicated

      • Encoded and protected by password

    • Public key (also called certificate)

      • Signed by CA

      • Published



Structure of an X509 certificate

  • Certificate

    • Version

    • Serial Number

    • Algorithm ID

    • Issuer

    • Validity

      • Not Before

      • Not After

    • Subject

    • Subject Public Key Info

      • Public Key Algorithm

      • Subject Public Key

    • Issuer Unique Identifier (Optional)

    • Subject Unique Identifier (Optional)

    • Extensions (Optional)

      • ...

  • Certificate Signature Algorithm

  • Certificate Signature

    (Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3)


Example 1/2

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1323 (0x52b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, O=CNRS, CN=GRID-FR
        Validity
            Not Before: Oct 3 13:13:42 2006 GMT
            Not After : Oct 3 13:13:42 2007 GMT
        Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Alice De Bignicourt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f6:48:51:86:3f:c3:0e:5a:1d:69:9e:c9:a7:4c:
                    25:d8:a1:e7:5a:9c:6f:50:d4:d6:34:ab:3f:57:a7:
                    60:d9:f1:3d:58:43:3a:ca:90:fb:51:9d:2f:4a:3e:
                    10:d4:14:4e:48:ca:6b:9f:d0:ac:f0:b5:94:bb:15:
                    d6:43:49:91:37:72:75:0e:1b:89:d2:7c:76:db:25:
                    60:d1:fd:fc:b5:20:78:18:cb:11:a3:73:9a:e3:2b:
                    ab:a3:cd:7c:0c:6c:9a:3a:19:5e:cb:10:e6:66:f4:
                    8e:02:aa:8f:1b:12:e0:f8:42:5e:68:a8:53:1b:f6:
                    c6:00:92:f0:76:77:6b:f9:cd
                Exponent: 65537 (0x10001)

Slide callouts: Serial Number, CA Issuer, Validity, Subject, Public Key


Example 2/2

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            Netscape Comment: Certificat GRID-FR. Pour toute information se reporter à http://igc.services.cnrs.fr/GRID-FR/
            X509v3 Subject Key Identifier:
                C6:89:EF:A4:82:41:0A:3A:CB:EB:BE:36:69:35:AA:CB:27:E6:15:CC
            X509v3 Authority Key Identifier:
                keyid:77:49:79:C1:F6:BB:92:F0:EC:08:C3:EE:D1:9C:B0:77:10:8C:93:2F
                DirName:/C=FR/O=CNRS/CN=CNRS-Projets
                serial:0C
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.10813.1.1.8.1.0
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 CRL Distribution Points:
                URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
            1.3.6.1.4.1.7650.1:
                unicoreClient
    Signature Algorithm: md5WithRSAEncryption
        a6:35:3a:d8:50:2c:ab:d8:8e:67:fd:54:cf:9c:65:76:1d:31 ../..

Slide callouts: Use of the certificate, Version of the CA’s CP/CPS, E-mail address, CRL



Information in the X509 certificate

  • Information

    • Subject = Distinguished Name (DN)

      • Identifier in the Grid

    • Lifetime

      • Date not before

      • Date not after

    • Extensions: the use of the certificate

  • Common filename extensions for X.509-certificates are :

    • .PEM

      • 2 files : public key, private key protected

    • .P7C - PKCS#7

      • Certificates or CRLs

    • .P12 - PKCS#12

      • 1 file: 2 keys, protected

    • Also : CER DER P7B
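The fields listed on this slide (subject DN, lifetime, extensions) can be read back out of a text dump like the one on the example slides and checked against a relying party's policy. This is an added example, not part of the presentation: `parse_dump` and `audit` are hypothetical names, and the digest list and 2048-bit minimum are assumed local policy values, not GRID-FR's.

```python
import re
from datetime import datetime, timezone

# Abridged from the certificate dump on the example slides (openssl x509 -text layout).
SLIDE_DUMP = """\
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=FR, O=CNRS, CN=GRID-FR
    Validity
        Not Before: Oct 3 13:13:42 2006 GMT
        Not After : Oct 3 13:13:42 2007 GMT
    Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Alice De Bignicourt
        RSA Public Key: (1024 bit)
    X509v3 CRL Distribution Points:
        URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
"""
WEAK_DIGESTS = ("md2", "md5", "sha1")  # assumed local policy, not GRID-FR's
MIN_RSA_BITS = 2048                    # assumed local policy, not GRID-FR's

def field(dump, pattern):
    """Return the first capture group of pattern in dump, or None."""
    m = re.search(pattern, dump, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_dump(dump):
    def when(label):  # collapse repeated spaces (OpenSSL pads single-digit days)
        raw = " ".join(field(dump, rf"^\s*{label}\s*:\s*(.+)$").split())
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return {
        "sig_alg": field(dump, r"^\s*Signature Algorithm:\s*(\S+)"),
        "subject": field(dump, r"^\s*Subject:\s*(.+)$"),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
        "rsa_bits": int(field(dump, r"Public[- ]Key:\s*\((\d+) bit\)")),
        "crl_uri": field(dump, r"^\s*URI:(\S+)"),
    }

def audit(cert, now):
    """List policy findings for a parsed certificate at time `now` (UTC)."""
    findings = []
    # The digest name leads the OpenSSL algorithm string, e.g. md5WithRSAEncryption.
    if cert["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append("weak-signature-digest")
    if cert["rsa_bits"] < MIN_RSA_BITS:
        findings.append("short-rsa-key")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside-validity")
    if cert["crl_uri"] is None:
        findings.append("no-crl-distribution-point")
    return findings
```

A text dump is only a reporting aid; signature, chain and CRL verification still has to be done by the TLS or grid middleware library on the certificate itself.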



How to obtain a GRID-FR certificate ?

  • Requestor

    • Generates :

      • private key

      • public key

    • Sends public key

  • RA (Registration Authority = GRID-FR manager) verifies and validates the request

  • Public key is signed and certificate issued

  • Requestor gets back the certificate


Outline

  • Requirements to access the GRID

  • GRID-FR CA

  • Certificate

  • Statistics


GRID-FR Statistics

  • Valid certificates

    (On June 7th 2007)



GRID-FR Statistics - Countries



Question ?

