Brief Introduction to Certificates for Accessing the NW-GRID


Presentation Transcript


  1. Brief Introduction to Certificates for Accessing the NW-GRID John Kewley Grid Technology Group E-Science Centre CCLRC Daresbury Laboratory j.kewley@dl.ac.uk

  2. Talk outline • Security Basics • Certificates • Requirements for accessing the NW-GRID • Registering for NW-GRID

  3. Security Issues • How does the expensive Grid resource "account" for its use? Are these users who they claim to be? • How does a user utilise a resource on a remote machine when he may not have an account on any intervening ones? • How can you trust the remote machine to "behave" with your data?

  4. Security Basics • Authentication • Who you are, Identity • Non-repudiation • Authorisation • What you are allowed to do, Capability • Which resources you can use • Confidentiality (encryption) • Integrity (untampered, lossless)

  5. Tools of the trade Encryption • Secret “symmetric” key – both parties need to share the key • DES, RC4 • Comparatively efficient • Public/private key – “asymmetric”: 2 keys mathematically related • RSA, DSA • Slower One-way hash / message digest • MD5, SHA-1 • Fast

  6. [Slide 5 with its text ROT13-encoded:] Gbbyf bs gur genqr Rapelcgvba • Frpergt “flzzrgevp” xrl – obgu cnegvrf arrq gb funer gur xrl • QRF, EP4 • Pbzcnengviryl rssvpvrag • Choyvp/cevingr xrl – “nflzzrgevp” - 2 xrlf zngurzngvpnyyl eryngrq • EFN, QFN • Fybjre Barjnl unfu / zrffntr qvtrfg • ZQ5, FUN-1 • Snfg

  7. Tools of the trade Encryption • Secret “symmetric” key – both parties need to share the key • DES, RC4 • Comparatively efficient • Public/private key – “asymmetric”: 2 keys mathematically related • RSA, DSA • Slower One-way hash / message digest • MD5, SHA-1 • Fast

  8. Public/Private keys [diagram: clear text message → encrypted text → clear text message, with the Private Key applied first and the Public Key second] • Asymmetric encryption comprises a key pair, one private and one public: • it is computationally infeasible to derive the private key from the public one; • a message encrypted by one key can be decrypted only by its partner • Public keys can be freely exchanged / distributed • The sender encrypts using his private key • The receiver decrypts using the sender's public key

  9. Certificates • A statement from a trusted third party (the Certification Authority) that your public key (and hence your private key) is associated with your identity • A certificate can only be verified if you have the public key of the party who signed it

  10. X.509 Certificates An X.509 Certificate contains: • owner’s public key; • identity of the owner; • info on the CA; • validity; • serial number; • digital signature from the CA. Example certificate fields shown on the slide:
      Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
      Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
      Expiration date: Aug 26 08:08:14 2005 GMT
      Serial number: 625 (0x271)
      [diagram labels: Public key; CA Digital signature]

  11. Certificate Request [diagram; the recoverable steps:] • User generates public/private key pair in browser; the private key is kept encrypted on local disk. • User sends the public key (CertRequest) to the CA and shows the RA proof of identity (pictured as a State of Illinois ID). • CA signature links identity and public key in the certificate (Cert); the diagram also shows the CA root certificate at the Certification Authority. • CA informs user.

  12. Certificate installation • Download certificate into your browser • Export certificate as .p12 (on Linux) or .pfx (on Windows) format and move to the Grid client machine (Linux for now) • Convert certificate to correct format using openssl, change file permissions and install into correct directory (or by using the Growl script mk-cert)

  13. $ openssl pkcs12 -in mykey.p12 -clcerts -nokeys -out usercert.pem
        <Pass1>                              (import password of mykey.p12)
      $ openssl pkcs12 -in mykey.p12 -nocerts -out userkey.pem
        <Pass1> <Pass2> <Pass2> [confirm]    (import password, then a new PEM pass phrase for userkey.pem, entered twice)
      $ chmod 444 usercert.pem
      $ chmod 400 userkey.pem
      $ mv userkey.pem ~/.globus
      $ mv usercert.pem ~/.globus
      $ chmod 700 ~/.globus
      Use of mk-cert:
      $ mk-cert mykey.p12 <Pass1> [<Pass2>]

  14. Proxy Certificates To support delegation (A delegates to B the right to act on behalf of A), proxy certificates extend X.509 certificates: • Short-lived certificates signed by the user’s certificate or a proxy • Reduces security risk, enables delegation
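The chain slides 8–10 and 14 describe (a key pair and a signed digest, a CA binding an identity to a public key, and a short-lived proxy signed by the user's own key), modelled in Python as an added example; this is not code from the talk or from any grid middleware. It uses textbook RSA over small fixed primes for illustration only; "Example CA" and the proxy subject are constructed names, while serial 625 and the user's CN come from the slides.

```python
import hashlib
from dataclasses import dataclass, replace
DAY, HOUR = 86400, 3600

def make_key(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two small fixed primes; the public half is (n, e)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(key, data):  # private-key operation on the message digest (slide 8)
    n, _, d = key
    return pow(digest(data, n), d, n)
def verify(pub, data, sig):  # anyone holding the public key can check the signature
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

@dataclass(frozen=True)
class Cert:  # the fields slide 10 lists: owner's key, identity, issuer, validity, serial, signature
    subject: str
    pub: tuple
    issuer: str
    serial: int
    not_after: int
    sig: int = 0
    def tbs(self):  # "to be signed" bytes: every field except the signature itself
        return f"{self.subject}|{self.pub}|{self.issuer}|{self.serial}|{self.not_after}".encode()

def issue(issuer_key, issuer_name, subject, pub, serial, not_after):
    """The issuer binds a public key to an identity (slide 9) by signing the certificate body."""
    body = Cert(subject, pub, issuer_name, serial, not_after)
    return replace(body, sig=sign(issuer_key, body.tbs()))

def verify_chain(chain, trusted_ca, now):
    """chain = [leaf, ..., CA-issued cert]; each link must name its signer, carry its valid signature,
    be unexpired, and not outlive the signer (a proxy is short-lived by design, slide 14)."""
    for cert, signer in zip(chain, chain[1:] + [trusted_ca]):
        if cert.issuer != signer.subject or not verify(signer.pub, cert.tbs(), cert.sig):
            return False
        if now > cert.not_after or cert.not_after > signer.not_after:
            return False
    return verify(trusted_ca.pub, trusted_ca.tbs(), trusted_ca.sig)  # trust anchor is self-signed

def build_chain(now):
    """Constructed data: self-signed CA, user certificate valid 365 days, proxy valid 12 hours."""
    ca_key, user_key, proxy_key = make_key(1000003, 1000033), make_key(1000037, 1000039), make_key(1000081, 1000099)
    ca = issue(ca_key, "CN=Example CA", "CN=Example CA", ca_key[:2], 1, now + 5 * 365 * DAY)
    user = issue(ca_key, ca.subject, "CN=john kewley", user_key[:2], 625, now + 365 * DAY)
    proxy = issue(user_key, user.subject, "CN=john kewley proxy", proxy_key[:2], 1, now + 12 * HOUR)
    return ca, user, proxy, user_key
```

A forged subject, an expired proxy, a proxy that outlives its signer, or a proxy presented without the user certificate that signed it all fail `verify_chain`.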

  15. Use of MyProxy Server [diagram: Client (JK, 365d), Growl Server (JK, 12h), MyProxy Server (JK, 7d); arrows labelled growl-login and myproxy-logon]

  16. Registering to use NW-GRID There is a web registration form for NW-GRID (http://www.nw-grid.ac.uk/?q=nwguser/regForm). Once approved, this will: • assign you a common username (e.g. nwdljk) • register the Distinguished Name (DN) from your certificate, e.g. /C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley, with the NW-GRID machines • open NW-GRID firewalls so your client machine(s) can access the Grid resources.
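The DN registration step above, as an added example and not NW-GRID's own software: a constructed table maps a certificate DN to the common username, and the lookup accepts both DN spellings the deck shows (the slash form of slide 16 and the comma form of slide 10) while insisting on an exact match of the attribute values.

```python
import re

# Constructed registration table: certificate DN -> common NW-GRID username (slide 16's example values).
REGISTERED = {
    "/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley": "nwdljk",
}

def parse_dn(dn):
    """Split a DN written either as '/C=UK/O=...' (OpenSSL slash form) or 'C=CH, O=CERN, ...'
    (comma form) into an ordered tuple of (type, value) pairs. A backslash-escaped separator
    is part of the value, so 'CN=a\\/b' yields the value 'a/b'."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        parts = re.split(r"(?<!\\),\s*", dn)
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.replace("\\/", "/").replace("\\,", ",")))
    return tuple(pairs)

def lookup_account(dn):
    """Return the registered username for a presented DN, or None if it is not registered.
    Attribute types compare case-insensitively; values must match exactly and in order,
    so 'CN=John Kewley' does not map to the account registered for 'CN=john kewley'."""
    table = {parse_dn(registered): account for registered, account in REGISTERED.items()}
    return table.get(parse_dn(dn))
```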

  17. Requirements for accessing the Grid To access the Grid, you will need: • An e-science certificate, from a trusted certification authority, in an appropriate format • The Distinguished Name (DN) from your certificate registered with the Grid resource you intend to use • Client-side middleware on the accessing computer (unless you intend using only browser/portal technology) • No firewalls "in the way" between your client and the grid resource

  18. Some useful links • NW-GRID http://www.nw-grid.ac.uk/ • GROWL http://www.growl.org.uk/ • NGS CA Web site https://ca.grid-support.ac.uk/ • STFC e-Science Centre http://www.e-science.stfc.ac.uk/
