Grid Security. Jinny Chien, Academia Sinica Computing Centre, Deployment team.

Slide 1: Grid Security
Jinny Chien, jinny324@gate.sinica.edu.tw, Academia Sinica Computing Centre, Deployment team

Slide 2: Outline
- GSI: Grid Security Infrastructure
- Data Security
- Identification
- Authentication
- Authorization
- Start to use Grid
- Reference

Slide 3: Grid Security Infrastructure (GSI)
GSI is based on public key encryption, X.509 certificates, and the Secure Sockets Layer (SSL) communication protocol. Extensions to these standards have been added for single sign-on and delegation. GSI tries to solve:
- Data security issues
- Identification
- Authentication
- Authorization
- Single sign-on


Slide 5: Data Security: Public Key Algorithms
Every user has two keys, one private and one public:
- it is impossible to derive the private key from the public one;
- a message encrypted by one key can be decrypted only by the other one.
No exchange of secrets is necessary:
- the sender encrypts using the public key of the receiver;
- the receiver decrypts using his private key;
- the number of keys is O(n).
Examples: Diffie-Hellman (1977), RSA (1978).
[Figure: Alice encrypts "ciao" with Bob's public key into "3$r"; Bob recovers "ciao" with his private key. Bob encrypts "ciao" with Alice's public key into "cy7"; Alice recovers "ciao" with her private key.]

Slide 6: Non-Repudiation: Digital Signature
- Alice calculates the hash of the message.
- Alice encrypts the hash using her private key: the encrypted hash is the digital signature.
- Alice sends the signed message to Bob.
- Bob calculates the hash of the message and verifies it against the one received from Alice and deciphered with Alice's public key.
- If the hashes are equal: the message wasn't modified, and Alice cannot repudiate it.
[Figure: Alice sends "This is some message" plus the digital signature to Bob. Bob recovers Hash(A) from the signature with Alice's public key, computes Hash(B) from the message himself, and checks Hash(A) = Hash(B)?]
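The flows of slides 5 and 6 carried through in code, as an added example that is not part of the original slides: a textbook-sized RSA key pair (the tiny primes are assumptions chosen so the arithmetic is visible; real keys are thousands of bits long and use padding) is used first to encrypt "ciao" for the key owner and then for Alice's hash-then-sign signature that Bob verifies.

```python
import hashlib

# Added example, not from the original slides: the public-key and signature flows
# of slides 5 and 6 with a textbook-sized RSA key pair.  The primes are toy values
# so the numbers stay readable; a real key is thousands of bits and uses padding.
P, Q = 61, 53
N = P * Q      # modulus 3233, part of both the public and the private key
E = 17         # public exponent, coprime with (P - 1) * (Q - 1) = 3120
D = 2753       # private exponent: (E * D) % 3120 == 1
ALICE_PUBLIC, ALICE_PRIVATE = (E, N), (D, N)

def encrypt(plaintext: bytes, public_key) -> list:
    """Slide 5: the sender encrypts byte by byte with the receiver's public key."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]

def decrypt(ciphertext: list, private_key) -> bytes:
    """Slide 5: only the matching private key turns the numbers back into bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def message_hash(message: bytes) -> int:
    """Hash of the message, reduced so that it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_key) -> int:
    """Slide 6, Alice: hash the message and encrypt the hash with her private key."""
    d, n = private_key
    return pow(message_hash(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Slide 6, Bob: recover Hash(A) with Alice's public key, compare with Hash(B)."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message)

if __name__ == "__main__":
    secret = encrypt(b"ciao", ALICE_PUBLIC)            # Bob -> Alice
    print(secret, decrypt(secret, ALICE_PRIVATE))      # [...] b'ciao'
    msg = b"This is some message"
    sig = sign(msg, ALICE_PRIVATE)
    print(verify(msg, sig, ALICE_PUBLIC))              # True: unmodified, from Alice
    print(verify(msg, (sig + 1) % N, ALICE_PUBLIC))    # False: damaged signature
    # An altered message should fail too; with a 12-bit toy modulus a chance
    # collision is possible, which real-size hashes and keys rule out in practice.
    print(verify(b"This is some message.", sig, ALICE_PUBLIC))
```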


Slide 8: Identification: CA & X.509 Certificate
[Figure: a Certification Authority certifies the identity of users, hosts and services, each named by a distinguished name:]
- I'm Tom: /O=AS/OU=CC/CN=Tom/Email=tom@sinica.edu.tw
- I'm John: /O=CERN/CN=John/Email=John@sinica.edu.tw
- I'm host A: /O=AS/OU=IP/CN=lcg00001.grid.sinica.edu.tw
- I'm service B: /O=CERN/CN=ftp/adc00001.cern.ch

Slide 9: X.509 Certificates
An X.509 certificate contains:
- owner's public key;
- identity of the owner;
- info on the CA;
- time of validity;
- serial number;
- digital signature of the CA.
Structure of an X.509 certificate (example):
- Public key
- Subject: C=TW, O=AS, OU=CC, CN=Joen Yi Jian
- Issuer: C=TW, O=AS, CN=Academia Sinica Grid Computing Certification Authority
- Expiration date: May 10 14:15:14 2005 GMT
- Serial number: 080E
- CA digital signature

Slide 10: Certificate Request
1. The user generates a public/private key pair; the private key is kept encrypted on local disk.
2. The user sends the public key to the CA, as a certificate request, along with proof of identity.
3. The CA confirms the identity, signs the certificate and sends it back to the user.


Slide 12: Authentication: make sure who is who
B authenticates A:
1. A sends its certificate to B.
2. B verifies A's certificate by checking the CA signature.
3. B sends a message M encrypted with A's public key, which is included in A's certificate.
4. A decrypts the message (M') and sends it to B.
5. B verifies the content of the message: if M' matches M, then B trusts A.
Vice versa, A authenticates B with the same process.


Slide 14: Authorization: decide what you can do
- Grid users MUST belong to Virtual Organizations (VOs), what we previously called "Groups": sets of users belonging to a collaboration. List of supported VOs: https://lcg-registrar.cern.ch/virtual_organization.html
- VOs maintain a list of their members.
- The list is downloaded by Grid machines to map user certificate subjects to local "pool" accounts.
- Sites decide which VOs to accept.
Example /etc/grid-security/grid-mapfile:
  ...
  "/C=TW/O=AS/OU=CC/CN=Jeng-Hsueh Wu/Email=jhwu@gate.sinica.edu.tw" .dteam
  "/C=TW/O=AS/OU=CC/CN=Joen Yi Jian/Email=jinny324@gate.sinica.edu.tw" .dteam
  "/C=TW/O=AS/OU=CC/CN=Li-Yung Ho/Email=liyungho@gate.sinica.edu.tw" .twgrid
  ...
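The subject-to-account mapping of this slide, as an added example that is not part of the original slides: a parser for the grid-mapfile format (quoted subject DN, then one or more comma-separated account names, a leading "." marking a pool account, as the Globus gatekeeper reads it) and an exact-match lookup that returns the pool or local account for a certificate subject. The file content is constructed from the slide's entries; the extra `liyungho` account on the last line is an assumption added to show the multi-account syntax.

```python
import re

# Added example, not from the original slides: parse the grid-mapfile of slide 14
# and resolve a certificate subject to its local account.  Globus format: a quoted
# subject DN, whitespace, then one or more comma-separated account names; a leading
# "." marks a pool account.  The content below is constructed from the slide.
GRID_MAPFILE = '''
# comment lines and blank lines are ignored
"/C=TW/O=AS/OU=CC/CN=Jeng-Hsueh Wu/Email=jhwu@gate.sinica.edu.tw" .dteam
"/C=TW/O=AS/OU=CC/CN=Joen Yi Jian/Email=jinny324@gate.sinica.edu.tw" .dteam
"/C=TW/O=AS/OU=CC/CN=Li-Yung Ho/Email=liyungho@gate.sinica.edu.tw" .twgrid,liyungho
'''

# quoted DN (backslash escapes allowed inside), then the account field
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+(\S+)\s*$')

def parse_grid_mapfile(text: str) -> dict:
    """Return {subject DN: [account names]}; a malformed line is an error, not a mapping."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: malformed entry: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping

def map_subject(mapping: dict, subject: str):
    """Slide 14 decision: ('pool'|'local', account) or None when the DN is unknown.
    Only an exact, case-sensitive match of the whole DN counts, so a certificate
    with one component more or less than the listed subject is not authorized."""
    accounts = mapping.get(subject)
    if not accounts:
        return None
    first = accounts[0]
    if first.startswith("."):
        return ("pool", first[1:])      # a free account from that pool is assigned
    return ("local", first)

if __name__ == "__main__":
    table = parse_grid_mapfile(GRID_MAPFILE)
    dn = "/C=TW/O=AS/OU=CC/CN=Joen Yi Jian/Email=jinny324@gate.sinica.edu.tw"
    print(map_subject(table, dn))                               # ('pool', 'dteam')
    print(map_subject(table, "/C=TW/O=AS/OU=CC/CN=Joen Yi Jian"))  # None: partial DN
```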

Slide 15: Authorization: LCAS
The Local Centre Authorization Service (LCAS) is a service used to decide whether a user is allowed to even log onto a machine. It is integrated inside the gatekeeper and is based on a plugin scheme to support multiple authorization policies.

Slide 16: Authorization: LCMAPS
The Local Credential Mapping Service (LCMAPS) is a service that decides how to map a remote user to a local account, provided that the user has already been authorized to log in. It is (also) integrated inside the gatekeeper and is (also) based on a plugin structure.

Slide 17: VOMS: Manage the VO membership
The Virtual Organization Membership Service (VOMS) is a service that keeps track of the members of a VO and grants them a set of attributes, which get included in the user's proxy certificate at proxy creation time. Attributes are granted to users upon request (e.g. via voms-proxy-init) as an Attribute Certificate (AC), inserted as an extension in the user's proxy certificate and used by the RB, CE, SE, ...:
- VO name
- Group membership
- Role ownership (optional)
[Figure: voms-proxy-init contacts the VOMS server, which consults its DB and returns an AC; the result is a proxy + AC.]

Slide 18: Identification / Authentication / Authorization Overview

Slide 19: The Gatekeeper
On the CE the Gatekeeper authenticates and authorizes the remote user.
[Figure: the remote user has a certificate and has run grid-proxy-init, and his proxy is still valid. PKI authentication by the Gatekeeper is followed by authorization through LCAS (Local Centre Authorization Service) and LCMAPS (Local Credential Mapping Service); the remote user is authenticated and mapped to a local user, and the job is passed to the CE job manager.]
Example: globus-job-run hostCE.hostdomain /bin/hostname (prints hostCE.hostdomain)
Status and log on the CE: service globus-gatekeeper status; /var/log/globus-gatekeeper.log

Slide 20: Single Sign-On
Thinking of a real case. Example: user 'A' submits a job to computer 'B' (1), gets input data from 'C' (2), then writes to storage 'D' (3). Each transaction involves authentication/authorization.

Slide 21: Proxy Certificate
- A delegated user credential that authenticates the user in every secure interaction, and has a limited lifetime.
- The user proxy certificate is written to /tmp/x509up_u followed by the user's numeric id.
- The proxy has a lifetime of 12 hours.

Slide 22: Delegation and limited proxy
- Delegation = remote creation of a (second-level) proxy credential:
  - a new key pair is generated remotely on the server;
  - the client signs the proxy cert and returns it.
- Allows a remote process to authenticate on behalf of the user: the remote process "impersonates" the user.
- The client can elect to delegate a "limited proxy"; each service decides whether it will allow authentication with a limited proxy:
  - the job manager service requires a full proxy;
  - the GridFTP server allows either a full or a limited proxy to be used.


Slide 24: Start to use Grid
1. Obtain a user certificate from ASGCCA.
2. Register to a VO (twgrid, apesci, ...).
3. Obtain an account on a User Interface (UI).
4. Install your certificate & private key.
5. Create a proxy certificate.

Slide 25: Obtain a User Certificate: http://ca.grid.sinica.edu.tw/

Slide 26: Register to a VO: VOMS Web Site
Before you request a membership, please complete the AUP rule.
- For twgrid: https://voms.grid.sinica.edu.tw:8443/voms/twgrid
- For apesci: https://voms.grid.sinica.edu.tw:8443/voms/apesci

Slide 27: Obtain an account on User Interface (UI)
Create an account on the UI. For example:
- Role: root
- UI: lcg00122.grid.sinica.edu.tw
- Account / password

Slide 28: Install your Certificate & Private key: the .globus directory
The .globus directory contains your personal public/private keys. Pay attention to permissions:
- userkey.pem contains your private key and must be readable just by yourself (400);
- usercert.pem contains your public key (certificate), which should be readable also from outside (644).
  [jinnychien@lcg00122 .globus]$ ls -al
  total 20
  -rw-r--r-- 1 jinnychien jinnychien 1920 Mar 17 2005 usercert.pem
  -r-------- 1 jinnychien jinnychien 1997 Mar 17 2005 userkey.pem

Slide 29: Command line
- grid-proxy-init: create a proxy certificate
- grid-proxy-info: print information about a proxy certificate
- grid-proxy-destroy: destroy an existing proxy certificate before its expiration
From the /tmp of the ASGC UI:
  -rw------- 1 hungche dteam 3198 Feb 24 08:21 x509up_u20003
  -rw------- 1 hlshih hlshih 3210 Feb 19 14:05 x509up_u508
  -rw------- 1 tsai tsai 2589 Feb 20 04:28 x509up_u515
  -rw------- 1 jinnychien gtchiang 3202 Feb 28 07:02 x509up_u522
Example:
  [jinnychien@lcg00122 jinnychien]$ grid-proxy-init
  Your identity: /C=TW/O=AS/OU=CC/CN=Joen Yi Jian/Email=jinny324@gate.sinica.edu.tw
  Enter GRID pass phrase for this identity:
  Creating proxy.................................................. Done
  Your proxy is valid until: Mon Mar 13 11:03:00 2006
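A check for the permissions that slides 28 and 29 call for, as an added example that is not part of the original slides: userkey.pem at most 400, usercert.pem at most 644, and the proxy in /tmp/x509up_u<uid> at most 600, reporting any looser mode or foreign owner. The demo() layout is constructed with one deliberately loose key file; in practice you would point check_credentials() at your own ~/.globus and /tmp.

```python
import os
import stat
import tempfile
# Added example, not from the original slides: verify the file permissions that
# slides 28 and 29 require (userkey.pem 400, usercert.pem 644, /tmp/x509up_u<uid>
# 600).  demo() builds a constructed layout; use ~/.globus and /tmp for real checks.
EXPECTED = {
    "userkey.pem": 0o400,   # private key: readable by the owner only
    "usercert.pem": 0o644,  # certificate: may be read by others
}
PROXY_MODE = 0o600          # grid-proxy-init creates proxies -rw-------

def _too_open(actual: int, allowed: int) -> bool:
    """True if 'actual' grants any permission bit that 'allowed' does not."""
    return bool(actual & ~allowed & 0o777)

def check_credentials(globus_dir: str, proxy_dir: str, uid: int) -> list:
    """Return findings; an empty list means the files are as the slides require."""
    findings = []
    for name, allowed in EXPECTED.items():
        path = os.path.join(globus_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{path}: missing")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if _too_open(mode, allowed):
            findings.append(f"{path}: mode {mode:o}, expected at most {allowed:o}")
        if st.st_uid != uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, not {uid}")
    proxy = os.path.join(proxy_dir, f"x509up_u{uid}")   # proxy file name from slide 29
    if os.path.isfile(proxy):
        mode = stat.S_IMODE(os.stat(proxy).st_mode)
        if _too_open(mode, PROXY_MODE):
            findings.append(f"{proxy}: mode {mode:o}, expected {PROXY_MODE:o}")
    return findings

def demo() -> list:
    """Constructed .globus and tmp directories with one deliberately loose key file."""
    root = tempfile.mkdtemp()
    globus, tmp = os.path.join(root, ".globus"), os.path.join(root, "tmp")
    os.mkdir(globus); os.mkdir(tmp)
    files = {os.path.join(globus, "userkey.pem"): 0o644,   # too open: must be 400
             os.path.join(globus, "usercert.pem"): 0o644,
             os.path.join(tmp, f"x509up_u{os.getuid()}"): 0o600}
    for path, mode in files.items():
        open(path, "w").close()
        os.chmod(path, mode)        # chmod sets the mode exactly, unaffected by umask
    return check_credentials(globus, tmp, os.getuid())
```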

Slide 30: voms-proxy-init
- voms-proxy-init is the replacement of grid-proxy-init.
- Users MUST join at least one of the groups allowed to use the Grid resources = Virtual Organization (VO).
- To create a proxy containing attributes retrieved from a VOMS server use: voms-proxy-init -voms voname
For example:
  [jinnychien@lcg00122 jinnychien]$ voms-proxy-init -voms twgrid
  Your identity: /C=TW/O=AS/OU=CC/CN=Joen Yi Jian/Email=jinny324@gate.sinica.edu.tw
  Enter GRID pass phrase:
  Creating temporary proxy............................................................................. Done
  Contacting voms.grid.sinica.edu.tw:15010 [/C=TW/O=AS/OU=CC/CN=voms.grid.sinica.edu.tw] "twgrid" Done
  Creating proxy.................................. Done
  Your proxy is valid until Tue Mar 14 15:38:01 2006

Slide 31: Using the client command
To gather information about your proxy: voms-proxy-info. Options for printing proxy information:
- -help: displays usage
- -version: displays version
- -path: pathname of proxy file
- -vo: VO name
- -all: prints all proxy options
To destroy an already existing VOMS proxy: voms-proxy-destroy


Slide 33: Reference
Grid Security:
- LCG Security: http://proj-lcg-security.web.cern.ch/proj-lcg-security/
- Globus Security: http://www.globus.org/security/
- Grid-it portal: http://grid-it.cnaf.infn.it
- LCG Registration: http://lcg-registrar.cern.ch/
Background:
- GGF Security: http://www.gridforum.org/security/
- IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html
- PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html

Slide 34: Thanks for listening