Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December.

Published byMoris Pierce Modified over 8 years ago

Similar presentations

Presentation on theme: "Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December."— Presentation transcript:

1 Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December 11 th -16 th 2006 Sophie Nicoud CNRS/UREC Sophie.Nicoud@urec.cnrs.fr

2 2Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Overview  What do we need to access to Grid Computing infrastructure ?  Authentication Digital certificates Certification Authority collaboration Grid Security Infrastructure (GSI)  Authorization Concept of Virtual Organizations Mechanisms and architecture  Security Groups

3 3Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 What do we need to access to Grid Computing infrastructure ?  Authentication=> Digital Certificate X509v3 (CA) Who I am ?  Authorization=> Virtual Organization (VO or VOMS) What I am allowed to do  Access to GRID=> User Interface or Web portal (UI)  Single Sign-On  Accounting WHO do WHAT and WHEN ?  Future billing

4 4Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Overview  Authentication Digital certificates Certification Authorities collaboration Grid Security Infrastructure (GSI)

5 5Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 What’s a digital certificate ?  Build on mathematical asymmetric algorithms  and trust in a third party, the Certification Authority (CA)  It’s a couple of two keys The keys are generated together It is impossible to derive the private key from the public one A message encrypted by one key can be decrypted only by the other one  It’s composed of a public key and a private key  The public key Plus some information about the owner is signed by the Certification Authority Published worldwide by the CA In the current language, it’s named certificate  The private key Stored in the hard disk of the user machine Encrypted and protected by password

6 6Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 X509v3 Certificate (1)  A digital certificate (or X509v3 certificate) can be issued for Physical person (personal certificate) Machine (host certificate) Program (service certificate)  The CA check the identity of the requester => RA‘s job Registration Authority  The digital certificate has a validity period and an unique serial number  CA has a certificate signed by itself => Root CA by other CA => sub-CA

7 7Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 X509v3 Certificate (2)  When a certificate is lost, stolen or password forgotten the certificate is revoked  The CRL, Certificate Revocation List, contains all serial number of revoked certificates is published when a certificate is revoked at least every month

8 8Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 X509v3 Certificate (3)  The certificate contains : Subject or DN (Distinguish Name) Serial number Time of validity Public key Info on the CA X509v3 extensions s Owner email s Allowed use of the certificate s... Digital signature of the CA

9 9Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 X509v3 Certificate (4) # openssl x509 -text -noout -in usercert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 656 (0x290) Signature Algorithm: sha1WithRSAEncryption Issuer: C=FR, O=CNRS, CN=GRID-FR Validity Not Before: Feb 8 10:04:45 2006 GMT Not After : Feb 8 10:04:45 2007 GMT Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Sophie Nicoud Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b9:8d:52:15:ee:80:d8:8f:3c:a7:1f:fb:59:6d:  Serial number  Issuer CA  Time of validity  Subject  Public key

10 10Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Un certificat X509v3 (2) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.10813.1.1.8.1.0 X509v3 Subject Alternative Name: email:Sophie.Nicoud@urec.cnrs.fr X509v3 CRL Distribution Points: URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl 1.3.6.1.4.1.7650.1: unicoreClient Signature Algorithm: sha1WithRSAEncryption 7a:ea:e5:96:d6:cb:2f:2e:a6:9c:1d:06:55:8a:af:2a:7a:1c:  X509v3 extensions Allowed use  X509v3 extensions CP/CPS version Email CRL  CA signature

11 11Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Digital signature Hash code Public key Fingerprint CA private key Signing of a certificate by the issuer CA Encripted fingerprint CA signing £$ Public key + info + CA signature £$ Certificate £$

12 12Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Certificate checks Public key + info + CA signature £$ Certificate £$ Fingerprint A Hash code CA public key Fingerprint B Equal ? £$ Public key + info + CA signature £$ Time of validi ty ? Inclu de in CRL ? CRL £$ Public key + info + CA signature £$

13 13Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Certification Authorities collaboration (1)  In a Grid environment with many users and many organizations need single sign-on and identity certificates for all national and global grid projects thus issued by independent identity providers and trusted by everyone in the grid  Impossible to use only one CA by project or partner => One CA by country s But also by set of country or institute Need collaboration in each country Need CA coordination to establish CA trust domain Need Catch-all CA for countries without CA

14 14Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Certification Authorities collaboration (2)  At start of EDG in 2001 3 CA : CNRS, INFN, CERN One coordination group CACG then EuGridPMA  Now, in 2006 Coordination group splits in 3 continents European coordination : 37 CAs Asia and Pacific coordination : 8 CAs Americas coordination : 2 CAs Every year new CAs come Many Grid projects : EGEE, LCG, DEISA, EELA, EuMedGrid, EScience, PPDG, …

15 15Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Organisation of GRID PMAs  IGTF, International Grid Trust Federation Establish worldwide trust for Grid Establish rules and charter between PMAs Approved at GGF 15, October 5, 2005 http://www.gridpma.org/  EUGridPMA First PMA to establish IGTF In fact covers not only Europe but stays the reference for most continents http://www.eugridpma.org  TAGPMA America South and North 2 CA, DOE and Canada. Many in accreditation process for South America  APGridPMA Asia and Pacific 10 CA, Australia, Japan, China, Taiwan, … http://apgrid.org/

16 16Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Purpose of GRID PMA  Policy Management Authority : GRID PMA Establish minimal requirements and best practices for GRID CA Accredit CAs by review CP/CPS Audit CAs  Minimal requirements : Certificate Revocation List (CRL) s Lifetime must be no more than 30 days s New CRL must be generated at least 7 days before expiration s New CRL must be issued immediately after a certificate revocation CA Namespace s No clash with any other CA CA System s Dedicated machine in a secure environment where access is controlled Some certificate extensions must be set to specific values …

17 17Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Chinese CA  IHEP CA https://gridca.ihep.ac.cn/ Issue certificates to people and sites participating in Grid Computing CA running since 2004 Accredited by EUGridPMA and APGridPMA in 2005 Managed by Gongxing SUN  SDG CA http://ca.sdg.grid.cn/en/ SDG CA provides PKI services for the Scientific Data Grid research community that are involved in Grid activities Accrdited by APGridPMA Managed by Kai Nan

18 18Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 French CA  2001-2004 : Datagrid-fr CA Sub-CA of CNRS CA dedicated to DataGrid (EDG) project  Since 2005 : GRID-FR CNRS CA Sub-CA of CNRS CA dedicated to GRID projects  Issues certificates for: All French entities: s French institutes or private companies involved in GRID project with the CNRS Catch-all CA: s Institutes or private companies, no HEP, involved with CNRS in a GRID project which have not a national GRID CA  Now, we issue around 800 certificates per year in 27 countries

19 19Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Grid Security Infrastructure (GSI)  Authentication based on digital certificates and trusted CA  A standard for Grid softwares  Implement : Single sign-on: the password is given only one time Mutual authentication : every Grid transaction is mutually authenticated Proxy: allows remote process to authenticate on behalf of the user, to allow someone to use his authorizations and his authentication  Proxy certificates Certificate with limited lifetime signed with user private key

20 20Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Overview  Authorization Concept of Virtual Organizations Mechanisms and architecture

21 21Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Authorization  Virtual Organizations (VO) A set of entities sharing the same objective Users Resources A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.

22 22Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Virtual Organizations (1)  A VO can be a set of user sharing the same experiment, or from the same lab, area or project : Experiment : Biomed, gene, Alice, Atlas, Babar, LHCb, ESR, EGEODE,... Labs, areas : vo.dapnia.cea.fr, vo.lal.in2p3.fr,... Projects : ambrace, infngrid, GridPP, auvergrid,... Other : dteam,...  https://cic.in2p3.fr/index.php?id=vo  One administrator per Virtual Organization He’s the manager of the users of his VO  Site managers allow VO to access to site resources  Specific rights can be allowed by site administrators Refuse users with specific certificate subject patterns VO

23 23Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 LDAP VO  At each site each user certificate is mapped into a unique local user account (UID/GID) in function of his VO  This UID/GID is picked up in the VO pool account defined by the site administrator  Now, there’re 2 types of VO : LDAP VO and VOMS  LDAP VO The oldest method, it is based onLDAP server that contains the list of VO members A user can be a member of only one VO All members of a VO have the same rights access User authentication command is : grid-proxy-init The local authorization file, grid-mapfile, is rebuilt every few hours from the LDAP server. Each certificate subject of the VO is mapped with its VO pool account. "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud".dte "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Alexandre Rozanov".atl "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs

24 24Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 VO LDAP architecture VO Service grid-mapfile Mutual authentication + authorization checks Proxy Cert. (24 h max) VO CA CRL update low frequency high frequency Host Cert. (1 an max) grid-proxy-init User Interface CA Cert. registration User Cert. (1 an max)

25 25Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 VOMS (1)  VOMS, Virtual Organization Membership Service VOMS database contains VO members with their specific rights A VOMS user can have many different set of authorization, next a user can be a member of many VOMS User rights depend of his group or role membership in the VOMS Groups, roles and rights are included in the user proxy User authentication command is : voms-proxy-init --voms Authorizations are expressed by FQAN* and included in proxy attributes /Role=[ ][/Capability= ] *FQAN : Fully Qualified Attributes Name

26 26Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 VOMS (2)  Groups Groups can have a hierarchical structure, indefinitely deep Useful to give different authorization in function of group membership Default group is /  Roles Software manager, VO-Administrator, Production, … Roles have no hierarchical structure – there is no sub-role Roles are not used in ‘normal operation’ They must be specifically requested when user creates his proxy  Proxy attributes are check by each site with LCAS and LCMAPS

27 27Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 VOMS (3)  LCMAPS Maps grid credentials (subject + attributes of the proxy certificate) to local credentials (UID/GID)  LCAS Checks if the user is authorized or banned at the site (currently using the grid-mapfile)  Local authorization file, grid-mapfile, is rebuilt every few hours. Each VOMS/group/role is mapped with its pool account. "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer".dte "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes "/VO=dteam/GROUP=/dteam".dte "/VO=dteam/GROUP=/dteam/ROLE=NULL".dte "/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL".dte "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes "/VO=dteam/GROUP=/dteam/ROLE=production" dtep "/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep

28 28Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 VOMS architecture VOMS Service Mutal authentication and authorization VOMS CA CRL update Low frequency high frequency Host Cert. (1 an max) voms-proxy-init User Interface CA Cert. registration User Cert. (1 an max) Proxy cert. (24 h max) Authorization = Cert. LCAS LCMAPS VOMS Cert.

29 29Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Overview  Security Groups

30 30Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Security groups  Security Incident Response Policy (EGEE/LCG) Grid Security Incident Handling and Response Guide, http://osgdocdb.opensciencegrid.org/0000/000019/002/OSG_incident_handling_v1.0.pdf Announcements and Information Dissemination Incident Detection and Analysis Incident Response on-site => Member(s) on each site Vulnerability Handling  Middleware Security Group (EGEE) Focalized on middleware developments  JSPG, Joint Security Policy Group (LCG) Advise and make recommendations to the LCG Grid Deployment Manager and the LCG Grid Deployment Board (GDB) on matters related to LCG Security. AUP, Grid Acceptable Use Policy, https://edms.cern.ch/document/428036https://edms.cern.ch/document/428036  CA Manager Groups  VO Manager Group

31 31Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006 Links  Certification Authorities http://gridpma.org/  VOMS https://edms.cern.ch/file/572406/1/user-guide.pdf  Security Groups http://egee-jra3.web.cern.ch/egee-jra3/ http://proj-lcg-security.web.cern.ch/proj-lcg-security/ https://cic.gridops.org/index.php?section=roc&page=securityissues Thanks !

Download ppt "Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
An Authorization System for Grid Applications Thesis Presentation 5 th Dec 2006 Author: Wang Xiao Supervisor: Professor Heikki Hämmäinen Instructor: MSc.

An Authorization System for Grid Applications Thesis Presentation 5 th Dec 2006 Author: Wang Xiao Supervisor: Professor Heikki Hämmäinen Instructor: MSc.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

Similar presentations

Ads by Google