
Slide 1: Authentication Services. Grid security concepts and tools
D. Cesini (INFN-CNAF), V. Ciaschini (INFN-CNAF), A. Paolini (INFN-CNAF)
INFN Grid School, CNAF, Bologna 26-29/12/2007

Slide 2: Summary
INFN Grid School 26-30/11/2007
Security concepts:
- Symmetric encryption algorithms
- Asymmetric encryption algorithms
- PKI
- Digital Signature
- Digital Certificates
Grid Security:
- VOMS certificates
- myproxy

Slide 3: Glossary
Principal: an entity: a user, a program, or a machine
Credentials: some data providing a proof of identity
Authentication: verify the identity of the principal
Authorization: map an entity to some set of privileges
Confidentiality: encrypt the message so that only the recipient can understand it
Integrity: ensure that the message has not been altered in transmission
Non-repudiation: impossibility of denying the authenticity of a digital signature

Slide 4: Cryptography
Mathematical algorithms that provide important building blocks for the implementation of a security infrastructure.
Symbology:
- Plaintext: M
- Ciphertext: C
- Encryption with key K1: E_K1(M) = C
- Decryption with key K2: D_K2(C) = M
Algorithms:
- Symmetric: K1 = K2
- Asymmetric: K1 ≠ K2
[Figure: M --Encryption (K1)--> C --Decryption (K2)--> M]

Slide 5: Symmetric Algorithms
[Figure: Paul and John exchange the message "ciao", transmitted as the ciphertext "3$r", using one shared key]
The same key is used for encryption and decryption.
Advantages: fast.
Disadvantages: how to distribute the keys? The number of keys is O(n^2).
Examples: DES, 3DES, Rijndael (AES), Blowfish

Slide 6: Asymmetric Algorithms (Public Key)
[Figure: John and Paul each hold a public and a private key; "ciao" travels as "3$r" in one direction and as "cy7" in the other]
Every user has two keys, one private and one public:
- it is hard to derive the private key from the public one;
- a message encrypted by one key can be decrypted only by the other one.
No exchange of secrets is necessary:
- the sender encrypts using the public key of the receiver;
- the receiver decrypts using his private key;
- the number of keys is O(n).
Examples:
- Diffie-Hellman (1977)
- RSA (1978)

Slide 7: One-Way Hash Functions
Functions (H) that, given as input a variable-length message (M), produce as output a string of fixed length (h):
- the length of h must be at least 128 bits (to avoid birthday attacks).
1. Given M, it must be easy to calculate H(M) = h.
2. Given h, it must be difficult to calculate M = H^-1(h).
3. Given M, it must be difficult to find M' such that H(M) = H(M').
Examples:
- MD4/MD5: hash of 128 bits;
- SHA (FIPS standard): hash of 160 bits.

Slide 8 (terminal session):
[marotta@datatag6]$ cat prova1
testo di prova
[marotta@datatag6]$ md5sum prova1
909adc30dcc15239ac640b52d33a12b2  prova1
[marotta@datatag6]$ cat prova2
testo di prove
[marotta@datatag6]$ md5sum prova2
c89ee15b2f056edfbef2dcb62b2249aa  prova2
[marotta@datatag6]$ ls -l /bin/ls
-rwxr-xr-x 1 root root 67700 Dec 9 2005 /bin/ls
[marotta@datatag6]$ md5sum /bin/ls
2636c546ce5ca69687f5dfc74cc3175e  /bin/ls
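The md5sum session above in Python, as an added example that is not part of the slides: it repeats the one-character experiment, streams a file such as /bin/ls through a digest for an integrity check, and shows why slide 7 insists on h >= 128 bits by finding a birthday collision on a deliberately truncated digest. The inputs and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed inputs mirroring the md5sum demo: the two texts differ in one character.
MSG_A = b"testo di prova\n"
MSG_B = b"testo di prove\n"


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Fixed-length digest h = H(M) of a variable-length message M."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Stream a file through H, so a binary such as /bin/ls is never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Differing bits between two digests: a one-character edit flips about half of them."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_digest(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Integrity check against a published digest, compared in constant time."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.lower())


def birthday_collision(bits: int, algo: str = "md5") -> tuple:
    """Two distinct messages whose digests agree on their first `bits` bits.

    Property 3 of slide 7 fails cheaply for short digests: a collision is expected
    after about 2 ** (bits / 2) trials, which is why the slide asks for h >= 128 bits.
    Returns (message_1, message_2, trials).
    """
    shift = hashlib.new(algo).digest_size * 8 - bits
    seen = {}
    for i in range(2 ** bits + 1):  # pigeonhole: a collision is certain within this range
        msg = b"msg-%d" % i
        prefix = int(digest_hex(msg, algo), 16) >> shift
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
```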

Slide 9: Digital Signature
[Figure: Paul (A) signs "This is some message" and sends it to John; John compares Hash(A) with Hash(B)]
1. Paul calculates the hash of the message.
2. Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
3. Paul sends the signed message to John.
4. John calculates the hash of the message and verifies it against the one received from A (Paul) and decrypted with A's public key.
If the hashes are equal: the message was not modified, and Paul cannot repudiate it.

Slide 10: Digital Certificates
Paul's digital signature is safe if:
1. Paul's private key is not compromised;
2. John knows Paul's public key.
How can John be sure that Paul's public key is really Paul's public key and not someone else's?
- A third party guarantees the correspondence between public key and owner's identity.
- Both A and B must trust this third party.
Two models:
- X.509: hierarchical organization;
- PGP: "web of trust".

Slide 11: PGP "web of trust"
[Figure: trust graph among A, B, C, D, E and F]
F knows D and E, who know A and C, who know A and B. F is reasonably sure that the key from A is really from A.

Slide 12: X.509 Certificates
The "third party" is called Certification Authority (CA). A CA:
- issues digital certificates for users, programs and machines;
- checks the identity and the personal data of the requestor (Registration Authorities (RAs) do the actual validation);
- periodically publishes a list of compromised certificates: Certificate Revocation Lists (CRLs) contain all the revoked certificates yet to expire.
CA certificates are self-signed.

Slide 13: X.509 Certificates
An X.509 certificate contains:
- owner's public key;
- identity of the owner;
- info on the CA;
- time of validity;
- serial number;
- digital signature of the CA.
Structure of an X.509 certificate (example):
  Public key
  Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF, CN=Daniele Cesini
  Issuer: C=IT, O=INFN, CN=INFN Certification Authority
  Expiration date: May 10 14:15:14 2005 GMT
  Serial number: 080E
  CA Digital signature


Slide 17: Which CAs are trusted in LCG/EGEE?
http://www.eugridpma.org/
"The EUGridPMA is the international organization to coordinate the trust fabric for e-Science grid authentication in Europe. It collaborates with the regional peers APGridPMA for the Asia-Pacific and The Americas Grid PMA in the International Grid Trust Federation. The charter document defines the group's objective, scope and operation. It is the basis for the guidelines documents on the accreditation procedure, the Authentication profile for X.509 secured "classic" certification authorities and other IGTF recognised Profiles."
In LCG/EGEE, CAs are installed on machines through rpms. The official production apt CA repository is:
  rpm http://linuxsoft.cern.ch LCG-CAs/current production
  apt-get install lcg-CA   (a metapackage that installs all the LCG CAs)

Slide 18: grid-cert-info
Try to look inside a certificate with a text editor:
cat .globus/usercert.pem
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body omitted]
-----END CERTIFICATE-----
Something is needed to understand what is written inside a certificate: you can use the grid-cert-info command (e.g. on a UI).
Usage: grid-cert-info -<option> -f cert_file.pem
where <option> can be: -all, -startdate, -subject, -enddate, -issuer, -help

Slide 19: grid-cert-info
[cesini@lcg-ui cesini]$ grid-cert-info -f .globus/usercert.pem -subject -enddate -startdate -issuer
/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Daniele Cesini/Email=daniele.cesini@cnaf.infn.it
Apr 16 17:50:42 2008 GMT
Apr 17 17:50:42 2007 GMT
/C=IT/O=INFN/CN=INFN CA
Try to run grid-cert-info on your certificate.

Slide 20: grid-cert-info
[cesini@lcg-ui cesini]$ grid-cert-info -all -f /etc/grid-security/certificates/2f3fadf6.0
[cesini@lcg-ui cesini]$ grid-cert-info -file /etc/grid-security/certificates/2f3fadf6.0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, O=INFN, CN=INFN CA
        Validity
            Not Before: Oct 3 14:16:47 2006 GMT
            Not After : Oct 3 14:16:47 2016 GMT
        Subject: C=IT, O=INFN, CN=INFN CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ce:95:8e:0e:83:95:9d:42:a9:ca:29:23:ca:b7:
                    63:f9:0a:49:ba:82:5e:2a:4a:85:e1:f6:dd:e8:ba:
                    ea:79:02:f4:76:a0:22:96:e5:51:f0:3e:32:fd:3d:
                    .......
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
            X509v3 Authority Key Identifier:
                keyid:D1:62:F3:B3:77:72:C8:2E:FB:F2:79:1A:6F:37:4E:27:9F:13:D5:20
                DirName:/C=IT/O=INFN/CN=INFN CA
                serial:00
    Signature Algorithm: sha1WithRSAEncryption
        78:d7:d3:3f:b7:3f:72:72:40:62:01:23:96:80:5c:e4:b7:36:
        e0:c4:7f:43:1d:a8:22:c5:20:6b:17:8e:db:c8:9b:69:03:48:
        c4:86:40:e8:39:b9:99:c9:2d:30:21:69:3f:a0:5f:97:8d:90:
        37:73:86:eb:89:12:05:b5:14:f1:83:cb:62:1f:eb:38:03:e1:
        ........
[cesini@lch-ui cesini]$ openssl verify /etc/grid-security/certificates/2f3fadf6.0
/etc/grid-security/certificates/2f3fadf6.0: /C=IT/O=INFN/CN=INFN CA
error 18 at 0 depth lookup:self signed certificate
OK
Gather info about a certificate in your CE directory /etc/grid-security/certificates/

Slide 21: The Grid Security Infrastructure (GSI)
[Figure: John sends his certificate; Paul verifies the CA signature and sends a random phrase + timestamp; John encrypts its hash with his private key; Paul decrypts with John's public key and compares with the hash of the original phrase]
Based on X.509 PKI. Every Grid transaction is mutually authenticated:
1. John sends his certificate;
2. Paul verifies the CA signature in John's certificate;
3. Paul sends John a challenge string;
4. John encrypts the hash of the challenge string with his private key;
5. John sends the encrypted hash of the challenge to Paul;
6. Paul uses John's public key to decrypt the hash;
7. Paul compares the decrypted hash with the hash of the original challenge;
8. If they match, Paul has verified John's identity and John cannot repudiate it.
Attention: if Bill is in the middle and manages to get John's private key, he can impersonate John! Private keys must be stored in protected places and in encrypted form.
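The signature scheme of slide 9, the CA binding of slides 10-13 and the challenge-response of slide 21, worked as an added Python example that is not from the slides or from any Grid toolkit: textbook RSA with small seeded keys and SHA-1 stands in for the real PKI, the certificate is a plain dict, and names such as gsi_authenticate and issue_certificate are assumptions of this example.

```python
import hashlib
import math
import random
import time

_rng = random.Random(2007)  # seeded so the run is reproducible; real keys need a CSPRNG

def _is_probable_prime(n: int, rounds: int = 20) -> bool:  # Miller-Rabin
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 256):
    """Textbook RSA pair ((e, n), (d, n)); toy size, the CA key on slide 20 is 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(message: bytes, priv) -> int:
    """Slide 9, steps 1-2: hash the message, then 'encrypt' the hash with the private key."""
    d, n = priv
    return pow(int(hashlib.sha1(message).hexdigest(), 16), d, n)

def verify(message: bytes, signature: int, pub) -> bool:
    """Slide 9, step 4: 'decrypt' the signature with the public key and compare hashes."""
    e, n = pub
    return pow(signature, e, n) == int(hashlib.sha1(message).hexdigest(), 16)

def _tbs(subject: str, pub, issuer: str) -> bytes:  # to-be-signed part of a toy certificate
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue_certificate(subject: str, pub, issuer: str, ca_priv) -> dict:  # slide 13 fields
    return {"subject": subject, "pubkey": pub, "issuer": issuer,
            "ca_signature": sign(_tbs(subject, pub, issuer), ca_priv)}

def verify_certificate(cert: dict, ca_pub) -> bool:
    return verify(_tbs(cert["subject"], cert["pubkey"], cert["issuer"]), cert["ca_signature"], ca_pub)

def gsi_authenticate(john_cert: dict, john_priv, ca_pub) -> bool:
    """Paul authenticates John as in slide 21; Paul trusts only the CA public key."""
    if not verify_certificate(john_cert, ca_pub):  # step 2: CA signature on the certificate
        return False
    challenge = f"{_rng.getrandbits(128):032x}|{time.time()}".encode()  # step 3
    response = sign(challenge, john_priv)  # steps 4-5: John signs the hash of the challenge
    return verify(challenge, response, john_cert["pubkey"])  # steps 6-8: Paul verifies
```

A stolen private key (Bill's case on the slide) is the one thing this check cannot detect, which is why the slide ends with how private keys must be stored.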

Slide 22: The Grid Security Infrastructure (GSI)
On the Grid, who is John and who is Paul? Which are the entities that need a certificate?
[Figure: User, WMS, CE, WN, LFC, BDII, SE; the user submits with glite-wms-job-submit]
A certificate is needed for: USER (NOT the UI), RB/WMS, CE, VOMS, SE, LFC, FTS, MYPROXY
A certificate is NOT needed for: WN, BDII, UI

Slide 23: X.509 Proxy Certificate
On the Grid the user does not use his own long-lived certificate: security problems may arise.
X.509 Proxy Certificate:
- GSI extension to X.509 identity certificates;
- has a limited lifetime;
- is signed by the normal end entity certificate or by another proxy.
Delegation = remote creation of a (second level) proxy credential; allows a remote process to authenticate on behalf of the user.

Slide 24: Virtual Organizations and voms-proxy-init
To submit to the Grid, personal certificates are not the end of the story. Users MUST join at least one of the groups allowed to use the Grid resources: a Virtual Organization (VO).
The proxy obtained with grid-proxy-init does not contain information about your VO. The VOMS (Virtual Organization Membership Service) extends the proxy info with VO membership, group, role and capabilities.
Related commands: voms-proxy-init, voms-proxy-destroy, voms-proxy-info, voms-proxy-list

Slide 25: Groups and Roles in VOMS
Every user in a VO belongs to at least one group:
- e.g. /infngrid
And may also belong to some subgroups:
- e.g. /infngrid/g1, /infngrid/g2, meaning subgroups g1 and g2 of /infngrid
There are also Roles:
- e.g. /Role=VO-Admin
Roles make sense only in the context of a group:
- e.g. /Role=VO-Admin in the group /infngrid
Compact way of describing it (FQAN):
- /infngrid/Role=VO-Admin: holding the role of VO-Admin in the group /infngrid

Slide 26: voms-proxy-init
voms-proxy-init creates your proxy for the grid.
- If you forget this command, nothing will work!
Many, many options.
- Most are advanced; we will show only basic usage.
But two things are important:
- If you are reporting a bug, add --debug to voms-proxy-init's command line before reporting the output.
- Run 'voms-proxy-init --version' to discover which version you have. The version of gLite or LCG you have is useless.

Slide 27: voms-proxy-init: basic usage
[marotta@lcg-ui marotta]$ voms-proxy-init --voms infngrid
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy ..................................... Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy ................................ Done
Your proxy is valid until Thu Nov 22 03:19:14 2007
[marotta@lcg-ui marotta]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 11:59:54
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft  : 11:59:54
[Slide callout on the extension block: VO]

Slide 28: What attributes can you request?
[marotta@lcg-ui]$ voms-proxy-list --voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Cannot find file or dir: /home/marotta//.glite/vomses
Creating temporary proxy ............................................ Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Available attributes:
/infngrid/Role=NULL/Capability=NULL
/infngrid/Role=VO-Admin/Capability=NULL
/infngrid/Role=SoftwareManager/Capability=NULL
/infngrid/prova/Role=NULL/Capability=NULL

Slide 29: voms-proxy-init: basic usage
[marotta@lcg-ui]$ voms-proxy-init --voms infngrid:all
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
[... omissis ...]
Your proxy is valid until Thu Nov 22 03:31:14 2007
[marotta@lcg-ui]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 11:59:55
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/Role=VO-Admin/Capability=NULL
attribute : /infngrid/Role=SoftwareManager/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft  : 11:59:55
[Slide callout on the attribute lines: Values]

Slide 30: voms-proxy-init: basic usage
[marotta@lcg-ui]$ voms-proxy-init --voms infngrid:/infngrid/Role=VO-Admin
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy .............................................................. Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy .............................. Done
Your proxy is valid until Thu Nov 22 03:31:24 2007
[marotta@lcg-ui]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 11:59:58
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=VO-Admin/Capability=NULL
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft  : 11:59:58
[Slide callout on the first attribute line: Role]

Slide 31: voms-proxy-init: advanced usage
[marotta@lcg-ui]$ voms-proxy-init --voms infngrid --valid 10:00
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy ................................................................ Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy ....................................... Done
Your proxy is valid until Thu Nov 22 01:51:56 2007
[marotta@lcg-ui]$ voms-proxy-init --voms infngrid --valid 1000:00
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
Enter GRID pass phrase:
Creating temporary proxy ........................................................ Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid"
Warning: voms.cnaf.infn.it:15000: The validity of this VOMS AC in your proxy is shortened to 86400 seconds!
Done
Creating proxy ........................................... Done
Your proxy is valid until Wed Jan 2 07:52:09 2008
[Slide callout on the warning line: Error!]

Slide 32: voms-proxy-init: advanced usage (continued)
[marotta@lcg-ui]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 999:59:59
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft  : 23:59:59
[Slide callout on the extension timeleft: Length has been shortened]
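An added Python example, not from the slides or the VOMS tools, that parses voms-proxy-info --all output of the shape shown on slides 27-32: it splits each FQAN into group, role and capability as slide 25 describes, derives the identity from a delegated subject by stripping trailing /CN=proxy components (the triple proxy of slide 36), answers the authorization question "does this proxy hold role R in group G?", and flags the case above where the VOMS AC expires long before the proxy itself. The sample output and the function names are constructed for this example.

```python
import re

# Constructed sample in the format of `voms-proxy-info --all`, for the --valid 1000:00 case.
SAMPLE_OUTPUT = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 999:59:59
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
attribute : /infngrid/prova/Role=NULL/Capability=NULL
timeleft  : 23:59:59
"""

def parse_timeleft(text: str) -> int:  # 'HHH:MM:SS' -> seconds; hours may exceed 24
    h, m, s = (int(x) for x in text.strip().split(":"))
    return h * 3600 + m * 60 + s

def parse_fqan(fqan: str) -> tuple:  # '/g/sub/Role=R/Capability=C' -> ('/g/sub', R, C)
    group, role, cap = [], "NULL", "NULL"
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        else:
            group.append(part)
    # VOMS prints NULL for "no role" / "no capability"; map that to None.
    return "/" + "/".join(group), (None if role == "NULL" else role), (None if cap == "NULL" else cap)

def parse_voms_proxy_info(text: str) -> dict:
    """Split the output into the proxy block and one block per VO extension."""
    info = {"proxy": {}, "vos": {}}
    current = info["proxy"]
    for line in text.splitlines():
        m = re.match(r"=== VO (\S+) extension information ===", line)
        if m:
            current = info["vos"].setdefault(m.group(1), {"attributes": []})
            continue
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "attribute":
            current["attributes"].append(parse_fqan(value))
        elif key == "timeleft":
            current["timeleft"] = parse_timeleft(value)
        else:
            current[key] = value
    return info

def identity_from_subject(subject: str) -> tuple:  # strip delegation chain -> (identity, depth)
    depth = 0
    while subject.endswith("/CN=proxy"):
        subject, depth = subject[: -len("/CN=proxy")], depth + 1
    return subject, depth

def holds_role(info: dict, vo: str, group: str, role=None) -> bool:  # role=None: membership
    return any(g == group and r == role for g, r, _ in info["vos"].get(vo, {}).get("attributes", []))

def ac_expires_before_proxy(info: dict, vo: str) -> bool:  # the "Length has been shortened" case
    return info["vos"][vo]["timeleft"] < info["proxy"]["timeleft"]
```

A job that outlives the AC keeps a valid proxy but loses its VO attributes, so a check like ac_expires_before_proxy belongs in any script that requests long --valid values.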

Slide 33: Destroying credentials
[ciasc@grid-ui ciasc]$ voms-proxy-destroy
[ciasc@grid-ui ciasc]$

Slide 34: Long term proxy - myproxy
Grid tasks may need more time than the proxy lifetime (which is short for security reasons).
A myproxy server is used to create and store a long-term proxy, which is used to renew short-term proxies when they are about to expire.
Related commands: myproxy-init, myproxy-get-delegation, myproxy-destroy
A dedicated service on the WMS can renew the proxy automatically on your behalf by contacting the myproxy server (the myproxy server should be indicated in the job description).

Slide 35: Myproxy basics
Registering a credential:
[marotta@lcg-ui]$ myproxy-init -d --voms infngrid
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
verify OK
Cannot find file or dir: /home/marotta//.glite/vomses
Creating temporary proxy ......................................... Done
Contacting voms.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it] "infngrid" Done
Creating proxy .................................. Done
Your proxy is valid until Wed Nov 28 16:31:59 2007
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini now exists on myproxy.cnaf.infn.it.

Slide 36: Getting the credential back
[marotta@lcg-ui]$ myproxy-get-delegation -d
Enter MyProxy pass phrase:
A proxy has been received for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini in /tmp/x509up_u514
[marotta@lcg-ui]$ voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy/CN=proxy
type      : unknown
strength  : 512 bits
path      : /tmp/x509up_u514
timeleft  : 11:59:50
=== VO infngrid extension information ===
VO        : infngrid
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it
attribute : /infngrid/Role=NULL/Capability=NULL
timeleft  : 11:58:05

Slide 37: Destroying the credential
[marotta@lcg-ui]$ myproxy-destroy -d
Default MyProxy credential for user /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini was successfully removed.
Avoid directly using MyProxy for job submissions!
- myproxy-init overwrites your existing credentials;
- this means that you cannot specify roles.
Use proxyrenewal instead!
- Details in Marco's presentation.


