Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Published byAnais Rasberry Modified over 9 years ago

Similar presentations

Presentation on theme: "Grid Computing Basics From the perspective of security or An Introduction to Certificates."— Presentation transcript:

1 Grid Computing Basics From the perspective of security or An Introduction to Certificates.

2 Authentication Identification of user Kerberos is Fermilab’s chosen authentication service Certificates provide authentication services for Grid and Web Authorization is permission to access and utilize a resource after authentication

3 X.509 Standard for Public Key Certificates –CCITT Recommendation X.509 Coupled with X500 Naming Conventions Part of Public Key Infrastructure (PKI) Uses Asymmetric Encryption Digital signatures Expiration and Revocation Lists

4 Components of a Certificate Distinguished Names of Issuer and Subject –/DC=org/DC=doegrids/OU=People/CN=Frank J. Nagy 442270 –/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 Serial Number Validity Interval (start and end dates) Extensions –E-mail address, Subject type, Policy Information, etc. Public key of the Subject Signature to make tamper-evident

5 Encryption Symmetric encryption uses same shared key to encrypt and decrypt Alice’s problem is securely getting her key to Bill before sending him any messages Asymmetric encryption uses two keys –User keeps private key secret –User publishes public key

6 Public Key Encryption Alice has published her public key and Bill has a copy. Alice encrypts message with her private key, Bill (or anyone) can decrypt message with her public key –This message can be a digital signature that identifies the rest of the message as from Alice Bill encrypts message with Alice’s public key but only Alice can decrypt with her private key. Computationally Intensive, often used to securely exchange Symmetric key for use in the remainder of the communication session

7 Digital Signature Use to sign messages –Identify sender –Make message tamper-evident Take hash function or checksum of message text Encrypt the hash with private key and send with message Receiver decrypts signature with public key and compares to his hash of message text

8 Certificate Authority Certificates are issued by a Certificate Authority (CA) Trust Chains Root Certificates Update is sometimes seen when doing Windows Update is getting new CA certificates that establish this trust chain for well known root CAs Publish Certificate Revocation List (CRL) –Serial numbers of revoked certificates

9 Trust Chain and Root CA...

10 Fermilab Kerberos CA (KCA) Get a certificate based on having a Kerberos principal With a Kerberos ticket, KCA issues a certificate to the user valid for the maximum lifetime (7 days) of the Kerberos ticket Use kinit followed by kx509 under Linux then typically import certificate into browser Use Get-Cert.bat under Windows which automatically loads certificate into browser

11 Typical KCA Certificate Uses Nessus scanner Import into browser to access some Fermilab Web sites Use to access Grid resources Not generally useful for signing E-mail due to limited lifetime of the certificate

12 DOEGrids CA Can issue personal or host/service certificates good for 1 year. Home site is ttp://ww.doegrids.org for instructions and other informationttp://ww.doegrids.org Request via their Web site –ttps://pki1.doegrids.org/ttps://pki1.doegrids.org/ –As Fermilab employee or visitor use FNAL as the affiliation on the request form –Keep your private key secret! Keep it offline!

13 What is the Grid? Internet Grid Computing Resource Certificate Gatekeeper Jane User

14 Certificates and the Grid Pass your personal certificate to Grid resource gatekeeper Authenticates you to access this resource Kerberos users (KCA certificates) can get full access to Fermilab Grid resources Non-KCA certificates get limited access to Fermilab Grid resources

15 Load your personal certificate into your E- mail program to add digital signature to your E-mail Can also be used to encrypt messages KCA certificates are NOT useful with E-mail due to very limited lifetime, instead use DOEGrids certificates (or ones from other CAs). Certificates and E-mail

16 Certificates and the Web Web servers send a server certificate to your browser to establish secure communications –Secure Sockets Layer (SSL) –https: instead of http: in the URL –Remember those Root CA Certificates Brower is authenticating the server in this case Note: SSL only secures internet link, not data resident at E-commerce site!

17 Certificates and the Web Personal certificate (or KCA certificate) can be loaded into browser and used to authenticate the user for access to some sites. Some Fermilab Web sites use KCA certificates in this manner

18 Host/Service Certificates Fermilab system administrators can get host or service certificates from DOEGrids for Grid resources or Web servers. –ttp://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.htmlttp://computing.fnal.gov/security/pki/Get-DOEGrids-Cert.html You will need OpenSSH utility (see above web page) Get KCA CA Certificates to authenticate KCA user certificates –ttp://omputing.fnal.gov/security/pki/index.htmlttp://omputing.fnal.gov/security/pki/index.html

19 More Information Much of this information will appear in greater detail and with hyperlinks and examples on web pages off the Fermilab Computer Security web page. These web pages are in conceptual development at this time, watch for their appearance in the future. Some information is currently available there, more is in development.

20 References Planning for PKI –By Russ Housley and Tim Polk, pub by Wiley What is a Digital Signature? –http://www.youdzone.com/signature.htmlhttp://www.youdzone.com/signature.html OpenSSL Certificate Cookbook –http://www.pseudonym.org/ssl/ssl_cook.htmlhttp://www.pseudonym.org/ssl/ssl_cook.html The PKI Page (lots of links) –http://www.pki-page.org/http://www.pki-page.org/ The NIST PKI Program –http://csrc.nist.gov/pki/http://csrc.nist.gov/pki/

Download ppt "Grid Computing Basics From the perspective of security or An Introduction to Certificates."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Secure Sockets Layer. SSL SSL is a communications protocol layer which can be placed between TCP/IP and HTTP It intercepts web traffic and provides security.

Secure Sockets Layer. SSL SSL is a communications protocol layer which can be placed between TCP/IP and HTTP It intercepts web traffic and provides security.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Cryptography in e-Business Guest Lecture, November 13, 2006, Olin College Steven R. Gordon Prof. of Info Tech Management Babson College.

Cryptography in e-Business Guest Lecture, November 13, 2006, Olin College Steven R. Gordon Prof. of Info Tech Management Babson College.
Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...

Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.

1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

Similar presentations

Ads by Google