www.eu-eela.org, E-science grid facility for Europe and Latin America
gLite Security
Alfonso Pardo, CETA-CIEMAT (Spain)
Dublin (Ireland), 15-18 September

1 gLite Security
www.eu-eela.org, E-science grid facility for Europe and Latin America
Alfonso Pardo, CETA-CIEMAT (Spain)
Dublin (Ireland), 15-18 September 2008

2 www.eu-eela.eu Dublin (Ireland), Tutorial for User and Site Admin., 15.09.2008 – 18.09.2008
Table of contents
Introduction
Encrypting
–Symmetric algorithms
–Asymmetric algorithms: PKI (public key)
Certificates
–Digital signature
–X.509 certificates
Grid security
–Proxy certificates
–Command line instructions
Virtual organizations
–VO and authorization concepts

3 Glossary
Principal
–Any entity: a user, a program or a machine
Credentials
–Data which gives proof of identity
Authentication
–Checking the identity of a principal
Authorization
–Mapping an identity to a certain group of privileges
Confidentiality
–Encrypting a message so that only the receiver can understand it
Integrity
–Guaranteeing that a message has not been modified during transmission

4 Encrypting
Cryptography is the branch of mathematics dedicated to the study of information security and its related aspects, in particular encryption, authentication and access control.
Symbols:
–Plain text: M
–Encrypted text: C
–Encryption with key K1: E_K1(M) = C
–Decryption with key K2: D_K2(C) = M
Algorithms
–Symmetric: K1 = K2
–Asymmetric: K1 ≠ K2
Diagram: Peter encrypts M with K1 to obtain C; John decrypts C with K2 to recover M.

5 Symmetric Algorithms
The same key is used to encrypt and decrypt
Advantages:
–Speed
Disadvantages:
–How to distribute the keys?
Examples:
–DES
–3DES
–Rijndael (AES)
–Blowfish
–Kerberos
Diagram: John encrypts “hola” to “3$r” with the shared key; Mery decrypts “3$r” back to “hola” with the same key.

6 Asymmetric algorithms (Public Key Algorithms)
Each user has two keys, one private and one public:
–it is “impossible” to deduce the private key from the public one;
–a message encrypted with one key can only be decrypted with the other one.
It is not necessary to exchange the keys:
–the sender encrypts using the receiver's private key.
–the receiver decrypts using his public key.
Examples:
–Diffie-Hellman (1977)
–RSA (1978)
Diagram: Mark's keys (public, private) and George's keys (public, private); Mark's “hola” travels to George as “3$r”, George's “hola” travels to Mark as “cy7”.

7 Digital Signature
George calculates the hash of the message.
George encrypts the hash using his private key: the encrypted hash is the digital signature.
George sends the signed message to Mark.
Mark calculates the hash of the message and verifies it against Hash(A), which he obtains by decrypting the signature with George's public key.
If the hashes are equal: the message wasn't modified; George can't repudiate it.
Diagram: George attaches the digital signature (Hash(A) encrypted with his private key, from Pablo's key pair in the original figure) to the message; Mark computes Hash(B) of the received message, recovers Hash(A) with George's public key and checks Hash(A) = Hash(B)?

8 Digital Certificate
George's digital signature is safe if:
1. Pablo's private key is not compromised.
2. Mark knows Pablo's public key.
How can Mark be sure that George's public key is really George's public key and not somebody else's?
–A third entity guarantees the correspondence between public keys and the identity of the owner.
–George and Mark must trust this third entity.
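The symmetric, asymmetric and signature steps of the last four slides as working code, an added example that is not code from the slides or from gLite, using only the Go standard library. It keeps the slides' message “hola” and George's key pair; the algorithm choices (AES-256-GCM for the symmetric case, RSA-2048 with OAEP for the asymmetric case, RSA PKCS#1 v1.5 with SHA-256 for the signature) and all function names are my assumptions. The public-key step encrypts with the receiver's public key and decrypts with the receiver's private key, which is what lets the sender work without holding any secret of the receiver's; the signature step is the slide's "encrypt the hash with the private key, decrypt it with the public key" with the standard padding added.

```go
package main

// Added example, not code from the slides: the three primitives from the
// Encrypting, Symmetric/Asymmetric and Digital Signature slides, built on the
// Go standard library. The message "hola" and the names come from the slides;
// AES-256-GCM, RSA-2048 with OAEP, RSA PKCS#1 v1.5 with SHA-256 for the
// signature, and all function names, are my choices.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newKeyPair is George's (or any user's) public/private key pair.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Symmetric, K1 = K2: John and Mery share one key. AES-GCM also authenticates
// the ciphertext, so a modified C is rejected rather than decrypted to garbage.
func symEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func symDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Asymmetric, K1 != K2: the sender needs only the receiver's public key; the
// matching private key never leaves the receiver.
func asymEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func asymDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Digital signature as on the slide: hash the message, then "encrypt" the hash
// with the signer's private key (PKCS#1 v1.5 adds padding around the hash).
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verify recomputes Hash(B) and compares it with the Hash(A) recovered from
// the signature using the public key; true only if neither was altered.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	key := make([]byte, 32) // constructed shared key for John and Mery
	rand.Read(key)
	c, _ := symEncrypt(key, []byte("hola"))
	m, _ := symDecrypt(key, c)
	fmt.Printf("symmetric: hola -> %x -> %s\n", c, m)

	george, _ := newKeyPair()
	c2, _ := asymEncrypt(&george.PublicKey, []byte("hola")) // Mark uses George's public key
	m2, _ := asymDecrypt(george, c2)                        // only George's private key opens it
	fmt.Printf("asymmetric: George reads %s\n", m2)

	sig, _ := sign(george, []byte("hola"))
	fmt.Println("signature valid:", verify(&george.PublicKey, []byte("hola"), sig))
	fmt.Println("tampered message valid:", verify(&george.PublicKey, []byte("hola!"), sig))
}
```

The last line of the output is the non-repudiation and integrity property of the slide in one bit: changing a single character of the message, or swapping in someone else's public key, makes the verification fail.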

9 Certification Authority
The “third entity” is called Certification Authority (CA).
It issues Digital Certificates (containing the public key and the owner's identity) for users, programs and machines, signed by the Certification Authority.
It checks the identity and personal data of the applicants.
–Registration Authorities (RA): they perform the validation itself.

10 Classic Profile of the CA
How to obtain a certificate:
–Request for the certificate
–User's identity is confirmed by the RA
–Certificate is issued by the CA
–Certificate is used as an access key to the grid

11 Certificate X.509
An X.509 certificate contains:
–owner's public key
–owner's identity
–CA information
–validity period
–serial number
–CA digital signature
Structure of an X.509 certificate (example):
Public Key
Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
Expiration date: Aug 26 08:08:14 2005 GMT
Serial number: 625 (0x271)
CA digital signature

12 Based on X.509 PKI: Grid Security Infrastructure (GSI)
Each user/host/service has an X.509 certificate;
Certificates are signed by the CAs;
Each transaction in the Grid is mutually authenticated:
1. Cole sends his certificate.
2. Sean verifies the signature on Cole's certificate.
3. Sean sends Cole a random number.
4. Cole encrypts it using his private key.
5. Cole sends the encrypted number to Sean.
6. Sean uses Cole's public key to decrypt the number.
7. Sean compares the decrypted number with the original.
8. If they are equal, Sean has verified Cole's identity.
Diagram: Cole → Sean: Cole's certificate (Sean verifies the CA signature); Sean → Cole: random number; Cole encrypts it with his private key; Cole → Sean: encrypted number; Sean decrypts it with Cole's public key and compares it with the original.

13 Updating
The maximum duration of a certificate is 1 year + 1 month. The idea is that at the end of the year (12th month) a new certificate is issued.
Users should be warned about expiration and the need to renew the certificate.
A certificate should not be revoked when a new one is issued, unless the certificate has been compromised or the user has stopped the activity for which the certificate was requested.

14 Updating
It is not necessary for the user to go through identification again for an update:
–This is a great advantage both for the user and the RA.
–Nevertheless a maximum number of updates without identification is advisable (for example: every two years the EE (end entity) must do the identification process again).
To avoid the identification process, the update request must be signed with the user's certificate, for example:
–Email signed with the user's certificate.
–Through a CA/RA web interface that can identify the user's certificate.
If the user's certificate expires before the update, the procedure to request a new certificate must be followed.

15 Where to request a certificate to use in EELA
If you are Italian:
–https://security.fi.infn.it/CA/en/RA/
If you are Portuguese:
–http://ca.lip.pt/
If you are Spanish:
–http://www.irisgrid.es/pki/
If you are none of the above:
–http://igc.services.cnrs.fr/GRID-FR/?lang=en&cmd=certificates&type=usercert

16 Use of the Certificates
To import the certificate into the web browser:
–If you received a .pem certificate, you need to convert it into PKCS12 format
–Use the “openssl” command (available in each UI):
  openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'
GILDA (and other VOs included in EELA):
–You will receive a PKCS12 certificate (you can import it directly into the web browser).
–For its future use, you will need usercert.pem and userkey.pem in the directory ~/.globus on your UI.
–Export the PKCS12 certificate to a local directory on the UI and use openssl again:
  openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
  openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem

17 X.509 Proxy Certificate
It is dangerous to transfer your personal certificate through the Grid.
Proxy Certificates:
–Signed by the certifying entity (or by another proxy).
–They have some important features:
  Delegation
–They have a limited lifetime (minimum risk of a “compromised credential”)
Proxy certificates are created with the grid-proxy-init command:
$ grid-proxy-init
–Options for grid-proxy-init:
  -hours
  -bits
  -help

18 grid-proxy-init
The user enters his pem pass phrase, which is used to decrypt his private key.
The private key is used to sign the proxy certificate, which has its own new public/private key pair.
–So the user's private key is not exposed beyond the creation of the proxy.
Diagram: user's certificate + private key (encrypted) + pem pass phrase → user's proxy certificate.
Proxy
–saved in a local file: it must have read-only attributes, only for the owner.
–Lifetime is short (typically 12h) to minimize security risks.

19 Proxy …
grid-proxy-init ≡ the “login” to the Grid
To “logout”, the proxy must be destroyed:
–grid-proxy-destroy
To get information about your proxy:
–grid-proxy-info
–Options to show proxy information:
  -subject
  -issuer
  -type
  -timeleft
  -strength
  -help

20 Delegation
Delegation = remote creation (second level) of a proxy certificate.
–A new key pair is generated remotely on the server
–The client signs the proxy certificate and returns it
It allows remote processes to be authenticated in the user's name.
–The remote process “impersonates” the user
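A miniature GSI as an added example, not code from the slides, gLite or Globus: it covers the X.509 issuance and mutual-authentication steps of slide 12 and the proxy creation (slides 17 and 18) and delegation (slide 20) above, using only Go's standard library. The key sizes, the 32-byte challenge, the DN values and all function names are my assumptions; the one place the code departs from the slide is that Cole *signs* the random number (PKCS#1 v1.5 over its SHA-256) rather than raw-encrypting it, which is what the slide's "encrypt with the private key" means in practice. Go's certificate verifier does not know RFC 3820 proxy certificates and will not chain through an end-entity certificate, so the proxy is checked by hand as noted in the comments.

```go
package main

// Added example, not code from the slides or from gLite/Globus: a miniature GSI on
// Go's crypto/x509. Participants, the mutual-authentication steps, the fresh proxy
// key pair and the 12 h lifetime follow the slides; sizes and names are my choices.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certify signs a certificate for pub with signer; a nil parent gives a self-signed CA.
func certify(pub *rsa.PublicKey, subject pkix.Name, lifetime time.Duration, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subject, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIdentity: a fresh key pair and its certificate, a CA when issuerCert is nil.
func newIdentity(subject pkix.Name, lifetime time.Duration, issuerCert *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if issuerCert == nil {
		issuerKey = key
	}
	cert, err := certify(&key.PublicKey, subject, lifetime, issuerCert, issuerKey)
	return cert, key, err
}

// verifyChain is Sean's step 2: CA signature and validity period of the certificate.
func verifyChain(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Steps 4 and 6-8: Cole signs Sean's random number with his private key (the slide
// says "encrypts"); Sean checks it with the public key from Cole's certificate.
func respond(key *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

func checkResponse(cert *x509.Certificate, nonce, resp []byte) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, nonce, resp) == nil
}

// signProxy is grid-proxy-init and delegation in one: the owner's key certifies a NEW
// key pair (made locally, or on the remote service when delegating), so the owner's
// private key never leaves the UI. The DN gains a second CN=proxy, as voms-proxy-info shows.
func signProxy(ownerCert *x509.Certificate, ownerKey *rsa.PrivateKey, pub *rsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	subj, cn := ownerCert.Subject, asn1.ObjectIdentifier{2, 5, 4, 3}
	subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: cn, Value: subj.CommonName}, {Type: cn, Value: "proxy"}}
	return certify(pub, subj, lifetime, ownerCert, ownerKey)
}

// verifyProxy: Go's Verify will not chain through an end-entity certificate, so the proxy
// is checked by hand (dates, not outliving its owner, owner's signature), then the owner.
func verifyProxy(proxy, owner, ca *x509.Certificate) error {
	if t := time.Now(); t.Before(proxy.NotBefore) || t.After(proxy.NotAfter) || proxy.NotAfter.After(owner.NotAfter) {
		return fmt.Errorf("proxy expired, not yet valid, or outliving its owner")
	}
	if err := owner.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by its owner: %w", err)
	}
	return verifyChain(owner, ca)
}

func main() {
	caCert, caKey, _ := newIdentity(pkix.Name{CommonName: "Example CA"}, 5*365*24*time.Hour, nil, nil)
	cole, coleKey, _ := newIdentity(pkix.Name{OrganizationalUnit: []string{"GRID"}, CommonName: "Cole"}, 13*30*24*time.Hour, caCert, caKey)
	nonce := make([]byte, 32) // step 3: Sean's random number
	rand.Read(nonce)
	resp, _ := respond(coleKey, nonce)
	proxyKey, _ := rsa.GenerateKey(rand.Reader, 2048) // grid-proxy-init: the proxy's own key pair
	proxy, _ := signProxy(cole, coleKey, &proxyKey.PublicKey, 12*time.Hour)
	fmt.Println("Sean accepts Cole:", verifyChain(cole, caCert) == nil && checkResponse(cole, nonce, resp),
		"| proxy", proxy.Subject, "ok:", verifyProxy(proxy, cole, caCert) == nil, "timeleft:", time.Until(proxy.NotAfter).Truncate(time.Second))
}
```

For delegation, the only difference from the local grid-proxy-init path is where `proxyKey` is generated: the remote service creates it and sends only the public half, the client runs `signProxy` and returns the certificate, and the service now holds a proxy that authenticates in the user's name for `lifetime` and no longer. The "proxy outliving its owner" check is the edge case worth keeping: a 12-hour proxy signed by a certificate that expires in an hour must be rejected.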

21 Long term proxies
Proxy certificates have a lifetime (by default 12 h)
–It is not a good idea to have longer certificates
–Nevertheless, a task in the grid may need to use a proxy for a longer period of time
–For example a task to analyze data can last several days
MyProxy Server:
–Allows creating and saving long term proxy certificates
–myproxy-init -s
  -s: specifies the MyProxy host
–myproxy-info
  Obtains information about stored long term proxies
–myproxy-get-delegation
  Obtains a new proxy from the MyProxy server
–myproxy-destroy
  Destroys the proxy
The gLite file transfer service validates the user's requests and eventually renews proxies from the MyProxy server

22 VOs and authorization
Grid users MUST belong to a virtual organization
–A group of users that belong to a collaboration
–Users must know the guidelines for its use in the VO
VOs keep a member list in an LDAP server
–The list is downloaded by the grid machines to map users to local accounts:
...
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
...

23 VOMS
Virtual Organization Membership Service
–Extends the information in the proxies: membership of the VO, groups, roles.
–Fully compatible with Globus Toolkit.
–Every VO has a database which contains information about the members of the group and the roles and capabilities of each user.
–Users contact the voms server requesting their authorization information
–The server sends the authorization information to the client, who includes it in a proxy certificate.
–$ voms-proxy-init --voms gilda
  Creates a certificate and extends it with the voms server information.
–$ voms-proxy-info --all
  Shows information about the certificate together with the voms extension.
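The two authorization artefacts of these slides, parsed and combined, as an added example that is not code from the slides or from gLite: the grid-mapfile lines of slide 22 (a quoted DN followed by a local account, a leading dot meaning a pool account) and the VOMS attribute strings (FQANs) that voms-proxy-info --all lists as `attribute`, followed by a small site-side decision that needs both. The mapfile sample is constructed from the slide's three entries; the one-account-per-line reading of the format, the type and function names and the authorization rule are my assumptions.

```go
package main

// Added example, not from the slides or from gLite: parsers for the grid-mapfile
// (quoted DN, then a local account; a leading dot marks a pool account) and for
// VOMS FQANs such as /gilda/tutors/Role=NULL/Capability=NULL, plus an authorization
// decision that needs both. The sample mapfile is constructed from the slide.

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// sampleMapfile is constructed from the three entries shown on the slide.
const sampleMapfile = `# grid-mapfile: "DN" account   (constructed sample)
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
`

type mapping struct {
	Account string
	Pool    bool // ".dteam" is a pool of local accounts rather than one user
}

// parseGridMapfile returns DN -> mapping. A malformed line is an error rather
// than being skipped: a silently dropped entry is an authorization bug.
func parseGridMapfile(text string) (map[string]mapping, error) {
	out := map[string]mapping{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end <= 0 {
			return nil, fmt.Errorf("line %d: empty or unterminated DN", n)
		}
		dn, acct := line[1:end+1], strings.TrimSpace(line[end+2:])
		if acct == "" || strings.ContainsAny(acct, " \t") {
			return nil, fmt.Errorf("line %d: expected exactly one account after the DN", n)
		}
		out[dn] = mapping{Account: strings.TrimPrefix(acct, "."), Pool: strings.HasPrefix(acct, ".")}
	}
	return out, sc.Err()
}

// fqan is a parsed VOMS attribute; Role and Capability are "" when VOMS says NULL.
type fqan struct {
	Group, Role, Capability string
}

func parseFQAN(s string) (fqan, error) {
	var f fqan
	if !strings.HasPrefix(s, "/") {
		return f, fmt.Errorf("%q: FQAN must start with /", s)
	}
	var groups []string
	attrs := false // Role= and Capability= must follow all group components
	for _, part := range strings.Split(s[1:], "/") {
		switch {
		case strings.HasPrefix(part, "Role="):
			f.Role, attrs = nullToEmpty(strings.TrimPrefix(part, "Role=")), true
		case strings.HasPrefix(part, "Capability="):
			f.Capability, attrs = nullToEmpty(strings.TrimPrefix(part, "Capability=")), true
		case part == "" || attrs:
			return f, fmt.Errorf("%q: malformed component %q", s, part)
		default:
			groups = append(groups, part)
		}
	}
	if len(groups) == 0 {
		return f, errors.New("FQAN has no group")
	}
	f.Group = "/" + strings.Join(groups, "/")
	return f, nil
}

func nullToEmpty(v string) string {
	if v == "NULL" {
		return ""
	}
	return v
}

// authorize is the site's decision: the DN must be mapped, and the proxy must
// carry a VOMS attribute for the required group with the required role.
func authorize(m map[string]mapping, dn string, attrs []string, group, role string) (string, error) {
	entry, ok := m[dn]
	if !ok {
		return "", fmt.Errorf("%s: not in grid-mapfile", dn)
	}
	for _, a := range attrs {
		f, err := parseFQAN(a)
		if err != nil {
			return "", err
		}
		if f.Group == group && f.Role == role {
			return entry.Account, nil
		}
	}
	return "", fmt.Errorf("%s: no VOMS attribute for group %s role %q", dn, group, role)
}

func main() {
	m, err := parseGridMapfile(sampleMapfile)
	if err != nil {
		fmt.Println("bad mapfile:", err)
		return
	}
	dn := "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968"
	attrs := []string{"/cms/Role=NULL/Capability=NULL", "/cms/prod/Role=NULL/Capability=NULL"}
	for _, g := range []string{"/cms", "/cms/prod", "/alice"} {
		acct, err := authorize(m, dn, attrs, g, "")
		fmt.Printf("%s -> account %q, err: %v\n", g, acct, err)
	}
}
```

The two checks are deliberately separate failures: a DN that is in the mapfile but whose proxy carries no attribute for the requested group is refused just like an unknown DN, which is the slide's point that VO membership (the mapfile) and the VOMS extension in the proxy both have to be in place.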

24 Questions …

25 Practice
Practice in gLite security

26 This page will walk you through the stages of inspecting your certificates and then creating and testing a VOMS proxy. We assume you are logged on a User Interface (glite-tutor.ct.infn.it in this example), that you have valid certificates under the .globus directory, and that you are in your home directory.

27 Inspecting personal certificate
Your personal certificate is split into two separate files in a directory called .globus. These files are effectively your public and private keys, which will be used for the authenticated connections with all the other grid elements. It is essential that they have the correct file permissions, otherwise you won't be able to create a proxy. Check the permissions with the command
ls -l .globus
which should give you the following output:
total 8
-rw-r--r-- 1 giorgio users 1613 Jun 7 15:16 usercert.pem
-r-------- 1 giorgio users 1914 Jun 7 15:16 userkey.pem
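The permission check this slide does by eye with ls -l, as a function that a login script or a site admin's audit could run; an added example, not the slides' or gLite's code. The required modes follow the listing above (usercert.pem world-readable, userkey.pem readable by its owner only), the directory and file names are the Globus ones, and the extra rule that the .globus directory itself must not be writable by group or others is my addition.

```go
package main

// Added example, not the slides' or gLite's code: the "ls -l .globus" check as a
// function. Modes follow the slide's listing; the directory-writability rule is mine.

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkGlobusDir reports why a proxy should not be created from this directory: a
// missing file, an empty key, a private key readable by group or others, or a
// directory that others could write to (and so swap the certificate or key in).
func checkGlobusDir(dir string) error {
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if info.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s is writable by group or others (mode %04o)", dir, info.Mode().Perm())
	}
	cert := filepath.Join(dir, "usercert.pem")
	if _, err := os.Stat(cert); err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	key := filepath.Join(dir, "userkey.pem")
	info, err = os.Stat(key)
	if err != nil {
		return fmt.Errorf("private key: %w", err)
	}
	if info.Size() == 0 {
		return fmt.Errorf("%s is empty", key)
	}
	if mode := info.Mode().Perm(); mode&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; it must be 0400 or 0600 (owner only)", key, mode)
	}
	return nil
}

func main() {
	dir := filepath.Join(os.Getenv("HOME"), ".globus")
	if err := checkGlobusDir(dir); err != nil {
		fmt.Println("NOT OK:", err)
		os.Exit(1)
	}
	fmt.Println("OK:", dir)
}
```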

28 Inspecting personal certificate
You can now have a look inside your certificate with grid-cert-info:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3901 (0xf3d)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority
        Validity
            Not Before: Apr 12 08:32:31 2006 GMT
            Not After : Apr 12 08:32:31 2007 GMT
        Subject: C=IT, O=GILDA, OU=Personal Certificate, L=INFN, CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c7:c9:9a:ae:81:e5:0f:03:c9:f6:0f:5b:3c:c5:
                    [cut...]

29 Inspecting personal certificate
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                41:8D:0A:A0:6D:3E:24:00:9E:98:FA:3B:EF:6F:40:DC:CB:86:81:0B
            X509v3 Authority Key Identifier:
                keyid:F2:4E:BA:9C:42:04:41:7F:A0:0A:AA:35:D0:98:93:12:37:EF:8C:76
                DirName:/C=IT/O=GILDA/CN=GILDA Certification Authority
                serial:00
    Signature Algorithm: md5WithRSAEncryption
        91:b1:2b:45:40:74:b1:0a:ba:d5:d2:fb:ad:32:07:9f:a9:3b:
        [cut...]
        dd:4f

30 Creation of a proxy with voms extensions
This step is comparable to a login on the Grid, because without it you can do very little. The command to do it is
voms-proxy-init --voms VO-NAME
Then, for instance, if your VO is gilda, you have to type
voms-proxy-init --voms gilda
Cannot find file or dir: /home/giorgio/.glite/vomses
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
Enter GRID pass phrase:
Creating temporary proxy ....................................... Done
Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda" Done
Creating proxy ............................................ Done
Your proxy is valid until Fri Jul 14 00:34:00 2006

31 Check your voms proxy
Once your proxy has been created, you can gather information on it with the voms-proxy-info command. It is much more useful when run with the --all option, because it also shows the VO-related information added by the VOMS server, such as the groups you belong to (tutors in this case) or roles. Note also the two different lifetimes: the first refers to the proxy itself, the second to the AC information added by the VOMS server. Both have to be valid for you to be fully enabled to perform operations.
voms-proxy-info --all
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u513
timeleft  : 11:39:55
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
issuer    : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/tutors/Role=NULL/Capability=NULL
timeleft  : 11:39:54
