Authentication and Authorization in gLite. Liang ZHAO, Peking University. EUChinaGrid 3rd Tutorial, Nov. 25, 2006. www.euchinagrid.org

Presentation transcript:


Slide 2: Overview
- Problems
- Glossary
- Encryption
  - Symmetric algorithms
  - Asymmetric algorithms: Public Key Infrastructure
- Certificates
  - Digital signatures
  - X.509 certificates
- Grid Security
  - Proxy certificates
  - Command line interfaces
- Virtual Organization
  - Concept of VO and authorization

Slide 3: Glossary
- Principal: an entity: a user, a program, or a machine
- Credentials: some data providing a proof of identity
- Authentication: verify the identity of a principal
- Authorization: map an entity to some set of privileges
- Confidentiality: encrypt the message so that only the recipient can understand it
- Integrity: ensure that the message has not been altered in transmission
- Non-repudiation: impossibility of denying the authenticity of a digital signature
The "Grid Security Infrastructure" (GSI) is the basis of (most) production grids.

Slide 4: Problems
- How does a user securely access the Resource without having an account on the machines of the Resource?
- How does the Resource know who a user is?
- How does the Resource know what rights a user has, and that they are allowed access?
Figure: User and Resource, linked by Authentication and Authorization.

Slide 5: Problems. Security!!!
- Launching attacks on other sites
  - Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack.
- Illegal or inappropriate data distribution, and access to sensitive information
  - Massive distributed storage capacity, ideal for example for swapping movies.
  - A growing number of users have data that must be private: biomedical imaging, for example.
- Damage caused by viruses, worms etc.
  - A highly connected infrastructure means worms could spread faster than on the internet in general.

Slide 6: Cryptography
Cryptography is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control.
Symbology
- Plaintext: M
- Ciphertext: C
- Encryption with key K1: E_K1(M) = C
- Decryption with key K2: D_K2(C) = M
Algorithms
- Symmetric: K1 = K2
- Asymmetric: K1 ≠ K2
Figure: Alice encrypts M to C with K1; Bob decrypts C back to M with K2.

Slide 7: Symmetric Algorithm
Figure: Alice encrypts "Hi" to "3$r" with the shared key and sends it to Bob, who decrypts "3$r" back to "Hi" with the same key.

Slide 8: Symmetric Algorithm
Advantages:
- Fast and easy
Problems:
- How to distribute the key?
- The number of keys needed is O(n^2)
Examples:
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- AES (Advanced Encryption Standard)
- Blowfish

Slide 9: Asymmetric Algorithms
Figure: a key pair, consisting of a Private Key and a Public Key.

Slide 10: Asymmetric Algorithm
Figure: Alice and Bob each hold a public/private key pair. A message encrypted with one key of a pair ("Hello" to "3$r" with Bob's keys, "Hello" to "cy7" with Alice's keys) is recovered only with the other key of the same pair.

Slide 11: Hash Function
Converts any size of input into a fixed (smaller) size of output.
- Given h(x), it is difficult to compute x.
- Given x, it is difficult to find x' such that h(x) = h(x').
Usage
- Verifying file integrity
- Digital signatures
Examples
- MD5
- SHA-1

Slide 12: Digital Signature (diagram only)

Slide 13: Certification Authorities
How can Bob be sure that Alice's public key is really Alice's public key and not someone else's?
- A third party certifies the correspondence between the public key and Alice's identity.
- Both Bob and Alice trust this third party.
The "third party" is called a Certification Authority (CA).

Slide 14: Certification Authorities
- A user's identity has to be certified by one of the national Certification Authorities (CAs)
- Resources are also certified by CAs
- CAs are mutually recognized
- Each CA establishes a number of people as "registration authorities" (RAs)

Slide 15: X.509 Certificates
An X.509 certificate contains:
- owner's public key;
- identity of the owner;
- info on the CA;
- time of validity;
- serial number;
- optional extensions;
- digital signature of the CA.
Example (figure):
  Public key
  Subject: C=CH, O=PKU, OU=GRID, CN=Liang Zhao 8968
  Issuer: C=CH, O=IHEP, OU=GRID, CN=IHEP CA
  Expiration date: Nov 26 08:08: GMT
  Serial number: 625 (0x271)
  Optional extensions
  CA digital signature

Slide 16: The Grid Security Infrastructure
Based on X.509 PKI: every Grid transaction is mutually authenticated.
1. A sends his certificate;
2. B verifies the signature in A's certificate using the CA's public certificate;
3. B sends A a challenge string;
4. A encrypts the challenge string with his private key;
5. A sends the encrypted challenge to B;
6. B uses A's public key to decrypt the challenge;
7. B compares the decrypted string with the original challenge;
8. If they match, B has verified A's identity and A cannot repudiate it;
9. Repeat for A to verify B's identity.
Figure (A to B): A's certificate -> verify CA signature -> random phrase -> encrypt with A's private key -> encrypted phrase -> decrypt with A's public key -> compare with original phrase.

Slide 17: The Grid Security Infrastructure
Default: message integrity checking
- Not private: a test for tampering
For private communication:
- Encrypt the whole message (not just the hash); slower
After A and B have authenticated each other, for A to send a message to B (figure):
- A generates a hash from the message, encrypts the hash with A's private key and sends the message + encrypted hash.
- B decrypts the hash with A's public key, generates the hash from the received message and compares it with the decrypted hash.
- For privacy, A further encrypts the hash with B's public key, and B first decrypts it with B's private key.

Slide 18: Certificate Request
- The user generates a public/private key pair in the browser; the private key is kept encrypted on local disk.
- The user sends the public key to the CA (certificate request) and shows the RA proof of identity.
- The CA's signature links identity and public key in the certificate.
- The CA informs the user.
Figure: private key (encrypted on local disk); cert request carrying the public key and ID; the issued certificate; the CA root certificate.

Slide 19: Grid Security Infrastructure: proxies
To support delegation (A delegates to B the right to act on behalf of A), proxy certificates extend X.509 certificates:
- Short-lived certificates signed by the user's certificate or by a proxy
- Reduces security risk, enables delegation
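The following block is an added example, not code from the tutorial or from gLite, that models the flows of slides 12, 16, 17 and 19 end to end: a CA signs user certificates, the challenge/response handshake checks that the other side holds the private key matching its certified public key, a signed message gives the integrity-only mode, and a short-lived proxy signed by the user's own key is verified as a chain. Textbook RSA on small primes (with `pow(e, -1, phi)`, Python 3.8+) stands in for a real PKI library so it runs offline; it gives no security at all, only the protocol shape. All primes, names and validity times are constructed.

```python
"""Toy model of the GSI flows on slides 12, 16, 17 and 19 (added example).
Textbook RSA on primes of 17 to 61 bits replaces a real PKI library so the block
has no dependencies; it gives no security, only the protocol shape. Primes,
names and times are constructed values.
"""
import hashlib
import json
import secrets


def make_keypair(p, q, e=65537):
    """Toy RSA: returns (public, private), each an (n, exponent) tuple."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data, n):
    """SHA-256 the data, then fold the digest into the toy-sized modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Slide 12: the signature is the hash 'encrypted' with the private key."""
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(public, data, signature):
    """'Decrypt' the signature with the public key; compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


def tbs_bytes(cert):
    """Canonical to-be-signed encoding of every field except the signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_cert(subject, subject_public, issuer, issuer_private, not_after):
    """Slide 15: the issuer's signature binds subject name to public key."""
    cert = {"subject": subject, "public_key": list(subject_public),
            "issuer": issuer, "not_after": not_after}
    cert["signature"] = sign(issuer_private, tbs_bytes(cert))
    return cert


def verify_chain(chain, ca_public, now):
    """chain[0] is the leaf (e.g. a proxy); chain[-1] must be CA-signed."""
    for i, cert in enumerate(chain):
        parent = chain[i + 1] if i + 1 < len(chain) else None
        signer_public = tuple(parent["public_key"]) if parent else ca_public
        if cert["not_after"] <= now:                      # expired
            return False
        if not verify(signer_public, tbs_bytes(cert), cert["signature"]):
            return False                                  # bad or wrong signer
        if parent and cert["not_after"] > parent["not_after"]:
            return False            # slide 19: a proxy may not outlive its signer
    return True


def challenge_response(prover_cert, prover_private, ca_public, now, challenge=None):
    """Slide 16, one direction, as seen by the verifier B."""
    if not verify_chain([prover_cert], ca_public, now):   # steps 1-2
        return False
    n, e = prover_cert["public_key"]
    if challenge is None:
        challenge = secrets.randbelow(n)                  # step 3: random phrase
    response = pow(challenge, prover_private[1], n)       # steps 4-5: A's private key
    return pow(response, e, n) == challenge               # steps 6-8: A's public key


def signed_message(sender_private, message):
    """Slide 17 default mode: message plus encrypted hash (integrity only)."""
    return message, sign(sender_private, message)


def check_message(sender_cert, message, signature):
    """Receiver re-hashes the message and compares with the decrypted hash."""
    return verify(tuple(sender_cert["public_key"]), message, signature)


def build_world(now=1_700_000_000):
    """Constructed CA, two users and a 12-hour proxy signed by Alice's key."""
    ca_pub, ca_priv = make_keypair(1000000007, 1000000009)
    alice_pub, alice_priv = make_keypair(998244353, 2147483647)
    bob_pub, bob_priv = make_keypair(2**61 - 1, 999983)
    proxy_pub, _ = make_keypair(524287, 131071)   # the proxy has its own key pair
    year, twelve_hours = 365 * 86400, 12 * 3600
    alice = issue_cert("CN=Alice", alice_pub, "CN=Toy CA", ca_priv, now + year)
    bob = issue_cert("CN=Bob", bob_pub, "CN=Toy CA", ca_priv, now + year)
    proxy = issue_cert("CN=Alice/CN=proxy", proxy_pub, "CN=Alice", alice_priv,
                       now + twelve_hours)
    return dict(now=now, ca_pub=ca_pub, alice=alice, alice_priv=alice_priv,
                bob=bob, bob_priv=bob_priv, proxy=proxy)
```

Mutual authentication (step 9) is simply `challenge_response` run in both directions. The points worth noticing are in `verify_chain`: an attacker who copies Alice's certificate but lacks her private key fails at steps 6-8, a proxy that has passed its short lifetime is rejected even though the user certificate behind it is still valid, and a proxy whose lifetime exceeds its signer's is refused outright.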

Slide 20: User Responsibilities
- Keep your private key secure: on a USB drive only.
- Do not loan your certificate to anyone.
- Report to your local/regional contact if your certificate has been compromised.
- Do not launch a delegation service for longer than your current task needs.
- If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

Slide 21: Evolution of VO management
Before VOMS:
- User is authorized as a member of a single VO
- All VO members have the same rights
- Gridmapfiles are updated by VO management software: they map the user's DN to a local account
- grid-proxy-init
VOMS:
- User can be in multiple VOs
  - Aggregate rights
- VO can have groups
  - Different rights for each
    - Different groups of experimentalists
    - ...
  - Nested groups
- VO has roles
  - Assigned to specific purposes
    - e.g. system admin
    - apply when the user assumes this role
- Proxy certificate carries the additional attributes
- voms-proxy-init
VOMS is now in use on the EGEE grid.

Slide 22: Summary of AA - 1
Authentication is based on X.509 PKI infrastructure:
- Trust between Certificate Authorities (CAs) and sites, and between CAs and users, is established (offline)
- CAs issue (long-lived) certificates identifying sites and individuals (much like a passport)
  - Commonly used in web browsers to authenticate to sites
- In order to reduce vulnerability, on the Grid user identification is done using (short-lived) proxies of their certificates
Proxies can:
- Be delegated to a service so that it can act on the user's behalf
- Include additional attributes (like VO information via the VO Membership Service, VOMS)
- Be stored in an external proxy store (MyProxy)
- Be renewed (in case they are about to expire)

Slide 23: Summary of AA - 2
Authentication
- User obtains a certificate from a Certificate Authority
- Connects to the UI by ssh (the UI is the user's interface to the Grid)
- Uploads the certificate to the UI
- Single logon, on the UI: create a proxy
- Grid Security Infrastructure
Authorisation
- User joins a Virtual Organisation
- VO negotiates access to Grid nodes and resources
- Authorisation is tested by the resource: the credentials in the proxy determine the user's rights
Figure: the CA issues the user's certificate (annually); the VO manager records membership in the VO database; the VO service pushes the mapping to access rights to resources (daily update); GSI links the UI to the resources.
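Slides 21 and 23 describe the authorization decision a resource makes: before VOMS, a grid-mapfile maps the user's DN to one local account and every VO member gets the same rights; with VOMS, the proxy carries group and role attributes and the rights aggregate across them. The block below is an added example of both decisions side by side; it is not gLite's own authorization code. It assumes the VOMS attribute syntax `/vo/group[/subgroup]/Role=role` (Role=NULL meaning no role), which the slides do not spell out, and the grid-mapfile lines, DNs, VO names, local accounts and policy table are all constructed.

```python
"""Authorization at a resource before and after VOMS, as on slides 21 and 23
(added example, not gLite's own code). The grid-mapfile lines, DNs, VO names,
local accounts and the policy are constructed; the proxy attribute syntax
assumed is the VOMS FQAN form /vo/group[/subgroup]/Role=role.
"""
import re
from typing import NamedTuple, Optional

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<account>\S+)$')


def parse_gridmap(text):
    """Pre-VOMS grid-mapfile: one line per DN, '"<DN>" <local account>'."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m["dn"]] = m["account"]
    return mapping


def authorize_before_voms(dn, gridmap):
    """Single VO, same rights for every member: DN -> local account or None."""
    return gridmap.get(dn)


class FQAN(NamedTuple):
    group: str            # "/vo/group/subgroup"; the VO is the first component
    role: Optional[str]   # None when no role was assumed (VOMS writes Role=NULL)


def parse_fqan(text):
    """Parse a VOMS-style attribute: /vo[/group...][/Role=r][/Capability=c]."""
    parts = text.split("/")
    if len(parts) < 2 or parts[0] != "" or not parts[1]:
        raise ValueError(f"malformed FQAN: {text!r}")
    groups, role = [], None
    for part in parts[1:]:
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif part.startswith("Capability="):
            continue                      # carried by VOMS, unused here
        else:
            groups.append(part)
    return FQAN("/" + "/".join(groups), role)


def fqan_matches(pattern, attr):
    """A pattern on /vo/g also covers the nested /vo/g/sub (slide 21: nested
    groups); a pattern role must match exactly, a pattern without a role
    accepts any role."""
    in_group = attr.group == pattern.group or attr.group.startswith(pattern.group + "/")
    return in_group and (pattern.role is None or pattern.role == attr.role)


def authorize_with_voms(proxy_fqans, policy):
    """Rights aggregate over every attribute in the proxy (multiple VOs, groups
    and roles); the first matching policy entry supplies the local account.
    policy: list of (fqan pattern, local account, rights), most specific first.
    """
    account, rights = None, set()
    for attr in map(parse_fqan, proxy_fqans):
        for pattern, acct, granted in policy:
            if fqan_matches(parse_fqan(pattern), attr):
                rights.update(granted)
                account = account or acct
    return account, rights


# Constructed sample data: a pre-VOMS grid-mapfile and a VOMS-era policy table.
SAMPLE_GRIDMAP = '''
# DN                                   local account
"/C=XX/O=Example/OU=GRID/CN=Alice"     euchina001
"/C=XX/O=Example/OU=GRID/CN=Bob"       euchina002
'''

SAMPLE_POLICY = [
    ("/euchina/biomed",      "biomed001",     {"submit", "read-biomed"}),
    ("/euchina/Role=admin",  "euchina-admin", {"submit", "manage-site"}),
    ("/euchina",             "euchina-pool",  {"submit"}),
    ("/otherVO",             "other-pool",    {"read-other"}),
]
```

The contrast the slides draw is visible in the two return values: `authorize_before_voms` can only answer "this DN is a member" with one fixed account, whereas `authorize_with_voms` gives a member of the nested `/euchina/biomed/imaging` group the biomed rights plus the base VO rights, grants `manage-site` only while the `admin` role is actually assumed, and unions the rights of a user who holds attributes from two VOs.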