Authentication and Authorization in gLite Antonio Fuentes Bermejo RedIRIS/Red.Es Tutorial de Grid EELA/EGEE/EUMedGrid May, 2007.

Presentation transcript:

Authentication and Authorization in gLite Antonio Fuentes Bermejo RedIRIS/Red.Es Tutorial de Grid EELA/EGEE/EUMedGrid May, 2007 Users and Admin Tutorial

2 Glossary
Encryption
- Symmetric algorithms
- Asymmetric algorithms: PKI
Certificates
- Digital signatures
- X.509 certificates
Grid security
- Proxy certificates
- Command line interfaces
Virtual Organization
- Concept of VO and authorization

3 Principal: an entity (a user, a program, or a machine)
Credentials: some data providing proof of identity
Authentication: verify the identity of a principal
Authorization: map an entity to some set of privileges
Confidentiality: encrypt the message so that only the recipient can understand it
Integrity: ensure that the message has not been altered in transmission
Non-repudiation: impossibility of denying the authenticity of a digital signature

4 Cryptography is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control.
Symbology:
- Plaintext: M
- Ciphertext: C
- Encryption with key K1: E_K1(M) = C
- Decryption with key K2: D_K2(C) = M
Algorithms:
- Symmetric: K1 = K2
- Asymmetric: K1 ≠ K2
[Figure: Pablo encrypts M with K1 into C; Juan decrypts C with K2 back into M]

5 Symmetric algorithms: the same key is used for encryption and decryption.
Advantages: fast.
Disadvantages: how to distribute the keys?
Examples: DES, 3DES, Rijndael (AES), Blowfish, Kerberos
[Figure: María sends Pedro "ciao" as "3$r"; the same shared key encrypts and decrypts]

6 Asymmetric algorithms: every user has two keys, one private and one public:
- it is "impossible" to derive the private key from the public one;
- a message encrypted with one key can be decrypted only with the other one.
No exchange of secrets is necessary:
- the sender encrypts using the public key of the receiver;
- the receiver decrypts using his private key.
Examples: Diffie-Hellman (1977), RSA (1978)
[Figure: Juan and Pablo each hold a public/private key pair; "ciao" encrypted for one of them becomes "3$r", for the other "cy7", and only the matching private key recovers it]

7 Digital signature
1. Pablo calculates the hash of the message.
2. Pablo encrypts the hash using his private key: the encrypted hash is the digital signature.
3. Pablo sends the signed message to Juan.
4. Juan calculates the hash of the message and verifies it against the signature, decrypted with Pablo's public key.
5. If the hashes are equal: the message was not modified, and Pablo cannot repudiate it.
[Figure: "This is some message" travels with its digital signature; Juan computes Hash(B) from the message, recovers Hash(A) from the signature with Pablo's public key, and checks Hash(A) = Hash(B)]
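The sign/verify flow of slide 7, as an added example run with OpenSSL (this is not code from the slides; the key pair, message and file names are constructed for the demo, and SHA-256 is assumed as the hash):

```shell
#!/bin/sh
# Added example: Pablo hashes and signs a message, Juan verifies it with
# Pablo's public key. Everything below (key, files, message) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Pablo's key pair: a throwaway 2048-bit RSA key generated for this demo.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/pablo_private.pem" 2>/dev/null
openssl pkey -in "$WORK/pablo_private.pem" -pubout -out "$WORK/pablo_public.pem"

printf 'This is some message\n' > "$WORK/message.txt"

# Steps 1 and 2: hash the message (SHA-256) and encrypt the hash with the
# private key. The output file is the digital signature sent with the message.
sign_message() {    # $1 message file, $2 private key, $3 signature output
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Step 4: recompute the hash and compare it with the hash recovered from the
# signature using the public key. Returns 0 when they match, 1 otherwise.
verify_message() {  # $1 message file, $2 public key, $3 signature file
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

sign_message "$WORK/message.txt" "$WORK/pablo_private.pem" "$WORK/message.sig"

# Unmodified message: hashes are equal, Pablo cannot repudiate it.
verify_message "$WORK/message.txt" "$WORK/pablo_public.pem" "$WORK/message.sig" \
    && echo "original message: signature OK"

# Modified message: the hash differs, so the same signature is rejected.
printf 'This is some other message\n' > "$WORK/tampered.txt"
verify_message "$WORK/tampered.txt" "$WORK/pablo_public.pem" "$WORK/message.sig" \
    || echo "tampered message: signature REJECTED"
```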

8 Pablo's digital signature is safe if:
1. Pablo's private key is not compromised
2. Juan knows Pablo's public key
How can Juan be sure that Pablo's public key is really Pablo's public key and not someone else's?
- A third party guarantees the correspondence between the public key and the owner's identity.
- Both Pablo and Juan must trust this third party.
Digital Certificates

9 Certification Authority
The "third party" is called Certification Authority (CA).
- Issues digital certificates (containing the public key and the owner's identity) for users, programs and machines, signed by the CA.
- Checks the identity and the personal data of the requestor.
  - Registration Authorities (RAs) do the actual validation.

10 Classic profile of a CA
How to obtain a certificate (figure):
1. A certificate request is performed.
2. The user identity is confirmed by the RA.
3. The certificate is issued by the CA.
4. The certificate is used as a key to access the grid.

11 Structure of an X.509 certificate
An X.509 certificate contains:
- owner's public key;
- identity of the owner;
- info on the CA;
- time of validity;
- serial number;
- digital signature of the CA.
Example:
    Public key
    Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
    Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
    Expiration date: Aug 26 08:08: GMT
    Serial number: 625 (0x271)
    CA digital signature

12 Renewal
- The certificate's maximum lifetime is 1 year + 1 month.
- The idea is that at the end of the year (12th month) a new certificate is issued.
- Users should be warned about the coming expiration and the need to renew.
- Don't revoke a certificate to issue a new one unless the certificate has been compromised or the user has ceased the activity which entitles him to have a certificate.

13 Renewal
During a renewal the user is not required to go through the identification procedure again:
- This is a big advantage for both the users and the RA.
- However, a maximum number of renewals without identification is advisable (for instance: every two years the EE (end entity) must go through the identification again).
To skip the identification, the renewal request must be signed with the user certificate; examples:
- signed with the user certificate
- CA/RA web interface that identifies the user certificate
If the user certificate expires before renewal, the procedure for a new certificate must be followed.

14 Request a Personal Certificate
- If you are Italian go to: 
- If you are Portuguese go to: 
- If you are Spanish go to: 
- If you are not any of the above go to: FR/?lang=en&cmd=certificates&type=usercert
Status to be updated since there are now 4 Certification Authorities in Latin America.

15 Request a Certificate to the GRID-FR CA (
Working RAs are:
1. ICN-UNAM
2. REUNA
3. UFF
4. UFRJ
5. ULA
If you DO NOT belong to any of the EELA partners mentioned above, a new RA must be created at your site. This operation starts by sending an e-mail to Jorge Gomes asking him to create a new

16 Import your certificate in your browser
- If you received a .pem certificate you need to convert it to PKCS12.
- Use the openssl command line (available in each UI):
    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'
GILDA (and other VOs, among which EELA):
- You already receive a PKCS12 certificate (you can import it directly into the web browser).
- For future use, you will need usercert.pem and userkey.pem in the directory ~/.globus on your UI.
- Export the PKCS12 cert to a local dir on the UI and use openssl again:
    openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
    openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem
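The PEM/PKCS12 round trip of slide 16, as an added example (not from the slides or the gLite project): it runs against a constructed self-signed certificate so it works offline, and the subject DN, pass phrase and output directory are all made up for the demo. It also checks, which the slide does not, that the extracted key really belongs to the extracted certificate:

```shell
#!/bin/sh
# Added example: usercert.pem + userkey.pem -> my_cert.p12 -> back to PEM,
# then confirm key and certificate match. All inputs are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS='demo-pass-phrase'   # constructed; interactively openssl prompts for it

# Stand-in for the certificate/key pair a CA would have issued (self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/C=ES/O=Example/OU=GRID/CN=Demo User' \
    -keyout userkey.pem -out usercert.pem 2>/dev/null

# PEM -> PKCS#12, the form a browser imports.
pem_to_p12() {        # $1 cert, $2 key, $3 p12 output, $4 friendly name
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "$4" -passout "pass:$PASS"
}

# PKCS#12 -> PEM, the form needed in ~/.globus on the UI.
p12_to_pem() {        # $1 p12, $2 key output, $3 cert output
    openssl pkcs12 -nocerts -in "$1" -out "$2" \
        -passin "pass:$PASS" -passout "pass:$PASS"
    openssl pkcs12 -clcerts -nokeys -in "$1" -out "$3" -passin "pass:$PASS"
    chmod 400 "$2"    # private key readable only by its owner
    chmod 444 "$3"
}

# Compare the public key inside the key file with the one in the certificate.
# Returns 0 when they are the same key pair, 1 otherwise.
key_matches_cert() {  # $1 key, $2 cert
    k=$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

pem_to_p12 usercert.pem userkey.pem my_cert.p12 'Demo User'
mkdir -p globus                       # stands in for ~/.globus
p12_to_pem my_cert.p12 globus/userkey.pem globus/usercert.pem
key_matches_cert globus/userkey.pem globus/usercert.pem && echo "key and cert match"
openssl x509 -in globus/usercert.pem -noout -subject -enddate
```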

17 Proxy Certificates
It would be dangerous to transfer your certificate through the Grid.
Proxy certificates:
- are signed by the normal end entity cert (or by another proxy);
- support some important features:
  - delegation
  - a limited lifetime (minimized risk of "compromised credentials")
Proxy certificates are created by the grid-proxy-init command:
    % grid-proxy-init
    Enter PEM pass phrase: ******
Options for grid-proxy-init:
- -hours
- -bits
- -help

18 The user enters the pass phrase, which is used to decrypt the private key. The private key is used to sign a proxy certificate with its own, new public/private key pair. The user's private key is not exposed after the proxy has been signed.
[Figure: user certificate file + private key (encrypted) + pass phrase -> user proxy certificate file]
The proxy is stored in a local file:
- it must be readable only by the owner;
- its lifetime is short (typically 12 h) to minimize security risks.

19 Proxy again ...
grid-proxy-init ≡ "login to the Grid"
To "logout" you have to destroy your proxy:
    grid-proxy-destroy
To gather information about your proxy:
    grid-proxy-info
Options for printing proxy information: -subject -issuer -type -timeleft -strength -help

20 Delegation = remote creation of a (second level) proxy credential
- A new key pair is generated remotely on the server.
- The client signs the proxy cert and returns it.
- Allows a remote process to authenticate on behalf of the user.
- The remote process "impersonates" the user.

21 The proxy has a limited lifetime (default is 12 h):
- it is a bad idea to have a longer proxy.
However, a grid task might need to use a proxy for a much longer time:
- Grid jobs in HEP Data Challenges on LCG last up to 2 days.
MyProxy server: allows to create and store a long-term proxy certificate.
- myproxy-init -s <myproxy server>
  - -s: specifies the hostname of the MyProxy server
- myproxy-info
  - get information about the stored long-living proxy
- myproxy-get-delegation
  - get a new proxy from the MyProxy server
- myproxy-destroy
File transfer services in gLite validate the user's request and, when needed, renew proxies by contacting the MyProxy server.

22 Grid users MUST belong to virtual organizations:
- sets of users belonging to a collaboration;
- the user must sign the usage guidelines for the VO.
VOs maintain a list of their members on an LDAP server:
- the list is downloaded by grid machines to map user certificate subjects to local "pool" accounts:
    ...
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461".dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968".cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE".alice
    ...
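How a grid machine resolves a certificate subject through such a mapping, as an added example (not code from the slides or from gLite): the mapfile below is constructed for the demo and reuses the three subjects shown on slide 22, plus one made-up non-pool entry; the lookup treats a subject with no entry as "no mapping", which is the case where a site refuses the request.

```shell
#!/bin/sh
# Added example: look up a certificate subject DN in a grid-mapfile-style
# list and report the local account. The file contents are constructed.
set -eu

GRIDMAP=$(mktemp)
trap 'rm -f "$GRIDMAP"' EXIT
cat > "$GRIDMAP" <<'EOF'
# Constructed mapfile: "<certificate subject>" followed by the local account.
# A leading "." marks a pool account; the slide writes the pair without a
# space, the last line with a space, and both forms are accepted below.
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461".dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968".cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE".alice
"/C=ES/O=Example/OU=GRID/CN=Site Admin" gridadmin
EOF

# Print the account mapped to a DN. Exit 0 when found, 1 when the subject
# is not listed (the caller must then deny access rather than guess).
gridmap_lookup() {    # $1 mapfile, $2 certificate subject DN
    awk -v dn="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        match($0, /^"[^"]*"/) {
            subj = substr($0, 2, RLENGTH - 2)    # text inside the quotes
            acct = substr($0, RLENGTH + 1)       # everything after them
            gsub(/^[ \t]+|[ \t]+$/, "", acct)
            if (subj == dn) { print acct; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# "yes" when the mapped account is a pool account (leading dot), else "no".
is_pool_account() {   # $1 account string as stored in the mapfile
    case "$1" in .*) echo yes ;; *) echo no ;; esac
}

for dn in '/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968' \
          '/C=ES/O=Example/OU=GRID/CN=Site Admin' \
          '/C=ES/O=Example/OU=GRID/CN=Nobody'; do
    if acct=$(gridmap_lookup "$GRIDMAP" "$dn"); then
        echo "$dn -> $acct (pool account: $(is_pool_account "$acct"))"
    else
        echo "$dn -> no mapping, access denied"
    fi
done
```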

23 EELA VO Usage Rules (

24 EELA VOMS (

25 EELA Registration (1/6) (

26 EELA Registration (2/6)

27 EELA Registration (3/6)
E-mail address confirmation for VO eela
A request for a VO membership on eela has been made using this e-mail address. If you have not made this request please ignore this message. It would be helpful if you would contact the VO registrar and tell us about this bogus request.
If the request was made by you, please click on the following URL to confirm this address: eqid=21
Make sure you have your client certificate loaded in your browser. One way to ensure this is to copy and paste the above URL into the same browser that you used to submit the request.
If you wish to confirm the request another way, then you need the following information:
Request number: 21
Confirmation cookie: xlqi8oy6fudv0wod

28 EELA Registration (4/6)

29 EELA Registration (5/6)
Dear Scardaci, Diego,
Thank you for confirming your e-mail address. Your request for an account on VO eela has been sent to the VO administrators. A VO administrator will probably contact you to confirm account creation.
If you find any problems regarding the account registration, then please contact the VO registrar.
Thank You,
VO Registration

30 EELA Registration (6/6)
Welcome to the eela VO!
Dear Scardaci, Diego,
Your request (21) for the eela VO has been accepted and allowed by the VO Administrator. From this point you can use the voms-proxy-init command to acquire the VO specific credentials, which will enable you to use the resources of this VO.
Good Luck,
VO Registration

31 Grid
- LCG Security: security/
- EELA VOMS Registration:
- EELA ROC:
- Globus Security Infrastructure:
- VOMS:
- CA:
Background
- GGF Security:
- IETF PKIX charter: charter.html
- PKCS:

Edificio Bronce, Plaza Manuel Gómez Moreno s/n, Madrid, España. Tel.: / 25 Fax:
Thank you for your attention