
Presentation Two: Grid Security

Part Two: Grid Security
A: Grid Security Infrastructure (GSI)
B: PKI and X.509 certificates
C: Proxy certificates
D: The grid-mapfile
E: GSI-SSH
F: Lab 2 — Security

A: Grid Security Infrastructure (GSI)

GSI
- Part of the Globus Toolkit (GTK)
- Based on PKI (Public Key Infrastructure), X.509 certificates and the SSL (Secure Sockets Layer) protocol
- Reference:

Why GSI?
- To provide secure communication (authenticated, and optionally confidential) between elements of a computational Grid.
- To support security across organizational boundaries; no single organization owns the whole Grid, which rules out one centrally managed security system.
- To support "single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites.

B: PKI and X.509 Certificates

PKI: Public Key Infrastructure
- A user (or other entity) gets a related key pair:
  - one private key, known only to the user
  - one public key, distributable to the world
- A message encrypted with one key requires the other key for decryption

Key Reciprocity
- Data encrypted using the public key requires the private key for decryption. If you know my public key, you can send me, over an open channel, a message only I can read.
- Data encrypted using the private key requires the public key for decryption. If my public key "decrypts" a message I sent over an open channel, then only I could have produced it. In practice this direction is a digital signature: I sign a hash of the message with my private key, and anyone holding my public key can verify that signature.

How Keys Get Around
- Public keys can be freely distributed. That allows messages to be encrypted just for you, and your signatures to be checked by anyone.
- Your private key doesn't get around. Period. That's why it's private.
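The two directions of key use from the slides above, as an added example using the openssl command line (this is not code from the original slides or from the Globus Toolkit). It assumes a POSIX shell and the openssl CLI; the key pair, the sample message and the file names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original slides or from Globus: the two uses of
# a key pair from the "Key Reciprocity" slide, with the openssl CLI.
# Assumes POSIX sh and the openssl command; keys, message and file names are
# all constructed here in a scratch directory.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Alice's key pair: alice_key.pem never leaves here, alice_pub.pem is handed out.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out alice_key.pem 2>/dev/null
openssl pkey -in alice_key.pem -pubout -out alice_pub.pem

# Constructed sample message, plus a one-byte variation of it.
printf 'submit job 42 to cluster-a\n' > msg.txt
printf 'submit job 43 to cluster-a\n' > tampered.txt

# encrypt_for_alice IN OUT: anyone holding the public key can do this
# (RSA-OAEP padding; plain RSA only fits short messages, which is why SSL/TLS
# uses it to protect a symmetric session key rather than the data itself).
encrypt_for_alice() {
  openssl pkeyutl -encrypt -pubin -inkey alice_pub.pem \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# decrypt_as_alice IN OUT: only the private key undoes the encryption.
decrypt_as_alice() {
  openssl pkeyutl -decrypt -inkey alice_key.pem \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# sign_as_alice IN SIG: the "encrypt with the private key" direction as it is
# really done: a SHA-256 digest of IN, signed with the private key.
sign_as_alice() {
  openssl dgst -sha256 -sign alice_key.pem -out "$2" "$1"
}

# verify_from_alice IN SIG: exit 0 only if SIG was produced over exactly IN by
# the private key that matches alice_pub.pem.
verify_from_alice() {
  openssl dgst -sha256 -verify alice_pub.pem -signature "$2" "$1" >/dev/null 2>&1
}

# round_trip_ok: 0 if encrypt-then-decrypt gives the original message back.
round_trip_ok() {
  encrypt_for_alice msg.txt msg.enc &&
  decrypt_as_alice msg.enc msg.dec &&
  cmp -s msg.txt msg.dec
}

round_trip_ok && echo "confidentiality: decrypted text matches the original"
sign_as_alice msg.txt msg.sig
verify_from_alice msg.txt msg.sig && echo "authenticity: signature verifies"
verify_from_alice tampered.txt msg.sig || echo "authenticity: tampered message rejected"
```

The tampered message differs from the signed one by a single byte, and the signature over the original does not verify against it; that, not "decrypting with the public key", is what a relying party actually checks.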

X.509 Certificates
- Keys can be distributed encapsulated in an X.509 certificate.
- The X.509 certificate binds the public key to a qualified name.
- The X.509 certificate is also signed by a trusted issuer, so a recipient can check that the binding is genuine instead of taking the name on faith.
- You saw one in Lab 1.

Who Issues a Certificate?
- A certificate authority (CA) is a trusted entity that signs and issues X.509 credentials
- Examples: NCSA Alliance, DOEgrid CA
- In the so-called "real world": VeriSign
- Each credential identifies its CA (the issuer field), which is how a relying party knows whose signature to check

X.509 Certificate = "License"
- Identifies you and your institution
- Can't be self-created: you could sign a certificate for yourself, but nobody else's software trusts you as an issuer
- Created for you by your institution (or the CA it uses)
- Getting one isn't an instantaneous process; the CA has to check that you are who the request says you are

What's in an X.509 Certificate?
- Entity's qualified name (the subject)
- Entity's public key
- Name of the issuing CA (the issuer)
- Signature of the issuing CA, covering everything else in the certificate
- Validity dates (start and end dates)
- Other fields: version, serial number, signature algorithm, extensions, etc.

Qualified Name
- Person's name
- Institution
- Country
- Example: C=US, O=National Center for Supercomputing Applications, CN=Edward N. Bola

Variations on the Theme
- Qualified Name, Distinguished Name (DN), Subject Name, Subject: you say "eether", I say "eyether". They all mean the same thing.
- Note that there are variations on the syntax; your format may not exactly match this. The comma-separated form above and the slash-separated form the Globus tools and the grid-mapfile use (/C=US/O=.../CN=...) are the same name written two ways: you say "potato", I say "potahto".

How do you inspect a certificate?
- Utility for seeing the information encapsulated in a certificate: grid-cert-info

The Certificate File Itself
- Is stored in your ~/.globus directory
- "usercert.pem" is the certificate (your public key, name and the CA's signature); file permissions = -rw-r-----
- "userkey.pem" is the private key; file permissions = -r-------- (0400; readable by you alone, 0600 is also accepted)
- Don't chmod these, by the way; utilities like grid-proxy-init and GSI-SSH check the permissions and refuse to use a private key that group or others can read

Host Certificates
- Certs aren't just for users any more
- Grid hosts also have certificates, so a user can authenticate the host they are talking to (authentication is mutual)
- Stored in /etc/grid-security: "hostcert.pem" and "hostkey.pem"
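The inspection and permission checks the slides above describe, as an added example done with openssl and ls rather than the Globus tools (this is not the slides' own code, nor the Globus implementation). It assumes a POSIX shell and the openssl CLI. The directory standing in for ~/.globus and the certificate in it are constructed for the example; that certificate is self-signed, so its issuer equals its subject, unlike a real CA-issued usercert.pem.

```shell
#!/bin/sh
# Added example, not from the original slides or from Globus: what
# grid-cert-info reports about usercert.pem, and the permission check that
# grid-proxy-init and GSI-SSH apply to userkey.pem, done with openssl and ls.
# Assumes POSIX sh and the openssl CLI. GLOBUS_DIR is a scratch directory
# standing in for ~/.globus, and the certificate is a throwaway self-signed
# one (issuer == subject); a real usercert.pem is signed by your CA.
set -u
GLOBUS_DIR=$(mktemp -d)

openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=US/O=National Center for Supercomputing Applications/CN=Edward N. Bola" \
  -keyout "$GLOBUS_DIR/userkey.pem" -out "$GLOBUS_DIR/usercert.pem" 2>/dev/null
chmod 0644 "$GLOBUS_DIR/usercert.pem"   # the certificate is public
chmod 0400 "$GLOBUS_DIR/userkey.pem"    # the private key is yours alone

# cert_field FILE subject|issuer|startdate|enddate: one field of the
# certificate, with names in the slash-separated form the Globus tools use.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt compat | sed 's/^[A-Za-z]*= *//'
}

# key_perms_ok FILE: 0 when FILE is mode 0400 or 0600 (owner only), which is
# what the GSI tools require before they will touch a private key; 1 if group
# or others have any access. Column 11 (ACL "+" or SELinux ".") is ignored.
key_perms_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -r--------
  case "$mode" in
    -r--------|-rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_valid_for FILE SECONDS: 0 if FILE will still be valid SECONDS from now
# (openssl's -checkend is the primitive behind a "timeleft" style check).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_matches_key CERT KEY: 0 if the public key inside CERT is the one that
# belongs to KEY, the sanity check for a cert and key that arrive separately.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout)
  [ "$c" = "$k" ]
}

for f in subject issuer startdate enddate; do
  printf '%-9s : %s\n' "$f" "$(cert_field "$GLOBUS_DIR/usercert.pem" "$f")"
done
key_perms_ok "$GLOBUS_DIR/userkey.pem" && echo "userkey.pem permissions OK"
cert_matches_key "$GLOBUS_DIR/usercert.pem" "$GLOBUS_DIR/userkey.pem" && echo "cert and key match"
```

Point the same functions at a real ~/.globus/usercert.pem and the subject, issuer and dates will differ from each other the way grid-cert-info shows them; the permission check is the one that bites when a key is copied between machines with a permissive umask.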

C: Proxy Certificates

Why Use Proxy Certificates?
- A user certificate usually lasts a year
- If it's stolen, it's still good for the rest of the year unless it's revoked by being placed on a certificate revocation list (CRL), and then only if your utility actually fetches and checks the CRL, with any frequency
- A proxy certificate is a short-lived certificate, signed with your own private key and carrying a fresh key pair of its own; it usually lasts 12 hours
- Minimizes the possible mischief: a stolen proxy is useful only until it expires, and your long-term private key never had to leave your machine

grid-proxy-init
- Asks for your grid passphrase (it has to unlock userkey.pem to sign the proxy)
- The proxy is stored in /tmp/x509up_uXXXX, where XXXX is your uid
- You've already seen this in Lab 1.

grid-proxy-info
- Queries the proxy certificate, not the "real" certificate
- subject is your DN with an extra CN component appended, issuer is your own DN (you signed it), and identity is the DN with the proxy components stripped, which is the name the grid-mapfile matches
- 512-bit RSA, the old default shown here, is far too weak today; ask grid-proxy-init for a larger key with -bits
subject  : […]
issuer   : […]
identity : […]
type     : full legacy globus proxy
strength : 512 bits
path     : /tmp/x509up_u506
timeleft : 11:57:31

grid-proxy-destroy
- Destroys the proxy (removes the file from /tmp). That's about as simple as it gets.
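What grid-proxy-init builds and what a GSI-aware service checks when the proxy arrives, as an added example using the openssl CLI and RFC 3820 proxy certificates (this is not code from the original slides or from the Globus Toolkit). It assumes a POSIX shell and OpenSSL 1.1.1 or newer. The CA, the user credential, the proxy, the DNs and the serial numbers are all constructed in a scratch directory; the CA stands in for a real grid CA.

```shell
#!/bin/sh
# Added example, not from the original slides or from Globus: what
# grid-proxy-init builds, and what a GSI-aware service checks when the proxy
# arrives, using the openssl CLI and RFC 3820 proxy certificates. Assumes
# POSIX sh and OpenSSL 1.1.1 or newer. The CA, the user credential and the
# proxy are all constructed in a scratch directory; the CA stands in for a
# real grid CA, and the user DN and serial numbers are made up.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Extensions for the three kinds of certificate. proxyCertInfo is the RFC 3820
# extension that makes a verifier treat the certificate as a proxy.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[proxy]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# mkcsr NAME SUBJECT: fresh RSA key NAME.key and request NAME.csr for SUBJECT.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# The CA (self-signed, long-lived) and the user's one-year certificate,
# i.e. what ~/.globus/usercert.pem and userkey.pem hold after enrollment.
mkcsr ca "/O=Grid/CN=Example Grid CA"
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -set_serial 1 \
  -extfile ext.cnf -extensions ca -out ca.pem 2>/dev/null
mkcsr user "/O=Grid/CN=Bob Test"
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -days 365 -set_serial 2 \
  -extfile ext.cnf -extensions user -out usercert.pem 2>/dev/null
cp user.key userkey.pem

# issue_proxy SUBJECT NAME DAYS: sign a proxy certificate NAME.pem over a new
# key NAME.key with the user's own private key (the CA is not involved).
# openssl x509 -req counts validity in whole days; grid-proxy-init uses hours.
issue_proxy() {
  mkcsr "$2" "$1" &&
  openssl x509 -req -in "$2.csr" -CA usercert.pem -CAkey userkey.pem \
    -days "$3" -set_serial 12345 -extfile ext.cnf -extensions proxy \
    -out "$2.pem" 2>/dev/null
}

# make_proxy: the grid-proxy-init step. RFC 3820 requires the proxy subject to
# be the issuer's DN plus exactly one CN (conventionally the serial number).
# The resulting file has the layout GSI tools expect in /tmp/x509up_uUID:
# proxy cert, proxy key, then the user cert so the chain can be rebuilt.
make_proxy() {
  issue_proxy "/O=Grid/CN=Bob Test/CN=12345" proxy 1 &&
  cat proxy.pem proxy.key usercert.pem > "x509up_u$(id -u)"
}

# verify_proxy FILE: the relying party's check, chain FILE -> user cert -> CA,
# with proxy certificates explicitly allowed.
verify_proxy() {
  openssl verify -allow_proxy_certs -CAfile ca.pem -untrusted usercert.pem "$1" >/dev/null 2>&1
}

# verify_as_plain_cert FILE: the same chain without opting in to proxies;
# software that does not understand proxy certificates must reject them.
verify_as_plain_cert() {
  openssl verify -CAfile ca.pem -untrusted usercert.pem "$1" >/dev/null 2>&1
}

# cert_subject FILE: slash-separated DN (the grid-mapfile form).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

make_proxy
printf 'proxy subject : %s\n' "$(cert_subject proxy.pem)"
verify_proxy proxy.pem && echo "proxy chain verifies up to the CA"
```

Two things are worth trying against it: the same proxy fails verification without -allow_proxy_certs, because a relying party that has not opted in must not accept an end-entity certificate as an issuer, and a proxy that Bob's key signs over someone else's name fails the RFC 3820 subject check, so holding a user key does not let you mint credentials for other identities.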

D: grid-mapfile

grid-mapfile
- Text file residing on a given host: /etc/grid-security/grid-mapfile
- Associates accounts on that host with qualified names as they appear in the X.509 certificates
- This is the authorization step: the certificate (or proxy) proves who you are; the grid-mapfile decides which local account, if any, that identity may use

Example grid-mapfile entry
"/O=Grid/OU=GlobusTest/OU=simpleCA-grids3.ncsa.uiuc.edu/OU=localdomain/CN=Bob Test" btest
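The lookup a GSI-aware service performs against the grid-mapfile, as an added example written as shell functions (not the slides' own code and not the Globus implementation). It assumes a POSIX shell and awk; the grid-mapfile contents, the second and third entries, and the extra account names are constructed for the example. It also covers two things the slide's single entry does not show: entries that list several accounts, and stripping the proxy components from a DN before the lookup.

```shell
#!/bin/sh
# Added example, not from the original slides or from Globus: the
# authorization lookup a GSI-aware service does against grid-mapfile, as
# shell functions over a constructed grid-mapfile in a scratch file.
# Assumes POSIX sh and awk. Real entries may list several accounts, comma
# separated: the first is the default, the others may be requested
# explicitly (e.g. gsissh -l ACCOUNT).
set -u
GRIDMAP=$(mktemp)            # stands in for /etc/grid-security/grid-mapfile
cat > "$GRIDMAP" <<'EOF'
# constructed sample grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-grids3.ncsa.uiuc.edu/OU=localdomain/CN=Bob Test" btest
"/C=US/O=National Center for Supercomputing Applications/CN=Edward N. Bola" ebola,grid-ops
"/O=Grid/OU=GlobusTest/OU=simpleCA-grids3.ncsa.uiuc.edu/OU=localdomain/CN=Bob Testerson" btesterson
EOF

# proxy_identity DN: strip what a GSI service removes before the lookup, the
# trailing "/CN=proxy" or "/CN=limited proxy" of legacy Globus proxies and
# the trailing "/CN=<digits>" of RFC 3820 proxies, repeated for proxies of
# proxies, leaving the user's own DN.
proxy_identity() {
  dn=$1
  while :; do
    case "$dn" in
      */CN=proxy|*"/CN=limited proxy") dn=${dn%/CN=*} ;;
      */CN=[0-9]*)
        tail=${dn##*/CN=}
        case "$tail" in *[!0-9]*) break ;; esac
        dn=${dn%/CN=*} ;;
      *) break ;;
    esac
  done
  printf '%s\n' "$dn"
}

# gridmap_accounts DN FILE: print the comma-separated account list for the
# exact DN, exit 1 if there is none. The match is on the whole quoted DN; a
# prefix or substring match would let "CN=Bob Test" claim "CN=Bob Testerson".
# (awk -v applies backslash escapes, so DNs containing backslashes need care.)
gridmap_accounts() {
  awk -v dn="$1" '
    /^[[:space:]]*#/ { next }                  # comment line
    /^[[:space:]]*$/ { next }                  # blank line
    {
      s = index($0, "\""); if (s == 0) next    # DN is the first quoted string
      rest = substr($0, s + 1)
      e = index(rest, "\""); if (e == 0) next
      if (substr(rest, 1, e - 1) != dn) next
      accts = substr(rest, e + 1)
      sub(/^[[:space:]]+/, "", accts)
      sub(/[[:space:]].*$/, "", accts)         # drop anything after the list
      if (accts == "") next
      print accts; found = 1; exit
    }
    END { exit found ? 0 : 1 }' "$2"
}

# gridmap_default DN FILE: the account a plain login lands in.
gridmap_default() {
  a=$(gridmap_accounts "$1" "$2") || return 1
  printf '%s\n' "${a%%,*}"
}

# gridmap_allows DN ACCOUNT FILE: 0 only if ACCOUNT is listed for DN, so a
# user cannot pick an arbitrary local account with -l.
gridmap_allows() {
  a=$(gridmap_accounts "$1" "$3") || return 1
  case ",$a," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

who=$(proxy_identity "/O=Grid/OU=GlobusTest/OU=simpleCA-grids3.ncsa.uiuc.edu/OU=localdomain/CN=Bob Test/CN=12345")
printf '%s -> %s\n' "$who" "$(gridmap_default "$who" "$GRIDMAP" || echo '(not mapped: access denied)')"
```

An unmapped DN, a DN that merely starts the same way as a mapped one, and a request for an account not on the entry's list all come back as denials; that exactness is the whole point of matching the full quoted DN.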

gsi-ssh
- Grid-secure SSH utility
- Modified version of OpenSSH that authenticates with GSI (your proxy certificate, mapped to a local account through the grid-mapfile) instead of a password or SSH key

F: Lab 2 — Security

Lab 2 — Security
In this lab:
- How to get information about your certificate
- How to create (and destroy) proxy certificates
- How to use SSH without a password via GSI-SSH
- How to use MyProxy to register a proxy certificate

Credits
Portions of this presentation were adapted from the following sources:
- GriPhyN Grid Summer Workshop
- NEESgrid Sysadmin Workshop