Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Slides:



Advertisements
Similar presentations
Introduction of Grid Security
Advertisements

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Public Key Management and X.509 Certificates
Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK
INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Security, Authorisation and Authentication.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.
Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
E-Science Security Roadmap Grid Security Task Force From original presentation by Howard Chivers, University of York Brief content:  Seek feedback on.
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
An overview of the EGEE infrastructure and middleware EGEE is funded by the European Union under contract IST Emmanuel Medernach Based on a.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EGEE is a project funded by the European Union CA overview and requirements Ognjen Prnjat, Nikos Vogiatzis GRNET EGEE-SEE regional kick-off, April 7-8.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Authentication, Authorisation and Security
Grid Security.
Grid Security Jinny Chien Academia Sinica Grid Computing.
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Grid School Module 4: Grid Security
Grid Security Overview
Grid Security Infrastructure
Presentation transcript:

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,

International Summer School for Grid Computing 2005 Why security? Information has value  Copyright  Patent Responsibility  To ensure good behavior on resources held in common requires that actions can be linked to individuals – audit trails Confidence  Users will not use a system which is not trusted  Resource providers will not allow their resources onto an insecure system Not just hardware resources, data resources are crucial too.

International Summer School for Grid Computing 2005 The value of information Small pieces of information may seem of little value  However in large groupings may reveal valuable patterns  - Traffic analysis in military intelligence  - Individual genetics -> population genetics  - Analysis of spending patterns from receipts People value privacy  Although mostly when noticeably removed

International Summer School for Grid Computing 2005 Is this new? Communities and organisations have been managing access to common resources for millennia  Although frequently not successfully “tragedy of the commons” Over grazing – dustbowl, Mediterranean environments ? (goats)  Because this is a HARD problem States continually struggle with the idea of authentication  Balance the need for authentication with the need for freedom/privacy Should/can computing solutions be different?

International Summer School for Grid Computing 2005 Security Concepts (triple A) Authentication  Are you who you claim to be? Authorisation  Do you have access to the resource you are connecting to? Accounting  What did you do, when did you do it and where did you do it from?

International Summer School for Grid Computing 2005 The Virtual Organisation This term was coined to describe a distributed organisation which has the task of managing access to resources which are accessed through computer network Implementations have been created which have their own more specialised definitions of the term  Eg. EGEE

International Summer School for Grid Computing 2005 Aspects of Grid Security Resources being used may be valuable & the problems being solved sensitive Dynamic formation and management of virtual organizations (VOs)  Large, dynamic, unpredictable… VO Resources and users are often located in distinct administrative domains  Can’t assume cross-organizational trust agreements  Different mechanisms & credentials Interactions are not just client/server, but service-to-service on behalf of the user  Requires delegation of rights by user to service  Services may be dynamically instantiated slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 The Trust Model Certification Domain A Server XServer Y Policy Authority Policy Authority Task Domain B Sub-Domain A1 GSI Certification Authority Sub-Domain B1 Authority Federation Service Virtual Organization Domain No Cross- Domain Trust slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 Delegation A Site delegates responsibility for the users that may access its resources to the managers/management system. An organisation delegates its rights to a user. A user delegates their authentication to a service to allow programs to run on remote sites. Delegation : The act of giving an organisation, person or service the right to act on your behalf.

International Summer School for Grid Computing 2005 Use Delegation to Establish Dynamic Distributed System Compute Center VO Service slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 Goal is to do this with arbitrary mechanisms Compute Center VO Rights Compute Center Service Kerberos/ WS-Security X.509/SSL SAML Attribute slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 INSECURE SECURE Public Private Key Life Savings Alice Bob Life Savings Private KeyMessage Public Key

International Summer School for Grid Computing 2005 Public Key Infrastructure (PKI) PKI allows you to know that a given key belongs to a given user. PKI builds off of asymmetric encryption:  Each entity has two keys: public and private.  Data encrypted with one key can only be decrypted with other.  The public key is public.  The private key is known only to the entity. The public key is given to the world encapsulated in a X.509 certificate. slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 Certificates Similar to passport or driver’s license: Identity signed by a trusted party Name Issuer Public Key Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 John Doe 755 E. Woodlawn Urbana IL BD Male 6’0” 200lbs GRN Eyes State of Illinois Seal

International Summer School for Grid Computing 2005 Certificate Authorities A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates A Certificate Authority is an entity that exists only to sign user certificates Users authenticate themselves to CA, for example by use of their Passport or Identity Card. The CA signs it’s own certificate which is distributed in a secure manner. Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 Certificate Request Private Key encrypted on local disk Certificate Request Public Key ID Cert User generates public/private key pair. User send public key to CA along with proof of identity. CA confirms identity, signs certificate and sends back to user. slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Public

International Summer School for Grid Computing 2005 Inside the Certificate Standard (X.509) defined format. User identification (e.g. full name). Users Public key. A “signature” from a CA created by encoding a unique string (a hash) generated from the users identification, users public key and the name of the CA. The signature is encoded using the CA’s private key. This has the effect of:  Proving that the certificate came from the CA.  Vouching for the users identification.  Vouching for the binding of the users public key to their identification.

International Summer School for Grid Computing 2005 Certificate Validity The public key from the CA certificate can then be used to verify the certificate. Name Issuer: CA Public Key Signature =? Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Decrypt CA

International Summer School for Grid Computing 2005 User Authorisation to Access Resource slide based on presentation given by Carl Kesselman at GGF Summer School 2004

International Summer School for Grid Computing 2005 Authorisation Requirements Detailed user rights assigned:  User can have certain group membership and roles Involved parties:  Resource providers. Keep full control on access rights.  The users Virtual Organisation. Member of a certain group should have same access rights independent of resource. Resource provider and VO must agree on authorisation:  Resource providers evaluate authorisation granted by VO to a user and map into local credentials to access resources

International Summer School for Grid Computing 2005 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. IT IS YOUR PASSPORT AND CREDIT CARD

International Summer School for Grid Computing 2005 Grid Security Infrastructure (GSI) Globus Toolkit TM proposed and implements the Grid Security Infrastructure (GSI)  Protocols and APIs to address Grid security needs GSI protocols extend standard public key protocols  Standards: X.509 & SSL/TLS  Extensions: X.509 Proxy Certificates (single sign-on) & Delegation GSI extends standard GSS-API (Generic Security Service)  The GSS-API is the IETF standard for adding authentication, delegation, message integrity, and message confidentiality to applications. Proxy Certificate:  Short term, restricted certificate that is derived form a long-term X.509 certificate  Signed by the normal end entity cert, or by another proxy  Allows a process to act on behalf of a user  Not encrypted and thus needs to be securely managed by file system

International Summer School for Grid Computing 2005 Example: VO-LDAP server for Authorisation mkgridmap grid-mapfile VO Directory CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local users ban list Adopted by DataGrid Testbed0 (2001/02) DataGrid Testbed1 (2003) DataTAG Testbed (2003)

International Summer School for Grid Computing 2005 Accounting Summary User via Certificates and Delegated Services AuthenticationAuthorisation delegated to VO Resource

International Summer School for Grid Computing 2005 Finer grained security A user may have different rights in different contexts Systems being deployed which give finer grained access  Roles (eg. Sys admin, user, clinician, top secret clearance, etc)  VOMS, Permis

International Summer School for Grid Computing 2005 Acknowledgements Many slides in this presentation are based on the presentation given by Carl Kesselman at the GGF Summer School This presentation may be found at curriculum.htm

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.