\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

Slides:



Advertisements
Similar presentations
Introduction of Grid Security
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
Security APIs in LCG-2 Andrea Sciabà LCG Experiment Integration and Support CERN IT.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.
INFSO-RI Enabling Grids for E-sciencE Sofia, 22 March 2007 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
Security, Authorisation and Authentication.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Academia Sinica Grid Computing Certification Authority (ASGCCA)
INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos MTA SZTAKI With thanks for some slides to.
Next Steps: becoming users of the NGS Mike Mineter
23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK
Next Steps.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Security Vulnerability Identification and Reduction Linda Cornwal, JRA1, Brno 20 th June 2005
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
Security, Authorisation and Authentication Mike Mineter, Guy Warner Training, Outreach and Education National e-Science Centre
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
SEE-GRID The SEE-GRID initiative is co-funded by the European Commission under the FP6 Research Infrastructures contract no SEE-GRID.
7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.
Security in WLCG/EGEE. Security – January Requirements Providers of resources (computers, storages, databases, services..) need risks to.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
Tutorial on "GRID Computing“ EMBnet Conference 2008 CNR - ITB Authenticated Grid access with robot certificates Giuseppe LA ROCCA INFN.
Security Bob Cowles
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Mike Mineter, National e-Science Centre.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.
INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.
Security, Authorisation and Authentication Mike Mineter,
Authentication, Authorisation and Security
Grid Security.
LCG Security Status and Issues
EGEE VO Management.
Security, Authorisation and Authentication
Grid Security Jinny Chien Academia Sinica Grid Computing.
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
PKI (Public Key Infrastructure)
Presentation transcript:

\ Grid Security and Authentication1

David Groep Physics Data Processing group Nikhef

Stakkato Grid Security and Authentication3 Slide and info: Leif Nixon, NSC, Linköping – CCGrid06 key note “The Stakkato Intrusions”

Then, in 2007 and February … Grid Security and Authentication4

Is It Random: 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, Grid Security and Authentication5 Only possible ssh keys!

More ssh ‘XXXX-CERT ’ Grid Security and Authentication6

Zombies for Sale Grid Security and Authentication7 Price for 1000 infected consumer computers: AU: US$ 300 US: US$ 110 NL: US$ 100 And grid systems are better connected than xDSL systems, so …

Incidents involving EGEE sites (per 3/2008 and extrapolated) Grid Security and Authentication8 Romain Wartel, CERN and OSCT; Most incidents are not malicious users, but stolen credentials plus a local exploit remote exploits

Grid Security and Authentication9 Weakness But What About Containment?  do not expire  cannot be revoked Oops … ssh keys

Security And Availability For All Involved Grid Security and Authentication10 Who are playing in the Grid Space, and thus: who get attacked? Virtual Organisations or Communities: you and your colleagues Resource Centres and Grid Services: CPU, Storage, Data base and service providers central services and coordination

Security and Availability ‘Security means more than merely preventing unauthorised access. It is pro-actively concerned with maximising the availability and integrity of all the services and data that might be required by authorised users. This Policy accordingly addresses the protection, confidentiality, integrity and availability of Resources and the Services running on them.’ Grid Security and Authentication11 From: LCG Security and Availability Policy version 4.0c

Security Policies Grid Security and Authentication12 Security and Availability Policy Site & VO Policies Certification Authorities Audit Requirements Incident Response User Registration & VO Management Application Development & Network Admin Guide Grid & VO AUPs Site Oper. Procedures

Grid Acceptable Use Policy Protecting the Grid and Resource Centres and tells you what you consent to: 1.Don’t do anything nasty 2.Your work stays within the scope of your VO 3.Report (potential) abuse or suspected account compromise 4.The Grid is not a guaranteed resource 5.Registration and logged information is used only for administrative, operational, accounting, monitoring and security purposes may be disclosed to other organizations anywhere in the world for these purposes 6.You’re liable for the consequences of violating the AUP Grid Security and Authentication13 Security and Availability Policy Site & VO Policies Certification Authorities Audit Requirements Incident Response User Registration & VO Management Application Development & Network Admin Guide Grid & VO AUPs Site Oper. Procedures

But Who Are You, and Why? You already got a ‘digital certificate’ A digital passport: it says who you are, not where you can go Technically called ‘X.509 identity certificate’ Digitally signed by a ‘certification authority’ Contains: your name, and a unique name in the world Grid Security and Authentication14 An X.509 Certificate contains: –owner’s public key; –identity of the owner; –info on the CA; –time of validity; –Serial number; –digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) CA Digital signature You prove possession by a ‘private key’ that only you know to sign transactions

Grid By Proxy Your private key MUST be protected by a pass phrase –Like ‘gRatJESolleSB&E’, or ‘o~gemds!oniE’ But –You don’t want to type that every few seconds –The broker has to work on your behalf –Password-less, short-lived, proxy certificates: Grid Security and Authentication15

Attached to your passport are ‘Visa’ Grid ‘visa’ are issues by your community (VO) Technically called ‘VOMS Attribute Certificates’ Digitally signed by the community server Contains: your roles and group memberships Bound to your passport (“X.509”) distinguished name Embedded in your temporary proxy certificate Grid Security and Authentication16 C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy Pinco’s VO attributes Quer y Authentication Request Auth DB C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert

Acceptable Credentials on the Grid Grid Security and Authentication17 All Credentials Have A Life Time –Long lived credentials must be revocable –Short lived (< 100ks) credentials may be left to expire So we get X.509 identity certificates: 1 year Proxy credentials: between 12 and ~24 hours VOMS attributes: ~ 24 hours Proxies in a trusted credential store MyProxy: 1Ms, ~11 days It seems horribly complicated, but … … but you get global trust, instead of signing up at 250 sites! ‘Let’s not make the SSH mistake again’

How do the sites know me (and I them)? International Grid Trust Federation All research grid infrastructures share the same base set of trusted third parties (‘CAs’) There is typically one in each country The credentials they issue are comparable in quality Grid Security and Authentication18

VOs that comply with the Policy Sites supporting the VO trust the ‘visa’ issued Trust anchor available to all sites from the trusted source VO manager is responsible for adding and removing users subject to the VO management policy Grid Security and Authentication19 EGEE Operations Portal:

So, where does that leave us? Is the grid safe? You never know … –Strong authentication of users and resources by certificates –Exposure is time-limited and revocable –Community membership via secured ‘visa’ –Encrypted and integrity-protected communications –Grid and sites subject to policies, with data protection taken seriously, commensurate with the open, scientific nature of the infrastructure –A vulnerability and risk assessment process to work on the software –Auditing and incident response teams across Europe and the Grids And you now know more-or-less how this works But, as always, it remains a matter of trust … Grid Security and Authentication20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.