Tecnologia dei Servizi Grid e cloud computing - Lezione 5B - 18 November 2009


Lecture 5B - 18 November 2009. The teaching material used in this course was adapted from the material used by Paolo Veronesi for the course Griglie Computazionali of the Laurea Specialistica in Informatica, held in academic year 2008/09 at the Università degli Studi di Ferrara. Università degli Studi di Bari - Corso di Laurea Specialistica in Informatica - Tecnologia dei Servizi Grid e cloud computing, A.A. 2009/2010. Giorgio Pietro Maggi.

Slide 1: Overview
- Securing the Channel
- GSI and Mutual Authentication
- Authorization
- Federated Trusts

Slide 2: Securing the Channel

Slide 3: Techniques
Transport-Level Security (TLS)
- Creation of a secure point-to-point connection between the client and the server
- Uses an SSL/TLS implementation
Message-Level Security (MLS)
- SOAP messages are signed and/or encrypted and sent over a non-secure socket connection
- Uses emerging WS standards such as WS-Security, WS-SecureConversation and XML Signature

Slide 4: Transport-Layer Security, TLS: Pros and Cons
Pros
- SSL/TLS has been an Internet standard for years
- Fast implementations are available
Cons
- Implemented at the socket layer, so it is difficult to propagate security-related information (e.g. the client's DN, security assertions) to higher levels in the software stack
- Because the socket connection is point-to-point, it does not work for multi-hop connections, e.g. in the presence of firewalls, intermediaries, etc.: each hop terminates the TLS session, so end-to-end protection and the original client identity are lost at the intermediary

Slide 5: Message-Level Security, MLS: Pros and Cons
Pros
- No need for a secure point-to-point connection; works well for multi-hop connections
- Since security is applied at the message level, portions of a message can be encrypted, which is useful when messages contain a mixture of sensitive and non-sensitive information
- Authorization information (e.g. assertions) can be propagated easily to higher levels in the software stack
Cons
- Performance: signing and encrypting XML per message is considerably more expensive than a bulk-encrypted TLS session

Slide 6: OGSA Basic Security Profile 1.0
Based on: WS-I Basic Security Profile, HTTP over TLS, TLS 1.0
Focus:
- Mutual authentication. The Profile mandates the use of a secure transport-layer protocol to ensure mutual authentication of both ends of a Web service communication
- Integrity. The Profile mandates the use of a secure transport-layer protocol to ensure data integrity while communicating with Web services
- Confidentiality. The Profile mandates the use of a secure transport-layer protocol to ensure the confidentiality of a Web service communication
Note that TLS 1.0, the version this 2009 profile builds on, has since been deprecated (RFC 8996); current deployments should require TLS 1.2 or later.

Slide 7: Mutual Authentication

Slide 8: Mutual Authentication
If two parties have certificates, and if each trusts the CA that signed the other's certificate, then the two parties can prove to each other that they are who they say they are. This is known as mutual authentication.
GSI (Grid Security Infrastructure) uses TLS for its mutual authentication protocol; it is the standard secure transport for pre-WS services in Grids.
Before mutual authentication can occur, the parties involved must first trust the CAs that signed each other's certificates. In practice, this means that they must have copies of the CAs' certificates, which contain the CAs' public keys, and that they must trust that these certificates really belong to the CAs. In a Grid, each site installs the certificates of the CAs it accepts in a local trust store and is responsible for keeping them, and the corresponding CRLs, up to date.

Slide 9: The Grid Security Infrastructure (GSI)
Based on X.509 PKI:
- every user/host/service has an X.509 certificate;
- certificates are signed by CAs trusted by the local sites;
- every Grid transaction is mutually authenticated:
  1. John sends his certificate;
  2. Paul verifies the CA signature on John's certificate;
  3. Paul sends John a challenge string (a random phrase);
  4. John encrypts the challenge string with his private key;
  5. John sends the encrypted challenge to Paul;
  6. Paul uses John's public key to decrypt the challenge;
  7. Paul compares the decrypted string with the original challenge;
  8. if they match, Paul has verified John's identity and John cannot repudiate it.
Now that Paul trusts John's identity, the same operation happens in reverse, with Paul presenting his certificate to John.
(Figure: John sends his certificate to Paul; Paul verifies the CA signature and sends a random phrase; John encrypts it with his private key and returns the encrypted phrase; Paul decrypts it with John's public key and compares it with the original phrase.)
Steps 4-7 are a digital signature over the challenge. In the actual TLS handshake used by GSI the client proves possession of its private key by signing the handshake messages (the CertificateVerify message) rather than a separately sent phrase, and the check in step 2 also includes the certificate's validity period and revocation status.
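The exchange on slide 9, carried through as an added example (not code from the lecture or from Globus/GSI). It models the CA, the certificate, the signature check of step 2 and the challenge-response of steps 3-8 in both directions, using textbook RSA over SHA-256 digests. The CA name, the two user DNs and the key sizes are constructed for the example; the RSA here has no padding and there is no revocation check, so it illustrates the logic and must never protect real traffic.

```python
# Added example: a toy model of the GSI mutual authentication steps on slide 9.
# Not code from the lecture or from Globus/GSI. Textbook RSA over SHA-256
# digests, no padding, small keys, no revocation: illustration only.
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return ((n, e), (n, d)): public and private key (toy RSA)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """'Encrypt with the private key' on the slide is a signature over the data."""
    n, d = priv
    return pow(_digest(data), d, n)


def verify(pub, data, sig):
    """'Decrypt with the public key and compare with the original' on the slide."""
    n, e = pub
    return pow(sig, e, n) == _digest(data)


def _tbs(subject, pub, issuer):
    """To-be-signed bytes of a toy certificate: subject DN, public key, issuer DN."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue_cert(ca_name, ca_priv, subject, subject_pub):
    """The CA binds a subject DN to a public key by signing the pair."""
    return {"subject": subject, "pub": subject_pub, "issuer": ca_name,
            "sig": sign(ca_priv, _tbs(subject, subject_pub, ca_name))}


def verify_cert(cert, trusted_cas):
    """Step 2: the CA signature is checked against the locally trusted CA list."""
    ca_pub = trusted_cas.get(cert["issuer"])
    return ca_pub is not None and verify(
        ca_pub, _tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"])


def authenticate_peer(peer_cert, peer_sign, trusted_cas):
    """One direction of the exchange (steps 1-8). peer_sign is the remote
    party's private-key operation; returns the verified DN or None."""
    if not verify_cert(peer_cert, trusted_cas):                # steps 1-2
        return None
    challenge = random.getrandbits(128).to_bytes(16, "big")    # step 3
    response = peer_sign(challenge)                            # steps 4-5
    if not verify(peer_cert["pub"], challenge, response):      # steps 6-7
        return None
    return peer_cert["subject"]                                # step 8


def mutual_authentication(john_cert, john_priv, paul_cert, paul_priv, trusted_cas):
    """Paul authenticates John, then the same exchange runs in reverse.
    Returns (john_dn, paul_dn) on success, None if either direction fails."""
    john = authenticate_peer(john_cert, lambda c: sign(john_priv, c), trusted_cas)
    if john is None:
        return None
    paul = authenticate_peer(paul_cert, lambda c: sign(paul_priv, c), trusted_cas)
    if paul is None:
        return None
    return john, paul


def demo():
    """Constructed CA and users; the DNs imitate the INFN examples on the slides."""
    ca_name = "/C=IT/O=INFN/CN=INFN CA"
    ca_pub, ca_priv = keygen()
    trusted = {ca_name: ca_pub}            # both sides trust the same CA
    john_pub, john_priv = keygen()
    paul_pub, paul_priv = keygen()
    john = issue_cert(ca_name, ca_priv, "/C=IT/O=INFN/CN=John", john_pub)
    paul = issue_cert(ca_name, ca_priv, "/C=IT/O=INFN/CN=Paul", paul_pub)
    ok = mutual_authentication(john, john_priv, paul, paul_priv, trusted)
    # An impostor holding John's certificate but not his key fails at step 7.
    _, rogue_priv = keygen()
    impostor = mutual_authentication(john, rogue_priv, paul, paul_priv, trusted)
    return ok, impostor
```

The two failure cases worth noting: a certificate from a CA absent from the trust store is rejected before any challenge is sent, and a party that presents someone else's certificate without the matching private key passes step 2 but fails step 7. Both map directly onto what a site's trust-store configuration and the TLS handshake enforce in a real GSI deployment.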

Slide 10: Authorization

Slide 11: What Can I Do?
- Identity is established through authentication
- Authentication gives no information about the user's permissions, rights or privileges
- A separate infrastructure is needed to manage user privileges
- Authorisation is an ongoing research area with many solutions
- Most solutions involve integrating many separate technologies, and often many authorisation (AuthZ) technologies

Slide 12: Access Control Lists (ACLs)
Let's start with the simplest scenario:
- Once a user has authenticated, they are checked against a local list of users
- Simple to understand and works well for mini-grids
- Grid-map file: each line maps a certificate DN to a local account
But...
- What if access to a resource is needed for a different purpose by the same person? Multiple entries or multiple lists?
- What if we want HUNDREDS of users? Busy, busy sysadmins!

Slide 13: Problems with the grid-mapfile
- Very coarse-grained authorization: remote users are mapped directly to UNIX users.
- Classification of users into categories must be done on a local-farm basis without input from the VO (this may result in the same user having very different privileges in different farms).
- No support for groups or roles.
Grid-mapfile authorization is not flexible.

Slide 14: A better way...
- Just a straight list of users is too difficult to maintain and is not flexible enough for Grids
- What usually defines a person's permissions on a resource? What kind of jobs do people have? Doctor, Nurse, Student, Lecturer, Director, CEO, SysAdmin, PhD
- People come and go, but job descriptions are generally static
- Any exceptions should be easy to manage
Can you see where this may be going?

Slide 15: Role Based Access Control
- Access to a resource should be granted according to a user's ROLE within the VO
- Multiple roles may be held by a user
- Different levels of authorisation may be enforced
- Role hierarchies may be supported
- Access may be granted by role only, if anonymous access is required
- No policy changes are required as users come and go: happy sysadmins! Just grant users the necessary role when they join the VO and they will have access.
So how do we grant roles to users?

Slide 16: Privilege Management Infrastructures (PMIs)
- We can utilise the secure infrastructure provided by X.509 certificates to assign roles to users
- The X.509 specification was extended to support PRIVILEGE ATTRIBUTES (X.509 attribute certificates, profiled for Internet use in RFC 5755)
- So as well as the normal information in their certificate, a user may be assigned one or more ATTRIBUTE CERTIFICATES, which contain a signed assertion of their role within the VO
- Many similarities to PKIs...

Slide 17: PKI and PMI
A PMI is to authorisation what a PKI is to authentication, hence the similar concepts:

Concept               | PKI entity                                   | PMI entity
----------------------|----------------------------------------------|---------------------------------------------
Certificate           | Public Key Certificate (PKC)                 | Attribute Certificate (AC)
Certificate issuer    | Certification Authority (CA)                 | Attribute Authority (AA)
Certificate user      | Subject                                      | Holder
Certificate binding   | Subject's name to public key                 | Holder's name to privilege attribute(s)
Revocation            | Certificate Revocation List (CRL)            | Attribute Certificate Revocation List (ACRL)
Root of trust         | Root Certification Authority or Trust Anchor | Source of Authority (SOA)
Subordinate authority | Subordinate Certification Authority          | Attribute Authority (AA)

Slide 18: PMI in Grid
- The PMI is defined by a standards body (it is part of the ITU-T X.509 recommendation)
- In Grid systems, the most successful privilege attribute management system is VOMS
- VOMS has many concepts close to the PMI model, applied to proxy certificates
- Another emerging approach is GridShib

Slide 19: VO Management: VOMS, the Virtual Organization Membership Service

Slide 20: What is VOMS
- The most successful privilege attribute manager available today to Grid VOs
- VOMS is an X.509 Attribute Authority with special support for grids
- Adds groups and roles
- Adds Attribute Certificates (ACs) directly in the user proxy
- Used via the voms-proxy-init command
- Compatible with grid-proxy-init

Slide 21: VOMS Objectives and requirements
- To provide a secure system for Virtual Organizations (VOs) to organize users into groups and/or roles and to disseminate this information
- A VO is a collection of users and resources working together on a common project
- Membership in a VO is restricted information
- Extensibility: users should be able to specify how much information they want to publish
- Backwards compatibility with the Globus Toolkit: should not invalidate established GT-based mechanisms, and should minimize software requirements beyond the GSI libraries in the core components

Slide 22: VOMS Solution
- Grant authorization at the VO level
- Each VO has its own VOMS server
- The server contains (group / role / capability) triples for each member of the VO
- Also supports forced groups (for negative permissions)
- This information is inserted in a well-defined non-critical extension of the user proxy
- All client-server communication is secure and authenticated
- The authorization information must still be processed (mapped to local policy) by the local sites

Slide 23: VOMS: Client-Server Interaction
1. Mutual authentication between client and server: secure communication channel via Globus GSI
2. The client sends a signed request to the server
3. The server checks the identity of the user and the syntactic correctness of the request
4. The server signs the authorization information and returns it to the client
5. The client checks the consistency and validity of the information returned
6. Steps 1-5 may be repeated for any number of VOMS servers
7. The client creates a proxy certificate that includes the information returned by the VOMS servers
8. Finally, the client may decide to also include additional information provided by the user (e.g. Kerberos tickets)
(Figure: the client's authentication request and query go to the VOMS server, which consults its Auth DB and returns a VOMS pseudo-certificate; the client embeds it in a proxy with subject /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy.)

Slide 24: Pseudo Certificate Format
- This pseudo-certificate is included in a non-critical extension of the user's proxy, identified by its own OID
- Conversion to a true attribute certificate has already started
- There is one such certificate for each VOMS server contacted
Example layout (the labels on the slide mark the user's identity, the server identity and the fields signed by vomsd):
  /C=IT/O=INFN/L=CNAF/CN=Vincenzo it          (user's identity)
  /C=IT/O=INFN/CN=INFN CA                      (user's CA)
  /C=IT/O=INFN/OU=gatekeeper/L=PR              (server identity)
  /C=IT/O=INFN/CN=INFN CA                      (server's CA)
  VO: CMS
  URI:
  TIME1: Z
  TIME2: Z
  GROUP: montecarlo
  ROLE: administrator
  CAP: 100 GB disk
  SIGNATURE: (binary signature produced by vomsd)

Slide 25: Groups and Roles in VOMS
- Every user in a VO belongs to at least one group, e.g. /infngrid
- And may also belong to some subgroups, e.g. /infngrid/g1, /infngrid/g2, meaning subgroups g1 and g2 of /infngrid
- There are also Roles, e.g. /Role=VO-Admin
- Roles make sense only in the context of a group, e.g. /Role=VO-Admin in the group /infngrid
- Compact way of describing it, the Fully Qualified Attribute Name (FQAN): /infngrid/Role=VO-Admin, i.e. holding the role VO-Admin in the group /infngrid
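An added example (not code from the lecture, nor from VOMS or any site mapping tool) contrasting the two authorization models above: the identity-only grid-mapfile of slide 12 and a role-based mapping driven by the VOMS FQANs of slide 25. The two mapfiles are constructed, the DNs and accounts are invented, and the pattern rules in fqan_matches (a trailing /* covering a group and its subgroups, a pattern without Role matching any role in that group) are this example's own conventions rather than a specification.

```python
# Added example: DN-based grid-mapfile lookup (slide 12) next to FQAN-based
# role mapping (slide 25). Not code from the lecture or from VOMS.
import re

# Constructed grid-mapfile: one "DN" account per line (slide 12 model).
GRID_MAPFILE = '''\
"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla" pinco
"/C=IT/O=INFN/CN=John Smith" cms001
'''

# Constructed group map: an FQAN pattern and a local account. Order matters;
# the first matching entry wins, so specific roles are listed before groups.
GROUP_MAPFILE = '''\
"/infngrid/Role=VO-Admin" infnadmin
"/infngrid/g1" infng1
"/infngrid/*" infnuser
"/cms/Role=production" cmsprod
"/cms" cmsuser
'''

_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return an ordered list of (key, account); blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed mapfile line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def map_by_dn(dn, mapfile_text):
    """Slide 12: identity-only mapping. One DN -> one account, whatever the role."""
    for key, account in parse_mapfile(mapfile_text):
        if key == dn:
            return account
    return None


def parse_fqan(fqan):
    """Split '/vo/group[/sub...][/Role=r][/Capability=c]' into (group, role, cap).
    VOMS writes Role=NULL and Capability=NULL when unset; both become None."""
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    groups, role, cap = [], None, None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif not part or role is not None or cap is not None:
            raise ValueError(f"malformed FQAN: {fqan!r}")
        else:
            groups.append(part)
    norm = lambda v: None if v in (None, "NULL") else v
    return "/" + "/".join(groups), norm(role), norm(cap)


def fqan_matches(pattern, fqan):
    """This example's pattern rules: '/g/*' matches group g and all subgroups
    with any role; a pattern with a Role matches only that role in that exact
    group; a pattern without a Role matches any role in that exact group."""
    group, role, _ = parse_fqan(fqan)
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return group == base or group.startswith(base + "/")
    pgroup, prole, _ = parse_fqan(pattern)
    return group == pgroup and (prole is None or prole == role)


def map_by_fqans(fqans, groupmap_text):
    """Slide 25: role-based mapping. FQANs are tried in the order VOMS placed
    them in the proxy (the first one is the primary FQAN); for each, the first
    matching group map entry wins."""
    entries = parse_mapfile(groupmap_text)
    for fqan in fqans:
        for pattern, account in entries:
            if fqan_matches(pattern, fqan):
                return account
    return None
```

The same person can obtain different local privileges simply by requesting a different primary FQAN from voms-proxy-init, which is exactly what the single-entry grid-mapfile on slide 12 could not express; the site keeps control because the mapping from FQAN to account is still decided locally.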

Slide 26: Federated Trusts

Slide 27: SAML, Security Assertion Markup Language
- XML-based framework for the exchange of assertions about authentication and authorization
- Defined by the OASIS Security Services Technical Committee
- Standard for managing identities
A bit of history:
- Nov 2002: SAML v1.0
- Sep 2003: SAML v1.1; many projects adopt SAML for managing access to Web resources
- Mar 2005: SAML v2.0, the convergence of SAML 1.1, Liberty Alliance ID-FF 1.2 and Shibboleth 1.3

Slide 28: SAML: Main Components (figure only)

Slide 29: Federated Trust
- The best entity to authenticate a person is their home institution/company
- Its information will be up to date
- It will always know a person better than a remote site; a remote site may not know whether a user is still valid or not
- Can we utilise a user's home credentials to access remote resources?

Slide 30: Shibboleth
- Internet2 project
- Standards-based (SAML)
- Allows for identity federation: Identity == Identifier + Attributes; the identifier may or may not be a persistent name
- Allows for pseudonymity via temporary, meaningless identifiers called Handles
- Allows for inter-institutional sharing of Web resources (via browsers)
- Provides attributes for authorization between institutions
- Being extended to non-web resources

Slide 31: Shibboleth (continued)
- Federated authentication system using SAML for the secure conversation
- Enables Single Sign-On to web pages and portals
- Authentication is done by the user's home institution: the Identity Provider (Origin)
- Authorisation (and access) is done by the resource: the Service Provider (Target)

Slides 32-38: Shibboleth login flow to a Grid portal
(Figure, repeated on each slide: User; Grid Portal acting as Service Provider, with the Application and the AuthZ function; Home Institution acting as Identity Provider, with its LDAP; WAYF service; Federation.)
1. The user points the browser to the portal.
2. Shibboleth redirects the user to the W.A.Y.F. ("Where Are You From") service.
3. The user selects their home institution.
4. AUTHENTICATE: the home institution confirms the user's ID against its local LDAP and pushes attributes to the Service Provider.
5. The portal logs the user in and presents the attributes to the authorisation function.
6. AUTHORISE: the portal passes the attributes to the AuthZ function, which makes the final access control decision.
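What the portal's AuthZ function receives in steps 4-6, as an added example that is not code from the lecture or from Shibboleth. The SAML 2.0 assertion below is constructed (the IdP and SP entity IDs, the transient NameID, the validity window and the entitlement value are invented; the attribute OIDs are the standard eduPerson ones). It assumes the Service Provider has already verified the assertion's XML signature, which is out of scope here; the code shows the checks that must still happen before attributes are trusted (issuer, validity window, audience) and an attribute-based decision that never looks at the user's identity.

```python
# Added example: consuming the attributes an IdP pushed to the SP (slides 36-38).
# Not code from the lecture or from Shibboleth. XML signature verification is
# assumed to have been done by the SP before this point.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://portal.example.org/shibboleth"            # constructed
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}          # constructed
REQUIRED_ENTITLEMENT = "urn:mace:example.org:grid:cms:user"        # constructed

# Constructed SAML 2.0 assertion as pushed by the home institution. The NameID
# is transient: a temporary handle, not the person's name (slide 30).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2009-11-18T10:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-11-18T09:59:00Z" NotOnOrAfter="2009-11-18T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example.org:grid:cms:user</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(iso_z):
    """SAML timestamps are UTC with a trailing Z; return an aware datetime."""
    return dt.datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_attributes(xml_text, expected_audience, trusted_issuers, now):
    """Return {attribute name: [values]} after checking issuer, validity window
    and audience; raise ValueError if any condition fails."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def authorize(attrs):
    """Slide 38: the decision is made on attributes, not on who the user is."""
    entitled = REQUIRED_ENTITLEMENT in attrs.get("eduPersonEntitlement", [])
    affiliated = bool({"member", "staff"} & set(attrs.get("eduPersonAffiliation", [])))
    return entitled and affiliated


def decide(xml_text, now):
    """Steps 5-6: validate the assertion, then hand its attributes to authorize()."""
    try:
        attrs = extract_attributes(xml_text, SP_ENTITY_ID, TRUSTED_IDPS, now)
    except ValueError:
        return False
    return authorize(attrs)
```

Checking the audience is what stops an assertion issued for one Service Provider from being replayed at another, and the validity window bounds how long a captured assertion stays useful; an SP that reads the AttributeStatement without these checks has effectively delegated its access control to whoever can obtain a signed assertion from the IdP.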

Slide 39: GridShib
- GridShib enables secure attribute sharing between Grid virtual organizations and higher-education institutions
- The goal of GridShib is to integrate the Globus Toolkit with Shibboleth
- GridShib adds attribute-based authorization to the Globus Toolkit

Slide 40: A Tale of Two Technologies
(Figure: a Grid Client sits between the Globus Toolkit, using X.509 and the Grid Security Infrastructure, and Shibboleth, using SAML and a Shibboleth Federation; GridShib bridges Grid/X.509 with Shib/SAML.)

Slide 41: Operation Modes
- Pull: after the client has been authenticated, the Grid SP requests attributes from the client's own administrative domain via a back-channel exchange
- Push: the client provides the attributes up front, obtaining them and pushing them to the Grid SP at the time of the initial request
In either case, the Grid SP obtains the user attributes it needs to make an informed access control decision (authorization)

Slide 42: References, Lecture 5
- GT 4.0 Security: Key Concepts
- Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective
- Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy
- EGEE Project and gLite Middleware
- GILDA Infrastructure
- gLite User Guide, chapters 1, 2, 3.3.1, 3.3.2, 4