INFSO-RI Enabling Grids for E-sciencE

Getting Started
Guy Warner, NeSC Training Team
Induction to Grid Computing and the National Grid Service, 10th-11th March 2005
Acknowledgements

Some of the slides in this presentation are based on / motivated by:
– The presentation given by Carl Kesselman at the GGF Summer School. This presentation may be found at – curriculum.htm
– Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at –
– The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at –
The Problem

Question: How does a user securely access the Resource without having an account on the machines in between, or even on the Resource?
Question: How does the Resource know who a user is and that they are allowed access?
[Diagram: User ... Resource]
Overview

– Security
– Grid Security Infrastructure
– Authentication
– Encryption & Data Integrity
– Authorization
Approaches to Security: 1 – The Poor Security House [picture]

Approaches to Security: 2 – The Paranoid Security House [picture]

Approaches to Security: 3 – The Realistic Security House [picture]
Approaches to Grid Security

The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) means of identification.
– Private identification (key) left in a publicly available location.

The Paranoid Security Approach:
– Don't use any communications (no network at all).
– Don't leave the computer unattended.

The Realistic Security Approach:
– Encrypt all sensitive communications.
– Use difficult-to-break means of identification.
– Keep identification secure at all times (e.g. encrypted on a memory stick).
– Only allow access to trusted users.
The Risks of Poor User Security

Launch attacks on other sites
– Large distributed farms of machines are perfect for launching a Distributed Denial of Service attack.
Illegal or inappropriate data distribution, and access to sensitive information
– Massive distributed storage capacity is ideal, for example, for swapping movies.
Damage caused by viruses, worms etc.
– A highly connected infrastructure means worms spread faster than on the internet in general.
Authentication and Authorization

Authentication
– Are you who you claim to be?
Authorisation
– Do you have access to the resource you are connecting to?
[Image: driver's license for "John Doe, 755 E. Woodlawn, Urbana IL", presented by "Jane"]
The Trust Model

[Diagram: Certification Domain A (Server X, Server Y, Policy Authority, Sub-Domain A1, GSI Certification Authority); Task Domain B (Policy Authority, Sub-Domain B1 Authority); Federation Service; Virtual Organization Domain. No cross-domain trust.]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
[Diagram, no title: an INSECURE and a SECURE way for Alice to send a message ("Life Savings") to Bob; labels: Message, Public Key, Private Key]
Public Key Infrastructure (PKI)

PKI allows you to know that a given key belongs to a given user.
PKI builds on asymmetric encryption:
– Each entity has two keys: public and private.
– Data encrypted with one key can only be decrypted with the other.
– The public key is public.
– The private key is known only to the entity.
The public key is given to the world encapsulated in an X.509 certificate.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Certificates

Similar to a passport or driver's license: an identity signed by a trusted party.
[Diagram: certificate with fields Name, Issuer, Public Key, Signature, alongside a State of Illinois driver's license for John Doe]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Certificate Authorities

A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates.
A Certificate Authority is an entity that exists only to sign user certificates.
Users authenticate themselves to the CA, for example by use of their passport or identity card.
The CA signs its own certificate, which is distributed in a secure manner.
[Diagram: CA certificate – Name: CA, Issuer: CA, CA's Public Key, CA's Signature]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Delegation and Certificates

Delegation: the act of giving an organization, person or service the right to act on your behalf.
For example: a user delegates their authentication to a service to allow programs to run on remote sites.
[Diagram of the signing chain:]
– Stage 1 (low frequency): the CA certificate signs itself.
– Stage 2 (medium frequency): the CA certificate signs the user certificate.
– Stage 3 (high frequency): the user certificate signs a proxy certificate, which is used with the Service.
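The three-stage chain on this slide, together with the PKI and Certificate Authority slides before it, as an added worked example that is not part of the original presentation and is not Globus/GSI code: a CA signs its own certificate, the CA signs a user certificate, and the user signs a short-lived proxy; a resource then walks the chain back to the CA it trusts. It assumes "textbook" RSA (SHA-256 digest, no padding) with deliberately small keys and JSON dicts in place of X.509 so that it runs with the standard library only; the names, lifetimes and the rule that a proxy may not outlive the certificate that signed it are assumptions for the example.

```python
# Added worked example (not from the slides, not Globus/GSI code): a toy
# three-stage trust chain, CA -> user certificate -> proxy certificate, and
# the checks a resource performs when a proxy is presented.
# Assumptions: "textbook" RSA (SHA-256 digest, no padding) with small keys,
# JSON dicts standing in for X.509; names and lifetimes are constructed.
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=512):
    """Toy RSA key pair: public (n, e), private (n, d). Small keys keep it fast."""
    e = 65537
    half = bits // 2
    while True:
        p = q = 0
        while not is_probable_prime(p):
            p = secrets.randbits(half) | (1 << (half - 1)) | 1
        while q == p or not is_probable_prime(q):
            q = secrets.randbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(tbs):
    """SHA-256 of the to-be-signed fields as canonical JSON, as an integer."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_cert(subject, issuer_cert, issuer_priv, subject_pub, not_after):
    """The issuer's private key signs the subject's name and public key.
    issuer_cert=None means self-signed: the CA signing its own certificate."""
    issuer = subject if issuer_cert is None else issuer_cert["tbs"]["subject"]
    tbs = {"subject": subject, "issuer": issuer,
           "pub": list(subject_pub), "not_after": not_after}
    n, d = issuer_priv
    return {"tbs": tbs, "sig": pow(_digest(tbs), d, n)}


def signature_ok(cert, signer_pub):
    """Recover the digest with the signer's public key and compare."""
    n, e = signer_pub
    return pow(cert["sig"], e, n) == _digest(cert["tbs"])


def verify_chain(leaf, intermediates, trusted_ca, now):
    """Walk leaf -> issuer -> ... -> trusted CA.  Each link must: name an
    issuer we hold, verify under that issuer's public key, be unexpired at
    `now`, and (proxy rule assumed for this example) not outlive its issuer.
    Returns (ok, reason)."""
    by_subject = {c["tbs"]["subject"]: c for c in intermediates + [trusted_ca]}
    cert = leaf
    for _ in range(len(intermediates) + 2):
        t = cert["tbs"]
        if now > t["not_after"]:
            return False, "expired: " + t["subject"]
        if cert is trusted_ca:
            if signature_ok(cert, tuple(t["pub"])):
                return True, "chain ends at trusted CA"
            return False, "trusted CA self-signature invalid"
        issuer = by_subject.get(t["issuer"])
        if issuer is None:
            return False, "unknown issuer: " + t["issuer"]
        if not signature_ok(cert, tuple(issuer["tbs"]["pub"])):
            return False, "bad signature on " + t["subject"]
        if t["not_after"] > issuer["tbs"]["not_after"]:
            return False, "outlives its issuer: " + t["subject"]
        cert = issuer
    return False, "chain does not reach the trusted CA"


def build_demo_chain(now):
    """Stage 1: CA signs itself; stage 2: CA signs the user; stage 3: the
    user signs a short-lived proxy.  Returns (ca, user, proxy, user_priv)."""
    ca_pub, ca_priv = gen_keypair()
    ca = issue_cert("/C=UK/O=eScience/CN=Demo CA", None, ca_priv, ca_pub,
                    now + 10 * 365 * 86400)
    user_pub, user_priv = gen_keypair()
    user = issue_cert("/C=UK/O=eScience/CN=Jane Doe", ca, ca_priv, user_pub,
                      now + 365 * 86400)
    proxy_pub, _proxy_priv = gen_keypair()
    proxy = issue_cert("/C=UK/O=eScience/CN=Jane Doe/CN=proxy", user, user_priv,
                       proxy_pub, now + 12 * 3600)
    return ca, user, proxy, user_priv


if __name__ == "__main__":
    t0 = 1_000_000  # constructed "current time" in seconds
    ca, user, proxy, _ = build_demo_chain(t0)
    print(verify_chain(proxy, [user], ca, t0))
    print(verify_chain(proxy, [user], ca, t0 + 13 * 3600))  # proxy has expired
```

The resource never needs an account for the user or a shared secret with them: it holds only the CA's self-signed certificate, and every link back to it is checked by signature, name and lifetime. A proxy that is kept alive past its task fails on the lifetime check, a certificate whose issuer field claims the CA but was signed with some other key fails on the signature check, and a proxy issued for longer than the user certificate it hangs off fails the issuer-lifetime rule assumed here.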
User Authorisation to Access Resource

[Diagram]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
User Responsibilities

– Keep your private key secure.
– Do not loan your certificate to anyone.
– Report to your local/regional contact if your certificate has been compromised.
– Do not launch a delegation service for longer than your current task needs.
– If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.
Summary

[Diagram: User -> Resource. Authentication via certificates and delegated services; authorisation delegated to the VO.]
The Practical

In your information pack is a sheet containing the details for logging on to your workstation and the passwords needed for logging on to your account on lab-07, the server to be used in this tutorial.
– Log in to your workstation.
– Use the putty program (on your desktop) to connect to lab-07.
– Open a browser window to –
– Follow the instructions from there.