Www.eu-eela.org E-science grid facility for Europe and Latin America gLite Security Alfonso Pardo CETA-CIEMAT - Spain Dublin (Ireland), 15-18 September.


E-science grid facility for Europe and Latin America
gLite Security
Alfonso Pardo, CETA-CIEMAT (Spain)
Dublin (Ireland), September 2008

Dublin (Ireland), Tutorial for User and Site Admin.

Table of contents
- Introduction
- Encrypting
  – Symmetric algorithms
  – Asymmetric algorithms: PKI (public key)
- Certificates
  – Digital signature
  – X.509 certificates
- Grid security
  – Proxy certificates
  – Command line instructions
- Virtual organizations
  – VO and authorization concepts

Glossary
- Principal: any entity: a user, a program or a machine
- Credentials: data that give proof of identity
- Authentication: checking the identity of a principal
- Authorization: mapping an identity to a certain set of privileges
- Confidentiality: encrypting a message so that only the receiver can understand it
- Integrity: guaranteeing that a message has not been modified during transmission

Encrypting
Cryptography is the branch of mathematics dedicated to the study of information security and its related aspects, in particular encryption, authentication and access control.
Symbols:
- Plain text: M
- Encrypted text: C
- Encryption with key K1: E_K1(M) = C
- Decryption with key K2: D_K2(C) = M
Algorithms:
- Symmetric: K1 = K2
- Asymmetric: K1 ≠ K2
[Figure: Peter encrypts M with K1 to obtain C; John decrypts C with K2 to recover M]

Symmetric algorithms
The same key is used to encrypt and to decrypt.
Advantages:
- Speed
Disadvantages:
- How to distribute the keys?
Examples:
- DES
- 3DES
- Rijndael (AES)
- Blowfish
- Kerberos
[Figure: Mary and John share one key; "hola" is encrypted to "3$r" and decrypted back to "hola" with the same key]

Asymmetric algorithms (public key algorithms)
Each user has two keys, one private and one public:
- it is "impossible" to deduce the private key from the public one;
- a message encrypted with one key can only be decrypted with the other one.
It is not necessary to exchange secret keys:
- the sender encrypts using the public key of the receiver;
- the receiver decrypts using his private key.
Examples:
- Diffie-Hellman (1977)
- RSA (1978)
[Figure: Mark's keys (public, private) and George's keys (public, private); "hola" encrypted to "3$r" and "cy7" and decrypted back to "hola" by the owner of the matching private key]

Digital signature
1. George calculates the hash of the message.
2. George encrypts the hash using his private key: the encrypted hash is the digital signature.
3. George sends the signed message to Mark.
4. Mark calculates the hash of the message (Hash(B)) and compares it with Hash(A), obtained by decrypting the signature with George's public key.
5. If the hashes are equal: the message was not modified, and George cannot repudiate it.
[Figure: George's keys (public, private); message + digital signature sent to Mark; Mark checks Hash(A) = Hash(B)?]

Digital certificate
George's digital signature is safe if:
1. George's private key is not compromised.
2. Mark knows George's public key.
How can Mark be sure that George's public key is really George's public key and not somebody else's?
- A third entity guarantees the correspondence between public keys and the identity of their owner.
- George and Mark must trust this third entity.

Certification Authority
The "third entity" is called Certification Authority (CA).
- It issues digital certificates (containing the public key and the owner's identity) for users, programs and machines, signed by the CA.
- It checks the identity and personal data of the applicants.
  – Registration Authorities (RA): they perform the validation itself.

Classic profile of the CA
How to obtain a certificate:
1. Request for the certificate
2. User's identity is confirmed by the RA
3. Certificate is issued by the CA
4. Certificate is used as an access key to the grid

X.509 certificate
An X.509 certificate contains:
- owner's public key
- owner's identity
- CA information
- validity period
- serial number
- CA digital signature
[Figure: structure of an X.509 certificate]
  Public key
  Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
  Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
  Expiration date: Aug 26 08:08: GMT
  Serial number: 625 (0x271)
  CA digital signature

Grid Security Infrastructure (GSI), based on X.509 PKI
- Each user/host/service has an X.509 certificate.
- Certificates are signed by the CAs.
- Each transaction in the Grid is mutually authenticated:
  1. Cole sends his certificate.
  2. Sean verifies the signature on Cole's certificate.
  3. Sean sends Cole a random number.
  4. Cole encrypts it using his private key.
  5. Cole sends the encrypted number to Sean.
  6. Sean uses Cole's public key to decrypt the number.
  7. Sean compares the decrypted number with the original.
  8. If they are equal, Sean has verified Cole's identity.
[Figure: Cole sends his certificate; Sean verifies the CA signature; Sean sends a random number; Cole encrypts it with his private key and sends the encrypted number; Sean decrypts it with Cole's public key and compares it with the original]

Updating
- The maximum duration of a certificate is 1 year + 1 month.
- The idea is that at the end of the year (12th month) a new certificate is issued.
- Users should be warned about expiration and the need to renew it.
- A certificate is not revoked when a new one is issued, unless the certificate has been compromised or the user has stopped the activity that motivated the request.

Updating
It is not necessary for the user to go through identification again for renewal:
- This is a great advantage both for the user and for the RA.
- Nevertheless, a maximum number of renewals without identification is advisable (for example: every two years the EE (end entity) must repeat the identification process).
To avoid the identification process, the renewal request must be signed with the user's certificate, for example:
- … signed with the user's certificate;
- through a CA/RA web interface that can identify the user's certificate.
If the user's certificate expires before renewal, the procedure to request a new certificate must be followed.

Where to request a certificate to use in EELA
- If you are Italian: –
- If you are Portuguese: –
- If you are Spanish: –
- If you are none of the above: http://igc.services.cnrs.fr/GRID-FR/?lang=en&cmd=certificates&type=usercert

Use of the certificates
To import the certificate into the web browser:
- If you received a .pem certificate, you need to convert it into PKCS12 format.
- Use the openssl command (available on every UI):
    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out my_cert.p12 -name 'My Name'
GILDA (and other VOs included in EELA):
- You will receive a PKCS12 certificate (you can import it directly into the web browser).
- To use it on the Grid, you will need usercert.pem and userkey.pem in the directory ~/.globus on your UI.
- Export the PKCS12 certificate to a local directory on the UI and use openssl again:
    openssl pkcs12 -nocerts -in my_cert.p12 -out userkey.pem
    openssl pkcs12 -clcerts -nokeys -in my_cert.p12 -out usercert.pem

X.509 proxy certificate
It is dangerous to transfer your personal certificate through the Grid.
Proxy certificates:
- Signed by the owner of the certificate (or by another proxy).
- They have some important features:
  – Delegation
  – They have a limited lifetime (minimum risk of a "compromised credential")
Proxy certificates are created with the grid-proxy-init command:
  $ grid-proxy-init
Options for grid-proxy-init:
  -hours
  -bits
  -help

grid-proxy-init
- The user enters the pass phrase of his PEM key, which is used to decrypt his private key.
- The private key is used to sign the proxy certificate, which has its own new public/private key pair.
  – So the user's private key is not exposed once the proxy has been signed.
[Figure: user's certificate + private key (encrypted) + PEM pass phrase → user's proxy certificate]
Proxy:
- saved in a local file: it must be readable only by its owner.
- lifetime is short (typically 12 h) to minimize security risks.

Proxy
grid-proxy-init ≡ the "login" to the Grid.
To "logout", the proxy must be destroyed:
  grid-proxy-destroy
To get information about your proxy:
  grid-proxy-info
Options to show proxy information:
  -subject   -issuer
  -type      -timeleft
  -strength  -help

Delegation
Delegation = remote creation (second level) of a proxy certificate.
- A new key pair is generated remotely on the server.
- The client signs the proxy certificate and returns it.
It allows remote processes to be authenticated in the user's name.
- The remote process "impersonates" the user.
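The following is an added example, not code from the slides nor from gLite or Globus: a toy Python model of the four mechanisms described on the digital signature, GSI, grid-proxy-init and delegation slides. It uses textbook RSA with fixed primes and a raw SHA-256 hash (no padding, no real X.509 encoding), which is fine for showing the data flow but is not how production signatures are built. The names (Cole, Sean, the GILDA CA and user DNs), the lifetimes and the function names are assumptions chosen for the example.

```python
import hashlib
import secrets

# Eight distinct Mersenne primes (2^k - 1), two per toy key pair, so the CA, the user,
# the proxy and the delegated proxy all get different keys. Real keys use random
# 1024/2048-bit primes; fixed ones keep the example fast and reproducible.
PRIMES = [2**k - 1 for k in (31, 61, 89, 107, 127, 521, 607, 1279)]

def make_keypair(p, q, e=65537):
    """Toy RSA: public key (e, n), private key (d, n). No padding, no randomness."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def hash_mod_n(data, n):
    """SHA-256 of the data, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    """Digital signature: the hash of the data 'encrypted' with the private key."""
    d, n = priv
    return pow(hash_mod_n(data, n), d, n)

def verify(data, sig, pub):
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    e, n = pub
    return pow(sig, e, n) == hash_mod_n(data, n)

def cert_bytes(cert):
    """The part of a toy certificate that its issuer signs."""
    e, n = cert["pub"]
    return f'{cert["subject"]}|{e}|{n}|{cert["not_after"]}|{cert["issuer"]}'.encode()

def issue(subject, pub, issuer, issuer_priv, not_after):
    """Bind a public key to a name: the CA does this for a user certificate, the user
    (or an existing proxy) does it for a proxy certificate."""
    cert = {"subject": subject, "pub": pub, "issuer": issuer, "not_after": not_after}
    cert["sig"] = sign(cert_bytes(cert), issuer_priv)
    return cert

def verify_chain(chain, ca_pub, now):
    """chain[0] is the leaf (newest proxy), chain[-1] the CA-signed user certificate.
    Each certificate must be within its lifetime and signed by the key of the next
    one in the chain (the last one by the CA). Returns the leaf subject, or None."""
    for i, cert in enumerate(chain):
        signer_pub = chain[i + 1]["pub"] if i + 1 < len(chain) else ca_pub
        if now > cert["not_after"] or not verify(cert_bytes(cert), cert["sig"], signer_pub):
            return None
    return chain[0]["subject"]

def gsi_handshake(cole_chain, cole_priv, ca_pub, now):
    """The eight steps of the GSI slide: Sean verifies Cole's certificate (chain), sends
    a random number, Cole signs it with his private key, Sean checks the answer with
    the public key found in the certificate."""
    if verify_chain(cole_chain, ca_pub, now) is None:         # steps 1-2
        return False
    random_number = secrets.token_bytes(32)                   # step 3
    answer = sign(random_number, cole_priv)                   # steps 4-5
    return verify(random_number, answer, cole_chain[0]["pub"])  # steps 6-8

def extend_chain(chain, leaf_priv, new_pub, lifetime, now):
    """Add a proxy: the holder of the current leaf's private key signs a NEW public key
    with a short lifetime. Who generated that key pair is the only difference between
    grid-proxy-init (the user, locally) and delegation (the remote server)."""
    proxy = issue(chain[0]["subject"] + "/CN=proxy", new_pub, chain[0]["subject"],
                  leaf_priv, now + lifetime)
    return [proxy] + chain

def demo(now=1_000_000):
    """Run the whole story (times are seconds) and return the intermediate results."""
    ca_pub, ca_priv = make_keypair(PRIMES[0], PRIMES[1])
    user_pub, user_priv = make_keypair(PRIMES[2], PRIMES[3])
    chain = [issue("/C=IT/O=GILDA/CN=Cole", user_pub, "/C=IT/O=GILDA/CN=GILDA CA",
                   ca_priv, now + 365 * 86400)]
    # grid-proxy-init: Cole generates the proxy key pair himself and signs it with his
    # user key; from then on only the 12-hour proxy key is used on the Grid.
    proxy_pub, proxy_priv = make_keypair(PRIMES[4], PRIMES[5])
    chain = extend_chain(chain, user_priv, proxy_pub, 12 * 3600, now)
    # Delegation: the server generates a key pair and sends only the public half;
    # Cole's proxy key signs it, so the server's private key never travels.
    server_pub, server_priv = make_keypair(PRIMES[6], PRIMES[7])
    delegated = extend_chain(chain, proxy_priv, server_pub, 2 * 3600, now)
    return {
        "chain": chain, "delegated": delegated, "ca_pub": ca_pub,
        "login_ok": gsi_handshake(chain, proxy_priv, ca_pub, now),
        "delegated_ok": gsi_handshake(delegated, server_priv, ca_pub, now),
        # 13 h later the proxy has expired: the handshake fails although the user
        # certificate itself is still valid for a year.
        "after_13h": gsi_handshake(chain, proxy_priv, ca_pub, now + 13 * 3600),
        "identity": verify_chain(delegated, ca_pub, now),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        if key not in ("chain", "delegated", "ca_pub"):
            print(f"{key}: {value}")
```

The point the model makes visible is that a verifier only ever needs public keys plus the CA's: the user's long-lived private key signs exactly one thing (the first proxy) and then stays encrypted on disk, and a delegated process holds a private key that was generated where it runs and was never transmitted.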

Long-term proxies
Proxy certificates have a lifetime (by default 12 h).
- It is not a good idea to have longer-lived proxies.
- Nevertheless, a task on the grid can need a proxy for a longer period of time.
- For example, a data-analysis task can last several days.
MyProxy server:
- Allows creating and storing long-term proxy certificates.
  – myproxy-init -s <MyProxy host>   (-s specifies the MyProxy host name)
  – myproxy-info                     obtains information about the stored long-term proxies
  – myproxy-get-delegation           obtains a new proxy from the MyProxy server
  – myproxy-destroy                  destroys the proxy stored on the MyProxy server
The gLite file transfer service validates the user's requests and renews proxies when needed.

VOs and authorization
Grid users MUST belong to a virtual organization.
- A group of users that belong to a collaboration.
- Users must know the guidelines for its use within the VO.
VOs keep a members list in an LDAP server.
- The list is downloaded by the grid machines to map users to local accounts:
  ...
  "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
  "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
  "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
  ...

VOMS
Virtual Organization Membership Service:
- Extends the information in the proxies: membership of the VO, groups, roles.
- Fully compatible with Globus Toolkit.
- Every VO has a database containing information about its members and the groups, roles and capabilities of each user.
- Users contact the VOMS server requesting their authorization information.
- The server sends the authorization information to the client, who includes it in a proxy certificate.
  $ voms-proxy-init --voms gilda
    Creates a proxy certificate and extends it with the VOMS server information.
  $ voms-proxy-info --all
    Shows information about the certificate together with the VOMS extension.

Dublin (Ireland), Tutorial for User and Site Admin., – Questions …

Practice
Practice in gLite security

This page will take you through the stages of inspecting your certificates and then creating and testing a VOMS proxy. We assume you are logged on to a User Interface (glite-tutor.ct.infn.it in this example), that you have valid certificates under the .globus directory, and that you are in your home directory.

Inspecting personal certificate
Your personal certificate is split into two separate files in a directory called .globus. These files are effectively your public and private keys, which will be used for the authenticated connections with all the other grid elements. It is essential that they have the correct file permissions, otherwise you won't be able to create a proxy. Check the permissions with the command

  ls -l .globus

which should give you the following output:

  total 8
  -rw-r--r--  1 giorgio users 1613 Jun  7 15:16 usercert.pem
  -r--------  1 giorgio users 1914 Jun  7 15:16 userkey.pem
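An added example (not part of the tutorial) that automates the permission check above before a proxy is attempted: a short Python checker for the two files in .globus and for the proxy file that grid-proxy-init/voms-proxy-init writes (the proxy path /tmp/x509up_u<uid> follows the Globus convention visible later in the voms-proxy-info output). The accepted modes are an assumption drawn from the ls -l output on the slide: the private key readable by its owner only (0400, or 0600 if it must be rewritten), the public certificate 0644 or 0444.

```python
import os
import stat

# Expected permission bits, as in the slide's ls -l output:
#   usercert.pem  -rw-r--r--   (public certificate: world-readable is fine)
#   userkey.pem   -r--------   (private key: owner only, never group/world)
EXPECTED = {
    "usercert.pem": {0o644, 0o444},
    "userkey.pem": {0o400, 0o600},
}

def check_file(path, allowed_modes):
    """Return a list of problems for one file: missing, not a regular file,
    unexpected mode, or owned by somebody else. Empty list means the file is fine."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode not in allowed_modes:
        wanted = ", ".join(f"{m:04o}" for m in sorted(allowed_modes))
        problems.append(f"{path}: mode {mode:04o}, expected one of {wanted}")
    if st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not by you")
    return problems

def check_globus_dir(globus_dir=os.path.expanduser("~/.globus")):
    """Check usercert.pem and userkey.pem in the given directory (default ~/.globus)."""
    problems = []
    for name, modes in EXPECTED.items():
        problems += check_file(os.path.join(globus_dir, name), modes)
    return problems

def check_proxy_file(path=None):
    """Check the proxy file written by grid-proxy-init / voms-proxy-init.
    Default path: /tmp/x509up_u<uid>, the Globus convention."""
    if path is None:
        path = f"/tmp/x509up_u{os.getuid()}"
    # The proxy contains a private key as well, so it must be owner-only too.
    return check_file(path, {0o600, 0o400})

if __name__ == "__main__":
    for problem in check_globus_dir() + check_proxy_file():
        print(problem)
```

Run it on the UI before voms-proxy-init: an empty output means the files look the way the tutorial expects; a mode complaint on userkey.pem is exactly the case in which proxy creation fails.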

Inspecting personal certificate
You can now have a look inside your certificate with grid-cert-info:

  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 3901 (0xf3d)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority
          Validity
              Not Before: Apr 12 08:32: GMT
              Not After : Apr 12 08:32: GMT
          Subject: C=IT, O=GILDA, OU=Personal Certificate, L=INFN, CN=Emidio
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
                  Modulus (2048 bit):
                      00:c7:c9:9a:ae:81:e5:0f:03:c9:f6:0f:5b:3c:c5:
                      [cut...]

Inspecting personal certificate (continued)

          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  41:8D:0A:A0:6D:3E:24:00:9E:98:FA:3B:EF:6F:40:DC:CB:86:81:0B
              X509v3 Authority Key Identifier:
                  keyid:F2:4E:BA:9C:42:04:41:7F:A0:0A:AA:35:D0:98:93:12:37:EF:8C:76
                  DirName:/C=IT/O=GILDA/CN=GILDA Certification Authority
                  serial:00
      Signature Algorithm: md5WithRSAEncryption
          91:b1:2b:45:40:74:b1:0a:ba:d5:d2:fb:ad:32:07:9f:a9:3b:
          [cut...]
          dd:4f
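As an added example (not from the tutorial), the script below reads the Subject, Issuer and Validity fields out of grid-cert-info output like the one above and applies the renewal rule from the "Updating" slide: a certificate lasts 1 year + 1 month, renewal is expected in the 12th month, and the user should be warned before expiry. The sample text is constructed in the slide's layout; because the slide's dates are cut off, the times and years are invented, and the 30-day warning margin is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the grid-cert-info / "openssl x509 -text" layout of the slide.
# The slide's dates are cut off, so these times and years are invented for the example.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3901 (0xf3d)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority
        Validity
            Not Before: Apr 12 08:32:11 2007 GMT
            Not After : May 12 08:32:11 2008 GMT
        Subject: C=IT, O=GILDA, OU=Personal Certificate, L=INFN, CN=Emidio
"""

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
FIELDS = ("Serial Number", "Signature Algorithm", "Issuer", "Subject", "Not Before", "Not After")

def utc(text):
    """Parse an OpenSSL-style date ('Apr 12 08:32:11 2007 GMT') into an aware UTC datetime."""
    return datetime.strptime(text, OPENSSL_DATE).replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Pick the first occurrence of each field; the two dates become datetimes.
    (The trailing 'Signature Algorithm' line is ignored because the first one wins.)"""
    cert = {}
    for name in FIELDS:
        m = re.search(rf"^\s*{name}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field {name!r} not found")
        cert[name] = m.group(1)
    for name in ("Not Before", "Not After"):
        cert[name] = utc(cert[name])
    return cert

def renewal_status(cert, now, warn_days=30):
    """The 'Updating' slide's policy: 1 year + 1 month of validity, a new certificate
    from the 12th month on. Tell the user to renew from the earlier of '12 months
    after Not Before' and 'warn_days before Not After'."""
    if now >= cert["Not After"]:
        return "expired"        # too late to renew: a new request is needed
    renew_from = min(cert["Not Before"] + timedelta(days=365),
                     cert["Not After"] - timedelta(days=warn_days))
    return "renew" if now >= renew_from else "ok"

def days_left(cert, now):
    """Whole days until Not After (negative once expired)."""
    return (cert["Not After"] - now).days

def weak_signature(cert):
    """True for MD5-signed certificates like the one on the slide; MD5 signatures are
    no longer accepted by current TLS stacks, so such a CA issuance is worth flagging."""
    return cert["Signature Algorithm"].lower().startswith("md5")

if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    now = datetime.now(timezone.utc)
    print(cert["Subject"])
    print("issued by", cert["Issuer"])
    print("status:", renewal_status(cert, now), "days left:", days_left(cert, now))
    print("weak signature algorithm:", weak_signature(cert))
```

On a real UI, feed it the output of grid-cert-info (or openssl x509 -in ~/.globus/usercert.pem -noout -text) instead of the constant; the same parser works for both because grid-cert-info prints the OpenSSL text form.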

Creation of a proxy with VOMS extensions
This step is comparable to a login on the Grid, because without it you can do very little. The command to do it is:

  voms-proxy-init --voms VO-NAME

Then, for instance, if your VO is gilda, you have to type:

  voms-proxy-init --voms gilda
  Cannot find file or dir: /home/giorgio/.glite/vomses
  Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
  Enter GRID pass phrase:
  Creating temporary proxy Done
  Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN "gilda" Done
  Creating proxy Done
  Your proxy is valid until Fri Jul 14 00:34:

Check your VOMS proxy
Once your proxy has been created, you can gather information on it through the voms-proxy-info command. It is much more useful if run with the --all option, because it also shows the VO-related information added by the VOMS server, such as the groups you belong to (tutors in this case) or roles. You may also note two different lifetimes: the first is related to the proxy itself, the second one refers to the AC (attribute certificate) information added by the VOMS server. Both have to be valid in order to be fully enabled to perform operations.

  voms-proxy-info --all
  subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
  issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
  identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
  type      : proxy
  strength  : 512 bits
  path      : /tmp/x509up_u513
  timeleft  : 11:39:55
  === VO gilda extension information ===
  VO        : gilda
  subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
  issuer    : /C=IT/O=GILDA/OU=Host/L=INFN
  attribute : /gilda/Role=NULL/Capability=NULL
  attribute : /gilda/tutors/Role=NULL/Capability=NULL
  timeleft  : 11:39:54
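An added example, not from the tutorial or the VOMS project: a small Python parser for the voms-proxy-info --all output above that makes the "both lifetimes must be valid" point operational. It returns the proxy block and one block per VO extension, computes the usable time for a VO as the smaller of the proxy lifetime and that VO's AC lifetime, and extracts the groups from the FQAN attributes. The sample is the slide's output reconstructed as a constant; the function names are assumptions.

```python
import re

# The slide's "voms-proxy-info --all" output, reconstructed as a constant sample.
SAMPLE_VOMS_INFO = """\
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u513
timeleft  : 11:39:55
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio
issuer    : /C=IT/O=GILDA/OU=Host/L=INFN
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/tutors/Role=NULL/Capability=NULL
timeleft  : 11:39:54
"""

def hms_to_seconds(text):
    """'11:39:55' -> 41995."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def parse_voms_proxy_info(text):
    """Split the output into the proxy block and one block per VO extension.
    A proxy may carry several '=== VO ... ===' sections, one per VO it was made for."""
    info = {"proxy": {}, "vos": []}
    block = info["proxy"]
    for line in text.splitlines():
        header = re.match(r"=== VO (\S+) extension information ===", line)
        if header:
            block = {"VO": header.group(1), "attributes": []}
            info["vos"].append(block)
            continue
        field = re.match(r"(\w+)\s*:\s*(.*\S)", line)
        if not field:
            continue
        key, value = field.groups()
        if key == "attribute":
            block["attributes"].append(value)        # FQANs, possibly several
        elif key == "timeleft":
            block["timeleft"] = hms_to_seconds(value)
        elif key == "strength":
            block["strength"] = int(value.split()[0])  # "512 bits" -> 512
        else:
            block[key] = value
    return info

def usable_seconds(info, vo):
    """Seconds during which operations in `vo` are possible: the proxy and that VO's
    attribute certificate must both be valid, so take the smaller of the two lifetimes.
    0 if the proxy carries no extension for that VO."""
    for block in info["vos"]:
        if block["VO"] == vo:
            return min(info["proxy"]["timeleft"], block["timeleft"])
    return 0

def groups(info, vo):
    """Groups the user belongs to in `vo`, read from the FQAN attributes
    ('/gilda/tutors/Role=NULL/Capability=NULL' -> '/gilda/tutors')."""
    return [attr.split("/Role=")[0]
            for block in info["vos"] if block["VO"] == vo
            for attr in block["attributes"]]

if __name__ == "__main__":
    info = parse_voms_proxy_info(SAMPLE_VOMS_INFO)
    print("identity:", info["proxy"]["identity"])
    for block in info["vos"]:
        vo = block["VO"]
        print(f"VO {vo}: groups {groups(info, vo)}, usable for {usable_seconds(info, vo)} s")
```

In a job-submission script the useful check is usable_seconds(info, vo) against the expected job duration: a proxy whose own timeleft is fine but whose VOMS AC is about to expire will still be rejected by VO-aware services.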