1 Grid Security

2 Grid Security Concerns
- Control access to shared services
  – Address autonomous management, e.g., different policy in different work groups
- Support multi-user collaborations
  – Federate through mutually trusted services
  – Local policy authorities rule
- Allow users and application communities to set up dynamic trust domains
  – Personal/VO collection of resources working together based on trust of user/VO

3 Virtual Organization (VO) Concept
- A VO for each application or workload
- Carve out and configure resources for a particular use and set of users

4 Example: layered local policies (figure)
- LAB: exclude "bad" countries; include all LBNL staff and guests
- Equipment: must have X-Ray training
- R&D Group: must be a group member
- Effective permission: the overlap of the three policies, i.e. a user must satisfy every layer that applies to the resource

5 Security Basics
- Privacy (confidentiality)
  – Only the sender and receiver should be able to understand the conversation
- Integrity
  – The receiving end must know that the received message is the one the sender sent
- Authentication
  – Users are who they say they are (authentic)
- Authorization
  – Is the user allowed to perform the action?

6 Encryption
- Encryption is the process of feeding some data and a key into a function and getting encrypted data out
- Encrypted data is, in principle, unreadable unless decrypted
- (figure: Encryption Function)

7 Decryption
- Decryption is the process of feeding encrypted data and a key into a function and getting the original data out
  – The encryption and decryption functions are linked
- (figure: Decryption Function)

8 Asymmetric Encryption
- Encryption and decryption functions that use a key pair are called asymmetric
  – The keys are mathematically linked

9 Authentication
- Private key: known only to the owner
- Public key: known to everyone
- What one key encrypts, the other decrypts
  – This is how RSA behaves; in use, the private key signs (giving integrity and authentication) and the public key encrypts (giving privacy)
- (figure: Borja Sotomayor; the key pair guarantees integrity, authentication and privacy)

10 Authentication using Digital Certificates
- A digital document that certifies that a public key is owned by a particular user
- Signed by a third party, the Certificate Authority (CA)
- To know whether you should trust the certificate, you have to trust the CA
- (figure: Borja Sotomayor)

11 Certificates
- Similar to a passport or driver's license (figure: a State of Illinois driver's license for "John Doe", with the holder's particulars and the state seal, shown beside a certificate)
- Certificate fields: Name, Issuer, Public Key, Validity (Valid Till), Signature
- (figure: Rachana Ananthakrishnan)

12 Globus Security
- Globus security is based on the Grid Security Infrastructure (GSI)
  – Built on a set of IETF standards for security interaction (X.509 certificates, TLS, GSS-API and the RFC 3820 proxy certificate profile)
- Public-key-based authentication using X.509 certificates

13 Requesting a Certificate
- To request a certificate, a user starts by generating a key pair (a private key and a public key)
- (figure: Rachana Ananthakrishnan)

14 Certificate Request
- The user signs their own public key (together with the requested name) with their private key; the result is the Certificate Request, which is sent to the CA, e.g., by web upload
- Note that the private key is never sent anywhere; the signature on the request only proves that the requester holds it
- (figure: Rachana Ananthakrishnan)

15 Registration Authority (RA)
- The user then takes the certificate request to a Registration Authority (RA)
- The RA vets the user's identity
- Often the RA coexists with the CA and is not apparent to the user
- (figure: Rachana Ananthakrishnan)

16 Certificate Issuance
- The CA then takes the identity from the RA and the public key from the certificate request
- It creates, signs and issues a certificate for the user (Name, Issuer, Validity, Public Key, Signature)
- (figure: Rachana Ananthakrishnan)

17 GridMap File
- Maps distinguished names (found in certificates) to local names (such as login accounts)
- Can also serve as an access control list for GSI-enabled services: a DN that is not listed is not mapped and so is not admitted
- Lives by default at /etc/grid-security/grid-mapfile; each line is a quoted DN followed by a comma-separated list of local names
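An added example, not Globus code, of reading a grid-mapfile and using it both as the DN-to-account map and as a plain access control list. The file contents, DNs and account names below are constructed; the line format (quoted DN, then comma-separated local names, `#` comments) is the one the Globus grid-mapfile uses. The check a practitioner wants is in `map_to_local`: the lookup key is the identity of the user's end-entity certificate, so a proxy's own subject (with `/CN=proxy` appended) must not be what you look up.

```python
"""grid-mapfile reader: DN -> local account, and DN-based access control."""
import shlex

# Constructed sample of /etc/grid-security/grid-mapfile.
SAMPLE_GRIDMAP = """\
# grid-mapfile (constructed sample)
"/DC=org/DC=example/OU=People/CN=Jane Doe 12345" jdoe,jdoe_admin
"/DC=org/DC=example/OU=People/CN=Bob Smith 67890" bsmith

/DC=org/DC=example/OU=Services/CN=rft/host.example.org rftsvc
"""


def parse_gridmap(text):
    """Returns {dn: [local names]}; the first local name is the default account.
    Malformed lines raise rather than silently granting or dropping access."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)          # handles the quoted DN with spaces
        except ValueError as exc:
            raise ValueError(f"grid-mapfile line {lineno}: {exc}")
        if len(fields) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and account list")
        dn, accounts = fields
        names = mapping.setdefault(dn, [])
        for name in accounts.split(","):
            if name and name not in names:
                names.append(name)
    return mapping


def map_to_local(mapping, identity, requested=None):
    """Map an authenticated identity (the end-entity DN from the verified
    certificate chain, never the proxy's '/CN=proxy' subject) to a local
    account. Returns None when the DN is unlisted or the requested account
    is not one of its allowed accounts."""
    accounts = mapping.get(identity)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


def is_authorized(mapping, identity):
    """The grid-mapfile as an ACL: listed DNs are allowed, all others denied."""
    return identity in mapping
```

Exact string comparison is intentional: the mapfile is consulted after GSI has already verified the chain, so the DN it receives is trustworthy, but any whitespace or encoding difference in the file is a silent "not listed".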

18 Delegation: the goal
- Resources A, B and C; File X is at Resource B
- The user, working from Resource A, wants File X transferred from Resource B to Resource C

19 Delegation: without delegation, step 1
- Resource A authenticates to Resource B and transfers File X from Resource B to Resource A

20 Delegation: without delegation, step 2
- Resource A then transfers File X from Resource A to Resource C
- The file crosses the network twice and has to be staged at A

21 Delegation: with delegation
- Resource A delegates a credential, and File X is transferred directly from Resource B to Resource C on the user's behalf

22 Proxy Certificate
- A proxy certificate allows another party (a service or process) to act on the user's behalf
  – Credential delegation
- (figure: Borja Sotomayor)

23 Proxy Certificate
- A proxy empowers a third party to act on your behalf
- The proxy certificate is signed by the end user, not by a CA
- The proxy certificate's public key is a new one, from a private/public key pair generated specifically for the proxy certificate
- A proxy also gives you single sign-on
  – Set up a proxy for a time period and you don't need to sign in again during it
  – The proxy's private key is stored unencrypted on disk (by default /tmp/x509up_u<uid>, readable only by its owner), which is why proxies are kept short-lived

24 Benefits of Single Sign-on
- You don't need to remember (or even know) an ID/password for each resource
- You automatically get a Grid proxy certificate for use with other Grid tools
- More secure
  – No ID/password is sent over the wire, not even in encrypted form
  – The proxy certificate expires in a few hours and is then useless to anyone else
  – No need to write down 10 passwords
- It's fast and it's easy!

25 Proxy Certificate Chain (figure: Borja Sotomayor)
- The CA signs the user's certificate; the user's private key signs the first proxy certificate; each further proxy is signed by the private key of the proxy before it
- A relying party verifies the chain upward to a CA it trusts, checking every signature and validity period, and takes the user's certificate as the identity behind the whole chain
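An added example, not Globus Toolkit code, that models slides 6-9 (what one key encrypts, the other decrypts), 13-16 (key pair, request, issuance by the CA) and 22-25 (proxies signed by the user, proxy chain verification) in one place. It uses textbook RSA with fixed Mersenne primes so that it runs with the Python standard library alone; raw RSA on a hash with no padding, the JSON "certificates", the DNs, the lifetimes and the trust-store lookup by issuer name are all simplifications made for the example, and real GSI uses openssl-generated keys, X.509 DER encoding and the RFC 3820 proxy certificate profile.

```python
"""Toy GSI-style credential chain: CA -> user certificate -> proxy -> proxy."""
import hashlib
import json
import time

# Fixed Mersenne primes, paired for the CA, user, first and second proxy keys.
# Toy key material only: real keys come from random primes generated by openssl.
PRIME_PAIRS = [((1 << a) - 1, (1 << b) - 1)
               for a, b in ((607, 521), (127, 107), (89, 61), (31, 19))]
E = 65537


def keygen(pair):
    """Textbook RSA key pair: returns ((n, e), (n, d))."""
    p, q = pair
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    """The private key 'encrypts' the hash: only its owner can do this."""
    n, d = priv
    return pow(digest(data) % n, d, n)


def verify(pub, data, sig):
    """The public key 'decrypts' it: anyone can check the signature."""
    n, e = pub
    return pow(sig, e, n) == digest(data) % n


def tbs(cert):
    """Canonical to-be-signed bytes: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(issuer, issuer_priv, subject, pub, lifetime, proxy=False, now=None):
    """Create and sign a certificate; issuer=None makes a self-signed CA cert."""
    now = int(time.time()) if now is None else now
    cert = {"subject": subject,
            "issuer": subject if issuer is None else issuer["subject"],
            "public_key": list(pub),
            "not_after": now + lifetime,
            "proxy": proxy,
            "ca": issuer is None}
    cert["signature"] = sign(issuer_priv, tbs(cert))
    return cert


def verify_chain(chain, trust_store, now=None):
    """chain = [leaf, ..., end-entity cert]; its CA must be in trust_store.
    Returns (ok, reason, identity), identity being the end-entity subject."""
    now = time.time() if now is None else now
    ca = trust_store.get(chain[-1]["issuer"])
    if ca is None:
        return False, "untrusted issuer: " + chain[-1]["issuer"], None
    certs = chain + [ca]
    for cert in certs:
        if now > cert["not_after"]:
            return False, "expired: " + cert["subject"], None
    for cert, parent in zip(certs, certs[1:]):
        if cert["issuer"] != parent["subject"]:
            return False, "issuer mismatch: " + cert["subject"], None
        if not verify(tuple(parent["public_key"]), tbs(cert), cert["signature"]):
            return False, "bad signature: " + cert["subject"], None
        if cert["proxy"]:
            # RFC 3820 naming rule: the proxy's subject is the issuer's subject
            # plus exactly one extra CN component
            if cert["subject"].rsplit("/CN=", 1)[0] != parent["subject"]:
                return False, "bad proxy name: " + cert["subject"], None
        elif not parent["ca"]:
            # a user or proxy key may sign proxies, never new end-entity certs
            return False, "end-entity cert not issued by a CA: " + cert["subject"], None
    eec = [c for c in chain if not c["proxy"]]
    if not eec:
        return False, "no end-entity certificate in chain", None
    return True, "ok", eec[0]["subject"]


def build_demo(now=1_700_000_000):
    """CA -> Jane's certificate -> 12 h proxy (fresh key, signed by Jane's key)
    -> 1 h proxy signed by the first proxy's key (delegation to a service)."""
    ca_pub, ca_priv = keygen(PRIME_PAIRS[0])
    ca = issue(None, ca_priv, "/DC=org/DC=example/CN=Toy CA", ca_pub,
               10 * 365 * 86400, now=now)
    user_pub, user_priv = keygen(PRIME_PAIRS[1])
    user = issue(ca, ca_priv, "/DC=org/DC=example/CN=Jane Doe", user_pub,
                 365 * 86400, now=now)
    p1_pub, p1_priv = keygen(PRIME_PAIRS[2])
    proxy1 = issue(user, user_priv, user["subject"] + "/CN=proxy", p1_pub,
                   12 * 3600, proxy=True, now=now)
    p2_pub, _ = keygen(PRIME_PAIRS[3])
    proxy2 = issue(proxy1, p1_priv, proxy1["subject"] + "/CN=proxy", p2_pub,
                   3600, proxy=True, now=now)
    return {"trust": {ca["subject"]: ca}, "user": user, "proxy1": proxy1,
            "proxy1_priv": p1_priv, "proxy2": proxy2}


if __name__ == "__main__":
    d = build_demo()
    print(verify_chain([d["proxy2"], d["proxy1"], d["user"]], d["trust"],
                       now=1_700_000_060))
```

Two checks in `verify_chain` carry the security weight: the effective lifetime of a delegated chain is the shortest `not_after` in it, so the second proxy dies after an hour even though the first is good for twelve, and a key that is not a CA's may sign proxies named under itself but never a fresh end-entity certificate, which is what stops a stolen proxy from minting a new identity.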

26 Delegation
- Can delegate as part of the protocol
  – Delegation costs an extra round trip
- Types: full or limited delegation
  – A limited proxy can be used for data transfer (e.g., GridFTP) but is refused for starting new jobs
- Single sign-on: one password (the passphrase protecting your private key) for the whole grid
- Lets services (e.g., RFT) act on your behalf
- (figure: Rachana Ananthakrishnan)

27 VOMS
- A community-level group membership system
- Database of user roles
  – Administrative tools
  – Client interface
- voms-proxy-init
  – Uses the client interface to produce a proxy certificate that carries an attribute certificate (AC), signed by the VOMS server, listing the user's groups, roles and capabilities
  – Works with non-VOMS services, since it is still an ordinary proxy, but gives more information to VOMS-aware services
- Allows VOs to centrally manage user roles

28 Enabling Private Communication (figure: Borja Sotomayor)
- GSI enables security at two levels
  – Transport-level security (https, i.e., TLS)
  – Message-level security

29 Globus's Use of Security Standards
- (table; its row and column labels were not recovered, only the three annotations: "Supported, but slow", "Supported, but insecure", "Fastest, so default")

30 Globus Security
- Extensible authorization framework based on Web services standards
  – SAML-based authorization callout
    > Security Assertion Markup Language, OASIS standard
    > Often used for Web browser authentication
    > Very short-lived bearer credentials
  – Integrated policy decision engine
    > XACML (eXtensible Access Control Markup Language) policy language, per-operation policies, pluggable

31 Globus-XACML Integration
- eXtensible Access Control Markup Language
  – OASIS standard, open source implementations
- XACML is a sophisticated policy language
- The Globus Toolkit ships with an XACML runtime
  – Included in every client and server built on Globus core
  – Turned on through configuration, so it can be called transparently from the runtime and/or explicitly from the application
- The XACML model is also the basis of the Globus authorization processing framework

32 Globus Authorization Framework (figure)
- A Globus client makes a request to a Globus server
- Policy Information Points (PIPs) collect attributes about the requester from sources such as VOMS, Shibboleth, LDAP, PERMIS, …
- The Policy Decision Point (PDP) evaluates the attributes against policy and returns the authorization decision
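An added example, not the Globus Toolkit's authorization framework, that puts slide 4 (LAB, Equipment and R&D Group policies combining into an effective permission) and slides 30-32 (PIPs feeding attributes to a PDP, XACML-style combining) into working code. The PIP/PDP split and the deny-overrides combining algorithm are the XACML model the slides refer to; the policies, the VOMS FQANs, the embargoed-country list, the training records and the DNs are constructed for the example.

```python
"""A small deny-overrides policy decision point over VOMS and site attributes."""
from dataclasses import dataclass


@dataclass
class Request:
    subject_dn: str   # end-entity DN from the verified proxy chain
    fqans: list       # VOMS FQANs from the attribute certificate
    action: str
    resource: str


# --- PIPs: each pulls attributes from one authority into a shared bag ----------
def pip_dn(req, attrs):
    """Relative distinguished names of the subject, e.g. C=US -> attrs['C'].
    (Simplification: assumes no '/' inside attribute values.)"""
    for rdn in req.subject_dn.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        attrs.setdefault(key, value)        # keep the first C=, O=, ... seen


def pip_voms(req, attrs):
    """FQAN '/vo/group/Role=r/Capability=NULL' -> group paths and role names."""
    groups, roles = set(), set()
    for fqan in req.fqans:
        parts = [p for p in fqan.split("/") if p and not p.startswith("Capability=")]
        roles.update(p[len("Role="):] for p in parts if p.startswith("Role="))
        groups.add("/" + "/".join(p for p in parts if not p.startswith("Role=")))
    attrs["groups"], attrs["roles"] = groups, roles


TRAINING_DB = {"/C=US/O=LBNL/CN=Jane Doe": {"x-ray"}}   # constructed site records


def pip_site(req, attrs):
    attrs["training"] = TRAINING_DB.get(req.subject_dn, set())


# --- policies: each answers Permit, Deny or NotApplicable (slide 4 layers) -----
EMBARGOED = {"XX"}   # constructed stand-in for the lab's export-control list


def lab_policy(req, attrs):
    if attrs.get("C") in EMBARGOED:
        return "Deny"
    if attrs.get("O") == "LBNL" or "/lbnl/guests" in attrs["groups"]:
        return "Permit"
    return "NotApplicable"


def equipment_policy(req, attrs):
    if req.resource != "xray-beamline":
        return "NotApplicable"
    return "Permit" if "x-ray" in attrs["training"] else "Deny"


def rd_group_policy(req, attrs):
    if not req.resource.startswith("rd-"):
        return "NotApplicable"
    return "Permit" if "/lbnl/rd" in attrs["groups"] else "Deny"


PIPS = [pip_dn, pip_voms, pip_site]
POLICIES = [lab_policy, equipment_policy, rd_group_policy]


def decide(req):
    """Deny-overrides combining: any Deny wins; otherwise Permit needs at least
    one Permit; if no policy applies the answer is Deny (closed world).
    Returns (decision, per-policy trace) so a refusal can be explained."""
    attrs = {}
    for pip in PIPS:
        pip(req, attrs)
    trace = {policy.__name__: policy(req, attrs) for policy in POLICIES}
    if "Deny" in trace.values():
        return "Deny", trace
    return ("Permit" if "Permit" in trace.values() else "Deny"), trace
```

The trace is what makes a PDP operable: a user refused the beamline sees `equipment_policy: Deny` rather than a bare failure, and the closed-world default means a resource nobody wrote a policy for is not accidentally open.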

33 Globus Security (overview figure)
- Actors: the VO, its users, and a compute center running services
- The VO grants rights to users; local policy at the compute center is expressed on VO identity or attribute authority
- CAS or VOMS issue SAML or X.509 attribute certificates (ACs) carrying those rights
- Users authenticate to services with SSL/WS-Security using proxy certificates; services running on the user's behalf get access to the compute center
- Authorization callout: SAML or XACML
- Credential sources: KCA (a Kerberos-backed certificate authority) and MyProxy (an online credential repository)

34 Globus Security: How It Works (build-up of the figure, 1)
- VO, users, compute center and its services

35 Globus Security: How It Works (2)
- The VO grants rights to its users

36 Globus Security: How It Works (3)
- The compute center sets local policy on VO identity or attribute authority; CAS issues the VO rights

37 Globus Security: How It Works (4)
- Services running on the user's behalf carry those rights and access the compute center

38 Globus Security: How It Works (5)
- That access uses proxy certificates, and the compute center's authorization callout checks the rights

39 A Cautionary Note
- Grid security mechanisms are tedious to set up
  – If exposed to users, hand-holding is usually required
  – These mechanisms can be hidden entirely from end users, but still used behind the scenes
- These mechanisms exist for good reasons
  – Many useful things can't be done without Grid security
  – It is unlikely that an ambitious project could go into production operation without security like this
  – Most successful projects end up using Grid security, but in ways that end users don't see much of