1. EGEE is a project funded by the European Union under contract IST-2003-508833 Security Mechanisms David Groep (after original by Ákos Frohner) EDG tutorial team, JRA3 LCG-2 Tutorial, June 3,4 2004 www.eu-egee.org

2. EGEE and LCG tutorial, June 2004 - 2 Contents Overview  authentication and authorisation User side  getting a certificate  joining a Virtual Organisation Server side  host and service certificates  the roots of trust  authorisation mechanisms

3. EGEE and LCG tutorial, June 2004 - 3 Organizing Users and Resources

4. EGEE and LCG tutorial, June 2004 - 4 Virtual Organizations A VO is a temporary alliance of stakeholders  Users  Service providers A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions. Viewgraph: Foster, Kesselman, Tuecke, the Globus Alliance next: common and open protocols

5. EGEE and LCG tutorial, June 2004 - 5 Autonomous Resources owners of resources and data stay in control sharing conditions are explicit, … … and can vary for every resource or service each VO, and each user, thus has its own view of the Grid his “own” grid is transparent, thus no per-resource registration single sign-on

6. EGEE and LCG tutorial, June 2004 - 6 What is what? Authentication proving who you are Authorisation deciding what you are allowed to do Auditing Who did what when? Accounting How much “resources” did X use? Billing and payment oops!

7. EGEE and LCG tutorial, June 2004 - 7 Some cryptography Need to communicate securely without prior arrangements Can you talk to someone in privacy using only public data? Yes: using “asymmetric cryptography” You generate a key pair (two halves) One half you publish on the ’Net Others can encrypt a message using the public key only you have the private key to decrypt this assumes that the private key cannot be derived easily!

8. EGEE and LCG tutorial, June 2004 - 8 Binding a public key to you Put you public key and a unique name together have that combination digitally signed by someone trusted This “trusted third party” certifies the binding: a Certification Authority or CA Certificate: Data: Version: 3 (0x2) Serial Number: 332 (0x14c) Signature Algorithm: md5WithRSAEncryption Subject: O=dutchgrid, O=users, O=nikhef, CN=David Groep Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:e6:a2:8b:5c:a3:ed:fe:d5:03:55:b6:7c:cb:44:.... Issuer: C=NL, O=NIKHEF, CN=NIKHEF medium-security certification auth Validity Not Before: Mar 1 08:52:49 2004 GMT Not After : Mar 1 08:52:49 2005 GMT Netscape Comment: Certificate issued under DutchGrid and NIKHEF medium-security policy version 2.1;limited liabilities apply Signature Algorithm: md5WithRSAEncryption 9d:d8:19:32:3e:39:f1:55:58:d6:dd:21:7a:40:31:36:f6:07: 96:91:cf:2c

9. EGEE and LCG tutorial, June 2004 - 9 Certification Authorities Common trust domain for all of Europe: the EUGridPMA 23 national certification authorities catch-all CAs for EGEE, LCG and SEE-GRID all comply to the same minimum standards  in-person checking with a photo-ID  secure signing machine  certificates valid for 1 year  … your Grid certificate works across all of Europe other CAs exist: for students, demonstrations, tutorials

10. EGEE and LCG tutorial, June 2004 - 10 Authorisation Based on Virtual Organisations (VO) you join both a VO and (implicitly) an Infrastructure:  agree to the Acceptable Use Policy  request VO membership  wait for the VO administrator to approve  resource providers will then automatically give you access! Many different VOs, including “catch-alls” AtlasLHCbAliceCMSDTEAM* EarthObBioMedASCI…NL-Grid NCF*

11. EGEE and LCG tutorial, June 2004 - 11 A walk-through CA VO user service

12. EGEE and LCG tutorial, June 2004 - 12 Certificate request CA VO user service cert-request grid-cert-request once every year

13. EGEE and LCG tutorial, June 2004 - 13 Contacting the Certificate Authority Each CA has different policies and practices Generate a cryptographic key pair  using a script like grid-cert-request  with your web browser  using a Java Applet Appear in-person to the Registration Authority (RA) RA approves your request CA signs the approved request and sends you the cert  via mail: copy to your home directory  via the web: download into your browser and export to disk All use a network of RAs close to you

14. EGEE and LCG tutorial, June 2004 - 14 DutchGrid CA http://www.dutchgrid.nl/ca

15. EGEE and LCG tutorial, June 2004 - 15 Making the request (DutchGrid CA) triode:davidg:1004$ sh makerequest.sh Generating user request and private key in /tmp Do NOT delete the private key in this directory NOTICE: you are about to create the cryptographic key pair you need in your certificate. The private key is highly confidential information! Do not share it with anyone and do not send it by mail to the Certification Authority Your private key is stored in a file named ‘userkey.pem' Using configuration from /tmp/certreq15061.cnf Generating a 1024 bit RSA private key.....++++++..................++++++ writing new private key to '/tmp/userkey.pem' ----- Mailing [CA:medium] certificate request to the DutchGrid CA … In the authentication process by the CA, you may be asked to provide a proof-of-possession of the keypair you submitted. This may involve you providing part of your public keydata displayed below: BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EF A3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B 400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065 *** Fill in the registration form now, and go to your RA. Proof of Possession Challenge run request script

16. EGEE and LCG tutorial, June 2004 - 16 Your request openssl req –in ~/.globus/user_request.pem –text Data: Version: 0 (0x0) Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos FrohnerUser information Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit):Public key 00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58: [...] Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryptionSignature on the public 29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e: [...] key and user information -----BEGIN CERTIFICATE REQUEST-----PEM encoded request MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC [...] -----END CERTIFICATE REQUEST-----

17. EGEE and LCG tutorial, June 2004 - 17 Private Key Details openssl rsa -in ~/.globus/userkey.pem –text Enter PEM pass phrase: Private-Key: (1024 bit) modulus: [...] publicExponent:..... (0x......) privateExponent: [...] prime1: [...]private parameters prime2: [...] exponent1: [...] exponent2: [...] coefficient: [...] writing RSA key -----BEGIN RSA PRIVATE KEY-----PEM encoded private key -----END RSA PRIVATE KEY-----

18. EGEE and LCG tutorial, June 2004 - 18 Certificate signing CA VO user service cert-request grid-cert-request certificate cert signing

19. EGEE and LCG tutorial, June 2004 - 19 Importing your certificate in the browser CA VO user service cert.pkcs12 convert cert-request grid-cert-request certificate cert signing

20. EGEE and LCG tutorial, June 2004 - 20 Browser certificates Your our certificate must be in PKCS#12 format openssl pkcs12 –export \ –in ~/.globus/usercert.pem \ –inkey ~/.globus/userkey.pem \ –out user.p12 \ –name ’Joe Smith’ Use the “certificate store” of your browser  Windows: double-click on the “.p12” file  Explorer: Internet Options – tab: Content  Netscape 6: Preferences – Privacy&Sec – Certificates, then use “Restore” And SET THE MASTER PASSWORD

21. EGEE and LCG tutorial, June 2004 - 21 Usage Guidelines CA VO user service registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing Usage guidelines Account Registration once for the lifetime of the VO (only the DN not the keys, so they may change)

22. EGEE and LCG tutorial, June 2004 - 22 Registering with LCG http://lcg-registrar.cern.ch/

23. EGEE and LCG tutorial, June 2004 - 23 Registration with the NCF VO /O=dutchgrid/O=users/O=nikhef/CN=David Groep David Groep

24. EGEE and LCG tutorial, June 2004 - 24 Registering with a VO User registration in an EDG Virtual Organisation sign the usage guidelines. For LCG go to http://lcg-registrar.cern.ch/ For NCF go to http://register.matrix.sara.nl/http://lcg-registrar.cern.ch/http://register.matrix.sara.nl/ ask an account from your VO administrator there -> You are registered in the VO-Directory server and have an account on all systems (~24 hrs).

25. EGEE and LCG tutorial, June 2004 - 25 Starting a session CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing every 12/24 hours

26. EGEE and LCG tutorial, June 2004 - 26 Usage of your cert: single sign-on You must have a valid certificate from a trusted CA! „login”: grid-proxy-init short lifetime certificate: 24 hours Enter PEM pass phrase:...........................+++++....................................+++++ checking the proxy: grid-proxy-info -subject /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy „logout”: grid-proxy-destroy -> use the grid services

27. EGEE and LCG tutorial, June 2004 - 27 Proxy Certificate details openssl x509 –in /tmp/x509up_u`id -u` -text Data: [...] Issuer: O=Grid, O=CERN, OU=cern.ch, CN=Akos FrohnerIssuer is the user not a CA Validity Not Before: Jul 22 09:44:39 2002 GMTshort time certificate: 1 day Not After : Jul 22 21:49:39 2002 GMT Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner, CN=proxyextra tag: proxy Subject Public Key Info:new (shorter) key(s) Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:e9:7c:f4:d0:5d:8a:4c:91:8b:df:a7:16:78:1f: [...] Exponent: 65537 (0x10001) X509v3 extensions: [...] same as earlier Signature Algorithm: md5WithRSAEncryption [...] signed by the user example

28. EGEE and LCG tutorial, June 2004 - 28 The Resource Provider Side

29. EGEE and LCG tutorial, June 2004 - 29 Certificate Request for a Host CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-request grid-cert-request once in every year

30. EGEE and LCG tutorial, June 2004 - 30 Signing the Certificate CA VO user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing host-request grid-cert-request

31. EGEE and LCG tutorial, June 2004 - 31 Configuration on the Server CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing host-request grid-cert-request ca-certificate crl cert/crl update automatically updated every night/week

32. EGEE and LCG tutorial, June 2004 - 32 Service You must have the trusted CA certificates in files and the VO- LDAP server(s) URL configured. registering the trusted CAs (also on UI)  /etc/grid-security/certificates: hashed cert, crl and url generating a gridmap file: mkgridmap  /etc/grid-security/gridmap: DN -> userid/gid mapping generating host/service certificate  similar to user certificates for the whole process info

33. EGEE and LCG tutorial, June 2004 - 33 Service: CA Certificates ls /etc/grid-security/certificates 0ed6468a.0 c35c1972.0 d64ccb53.0 0ed6468a.crl_url c35c1972.crl_url d64ccb53.crl_url 0ed6468a.r0 c35c1972.r0 d64ccb53.r0 0ed6468a.signing_policy c35c1972.signing_policy d64ccb53.signing_policy 16da7552.0 cf4ba8c8.0 df312a4e.0 16da7552.crl_url cf4ba8c8.crl_url df312a4e.crl_url 16da7552.r0 cf4ba8c8.r0 df312a4e.r0 16da7552.signing_policy cf4ba8c8.signing_policydf312a4e.signing_policy cat c35c1972.crl_url http://globus.home.cern.ch/globus/ca/cern.crl.pem example

34. EGEE and LCG tutorial, June 2004 - 34 Service: a certificate cat c35c1972.signing_policy # EACL CERN CA access_id_CA X509'/C=CH/O=CERN/CN=CERN CA' pos_rights globusCA:sign cond_subjects globus'"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"‘ openssl x509 -in c35c1972.0 –text Issuer: C=CH, O=CERN, CN=CERN CA[...]the issuer and the subject are the same Subject: C=CH, O=CERN, CN=CERN CA [...] self signed certificate X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE [...] it may be used to sign other certificates Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CAit is a CA certificate example

35. EGEE and LCG tutorial, June 2004 - 35 Service: Revocation List openssl crl -in c35c1972.r0 –text Certificate Revocation List (CRL): Version 1 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: /C=CH/O=CERN/CN=CERN CAthe issuer is the CA itself Last Update: Jul 1 17:53:17 2002 GMT Next Update: Aug 5 17:53:17 2002 GMTnext update: shall be checked Revoked Certificates: Serial Number: 5Athe revoced certificate’s number Revocation Date: May 24 16:45:52 2002 GMT Signature Algorithm: md5WithRSAEncryptionSignature – as usual example

36. EGEE and LCG tutorial, June 2004 - 36 Authorization Information CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing gridmap mkgridmap host-request grid-cert-request ca-certificate crl cert/crl update automatically updated every night/week

37. EGEE and LCG tutorial, June 2004 - 37 Gridmap file: configuration cat /etc/grid-security/mkgridmap.conf auth ldap://marianne.in2p3.fr/ou=People,o=testbed,dc=eu-datagrid,dc=org # EDG Standard Virtual Organizations group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org.alice group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org.atlas group ldap://grid-vo.nikhef.nl/ou=tb1users,o=cms,dc=eu-datagrid,dc=org.cms group ldap://grid-vo.nikhef.nl/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org.lhcb group ldap://grid-vo.nikhef.nl/ou=tb1users,o=biomedical,dc=eu-datagrid,dc=org.biome group ldap://grid-vo.nikhef.nl/ou=tb1users,o=earthob,dc=eu-datagrid,dc=org.eo group ldap://marianne.in2p3.fr/ou=ITeam,o=testbed,dc=eu-datagrid,dc=org.iteam group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org.wpsix default_lcluser AUTO example

38. EGEE and LCG tutorial, June 2004 - 38 Generated Gridmap file cat /etc/grid-security/gridmap "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor".atlas "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci".dteam "/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/Email=Franco.Semeria@bo.infn.it".alice "/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/Email=Marisa.Luvisetto@bo.infn.it".alice "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones".dteam "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney".dteam "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon".lhcb "/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/Email=legre@clermont.in2p3.fr".biome example

39. EGEE and LCG tutorial, June 2004 - 39 Using a Service CA VO-LDAP user service proxy-cert grid-proxy-init registration cert.pkcs12 convert cert-request grid-cert-request certificate cert signing host-cert cert signing gridmap mkgridmap host/proxy certs exchanged host-request grid-cert-request ca-certificate crl cert/crl update

40. EGEE and LCG tutorial, June 2004 - 40 Summary CA: authentication; VO: AUP, authorisation and access new certificate: follow the web page instructions send to the appropriate CA (e.g. ca@dutchgrid.nl) save the answer  ~/.globus/usercert.pem import in web browser (.p12) and register with VO new proxy certificate: grid-proxy-init  /tmp/x509up_u use the Grid

41. EGEE and LCG tutorial, June 2004 - 41 Outlook for Grid Security GT2 – LCG-2 – VOMS

42. EGEE and LCG tutorial, June 2004 - 42 The Original Globus Toolkit user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) CA crl update low frequency high frequency host cert (long life ) grid-proxy-init

43. EGEE and LCG tutorial, June 2004 - 43 The VO-Directory (EDG/LCG-2) VO-LDAP user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) VO-LDAP CA mkgridmap crl update low frequency high frequency host cert (long life ) registration grid-proxy-init

44. EGEE and LCG tutorial, June 2004 - 44 The VOMS Model VO-VOMS user service authentication & authorization info user cert (long life ) VO-VOMS CA low frequency high frequency host cert (long life ) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration service cert (short life) authz cert (short life) registration LCAS LCMAPS edg-java-security

45. EGEE and LCG tutorial, June 2004 - 45 Getting VOMS Attributes Query Authentication Request Auth DB C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert [davidg@tbn01 davidg]$ edg-voms-proxy-init -voms=wpsix Your identity: /O=dutchgrid/O=users/O=nikhef/CN=David Groep Enter GRID pass phrase for this identity: Creating temporary proxy............................... Done /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr/Email=edg- site-admin@datagrid.cnrs.fr /C=FR/O=CNRS/CN=Datagrid-fr Creating proxy.............................. Done [davidg@tbn01 davidg]$ edg-voms-proxy-info -all … Type : proxy Bits : 512 Valid From : Jun 2 06:22:02 2004 GMT Validity left : Jun 2 18:27:02 2004 GMT VO : wpsix Holder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep … Issuer Subject:/C=FR/O=CNRS/OU=UREC/ CN=vo-iteam.datagrid.cnrs.fr … Valid from : Jun 2 06:26:09 2004 GMT Valid to : Jun 2 18:26:09 2004 GMT Attribute : /wpsix/Role=NULL/Capability=NULL

46. EGEE and LCG tutorial, June 2004 - 46 The VOMS Attribute Certificates /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it /C= IT/O=INFN/CN=INFN CA Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it /C=IT/O=INFN/OU=gatekeeper/L=PR /CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it /C=IT/O=INFN/CN=INFN CA VO: CMS URI: http://vomscms.cern.ch TIME1: 020710134823Z TIME2: 020711134822Z GROUP: montecarlo ROLE: administrator CAP: “100 GB disk” SIGNATURE:.........L...B]....3H.......=".h.r...;C'..S......o.g.=.n8S'x..\..A~.t5....90'Q.V.I..../.Z*V*{.e.RP.....X.r.......qEbb...A... The pseudo-cert is inserted in a non-critical extension of the user’s proxy  1.3.6.1.4.1.8005.100.1 00.1 Format: X.509 Attribute Cert FQAN One for each VOMS Server contacted user’s identity server identity user’s info

47. EGEE and LCG tutorial, June 2004 - 47 Interpretation at the Resources … "/O=dutchgrid/O=users/O=sara/CN=Walter de Jong".wpsix "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Robert Belleman".pvier "/VO=iteam/GROUP=/iteam".iteam "/VO=wpsix/GROUP=/wpsix".wpsix Local Centre Authorization Service (LCAS)  Handles authorization requests to local fabric Authorization decisions based on proxy user certificate and job specification Supports grid-mapfile mechanism  Plug-in framework (hooks for external authorization plug-ins) Local Credential Mapping Service (LCMAPS)  Provides local credentials needed for jobs in fabric (identifier in Java JVM in EJS)  Plug-in framework, driven by comprehensive policy language  Mapping based on user identity, VO affiliation, site-local policy  Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5

48. EGEE and LCG tutorial, June 2004 - 48 Additional material

49. EGEE and LCG tutorial, June 2004 - 49 Secure Communications Using Public Key Cryptography conventional (symmetric) secure communication: both parties need a pre-existing trusted channel Asymmetric encryption (‘public key crypto’) allows secured communication without need for channel to share a secret You can reliably establish communications between two key pairs Relies on a (supposedly) difficulty problem, e.g., factoring large numbers

50. EGEE and LCG tutorial, June 2004 - 50 How does it work? Example 1: Alice Bob (e,n)(e,n)(d,n)(d,n) (e,n)(e,n) E e,n (m) = m e mod(n) D d,n (c) = c d mod(n) m = D(E(m)) = E(D(m)) (reversibility) if a.o. ifde = 1 mod(  (p,q)) where  (p,q) = (p-1)(q-1) and (p-1) prime relative to e m c=E e,n (m) n = pq c D d,n (c) → m (d,e,p,q)(d,e,p,q) public space

51. EGEE and LCG tutorial, June 2004 - 51 6-bit RSA key generation Take a (small) value e = 3 Generate a set of primes (p,q), each with a length of k/2 bits, with (p-1) prime relative to e. (p,q) = (11,5)  (p,q) = (11-1)(5-1) = 40; n=pq=55 find d, in this case 27 [3*27 = 81 = 1 mod(40)] Public Key: (3,55) Private Key: (27,55) E e,n (m) = m e mod(n) D d,n (c) = c d mod(n) m = D(E(m)) = E(D(m)) (reversibility) if a.o. ifde = 1 mod(  (p,q)) where  (p,q) = (p-1)(q-1)

52. EGEE and LCG tutorial, June 2004 - 52 Message Exchange Encryption: Bob thinks of a plaintext m(<n) = 18 Encrypt with Alice’s public key (3,55) c=E 3;55 (18)=18 3 mod(55) = 5832 mod(55) = 2 send message “2” Decryption: Alice gets “2” she knows private key (27,55) E 27;55 (2) = 2 27 mod(55) = 18 ! If you just have (3,55), it’s hard to get the 27… (3,55) E e,n (m) = m e mod(n) D d,n (c) = c d mod(n) m = D(E(m)) = E(D(m)) if a.o. ifde = 1 mod(  (p,q)) where  (p,q) = (p-1)(q-1)

53. EGEE and LCG tutorial, June 2004 - 53 What can be done? Confidentiality no-one but the recipient can read what you say Message integrity encrypt a digest of your message with a private key Non-repudiation similar to integrity This encryption works both ways with 2 key pairs