Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

Published byRandolph Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach."— Presentation transcript:

1 INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach and Education National e-Science Centre mjm@nesc.ac.uk With thanks for some slides to EGEE and Globus colleagues Minor changes and adaptation for Bulgarian users by Stanislav Spasov - spasov@acad.bg

2 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 2 Security Overview Grid Security Infrastructure Authentication Encryption & Data Integrity Authorization Security

3 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 3 The Problems - 1 How does a user securely access the Resource without having an account with username and password on the machines in between or even on the Resource? How does the Resource know who a user is? How are rights controlled? Authentication: how is identity of user/site communicated? Authorisation: what can a user do? User Resource

4 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 4 The Problems -2: reducing vulnerability Launch attacks to other sites –Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack. Illegal or inappropriate data distribution and access sensitive information –Massive distributed storage capacity ideal for example, for swapping movies. –Growing number of users have data that must be private – biomedical imaging for example Damage caused by viruses, worms etc. –Highly connected infrastructure means worms could spread faster than on the internet in general.

5 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 5 Basis of security & authentication Asymmetric encryption… …. and Digital signatures … –A hash derived from the message and encrypted with the signer’s private key –Signature is checked by decrypting with the signer’s public key Are used to build trust –That a user / site is who they say they are –And can be trusted to act in accord with agreed policies Encrypted text Private Key Public Key Clear text message

6 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 6 Public Key Algorithms Every user has two keys: one private and one public: –it is impossible to derive the private key from the public one; –a message encrypted by one key can be decrypted only by the other one. Concept - simplified version: –Public keys are exchanged –The sender encrypts using receiver’s public key –The reciever decrypts using their private key; John’s keys public private PaulJohn ciao3$rciao3$r

7 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 7 Digital Signature Paul calculates the h hh hash of the message Paul encrypts the hash using his p pp private key: the encrypted hash is the d dd digital signature. Paul sends the signed message to John. John calculates the hash of the message Decrypts signature, to get A, using Paul’s p pp public key. If hashes equal: 1. message wasn’t modified; 2. hash A is from Paul’s private key John message Digital Signature Paul message Digital Signature message Digital Signature Hash A Paul’s keys publicprivate Hash B Hash A = ?

8 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 8 Digital Certificates How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s? –A third party signs a certificate that binds the public key and Paul’s identity. –Both John and Paul trust this third party Certification Authority The “trusted third party” is called a Certification Authority (CA).

9 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 9 X.509 Certificates An X.509 Certificate contains:  owner’s public key;  identity of the owner;  info on the CA;  time of validity;  Serial number;  Optional extensions –digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) Optional Extensions CA Digital signature

10 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 10 Certification Authorities User’s identity has to be certified by one of the national Certification Authorities (CAs) Resources are also certified by CAs CAs are mutually recognized http://www.gridpma.org/, http://www.gridpma.org/ http://www.eugridpma.org/,http://www.eugridpma.org/ CAs each establish a number of people “registration authorities” RAs

11 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 11 Grid Security Infrastructure - proxies To support delegation: A delegates to B the right to act on behalf of A proxy certificates extend X.509 certificates –Short-lived certificates signed by the user’s certificate or a proxy –Reduces security risk, enables delegation

12 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 12 Certificate Request Private Key encrypted on local disk Cert Request Public Key ID Cert User generates public/private key pair in browser. User sends public key to CA and shows RA proof of identity. CA signature links identity and public key in certificate. CA informs user. CA root certificate

13 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 13 User Responsibilities Keep your private key secure – on USB drive only Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

14 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 14 AA Summary Authentication –User obtains certificate from Certificate Authority –Connects to UI by ssh UI is the user’s interface to Grid –Uploads certificate to UI –Single logon – to UI - create proxy –then Grid Security Infrastructure uses proxies Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by resource: Gridmapfile (or similar) maps user to local account UI CA VO mgr Annually VO database Gridmapfiles for grid services GSI VO service Daily update

15 Enabling Grids for E-sciencE INFSO-RI-222667 Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives – Sofia, 17.03.2009 15 Links for Further Information The definitive sources: http://www.egee.nesc.ac.uk/ http://glite.web.cern.ch/ http://glite.web.cern.ch/glite/documentation/default.asp Read The … Fine Manual: https://edms.cern.ch/file/722398//gLite-3-UserGuide.html https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf But also: http://wiki.egee-see.org/ http://www.grid.bas.bg/ http://ca.acad.bg

Download ppt "INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.

1 Key Establishment Symmetric key problem: How do two entities establish shared secret key in the first place? Solutions: Deffie-Hellman trusted key distribution.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Similar presentations

Ads by Google