Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in OSG Tuesday afternoon, 4:15pm Igor Sfiligoi Member of the OSG Security team University of California San Diego.

Published byCharles Lambert Modified over 7 years ago

Similar presentations

Presentation on theme: "Security in OSG Tuesday afternoon, 4:15pm Igor Sfiligoi Member of the OSG Security team University of California San Diego."— Presentation transcript:

1 Security in OSG Tuesday afternoon, 4:15pm Igor Sfiligoi Member of the OSG Security team University of California San Diego

2 2012 OSG User School Logistical reminder It is OK to ask questions  During the lecture  During the demos  During the exercises  During the breaks If I don't know the answer, I will find someone who likely does

3 2012 OSG User School Reminder – Single sign-on The user should use the same mechanism to submit jobs to any site  And there are 100s of them in OSG Hi. I am Igor

4 2012 OSG User School Passwords a non-starter We all know username/password is the preferred authentication mechanism  Almost everybody use it! But not a good solution for distributed systems  Uses a shared secret between the user and the service provider  And secrets stay secret only if few entities know it  Sharing passwords between sites a bad idea!

5 2012 OSG User School Adding an intermediary A better approach is to introduce a highly trusted intermediary Have been used in real life for ages  e.g. States as issuers of IDs/Passports  Getting the ID can be a lengthy process, but using it is easy afterwards Hi. Here is my ID Hi. I am Igor Hi. Here is my ID Use this ID

6 2012 OSG User School Adding an intermediary A better approach is to introduce a highly trusted intermediary Have been used in real life for ages  e.g. States as issuers of Ids/Passports  Getting the ID can be a lengthy process, but using it is easy afterwards Hi. Here is my ID Hi. I am Igor Hi. Here is my ID Use this ID Chain of trust. You are trusted because the site trusts the issuer, and the issuer trusted you.

7 2012 OSG User School Technical implementations Many technical solutions  x.509 PKI  Kerberos  OpenID  many more... All based on the same basic principle  Each has strengths and weaknesses  OSG standardized on x.509 Will not argue if it is the best one.

8 2012 OSG User School x.509 PKI Based on public key cryptography  A user has a (private,public) key pair  One signs, the other verifies The highly trusted entity is called a Certification Authority (CA)  The user is given a certificate  Cert. has user name in it  Cert. also contains the (priv,pub) key pair  Cert. has a limited lifetime  Cert. is signed by the CA private key You should have one by now.

9 2012 OSG User School x.509 authentication Sites have CA public key pre-installed User authenticates by signing a site provided string and providing the public part of the cert Hi, here is my pub cert Please sign “10011011” Here it is “00111011” Associated Private Key Hi, Igor CA pub Igor's Pub Cert

10 2012 OSG User School Mutual authentication The OSG clients also require servers to authenticate  Same principle as before  The site's server owns a x.509 certificate  User client must have the CA pre-installed So we have mutual authentication

11 2012 OSG User School Impersonation Sometimes your jobs need to impersonate you  For example to access remote data Schedul er CE Job Hi... ehm... I am Igor SE Storage Element

12 2012 OSG User School Impersonation Sometimes your jobs need to impersonate you  For example to access remote data Schedul er CE Job Hi... ehm... I am Igor SE Storage Element Obviously will not work. The job does not have your private key. We have similar problems in real life, too e.g. attorney representing you in court Nobody will buy it that he is you, yet he can speak on your behalf

13 2012 OSG User School Proxy delegation The job is indeed not you Create a proxy certificate for the job  Add another level of trust delegation And send it with the job Schedul er CE Job Hi... I am Igor SE Storage Element

14 2012 OSG User School Proxy delegation The job is indeed not you Create a proxy certificate for the job  Add another level of trust delegation And send it with the job Schedul er CE Job Hi... I am Igor SE Storage Element YES! You are sending the proxy's private key to the WN.

15 2012 OSG User School Risk mitigation Proxy delegation is risky  Your proxy could be stolen In OSG, we mitigate by limiting lifetime  At most few hours recommended  After the proxy expires, the proxy is useless Can be annoying  Must keep renewing, if long running job! But we don't have anything better.

16 2012 OSG User School Risk mitigation Proxy delegation is risky  Your proxy could be stolen In OSG, we mitigate by limiting lifetime  At most few hours recommended  After the proxy expires, the proxy is useless Can be annoying  Must keep renewing, if long running job! But we don't have anything better. If using glideinWMS, Condor will automatically create a short lived proxy and keep re- delegating it. Completely transparent to you.

17 2012 OSG User School x.509 in Overlay systems x.509 is typically used in Overlay systems as well For glideinWMS, all communication between processes is mutually authenticated using x.509 (proxy) certificates

18 2012 OSG User School Authentication vs. Authorization Just because you can authenticate yourself, it does not mean you are authorized, too  e.g. your passport tells who you are, but does not allow you to drive a car x.509 PKI only covers authentication  Tells the site who you are Need a different mechanism for authorization

19 2012 OSG User School The naive approach is using a list  Since we do not want let just anyone in! However, the problem is scale  OSG has ~10,000 users!  Sites do not want to decide on a user-by-user basis! Per-user authorization not an option Server authorization is easy. Just require host name in the certificate name; CA will enforce this. The client decides which host to talk to.

20 2012 OSG User School Adding roles Sites want to operate on higher level concepts  Some kind of attribute Like in real life  Think about passport vs driver's license  Both tell a cop who you are (and to 1 st approx. are issued by the same entity)  But the driver's license tells him you are allowed to use a car, too  “Class:C”

21 2012 OSG User School Need for an attribute authority Users can have many roles  But don't want to have multiple certs  e.g. I may be running HEP jobs or School jobs So the attributes cannot come from the CA  And you would not just trust the user In OSG, we use VOMS  Virtual Organization Management System  OSG expects well organized VOs (e.g. CMS)

22 2012 OSG User School VO and VOMS VO decides who is worthy of an attribute  Site decides based on that attribute Hi. Here is my ID Hi. I am Igor Hi. Here is my ID Use this ID VOM S Register Hi. I work for CMS Get proxy+attrs

23 2012 OSG User School VO and VOMS VO decides who is worthy of an attribute  Site decides based on that attribute Hi. Here is my ID Hi. I am Igor Hi. Here is my ID Use this ID VOM S Register Hi. I work for CMS Get proxy+attrs Site still knows who you are and can act on your name alone. But they will do it only for exceptional cases.

24 2012 OSG User School More security considerations There is much more than authentication and authorization to security  But we don't have the time to cover everything Just briefly  Sharing of resources  Privacy  Acceptable conduct

25 2012 OSG User School Sharing of resources Modern CPUs are many-core, so  Very likely your job will be sharing the node with other jobs Sites will map your Grid name into UID  Hopefully unique... be sure to ask Standard *NIX protections  Act accordingly  e.g. no file should be world writable

26 2012 OSG User School Privacy By default, no privacy in OSG  Assume all your files are publicly readable  Apart from your proxy If you need privacy, you will have to take explicit measures  Both during network transfers, and  For files on disk x.509 can be used for encryption  But remember, proxy has new keys

27 2012 OSG User School Acceptable conduct Each OSG user is bound by its AUP (Acceptable User Policy)  And sites are allowed to have additional rules in place In a nutshell  Use only for the declared science purpose  Do not overload the system  Do not attempt to circumvent security Else, you will be banned!

28 2012 OSG User School Questions? Questions? Comments?  Feel free to ask me questions later: Igor Sfiligoi Upcoming sessions  Now – 5:00pm  Hands-on exercises  5:00pm - 7:00pm  On your own  7:00pm – 9:00pm  Evening work session (optional but recommended) 28

29 2012 OSG User School Security is serious business 29

Download ppt "Security in OSG Tuesday afternoon, 4:15pm Igor Sfiligoi Member of the OSG Security team University of California San Diego."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Similar presentations

Ads by Google