Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication, Authorisation and Security

Published byCoral Scott Modified over 6 years ago

Similar presentations

Presentation on theme: "Authentication, Authorisation and Security"— Presentation transcript:

1 Authentication, Authorisation and Security
Shih-Chun Chiu Academia Sinica Grid Computing

2 Grid Security Infrastructure Encryption & Data Integrity
Security in gLite Security Authentication Grid Security Infrastructure Encryption & Data Integrity Authorization Authentication, Authorisation and Security

3 Basis of security & authentication
Symmetric encryption Asymmetric encryption…(Public Key Infrastructure) Private key and public key are in pair. it is impossible to derive one key from another key. a message encrypted by one key can be decrypted only by another one. Examples of public key algorithms: Diffie-Helmann (1977) RSA (1978) Encrypted text Private Key Public Key plain text Authentication, Authorisation and Security

4 An Example of Asymmetric Encryption
Public keys are exchanged Paul gets John’s public key.. Paul ciphers using the public key of John John decrypts using his private key; Public key algorithm: Make sure of data confidentiality John’s keys private public Paul John ciao 3$r Authentication, Authorisation and Security

5 Digital Signature Paul calculates the hash of the message
Paul encrypts the hash using his private key: the encrypted hash is the digital signature. Paul sends the signed message to John. John calculates the hash of the message Decrypts signature, to get Hash A, using Paul’s public key. If hashes equal: 1. message wasn’t modified; 2. hash A is from Paul’s private key (Paul encrypted it) Paul message Digital Signature message Hash A Digital Signature John Paul’s keys message Digital Signature Hash B = ? Hash A public private Authentication, Authorisation and Security

6 CA’s Digital Signature
Certificate Certificate It is based on Digital Signature mechanism. Grid authenticates users or resources by verifying their certificate. Certificate is issued by one of the national Certification Authorities. certificate Public Key User’s Information CA's information Time of validity CA’s Digital Signature Sign Certification Authorities. CA private key Authentication, Authorisation and Security

7 X.509 Certificates An X.509 Certificate contains:
owner’s public key; identity of the owner; info on the CA; time of validity; Serial number; Optional extensions digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08: GMT Serial number: 625 (0x271) Optional Extensions CA Digital signature Authentication, Authorisation and Security

8 Example: X.509 Certificates
Authentication, Authorisation and Security

9 sign Proxy certificate information information user’s signature
user key user cert CA’s signature information information sign user’s signature proxy certificate proxy key Authentication, Authorisation and Security

10 sign Proxy delegation information information proxy1’s signature
proxy2 key proxy2 cert proxy1 key proxy1 cert user’s signature information sign Authentication, Authorisation and Security

11 Proxy delegation chain
Every proxy can represent the user Proxy certificates Short-lived certificates signed by the user’s certificate or a proxy It reduces the effort for the user to repeatedly show their identity when he or her want to access different resources. “Single sign on” can be attained. proxy2 key proxy2 cert proxy1’s signature information proxy1 key proxy1 cert user’s signature proxy3 key proxy3 cert proxy2’s signature proxy N key proxyN cert Proxy N-1r’s signature Sign Authentication, Authorisation and Security

12 Evolution of VO management
VOMS VO Administration : check which VO the user belongs to Add VO information on user’s proxy certificate. voms-proxy-init a gLite command to Contact the VOMS with user’s proxy certificate Retrieve the certificate that contains VO information on it. information User’s Digital Signature VO: TWGrid proxy certificate Authentication, Authorisation and Security

13 Summary of AA - 1 Authentication based on X.509 PKI infrastructure
Trust between Certificate Authorities (CA) and sites, CAs and users is established (offline) CAs issue (long lived) certificates identifying sites and individuals (much like a passport) Commonly used in web browsers to authenticate to sites In order to reduce vulnerability, on the Grid user identification is done by using (short lived) proxies of their certificates Proxies can Be delegated to a service such that it can act on the user’s behalf Include additional attributes (like VO information via the VO Membership Service VOMS) Be stored in an external proxy store (MyProxy) Be renewed (in case they are about to expire) Authentication, Authorisation and Security

14 Summary of AA - 2 VO service Daily update
Authentication User obtains certificate from Certificate Authority Connects to UI by ssh (UI is the user’s interface to Grid) Uploads certificate to UI Single logon – to UI - create proxy Grid Security Infrastructure Annually CA VO mgr UI VO service Authorisation User joins Virtual Organisation VO negotiates access to Grid nodes and resources Authorisation tested by resource: Credentials in proxy determine user’s rights VO database GSI Daily update Mapping to access rights Authentication, Authorisation and Security

15 User Responsibilities
Keep your private key secure – on USB drive only Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. Authentication, Authorisation and Security

Download ppt "Authentication, Authorisation and Security"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

Similar presentations

Ads by Google