Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Published byGiovanna Stitt Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University."— Presentation transcript:

1 www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University

2 Overview Problems Glossary Encryption –Symmetric algorithms –Asymmetric algorithms: Public Key Infrastructure Certificates –Digital Signatures –X.509 certificates Grid Security –Proxy certificates –Command line interfaces Virtual Organization –Concept of VO and authorization Authentication and Authorization in gLite 2

3 Glossary Principal –An entity: a user, a program, or a machine Credentials –Some data providing a proof of identity Authentication –Verify the identity of a principal Authorization –Map an entity to some set of privileges Confidentiality –Encrypt the message so that only the recipient can understand it Integrity –Ensure that the message has not been altered in the transmission Non-repudiation –Impossibility of denying the authenticity of a digital signature The “Grid Security Infrastructure(GSI)” is the basis of (most) production grids Authentication and Authorization in gLite 3

4 4 Problems How does a user securely access the Resource without having an account on the machines of the Resource? How does the Resource know who a user is? How are rights and that they are allowed access? User Resource Authentication Authorization

5 Authentication and Authorization in gLite 5 Security!!! –Launch attacks to other sites  Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack. –Illegal or inappropriate data distribution and access sensitive information  Massive distributed storage capacity ideal for example, for swapping movies.  Growing number of users have data that must be private – biomedical imaging for example –Damage caused by viruses, worms etc.  Highly connected infrastructure means worms could spread faster than on the internet in general. Problems

6 Cryptography Is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Symbology –Plaintext: M –Cyphertext: C –Encryption with key K 1 : E K 1 (M) = C –Decryption with key K 2 : D K 2 (C) = M Algorithms –Symmetric –Symmetric: K 1 = K 2 –Asymmetric –Asymmetric: K 1 ≠ K 2 Authentication and Authorization in gLite 6 K2K2 K1K1 MCM Encryption Decryption Alice Bob

7 Symmetric Algorithm Authentication and Authorization in gLite 7 AliceBob Hi3$rHi AliceBob Hi3$rHi3$r

8 Symmetric Algorithm Advantages: –Fast & Easy Problems: –How to distribute the key? –The number of keys needed is O(n 2 ) Examples: –DES (Digital Encryption Standard) –3DES (Triple DES) –AES (Digital Encryption Standard) –Blowfish Authentication and Authorization in gLite 8

9 9 Asymmetric Algorithms Private Key Public Key

10 Authentication and Authorization in gLite 10 Asymmetric Algorithm Bob’s keys public private Alice’s keys publicprivate AliceBob Hello3$rHello AliceBob Hellocy7Hell o 3$r cy7

11 Hash Function Converts any size of input into a fixed (smaller) size of output –Given h(x), it is difficult to compute x. –Given x, it is difficult to find x’ such that h(x) = h(x’). Usage –Verifying file integrity –Digitally Signature Examples –MD5 –SHA-1 Authentication and Authorization in gLite 11

12 Authentication and Authorization in gLite Digital Signature 12

13 Authentication and Authorization in gLite 13 Certification Authorities How can Bob be sure that Alice’s public key is really Alice’s public key and not someone else’s? –A third party certifies correspondence between the public key and Alice’s identity. –Both Bob and Alice trust this third party Certification Authority The “third party” is called a Certification Authority (CA).

14 Authentication and Authorization in gLite 14 Certification Authorities User’s identity has to be certified by one of the national Certification Authorities (CAs) Resources are also certified by CAs CAs are mutually recognized http://www.gridpma.org/ http://www.gridpma.org/ CAs each establish a number of people “registration authorities” RAs

15 Authentication and Authorization in gLite 15 X.509 Certificates An X.509 Certificate contains:  owner’s public key;  identity of the owner;  info on the CA;  time of validity;  Serial number;  Optional extensions –digital signature of the CA Public key Subject:C=CH, O=PKU, OU=GRID, CN=Liang Zhao 8968 Issuer: C=CH, O=IHEP, OU=GRID, CN=IHEP CA Expiration date: Nov 26 08:08:14 2007 GMT Serial number: 625 (0x271) Optional Extensions CA Digital signature

16 Authentication and Authorization in gLite 16 The Grid Security Infrastructure every Grid transaction is mutually authenticated: 1. A sends his certificate; 2. B verifies signature in A’s certificate using CA public certificate; 3. B sends to A a challenge string; 4. A encrypts the challenge string with his private key; 5. A sends encrypted challenge to B 6. B uses A’s public key to decrypt the challenge. 7. B compares the decrypted string with the original challenge 8. If they match, B verified A’s identity and A can not repudiate it. 9. Repeat for A to verify B’s identity A B A’s certificate Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Based on X.509 PKI:

17 Authentication and Authorization in gLite 17 The Grid Security Infrastructure Default: message integrity checking –Not private – a test for tampering For private communication: –Encrypt all the message (not just hash) - Slower After A and B authenticated each other, for A to send a message to B: A B Generate hash from message Message + Encrypted hash Decrypt with A’ s public key Compare with decrypted hash Encrypt hash with A’ s private key Further encrypt hash with B’ s public key Decrypt with B’ s private key Generate hash from message

18 Authentication and Authorization in gLite 18 Certificate Request Private Key encrypted on local disk Cert Request Public Key ID Cert User generates public/private key pair in browser. User sends public key to CA and shows RA proof of identity. CA signature links identity and public key in certificate. CA informs user. CA root certificate

19 Authentication and Authorization in gLite 19 Grid Security Infrastructure - proxies To support delegation: A delegates to B the right to act on behalf of A proxy certificates extend X.509 certificates –Short-lived certificates signed by the user’s certificate or a proxy –Reduces security risk, enables delegation

20 Authentication and Authorization in gLite 20 User Responsibilities Keep your private key secure – on USB drive only Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

21 Authentication and Authorization in gLite 21 Evolution of VO management Before VOMS User is authorized as a member of a single VO All VO members have same rights Gridmapfiles are updated by VO management software: map the user’s DN to a local account grid-proxy-init VOMS User can be in multiple VOs –Aggregate rights VO can have groups –Different rights for each  Different groups of experimentalists  … –Nested groups VO has roles –Assigned to specific purposes  E,g. system admin  When assume this role Proxy certificate carries the additional attributes voms-proxy-init VOMS – now in use on EGEE grid

22 Authentication and Authorization in gLite 22 Summary of AA - 1 Authentication based on X.509 PKI infrastructure –Trust between Certificate Authorities (CA) and sites, CAs and users is established (offline) –CAs issue (long lived) certificates identifying sites and individuals (much like a passport)  Commonly used in web browsers to authenticate to sites –In order to reduce vulnerability, on the Grid user identification is done by using (short lived) proxies of their certificates Proxies can –Be delegated to a service such that it can act on the user’s behalf –Include additional attributes (like VO information via the VO Membership Service VOMS) –Be stored in an external proxy store (MyProxy) –Be renewed (in case they are about to expire)

23 Authentication and Authorization in gLite 23 Summary of AA - 2 Authentication –User obtains certificate from Certificate Authority –Connects to UI by ssh (UI is the user’s interface to Grid) –Uploads certificate to UI –Single logon – to UI - create proxy –Grid Security Infrastructure Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by resource: Credentials in proxy determine user’s rights UI CA VO mgr Annually VO database Mapping to access rights GSI VO service Daily update

Download ppt "Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Practical using EGEE middleware: AA and simple job submission.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using EGEE middleware: AA and simple job submission.
Introduction of Grid Security

Introduction of Grid Security
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,

Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

Similar presentations

Ads by Google