
It’s not about security... it’s about access! Grid Security Pieter van Beek.

Presentation transcript:

1 It’s not about security... it’s about access! Grid Security Pieter van Beek

2 X.509 Certificates
On the Life Science Grid (LSG) users need an X.509 certificate.
This certificate is like a passport: authentication.
Certificates can have VO extensions, which are like visas: authorization.
Certificates are issued by Certificate Authorities (CAs). For the Netherlands this is DutchGrid: http://www.dutchgrid.nl/

3 Outline
Logging in with PuTTY
Symmetric and asymmetric encryption
Digital signatures
X.509 certificates
Delegation
X.509 proxy certificates
VOMS extensions
MyProxy
Workload Management System
tutorGridSession tutor

4 Logging in on the User Interface (UI): gb-se-ams.els.sara.nl
Use putty.exe
1. Enter the [Host Name]
2. as “Grid UI”
3. Click
4. Login as demoXX

5 Symmetric and asymmetric cryptography

6 Inspecting your keypair
cd ~/.globus
ls -l userkey.pem
cat userkey.pem

7 Digital signatures

8 X.509 Certificates are signed messages
Certificate Body:
  Issuer: the issuer's Distinguished Name
  Validity: validity period of this certificate
  Subject: the “Distinguished Name” (DN) of the user
  Subject's public key
  Extensions: various bits of information
Digital Signature: digest of the Certificate Body encrypted by the issuer’s private key


10 CA Certificates: self-signed

11 Web-browsers come with trusted CA-certificates

12 Credential Delegation
The problem:
Write a “Letter of Proxy”:
The solution:

13 Delegation works the same as Certification:

14 Trying it out

gb-se-ams:~/.globus demo01$ voms-proxy-init -voms tutor
Cannot find file or dir: /home/demo01/.glite/vomses
Enter GRID pass phrase: demo01
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy............................................. Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy................................................................................................................. Done
Your proxy is valid until Thu Jun 4 11:43:35 2009
gb-se-ams:~/.globus demo01$ openssl x509 -in $X509_USER_PROXY -text -noout | less
gb-se-ams:~/.globus demo01$ voms-proxy-info -all
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01/CN=proxy
issuer    : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
identity  : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u1062
timeleft  : 11:19:25
=== VO tutor extension information ===
VO        : tutor
subject   : /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
issuer    : /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
attribute : /tutor/Role=NULL/Capability=NULL
timeleft  : 11:19:24
uri       : voms.grid.sara.nl:30007
gb-se-ams:~/.globus demo01$

Output of openssl x509 -text for the proxy certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 260 (0x104)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01
        Validity
            Not Before: Jun  3 21:38:35 2009 GMT
            Not After : Jun  4 09:43:35 2009 GMT
        Subject: DC=org, DC=egee-ne, O=Training Services, OU=users, CN=Demo User 01, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:e1:2f:d7:81:b8:42:cb:28:8f:ec:c8:cb:89:
                    16:7f:68:3d:07:ff:67:0d:97:15:91:22:ec:a3:be:
                    06:e7:d3:69:c9:b9:2a:f2:f5:9c:c7:00:b0:a4:16:
                    fd:6c:cc:2b:85:6d:5c:4c:4b:de:a2:3f:77:85:e6:
                    2a:90:7a:f8:8f:7b:6f:68:25:44:20:5a:23:6e:9c:
                    61:2f:b6:ff:36:9a:72:05:06:f5:bf:21:81:f1:b7:
                    81:6f:9b:50:9e:37:1c:64:34:2b:c8:90:cb:f2:26:
                    4b:bd:cf:57:77:15:a7:1d:a1:15:5c:cd:2d:e3:fd:
                    25:10:0c:e1:6d:87:31:4b:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.8005.100.100.5:
                [VOMS attribute certificate, printed by openssl as raw bytes; readable fragments: issuer /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl, validity 20090603214334Z to 20090604094334Z, tutor://voms.grid.sara.nl:30007, attribute /tutor/Role=NULL/Capability=NULL]

15 Starting a Grid session

In theory:
1. Create a proxy certificate with short validity (hours). It contains VOMS credentials and allows “Single Sign-On”: the proxy private key doesn’t have a passphrase.
2. Delegate this proxy to the Workload Management System (WMS).
3. Delegate another, long-lived proxy to the Proxy Server.

… and in practice:
1. Normally, just type: startGridsession
   but today: tutorGridSession
This returns a session name, needed to submit jobs.

gb-se-ams:~/.globus demo01$ tutorGridSession tutor
Now starting...
Please enter your GRID password: demo01
voms-proxy-init -voms tutor --valid 120:00 -pwstdin
Cannot find file or dir: /home/demo01/.glite/vomses
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating temporary proxy........................................ Done
Contacting voms.grid.sara.nl:30007 [/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl] "tutor" Done
Creating proxy.......................................... Done
Your proxy is valid until Tue Jun 9 00:44:51 2009
Your identity: /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01
Creating proxy................................................................................................................. Done
Proxy Verify OK
Your proxy is valid until: Tue Jun 9 00:44:52 2009
A proxy valid for 120 hours (5.0 days) for user /DC=org/DC=egee-ne/O=Training Services/OU=users/CN=Demo User 01 now exists on px.grid.sara.nl.
Your delegation ID is: demo01
gb-se-ams:~/.globus demo01$

16 Generation of a proxy
1. B generates a public/private key pair for the proxy certificate.
2. B uses the key pair to generate a certificate request, which is sent to A using a secure channel. This certificate request includes the proxy's public key, but not the private key.
3. Supposing A agrees to delegate its credentials to B, Organization A uses its private key to digitally sign the certificate request.
4. A sends the signed certificate back to B using a secure channel.
5. B can now use the proxy certificate to act on A's behalf.
Notice how the proxy's private key is never transmitted between A and B. This is also true of A's private key.
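The delegation exchange of slides 15 and 16, as an added example that is not part of the presentation: it assumes the Python cryptography package, uses a constructed self-signed user certificate (named Demo User under constructed domain components) in place of a DutchGrid-issued one, and omits the RFC 3820 proxyCertInfo extension and the VOMS attribute certificate that real grid proxies carry. The final check is what a grid service does before accepting the proxy: verify the signature over the certificate body with the user's public key (slide 8) and confirm the proxy DN is the user DN plus CN=proxy.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# Constructed DN for the demo user (real LSG DNs come from DutchGrid).
USER_DN = x509.Name([x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "org"),
                     x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "example"),
                     x509.NameAttribute(NameOID.COMMON_NAME, "Demo User")])

def self_signed_user_cert(user_key):
    # Stands in for the CA-issued user certificate (slide 2); self-signed only for this demo.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(USER_DN).issuer_name(USER_DN)
            .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(user_key, hashes.SHA256()))

def b_make_request(user_cert):
    # B: fresh key pair; the request carries the proxy's public key, never the private key.
    proxy_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    proxy_dn = x509.Name(list(user_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(proxy_dn).sign(proxy_key, hashes.SHA256())
    return proxy_key, csr

def a_sign_proxy(user_key, user_cert, csr, hours=12):
    # A: signs the request with its own private key and gives the proxy a short lifetime (slide 15).
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(user_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(hours=hours))
            .sign(user_key, hashes.SHA256()))

def proxy_chain_ok(proxy_cert, user_cert):
    # Service-side check: body signature verifies under the user's key; DN is user DN + CN=proxy.
    try:
        user_cert.public_key().verify(proxy_cert.signature, proxy_cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(), proxy_cert.signature_hash_algorithm)
    except Exception:
        return False
    rdns = list(proxy_cert.subject)
    return (proxy_cert.issuer == user_cert.subject and rdns[:-1] == list(user_cert.subject)
            and rdns[-1] == x509.NameAttribute(NameOID.COMMON_NAME, "proxy"))

def delegate():
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = self_signed_user_cert(user_key)
    proxy_key, csr = b_make_request(user_cert)           # B keeps proxy_key
    proxy_cert = a_sign_proxy(user_key, user_cert, csr)  # A keeps user_key
    return user_cert, proxy_key, proxy_cert
```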

