Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Presentation transcript:

1 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN, Department of Applied Informatics

2 GLOBUS TOOLKIT - Security functionalities

3 The results of the research into grid technologies have been incorporated into a widely used software system called the Globus Toolkit® (GT), which uses specific security technologies: public key technologies to address single sign-on, delegation, and identity mapping, while supporting standardized APIs such as GSS-API. The Grid Security Infrastructure (GSI) is the name given to the portion of the Globus Toolkit that implements security functionality.

4 CAS – Community Authorization Service. Security services such as CAS allow flexible, expressive policy to be created regarding multiple users in a Virtual Organization (VO). CAS allows a VO to express the policy that has been outsourced to it by the resource providers in the VO. The policy regards resources distributed across a number of sites.

5 A CAS server issues assertions to the VO's users, granting them fine-grained access rights to resources. Servers recognize and enforce the assertions. In evaluating whether to allow a request, the resource checks both the local policy and the VO policy expressed in the CAS assertion.

6 CAS allows a resource to remain the ultimate authority over that resource, but it also allows the VO to control a subset of the enforced policy. In turn, the VO can coordinate the policy across a number of resources, to control the sharing of those resources by the VO. CAS is designed to be extensible to multiple services and is currently supported by the GridFTP server.

7 PA – Policy Authority. The PA enforces policy on the basis of the CAS identity and the requestor's capabilities.

8 Identity Mapping service. The ID Mapping service takes a user's identity in one domain and returns the identity in another domain. ID Mapping schemes provide identity mapping (the gridmap file) between VO IDs and local IDs, for authorization, access to local files, job startup rights, etc.

9 GT4 (Globus Toolkit version 4.0) provides distinct WS and pre-WS Authentication and Authorization capabilities, built on standard X.509 end-entity certificates and on a delegation mechanism based on X.509 Proxy Certificates. These are used to identify persistent entities such as users and servers, and to support the temporary delegation of privileges to other entities, respectively.

10 GRID SECURITY INFRASTRUCTURE (GSI)

11 The Globus Toolkit uses the Grid Security Infrastructure (GSI) to enable secure authentication and communication over an open network. GSI provides a number of useful services for Grids, including mutual authentication and single sign-on. GSI uses public key cryptography as the basis for its functionality; many of the terms and concepts used in this description of GSI come from its use of public key cryptography.

12 GSI uses TLS/SSL for its mutual authentication protocol. If two parties have certificates, and if both parties trust the CAs that signed each other's certificates, then the two parties can prove their identities to each other.

13 After authentication, the GSI identity is mapped, by administrator configuration, to a local identity for authorization. The GSI identity is thus converted to a local identity, and the local identity controls access to local files, job startup rights, etc.

14 Note: GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS, so that GSI proxies may be used with other TLS software. (The IETF profile for proxy certificates was published as RFC 3820 in June 2004.)

15 GSI implements X.509 Proxy Certificates as extensions to the standard X.509 certificate, to support: dynamic naming of services, delegation of rights, and single sign-on.

16 The Delegation Service is a new component in Globus Toolkit version 4.0. This component provides an interface for delegation of credentials to a hosting environment. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication, without entering a password.

17 A proxy consists of a new certificate and a private key. The key pair used for the proxy (i.e. the public key embedded in the certificate and the private key) may be either regenerated for each proxy or obtained by other means. Proxies have limited lifetimes.

18 The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than by a CA. The certificate also includes a time after which the proxy should no longer be accepted by others. Proxies have limited lifetimes: unlike the owner's long-term key, the proxy's private key is stored unencrypted (protected only by file permissions) so that it can be used without a passphrase, and the short lifetime bounds the damage if that file is copied.

19 When proxies are used, the mutual authentication process differs slightly: the remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. Step 1: During mutual authentication, the owner's public key (obtained from the owner's certificate) is used to validate the signature on the proxy certificate. Step 2: The CA's public key is then used to validate the signature on the owner's certificate.

20 This establishes a CHAIN OF TRUST from the CA, through the owner, to the proxy.

21 During delegation, the client can elect to delegate only a "limited proxy", rather than a "full" proxy. Each service decides whether it will allow authentication with a limited proxy (e.g. the GRAM job manager service requires a full proxy, while the GridFTP server allows either a full or a limited proxy to be used). A limited proxy can only delegate further limited proxies, so the restriction cannot be undone downstream.
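The chain-of-trust and limited-proxy rules of slides 17 to 21, as an added example (not Globus code): a validator that walks a leaf-first chain from the CA-signed end-entity certificate out to the last proxy, checking that each proxy is named from its issuer's subject plus "/CN=proxy" or "/CN=limited proxy", that every certificate is within its lifetime, and that a limited proxy never yields a full one. It works over plain records rather than parsed X.509 and assumes the TLS layer has already verified the signatures; the CA name, clock and lifetimes are constructed, and the user DN is the one shown on slide 34. The rule that a proxy may not outlive its issuer is a conservative choice of this example.

```python
"""GSI proxy chain rules (naming, lifetime, limited-proxy propagation) over
plain records.  Added illustration, not Globus code: signature checks are
assumed to have been done by the TLS layer."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    subject: str          # Globus one-line DN, "/O=Grid/.../CN=name"
    issuer: str           # subject of the certificate that signed this one
    not_before: datetime
    not_after: datetime


PROXY_CN = "/CN=proxy"
LIMITED_CN = "/CN=limited proxy"


class ProxyChainError(ValueError):
    """The chain violates one of the GSI rules."""


def validate_chain(chain, trusted_cas, now):
    """chain is leaf-first: [proxy_n, ..., proxy_1, end_entity_cert].
    trusted_cas maps a CA subject to its Cert.
    Returns (effective_identity, is_limited) or raises ProxyChainError."""
    if not chain:
        raise ProxyChainError("empty chain")
    eec = chain[-1]
    ca = trusted_cas.get(eec.issuer)
    if ca is None:
        raise ProxyChainError(f"untrusted CA: {eec.issuer}")
    for cert in (ca, eec):
        if not cert.not_before <= now <= cert.not_after:
            raise ProxyChainError(f"certificate not valid now: {cert.subject}")

    limited = False
    parent = eec
    # Walk outwards from the end-entity certificate to the leaf proxy,
    # mirroring the validation path of slides 19 and 20.
    for proxy in reversed(chain[:-1]):
        if proxy.issuer != parent.subject:
            raise ProxyChainError(f"issuer mismatch: {proxy.subject}")
        if proxy.subject == parent.subject + PROXY_CN:
            this_limited = False
        elif proxy.subject == parent.subject + LIMITED_CN:
            this_limited = True
        else:
            raise ProxyChainError(f"proxy name not derived from issuer: {proxy.subject}")
        if limited and not this_limited:
            # A full proxy can never be minted from a limited one.
            raise ProxyChainError("full proxy derived from limited proxy")
        if not proxy.not_before <= now <= proxy.not_after:
            raise ProxyChainError(f"proxy expired: {proxy.subject}")
        if proxy.not_after > parent.not_after:
            # Conservative rule applied here: a proxy may not outlive its issuer.
            raise ProxyChainError(f"proxy outlives its issuer: {proxy.subject}")
        limited = limited or this_limited
        parent = proxy
    return eec.subject, limited


# --- constructed sample chain ---------------------------------------------
NOW = datetime(2006, 5, 1, 12, 0)                      # constructed clock
LATER = NOW + timedelta(hours=12)                      # after the full proxy expires
CA_DN = "/O=Grid/CN=Example CA"                        # constructed CA name
USER_DN = "/O=Grid/O=Globus/OU=itso.grid.com/CN=your name"   # DN from slide 34
TRUSTED = {CA_DN: Cert(CA_DN, CA_DN, NOW - timedelta(days=365), NOW + timedelta(days=365))}
USER = Cert(USER_DN, CA_DN, NOW - timedelta(days=30), NOW + timedelta(days=335))
FULL = Cert(USER_DN + PROXY_CN, USER_DN, NOW - timedelta(hours=1), NOW + timedelta(hours=11))
LIMITED = Cert(FULL.subject + LIMITED_CN, FULL.subject, NOW, NOW + timedelta(hours=2))
# A full proxy minted by the limited one: must be rejected.
ESCALATED = Cert(LIMITED.subject + PROXY_CN, LIMITED.subject, NOW, NOW + timedelta(hours=1))
# Signed with the user's key but naming someone else: must be rejected.
FORGED = Cert("/O=Grid/CN=someone else" + PROXY_CN, USER_DN, NOW, NOW + timedelta(hours=1))


def check(chain, now=NOW):
    """Convenience wrapper: (identity, limited) on success, error text on failure."""
    try:
        return validate_chain(chain, TRUSTED, now)
    except ProxyChainError as err:
        return str(err)


if __name__ == "__main__":
    for name, chain in [("full", [FULL, USER]), ("limited", [LIMITED, FULL, USER]),
                        ("escalated", [ESCALATED, LIMITED, FULL, USER]),
                        ("forged", [FORGED, USER])]:
        print(f"{name:10} -> {check(chain)}")
```

The name check is what stops the forged chain: the owner's key did sign FORGED, so a signature-only verifier would accept it, but its subject is not the owner's subject plus a proxy component, so the identity it claims is not one the owner is entitled to delegate.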

22 CONCLUSION: the GSI extension to X.509 identity certificates allows a user to dynamically assign identity and rights to a service, name services created on the fly, and give them rights (i.e. set policy). What is effectively happening is that users create their own trust domain of services; the services trust each other, with the user acting as the trust root.

23 MyProxy is an online credential repository. It ensures secure storage and management of users' credentials: it simplifies certificate management; it allows users to selectively retrieve and use credentials for performing Grid operations; and it handles credential renewal for long-running tasks. X.509 proxy credentials can be stored in the MyProxy repository, protected by a passphrase, for later retrieval over the network. This eliminates the need for manually copying private key and certificate files between machines. MyProxy can also be used for authentication to Grid portals and for credential renewal with job managers.

24 GETTING ACCESS TO THE GRID: Authentication and Authorization; Delegation mechanism

25 Authentication and Authorization

26 Authentication & Authorization. In Grid environments, your host will be a client in some cases and a server in others. Therefore, your host might be required to authenticate another host and to be authenticated by that host at the same time. The mutual authentication function of GSI carries out the authentication steps, then swaps the roles of the two hosts and repeats the procedure. Briefly speaking: authentication is the process of securely exchanging and verifying each other's certificates (public keys); authorization is the process that MAPS your DN to a local user/group of a remote host.

27 Mutual Authentication procedure

28 Delegation mechanism

29 Delegation mechanism: Remote delegation, where a user creates a proxy certificate at a REMOTE machine; Local delegation, where a user creates a proxy certificate at the LOCAL machine.

30 REMOTE DELEGATION. When you make a proxy on a remote machine, the proxy's private key is on that remote machine, so the super-user of that machine can access your proxy's private key and conduct business under your name. This delegated credential can therefore be vulnerable to attack. In order to limit such impersonation, it is recommended that the owner place restrictions on the proxy (a restricted policy, as GRAM does, for example). (The standardization of this proxy restriction is now going on under the GSI Working Group of Grid Forum Security.) To distribute jobs to remote grid machines, and to let them distribute their child jobs to other machines under your security policy, the DELEGATION function of GSI can be used.

31 Delegation procedure of user's proxy

32 If you are on the side of host A, you can create your proxy at host B to delegate your authority. This proxy acts as yourself, and submits a request to host C on your behalf. The next steps are: the procedure to create your proxy at a remote machine (proxy creation), and the procedure to submit a request to the other remote host on your behalf (proxy action).

33 Proxy creation. 1. A trusted communication channel is created between host A and host B. 2. You request host B to create a proxy that delegates your authority. 3. Host B generates the proxy's key pair, creates the request for your proxy certificate, and sends the request back to host A (the proxy's private key stays on host B and is never transmitted). 4. Host A signs the request with your private key to create your proxy certificate and sends it back to host B. 5. Host A sends your own certificate to host B.

34 Proxy action. 1. Your proxy sends your certificate and the certificate of your proxy to host C. 2. Host C gets your proxy's public key through the path validation procedure: a. Host C gets your subject and your public key from your certificate, using the CA's public key. b. Host C gets the proxy's subject and your proxy's public key from your proxy's certificate, using your public key. c. The subject is a Distinguished Name similar to "/O=Grid/O=Globus/OU=itso.grid.com/CN=your name". The subject of the proxy certificate is derived from its owner's (your) subject and looks like "/O=Grid/O=Globus/OU=itso.grid.com/CN=your name/CN=proxy".

35 So in order to validate the proxy certificate, host C just has to check that the proxy's subject, with the trailing "/CN=proxy" component removed, is exactly your subject. If it is validated, your proxy is authenticated by host C and is able to act on your behalf. 3. The proxy signs its request message with its private key and sends it to host C. 4. Host C verifies the signature with the proxy's public key and accepts the request. 5. Host C runs the request under the authority of a local user. The user is specified using a mapping file (the gridmap file), which represents the mapping between grid users (subjects) and local users (local user names).
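Host C's authorization step from slide 35, together with the gridmap mapping of slides 8 and 13 and the per-service limited-proxy policy of slide 21, as an added example (not Globus code). It strips the trailing proxy components from the presented subject and compares the result with the subject of the CA-signed owner certificate, refuses a limited proxy where the service demands a full one, and finally maps the grid subject to a local account through a grid-mapfile in the Globus format (a double-quoted DN followed by one or more comma-separated local users, the first being the default). The mapfile contents and service names are constructed; signature verification is assumed to have been done by the TLS layer.

```python
"""Host C's authorization step: validate the proxy subject against the
owner's subject, apply the service's limited-proxy policy, and map the grid
identity to a local account through a grid-mapfile.  Added illustration,
not Globus code; the mapfile contents and service names are constructed."""
import shlex

PROXY_CN = "/CN=proxy"
LIMITED_CN = "/CN=limited proxy"

# Constructed grid-mapfile in the Globus format:
#   "<subject DN>" <local user>[,<local user>...]
# The first local user listed is the default account for that DN.
GRIDMAP_TEXT = """\
# comment lines and blank lines are ignored
"/O=Grid/O=Globus/OU=itso.grid.com/CN=your name" yourname
"/O=Grid/O=Globus/OU=itso.grid.com/CN=bob" bob,gridusers

"""

# Slide 21: the GRAM job manager requires a full proxy, GridFTP accepts either.
SERVICE_ACCEPTS_LIMITED = {"jobmanager": False, "gridftp": True}


def parse_gridmap(text):
    """Return {subject DN: [local users]}; the first entry for a DN wins."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the double-quoted DN
        if len(fields) != 2:
            raise ValueError(f'gridmap line {lineno}: expected "DN" user[,user...]')
        dn, users = fields
        mapping.setdefault(dn, [u for u in users.split(",") if u])
    return mapping


def split_proxy_subject(subject):
    """Strip trailing proxy components (slide 35); return (owner DN, limited)."""
    limited = False
    while True:
        if subject.endswith(LIMITED_CN):
            subject, limited = subject[:-len(LIMITED_CN)], True
        elif subject.endswith(PROXY_CN):
            subject = subject[:-len(PROXY_CN)]
        else:
            return subject, limited


def authorize(service, owner_subject, proxy_subject, gridmap):
    """Decide whether the request from proxy_subject may run, and as whom.
    owner_subject is taken from the CA-signed certificate presented alongside
    the proxy certificate; both signatures are assumed already verified."""
    owner, limited = split_proxy_subject(proxy_subject)
    if owner != owner_subject:
        return ("deny", "proxy subject is not derived from the owner's subject")
    if limited and not SERVICE_ACCEPTS_LIMITED.get(service, False):
        return ("deny", f"{service} requires a full proxy")
    users = gridmap.get(owner)
    if not users:
        return ("deny", f"no grid-mapfile entry for {owner}")
    return ("allow", users[0])


GRIDMAP = parse_gridmap(GRIDMAP_TEXT)
USER_DN = "/O=Grid/O=Globus/OU=itso.grid.com/CN=your name"   # DN from slide 34

if __name__ == "__main__":
    print(authorize("gridftp", USER_DN, USER_DN + PROXY_CN, GRIDMAP))
    print(authorize("jobmanager", USER_DN, USER_DN + PROXY_CN + LIMITED_CN, GRIDMAP))
    print(authorize("gridftp", USER_DN, "/O=Grid/CN=mallory" + PROXY_CN, GRIDMAP))
```

The comparison against the owner's subject is the step that matters for security: a proxy certificate is signed by an ordinary user key, so without it any user could issue a "proxy" naming somebody else. The mapfile lookup then decides which local account, and therefore which local files and job rights, the request receives.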
