Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Status – Biomed meeting – Valencia, January 27th, 2006 EGEE Security status.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Status – Biomed meeting – Valencia, January 27th, 2006 EGEE Security status."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Status – Biomed meeting – Valencia, January 27th, 2006 EGEE Security status Remi Mollon, Christophe Blanchet Bioinformatics Centre of Lyon – PBIL Institute of Biology and Chemistry of Proteins IBCP – CNRS UMR 5086 Lyon – Gerland, France

2 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 2 Enabling Grids for E-sciencE INFSO-RI-508833 Outlines Bioinformatic requirements EGEE Security Overview Data Encryption Systems –JRA3 prototype on gLite –IBCP prototype on LCG-2 – … Benchmarks Data security status Next meetings

3 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 3 Enabling Grids for E-sciencE INFSO-RI-508833 Bioinformatic requirements Certificate management[DONE] –For all entities (like users, services, Web portals,...) –Renew and revoke mechanisms Fine grain access to data [IN PROGRESS] –Access Control Lists (ACL) support –The owner can do modifications Data encryption [IN PROGRESS] –Long-term storage of encrypted data –Transparent (unencrypted) access for authorized users Data anonymization [STOPPED] –Medical data (analyses, diagnoses, pictures,...) –Legislation problems in France According to Biomed requirement database, and Ake Edlund, JRA3 manager

4 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 4 Enabling Grids for E-sciencE INFSO-RI-508833 EGEE Security Overview (1) Main high-level security functionalities : –Single Sign On (SSO) [DONE]  A unique authentication to access to the entire grid –Data confidentiality and integrity (commercial context, patient's data,...) [IN PROGRESS] –Fine resource access control [IN PROGRESS]  Deny or grant access to a resource for a user, a group of users, a VO, a role,... –Pseudonymity [NOT STARTED]  Accessing the grid with a pseudonym instead of user real identity According to Ake Edlund, JRA3 manager

5 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 5 Enabling Grids for E-sciencE INFSO-RI-508833 EGEE Security Overview (2) Low-level security functionalities : –Monitoring & Logging [DONE]  Analysis : pre-event and post-event  Prevention : scan, attack and intrusion detection  Identification : responsibilization and non-repudiation –Authentication [DONE]  Trusted Third Party (TTP)  X.509 certificates with a Public Key Infrastructure (PKI) –Authorization [IN PROGRESS]  Virtual Organization (VO) – the Biomed VO for example user group with a common goal who want to share their resources  Delegation with proxy certificates : act on the behalf of someone else  VO Membership Service (VOMS) Management of VOs, roles, permissions,... According to Ake Edlund, JRA3 manager

6 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 6 Enabling Grids for E-sciencE INFSO-RI-508833 EGEE Security Overview (3) –Isolation  At local system level : [IN PROGRESS] Minimize user application consequences Local Credential MAPping Service (LCMAPS)  At network level : [FROZEN] Avoid virus/worm propagation, DDoS attacks,... Dynamic Connectivity Service –Encryption key management  User keys (tied to X.509 certificates) [DONE] manage by users themselves, or by dedicated service (MyProxy)  Data keys : long-term encrypted data storage Single key store [DONE] Techniques “M-of-N” [NONE] According to Ake Edlund, JRA3 manager

7 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 7 Enabling Grids for E-sciencE INFSO-RI-508833 Data encryption systems JRA3 MDMIBCP EncFile AvalaibilitygLite 1.5 on PPS LCG2 on production, not depend of a platform CipherAES, 256bits keys DecryptionExplicitImplicit EncryptionExplicit Enc/decrypt locationRAMRAM, on-the-fly Key StoreHydra AMGAPostgreSQL M-of-N techniqueNoneShamir share algorithm IntegrationC++ API Transparent to users, catch I/O calls DeployementMDM experience GPS@ Web portal and all its programs Link key to dataLFN+MetadataLFN AuthorizationgLiteLCG2

8 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 8 Enabling Grids for E-sciencE INFSO-RI-508833 Data encryption systems And other ones… –Third development from UPV Some details from Ignacio …

9 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 9 Enabling Grids for E-sciencE INFSO-RI-508833 EncFile Benchmarks

10 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 10 Enabling Grids for E-sciencE INFSO-RI-508833 Status of data security Anybody can get the list of all files (all VOs) on a SE –Just need to know the LRC_ENDPOINT « lcg-infosites --vo biomed lrc », from GOOGLE, keywords « LRC egee biomed » http://rm-biomed.in2p3.fr:8080/biomed/edg-local-replica-catalog/services/edg- local-replica-catalog Anybody can get the list of LFNs of a VO –Just need to know the RMC_ENDPOINT change “edg-local-replica-catalog” by “edg-replica-metadata-catalog” From GOOGLE, keywords: « RMC egee biomed » http://rm-biomed.in2p3.fr:8080/biomed/ edg-replica-metadata-catalog /services/edg-local-replica-catalog Some lcg-xx commands do not require nor proxy nor valid certificate. –Anybody can list/change/remove any LFN/alias « How anybody can do what he wants with all files stored on the EGEE grid: reality of data security on the EGEE grid »

11 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 11 Enabling Grids for E-sciencE INFSO-RI-508833 Status of data security (2) Some LCG commands don't require a valid proxy certificate –All commands that manage aliases: anybody can modify any file aliases –All commands that list elements (replica, GUID): anybody can list file entities –Even some core commands managing files ! –Sometimes the '--vo' parameter is taken as truth without any further checks

12 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 12 Enabling Grids for E-sciencE INFSO-RI-508833 Status of data security (3) Tests between 2 Vos: biomed and dteam –One file gridified with dteam VO –Then manipulated with biomed VO –Alias was deleted, and a new one was added with biomed VO (!!) –Odd listing command behaviour  lcg-la, lcg-lg, lcg-lr –2 independent catalogs  LRC = {(GUID, SFN)}  RMC = {(GUID, LFN)}  a GUID can be associated with a VO in the LRC and another in the RMC

13 R Mollon, C Blanchet - EGEE Security Status – Biomed – Valencia, January 27th, 2006 13 Enabling Grids for E-sciencE INFSO-RI-508833 Next meetings Next MWSG : March 7-8 at Cern –Biomed attendees: R. Mollon, C. Blanchet “Authorization” session at next GGF16 in Athens (February 13-17) –Biomed attendees: R. Mollon, C. Blanchet (co-organizer) –Agenda: http://www.ggf.org/gf/event_schedule/index.php?id=157 –Abstract:  “This workshop will consider short-term (now and next two years) Grid Authorization and Policy implementations, requirements and issues. It will investigate what improvements can be made to encourage and facilitate interoperability between Grid operational infrastructures. It will also consider lessons learned from today's implementations for the Grid security standards activities in GGF for the longer-term future. The workshop will highlight the Life Science perspective with requirements from the biomed VO in EGEE and in the overall biomedical community. »

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Status – Biomed meeting – Valencia, January 27th, 2006 EGEE Security status."

Similar presentations

GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.

GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Enabling Grids for E-sciencE INFSO-RI-508833 GPSA grid portal for Bioinformatics, EGEE3 Athens, 20/04/2005 1 GPSA - Grid Protein Sequence Analysis on the.

Enabling Grids for E-sciencE INFSO-RI GPSA grid portal for Bioinformatics, EGEE3 Athens, 20/04/ GPSA - Grid Protein Sequence Analysis on the.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.

INFSO-RI Enabling Grids for E-sciencE Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.
Grid Data Management Assaf Gottlieb - Israeli Grid NA3 Team EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE tutorial,

Grid Data Management Assaf Gottlieb - Israeli Grid NA3 Team EGEE is a project funded by the European Union under contract IST EGEE tutorial,
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org FloodGrid application Ladislav Hluchy, Viet D. Tran Institute of Informatics, SAS Slovakia.

INFSO-RI Enabling Grids for E-sciencE FloodGrid application Ladislav Hluchy, Viet D. Tran Institute of Informatics, SAS Slovakia.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org gLite Data Management Services - Overview Mike Mineter National e-Science Centre, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE gLite Data Management Services - Overview Mike Mineter National e-Science Centre, Edinburgh.
Www.consorzio-cometa.it FESR Consorzio COMETA Grid Introduction and gLite Overview Corso di formazione sul Calcolo Parallelo ad Alte Prestazioni (edizione.

FESR Consorzio COMETA Grid Introduction and gLite Overview Corso di formazione sul Calcolo Parallelo ad Alte Prestazioni (edizione.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

Similar presentations

Ads by Google