Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of Security Standards in the Grid CSE 225 High Performance and Computational Grids Spring 2000 Prepared By

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview of Security Standards in the Grid CSE 225 High Performance and Computational Grids Spring 2000 Prepared By"— Presentation transcript:

1 Overview of Security Standards in the Grid CSE 225 High Performance and Computational Grids Spring 2000 Prepared By kwalsh@ucsd.edu

2 Objectives : Gain familiarity with computer and network security standards. Gain understanding of security requirements in Grid environments. Gain understanding of some standards based security technologies present in Grid environments. Learn about various Grid security models and system approaches to security. Learn about some test bed implementations of security enabled Grid projects.

3

4

5 Security Domains Intradomain - internal to a given location or single organization. Contained security boundary. Interdomain - encompasses two or more locations or organizations. Agreed on security boundaries and protocols between organizations.

6 Security - The Protection of Assets Prevention: take measure that protect your assets from damage Detection: take measures that allow you to detect when an asset has been damaged, and who caused the damage. Reaction: take measures that allow you to recover your assets or recover from damage to your assets.

7 Computer Security Confidentiality: prevention of unauthorized disclosure of information. Integrity: prevention of unauthorized withholding of information. Availability: prevention of unauthorized withholding of information or resources.

8 Network Security (1) Trusted Networks Identification and Authentication Discretionary Access Control Labels and Mandatory Access Control Audit

9 Technology - Cryptography DES (Data Encryption Standard) DSA (Digital Signature Algorithm) RSA (Rivest, Shamir, and Adelman) Blowfish IDEA (International Data Encryption Algorithm) AES (Advanced Encryption Standard)

10 Technology - SSH (1) SSH is a packet-based binary protocol that implements a transport layer security mechanism. Encompasses authentication, key exchange, encryption, and integrity. TCP/IP is used as the transport usually Basically an end to end encrypted tunnel SSH logins the most prevalent between domains.

11 Technology - SSH (2)

12 Technology - PGP Pretty Good Privacy Public Domain Popular for email and email of files PGP user builds key ring of all public keys he has been given. When message of file received from contact, can decrypt if key is on key ring

13 Shortcomings of PGP in distributed systems Reasonable basis for key management among friends, but once it passes the bounds of direct friends, the credibility becomes strained. Example –Carol’s key is P1 signed with P2 –Alice’s key is P2 signed with P4 –Carol’s key is P1 signed with P5 What is the last certificate said Carol’s key is P3 signed with P5?

14 Kerberos (1) Supports authentication in distributed systems. Used for authentication between intelligent processes, client to server tasks or workstation to other hosts. Basis of Kerberos is central server that provides authenticated tokens, called tickets.

15 Kerberos (2) Initiating Kerberos Session

16 Kerberos (3) Obtaining a ticket to access file

17 Kerberos (4) Strengths No password communicated on the network. Cryptographic protection against spoofing. Limited period of validity Time stamps to prevent replay attacks Mutual authentication

18 Kerberos (5) Shortcomings in distributed systems Requires continuous availability of a trusted ticket granting service. Authenticity of servers requires a trusted relationship between the ticket granting server and every server. Requires timely transactions. Subverted workstation can save and later replay user passwords. Does not scale well.

19 Public Key Infrastructure (1) PKI: consists of software and procedures put in place by an organization Supports the use of Public Keys for authentication and identifying users, services, and confirming digital signatures. Public keys usually conform to the X.509 standard for certificates, and usually are based on the RSA public/private key encryption algorithm

20 Public Key Infrastructure (2) Goals Application enabler Secure Sign-On –Secure “Single” Sign Security End-User Transparency Comprehensive Security

21 Public Key Infrastructure (3) Components and Services Certification Authority Certificate repository Certificate Revocation Key backup and recovery Automatic key update Key history management Cross-certification Support for non-repudiation Time stamping Client software

22 Public Key Infrastructure (4) Current Standards Activities X.509 PKIX X.500 LDAP S/MIME IPsec TLS

23 Section Break Security in Legion and Globus

24 Security in Legion (1) Design Principals 1- As in the Hippocratic Oath, do no harm! 2- Caveat emptor - let the buyer beware. 3- Small is beautiful.

25 Security in Legion Standards X.509 ? Keberos ?

26 Security in Legion Legion Security Model

27 Security in Legion (2) Basic Concepts Every object provides certain known member functions - MayI, CanI, Iam, and Delegate. (Can be defaulted to NIL.) Two objects associated with each operation: a responsible agent (RA) and a calling agent (CA) Every invocation of member function is performed in the context of a certificate which contains the Legion Object ID. Certificate digitally signed by maker

28 Security in Legion

29 Legion users responsible for own security. Object might trust that the CA is correct. Policies defined by objects themselves. Every class defines a special member function, MayI. MayI defines the security objects for a class. Every member function invocation permitted only if MayI sanctions it.

30 Security in Legion Automatic invocation of outgoing calls

31 Security in Legion Authentication aided by use of Legion certificates - based on public-key cryptography by default. Must know private key to authenticate. MayI functions can code their own authentication protocols Every Legion object required to supply special member function Iam for authentication purposes.

32 Security in Legion Login establishes user identity and creates responsibility agent for user. Login is building block for authentication and delegation. Object can delegate new certificate to delegate rights. Delegation policy defined by object.

33 Security in Legion Future Work Legion does not specify any particular encryption. Future standardization? Legion eschews distinguished trusted objects - centralized key management server Composition of a security policy

34 Security in Globus (1) Standards Standards subscribed to: –Generic Security Services (GSS) RFC 2078 –Secure Socket Layer (SSL) [SSleay] –Public Key Cryptography based on X.509 certificates –Kerberos

35 Security in Globus (2)

36 Security in Globus (3) Security Requirements Single sign-on Protection of credentials Interoperability with local security solutions Exportability Uniform credentials/certification infrastructure Support for secure group communication Support for multiple implementations

37 Layered Architecture Applications Core Services Metacomputing Directory Service GRAM Globus Security Interface Heartbeat Monitor Nexus Gloperf Local Services LSF CondorMPI NQEEasy TCP SolarisIrixAIX UDP High-level Services and Tools DUROCglobusrunMPINimrod/GMPI-IOCC++ GlobusViewTestbed Status GASS

38 Security in Globus (4) assumes grid consists of multiple trust domains assumes resource pool and user population are large and dynamic interoperate with local security solutions - local security policies differ authentication exportable - cannot directly or indirectly require use of bulk privacy

39 Security in Globus (5) uniform credentials/certification - a user will be associated differently with site it has access to single logon - number of processes used in a computation will be dynamic access control

40 Security in Globus (8)

41 Security in Globus (6) Grid Security Infrastructure GSI provides authentication and data integrity (data signing, not encryption) services for Unix and Windows client/server programs Can utilize an X.509 PKI GSI library is layered on top of the SSLeay Performs the X.509 certificate handling and SSL protocol.

42 Single sign-on via “grid-id” User User Proxy GlobusCredential Site 1 Kerberos GRAM Process GSI Ticket Site 2 Public Key GRAM GSI Certificate Process Authenticated interprocess communication CREDENTIAL GSSAPI: multiple low-level mechanisms Mutual user-resource authentication Mapping to local ids Assignment of credentials to “user proxies”

43 Security in Globus (7)

44

45 Summary Computer security is machine access centric Network security is network access centric Grid security is application centric Inter-domain communications based upon common security standards such as PKI. Metacomputing approach that embrace security standards will be more widely adopted.

46

47

Download ppt "Overview of Security Standards in the Grid CSE 225 High Performance and Computational Grids Spring 2000 Prepared By"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.

Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.

Similar presentations

Ads by Google