Presentation is loading. Please wait.

Presentation is loading. Please wait.

GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

Published byKevin Jenkins Modified over 8 years ago

Similar presentations

Presentation on theme: "GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation."— Presentation transcript:

1 GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation Center Ra’nanna, 28 September 2005

2 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 2 What is PKI? Public Key Infrastructure: Basis for authentication, integrity, confidentiality, non-repudiation Asymmetric encryption Digital signatures –A hash derived from the message and encrypted with the signer’s private key –Signature checked decrypting with the signer’s public key Allows key exchange in an insecure medium using a trust mode –Keys trusted only if signed by a trusted third party (Certification Authority) –A CA certifies that a key belongs to a given principal Certificate: held in two parts –Public key + principal information + CA signature –Private key: only the owner (should) use this Encrypted text Private Key Public Key Clear text message

3 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 3 Digital Certificates A’s digital signature is safe if: 1. A’s private key is not compromised 2. B knows A’s public key How can B be sure that A’s public key is really A’s public key and not someone else’s? –A third party guarantees the correspondence between public key and owner’s identity, by signing a document which contains the owner’s identity and his public key (Digital Certificate) –Both A and B must trust this third party Two models: –X.509: hierarchical organization; –PGP: “web of trust”.

4 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 4 AA and Certificates X 509 Digital certificate is the basis of AA in EGEE Certification Authorities (CAs) –~one per country; builds network of “Registration Authorities” who issue certificates CAs are mutually recognized – to enable international collaboration – International Grid Trust Federation http://www.gridpma.org/http://www.gridpma.org/ For Europe region CAs: –http://eugridpma.org/http://eugridpma.org/ –http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.htmlhttp://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html CA certificates – issued to –Users: you get a Certificate and use it to access grid services –Sites providing resources Uses Public Key Infrastructure –Private key – known only to you –Public key included in your certificate

5 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 5 CAs in Europe

6 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 6 Certificate Request Private Key encrypted on local disk Cert Request Public Key Cert User generates public/private key pair. User send public key to CA and then appears before CA with TZ/passport. CA confirms identity, signs certificate and sends back to user.

7 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 7 Digital certificates The goal of authorization and authentication of users and resources is done through digital certificates, in X.509 format Certification Authority Certification Authority (CA) Digital CertificatesIssue Digital Certificates for users and machines Check the identity and the personal data of the requestor –Registration Authorities (RAs) do the actual validation CA’s periodically publish a list of compromised certificates –Certificate Revocation Lists (CRL): contain all the revoked certificates yet to expire CA certificates are self-signed For each player, a CA guarantees its authenticity with a certificate

8 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 8 X.509 Certificates An X.509 Certificate contains: –o–owner’s public key; –i–identity of the owner; –i–info on the CA; –t–time of validity; –S–Serial number; –d–digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature Structure of a X.509 certificate

9 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 9 Certificate Validity The public key from the CA certificate can then be used to verify the certificate. Name Issuer: CA Public Key Signature =? Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Decrypt CA

10 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 10 GRID Security: the players Large and dynamic population Different accounts at different sites Personal and confidential data Heterogeneous privileges (roles) Desire Single Sign-On Users “Group” data Access Patterns Membership “Groups” Sites Heterogeneous Resources Access Patterns Local policies Membership Grid

11 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 11 Requirements for AuthN and AuthZ Support multiple VOs across –Administrative domains –National borders –Via Internet Single sign-on –Multiple services –Delegation Scalability: –N,000 users –M,000 CPUs –Without M*N million usernames / passwords… Security INTERNET

12 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 12 Who are the CAs? 46 CA’s so far –Armenia, Austria, Belgium, Canada, CERN, France (4), China, Cyprus (2), Czech Republic (2), Estonia, Germany (4), Greece, Hungary, Ireland, Israel, Italy, Netherlands, Nordics, Pakistan, Poland, Portugal (2), Russia (2), South East Europe (Balkans), Slovakia, Slovenia, Spain, Switzerland (4), Taiwan, UK, US(3) All required to have a CP/CPS –Certificate Policy/Certificate Practice Statement

13 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 13 IUCC CP/CPS Israel’s is located at: http://certificate.iucc.ac.il/ca/IUCC_CP-CPS_1_5.pdf –78 certificates issued so far –22 computer –56 human

14 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 14 IUCC CP/CPS Highlights Authentication –TZ or Passport –Visual identification (only in person) via CA (no RAs yet) Key sizes (minimum) –User and host: 1024 bit –IUCC CA: 2048 bit Validity –IUCC CA: 5 years –Entity: maximum 1 year

15 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 15 LIST of Israeli CA and RAs Eddie Aronovich, Certificate Authority Manager eddiea@tau.ac.il, 03-6406915eddiea@tau.ac.il University Namee-mailphone Hebrew Ayelet Hashachar Drori ayeleth@savion.cc.huji.ac.il 02-6584475 Haifa Herakel Endrawes herakel@univ.haifa.ac.il 04-8249249 Technion Anne Weillanne@tx.technion.ac.il 04-8294997 Weizmann Pierre Choukroun pierre@weizmann.ac.il 08-9343038 BGU Amir Zofnatzofnat@bgu.ac.il 08-6479449 Open-U Reuven Avivaviv@openu.ac.il 09-7781252 TAU Avi Raberavir@tauex.tau.ac.il 03-6409117

16 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 16 IUCC CA

17 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 17 IUCC Request

18 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 18 IUCC Request – part 2

19 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 19 Cyprus CA

20 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 20 Cyprus RA

21 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 21 CA CP/CPS Every CA must provide a CP/CPS (combined) –RFC2527 preferred Cross-evaluation of CP/CPS by every CA Manager –tries to make up for lack of auditing –provide trust guidelines for “local” site administrators –Every CA Manager should inspect all other CP/CPSs

22 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 22 CA “Minimum Requirements” Security – machine with CA private key not connected to any network – All CA’s issue a CRL (Certification Revocation List) with a 30-day lifetime (updated ~ weekly) – Relying parties must update every 24 hrs – Audit logs must be kept

23 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 23 Certificate Information To get cert information run grid-cert-info [scampana@grid019:~]$ grid-cert-info -subject /C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461 Options for printing cert information -all-startdate -subject-enddate -issuer-help

24 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 24 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. IT IS YOUR PASSPORT AND CREDIT CARD

25 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 25 Grid Security Infrastructure - proxies de facto standard for Grid middleware Based on PKI To support…. –Single sign-on: to a machine on which your certificate is held –Delegation: a service can act on behalf of a person –Mutual authentication: both sides must authenticate to the other ….GSI introduces proxy certificates –Short-lived certificates signed with the user’s certificate or a proxy –Reduces security risk, enables delegation CA and user included in the proxy.... See practical later

26 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 26 Use Delegation to Establish Dynamic Distributed System Compute Center VO Service slide based on presentation given by Carl Kesselman at GGF Summer School 2004

27 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 27 User Authorisation to Access Resource slide based on presentation given by Carl Kesselman at GGF Summer School 2004

28 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 28 Authentication, Authorisation in LCG Authentication –User certificate signed by CA –Connects to UI by ssh –Downloads certificate –Invokes Proxy server –Single logon – to UI - then Grid Security Infrastructure identifies user to other machines Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by CE –gridmapfile maps user to local account UI CA VO mgr Personal/ once VO database Gridmapfiles on CE GSI VO service Daily update LCG

29 Enabling Grids for E-sciencE GRID Workshop Authorisation and Authentication via X.509 29 Questions? hank@efes.iucc.ac.il

Download ppt "GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security on Grid Roberto Barbera Univ. of Catania and INFN

Security on Grid Roberto Barbera Univ. of Catania and INFN
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google