Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Published byAnastasia Austin Modified over 8 years ago

Similar presentations

Presentation on theme: "Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they."— Presentation transcript:

1 Grid Security 1

2 Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they claim to be -> use certificates and CAs )  Confidential - only invited to understand conversation (use encryption) Need to support security across organizational boundaries  No centrally managed security system Need to support “single sign-on” for users of grid  Delegation of credentials for computations that involve multiple resources and/or sites  allowing or denying access to services based on policies (authorization) 2

3 Identity & Authentication Each entity should have an identity Authenticate: Establish identity  Is the entity who he claims he is ?  Examples: Driving License Username/password Stops masquerading imposters A secure communication should ensure that the parties involved in the communication are who they claim to be.

4 Authorization Establishing rights What can a certain identity do ? Examples:  Are you allowed to be on this flight ? Passenger ? Pilot ?  Unix read/write/execute permissions Must authenticate first

5 Single Sign-on Important for complex applications that need to use Grid resources  Enables automation of processing  Allows remote processes and resources to act on user’s behalf --> Delegation  Enables easy coordination of varied resources

6 Encryption Encryption is the process of taking some data and a key and feeding it into a function and getting encrypted data out Encrypted data is, in principal, unreadable unless decrypted Encryption Function

7 Decryption Decryption is the process of taking encrypted data and a key and feeding it into a function and getting out the original data –Encryption and decryption functions are linked Decryption Function

8 Asymmetric Encryption Encryption and decryption functions that use a key pair are called asymmetric –Keys are mathematically linked

9 Public and Private Keys With asymmetric encryption each user will be assigned a key pair: a private key and a public key Private key is known only to owner Public key is given away to the world Encrypt with public key, can decrypt with only private key Message Privacy -> integrity of the message is guaranteed

10 Public Key Infrastructure (PKI) PKI allows you to know that a given public key belongs to a given user PKI builds off of asymmetric encryption: –Each entity has two keys: public and private –The private key is known only to the entity GSI is based on PKI The public key is given to the world encapsulated in a X.509 certificate Owner

11 Digital Signatures Digital signatures allow the world to –determine if the data has been tampered –verify who created a chunk of data Sign with private key, verify with public key Message Integrity

12 Certificates Central concept in GSI authentication –A public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity –The certificate can be used to verify that a public key belongs to an individual Every user, resource and service on Grid is identified via a certificate Contains: –Subject name (identifies entity) –Corresponding public key –Identity of the CA that has signed the cert (to certify that the public key and the identity both belong to the subject) –The digital signature of the CA

13 Certificates the public key is embedded in the digital certificate, which needs to be signed by this trusted CA.  This way, any one who trusts the CA, can verify the validity of the public key, meaning that it confirms that this public key belongs to the rightful owner. GSI certs are encoded in a X509 certificate format

14 Certification Authorities (CAs) A Certification Authority is an entity that exists to sign user certificates A CA issues digital certificates which contain a public key and the identity of the owner.  CA attests that the public key contained in the certificate belongs to the person/organization/server/entity noted in the certificate.  CA's obligation in such schemes is to verify applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. if (user trusts the CA) && (user can verify the CA's signature) then user can also verify that a certain public key does indeed belong to whoever is identified in the certificate

15 Many CA’s exist Indeed, many CA providers exist ESNet:  DOEGrids (doegrids.org) ESnet operates the DOE Grids Certificate Services to support Scientists and Engineers working on DOE related scientific efforts. This service is designed to support the new Computational Grids being deployed around the world. The service issues Identity Certificates to individual subscribers and Service certificates for Grid Services. The business model in Grids is the formation of Virtual Organizations (VO) focused on a particular scientific topic. They are currently supporting a number of VOs engaged in DOE research (among which OSG, and in particular the OSGEDU VO, to which you belong). This VO (and others) require the use of certificates that are trusted in the global research community. ESnet is actively working with the Global Grid Forum, the European Data Grid and Cross Grid CA managers to insure that DOE Grids Certificates have the widest possible acceptance.  ESNet Root  NorduGrid  Russian Data Intensive Grid

16 Globus Security: GSI - is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources. Based on PKI Uses Secure Socket Layer for authentication and message protection  Encryption  Signature Adds features needed for Single-Sign On  Proxy Credentials  Delegation

17 Authorization - Gridmap Gridmap is a list of mappings allowed DNs --> user name Controlled by administrator Open read access "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford” benc "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde” wilde (in /etc/grid-security/grid-mapfile directory)

18 GSI: Credentials In the GSI system each user has a set of credentials they use to prove their identity on the grid  Consists of a X509 certificate and private key Long-term private key is kept encrypted with a pass phrase  Good for security, inconvenient for repeated usage  Do not lose this phrase !

19 GSI: Proxy Credentials Proxy credentials are short-lived credentials created by user  Proxy is signed by owner, rather than the CA  Short term binding of user’s identity to alternate private key  Same effective identity as certificate SIGN

20 GSI: Proxy Credentials A proxy credential contains  The proxy certificate (signed by the user, and not CA)  Corresponding private key can be kept unencrypted for easy repeated access Therefore, once a proxy is created and stored, user cn use proxy certificate and private key for mutual authentication without entering a password Chain of trust  Trust CA -> Trust User Certificate -> Trust Proxy

21 Authorization components GUMS VOMS VOMRS

22 GUMS = Grid User Management System is a Grid Identity Mapping Service It maps the credential for each incoming job at a site to an appropriate site credential, and communicates the mapping to the gatekeeper. GUMS is particularly well suited to a heterogeneous environment with multiple gatekeepers; it allows the implemenation of a single site-wide usage policy, thereby providing better control and security for access to the site's grid resources. Read more at http://grid.racf.bnl.gov/GUMS/.http://grid.racf.bnl.gov/GUMS/

23 VOMS = Virtual Organization Membership Sevice is a system that manages real-time user authorization information for a VO designed to maintain only general information regarding the relationship of the user with his VO, e.g., groups he belongs to, certificate-related information, and capabilities he should present to resource providers for special processing needs. it maintains no personal identifying information besides the certificate. When a user submits a job, assuming the user is in good standing, VOMS also creates the necessary short-term credentials (extended proxy), required by grid resources before allowing the job to run.

24 VOMRS = VO Management Registration Service major component of the extension to VOMS. VOMRS is a server that provides the means for registering members of a VO, and coordination of this process among the various VO and grid resource administrators maintains additional information on each VO member as required by individual grid resource providers, and some institution- and site-specific information. VOMRS relies on the VOMS system to generate extended proxies for users as needed

25 Grid Security - in practice - steps: Get certificate from relevant CA  DOEGrids in our case Request to be authorized for resources  Meaning you will be added to the OSGEDU VOMS (for example) Generate proxy as needed  Using grid-proxy-init Run clients  Authenticate  Authorize  Delegate as required Numerous resources, different CAs, numerous credentials

Download ppt "Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

Similar presentations

Ads by Google