Andrew McNab, Grid Certs, Manchester HEP, 8 Nov 2002. What can you do with a Grid Certificate? Andrew McNab, High Energy Physics, University of Manchester.


Slide 1: What can you do with a Grid Certificate?
Andrew McNab, High Energy Physics, University of Manchester

Slide 2: Overview
- Public Key Cryptography
- Encrypting and Signing with a public key
- Proving it's MY public key - CAs
- Connecting with a key - ssh
- Connecting with a certificate - https
- Delegating - Globus proxies
- Passports vs Visas
- Access control lists - GGF
- Putting the grid into the OS - SlashGrid
- Extending HTTPS - G-HTTPS

Slide 3: Public Key Cryptography
- This is one of the most interesting and downright useful areas of applied maths
- Invented twice, thanks to the Official Secrets Act
  - by people at GCHQ, 1970-4 (published 1998)
  - again by Diffie and Hellman at Stanford, 1976
- Various algorithms exist
  - Most common is RSA, invented by Rivest, Shamir and Adleman in 1977
  - Initially patented (expired in 2000)
  - Also subject to US export legislation, despite being simple enough to put on a T-shirt!

Slide 4: RSA algorithm (simplified a bit)
- Say the public key is n = pq, where p and q are prime
- Private key d, with 3d ≡ 1 (mod (p-1)(q-1))
- Encrypt message M (< n) as C = M^3 mod n
- Decrypt as M = C^d mod n
- For example, n = 5 x 3 = 15, M = 12
  - (p-1)(q-1) = 8, so d = 3 (since 3 x 3 = 9 ≡ 1 mod 8)
  - C = 12^3 mod 15 = 1728 mod 15 = 3
  - M' = 3^3 mod 15 = 27 mod 15 = 12 !!
- However, if I don't know p and q, I can't get d
- If n = pq is very big, I can't easily find primes p and q such that pq = n

Slide 5: Encrypting with public key
- I can generate public and private keys
- I publish my public key
- You can turn a message into a number and encrypt it
- Only I, who also know the private key, can decrypt it
- This solves one of the ancient problems of cryptography, going back to the Greeks etc
  - how to first get the encryption "secret" from the recipient to the sender in a secure way

Slide 6: Simple application: secret emails
- Internet email is pretty insecure
- Anyone who can listen on the network can see what's in the emails as they go past
- But using public and private keys, people can encrypt a message and include it in an email
- Keys and messages are base64-encoded blobs of text, delimited like this:
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----

Slide 7: Signing emails
- This technology doesn't only allow us to encrypt messages
  - I can use my private key to generate a digital "signature"
  - Using my public key, you can verify that only I could have generated it
  - This gives both simple signing (you can verify the source) and non-repudiation (you can prove the same key signed a group of messages and I can't deny it)
- The signature is another block of text at the end of the original message, which stays in plaintext

Slide 8: Proving it's MY public key
- However, other people still have to verify it really is MY public key they are using
  - What if I can't physically give you the key?
- Certificate Authorities (CAs) / Trusted 3rd Parties resolve this
- They sign other people's public keys, along with a unique name -> "a certificate"
  - You still have to get the CA public key somehow
- So: I can get my public key signed, put it on my webpage, and you can verify it's really mine
  - it hasn't been replaced by a hacker, say

Slide 9: Certificate Authority namespaces
- The CA needs to have some unique naming for individuals
- Could use Name + Postal Address, or Email Address
- In practice, use an X500 hierarchy:
  - /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab
- We use the UK HEP CA and now also the general e-Science CA at RAL
  - We are now directly responsible for names under /C=UK/O=eScience/OU=Manchester/L=HEP/...
  - The new CA requires us to check some photo ID

Slide 10: Connecting with a key
- ssh uses RSA and similar algorithms
- The server generates a key pair to identify itself
- Users can generate key pairs to use instead of passwords
  - At CERN, SLAC etc, put your public key in ~/.ssh/authorized_keys
- When you connect, ssh checks if the server key pair is the same as last time
  - but, the first time, it has to take it on trust
  - it would be better to use a signed certificate, rather than just a public key

Slide 11: Connecting with a certificate
- You're probably familiar with https websites
  - eg for credit card orders from Easyjet
- These use RSA etc to secure the connection
- Hosts have certificates rather than just public keys
  - the cert name contains .../CN=www.easyjet.com
- So the web browser can verify you're really giving your credit card number to Easyjet
- Also, if you put a user certificate into the browser, the webserver can verify who you are

Slide 12: GridSite
- The GridSite system has user authentication
  - Written here and used for www.gridpp.ac.uk
- Maintains lists of users in different groups
- Each directory has a list of groups who can modify its webpages
- Tools on the website allow you to upload files and edit pages
- Group admins can modify the membership of their group too
- Devolves the work of maintaining the site down to each subgroup

Slide 13: Other services using certificates
- Globus's grid services use the same idea:
  - GridFTP for bulk file transfers
  - GRAM for job submission
  - GSI-ssh: normal ssh modified to use server and user certificates rather than just key pairs
- Since both Globus and https use the same X509 format certificates, Grid and Web can be integrated
- Only need to get 1 user certificate, both for purely Grid and for https Web sites

Slide 14: Globus Delegation
- In normal https, I can prove who I am to the website, but that's it
  - Globus extended this idea with delegation
- When I contact a remote host, it also makes a new, temporary key pair with my name
  - I agree to sign the public key, like a CA does
- My programs on the host can then contact other hosts with the "proxy" = chain of certs
- A 2nd remote host can check I authorised all this, by checking the chain of certs one by one
  - no need to take the 1st host's word for it!
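An added example (not code from the slides or from Globus) that ties slides 4, 8 and 14 together: the textbook RSA with exponent 3 from slide 4, reused to let a CA sign a user's key (slide 8) and the user sign a temporary proxy key (slide 14), so a second host can walk the chain link by link from the CA it trusts. The `/CN=proxy` naming rule, the toy digest and the small primes are assumptions made for the illustration; real proxies use proper hashes and full-size keys.

```python
from math import gcd

E = 3  # the public exponent used on slide 4

def make_keypair(p, q):
    """Return (n, d) for primes p, q; needs gcd(3, (p-1)(q-1)) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("3 must be coprime to (p-1)(q-1)")
    return n, pow(E, -1, phi)  # d with 3d = 1 (mod (p-1)(q-1))

def encrypt(m, n):
    return pow(m, E, n)  # C = M^3 mod n, needs M < n

def decrypt(c, n, d):
    return pow(c, d, n)  # M = C^d mod n

def sign(m, n, d):
    return pow(m, d, n)  # the private-key operation applied to a digest

def verify(sig, m, n):
    return pow(sig, E, n) == m % n  # anyone with the public key can check

def digest(subject, subject_n, modulus):
    """Toy hash of (name, public key) reduced below the signer's modulus.
    Constructed for this example only; a real cert uses SHA-family hashes."""
    h = 0
    for b in f"{subject}|{subject_n}".encode():
        h = (h * 257 + b) % modulus
    return h

def issue_cert(subject, subject_n, issuer, issuer_n, issuer_d):
    """Issuer signs (subject name, subject key): a CA for a user, or a user for a proxy."""
    sig = sign(digest(subject, subject_n, issuer_n), issuer_n, issuer_d)
    return {"subject": subject, "n": subject_n, "issuer": issuer, "sig": sig}

def verify_chain(chain, trusted_cas):
    """chain[0] must be issued by a CA in trusted_cas {name: n}; each later cert must
    be named <previous subject>/CN=proxy and signed by the previous subject's key."""
    issuer, issuer_n = chain[0]["issuer"], trusted_cas.get(chain[0]["issuer"])
    if issuer_n is None:
        return False  # unknown CA: nothing to anchor the chain to
    for i, cert in enumerate(chain):
        if cert["issuer"] != issuer or (i > 0 and cert["subject"] != issuer + "/CN=proxy"):
            return False  # wrong signer, or a proxy not named after its delegator
        if not verify(cert["sig"], digest(cert["subject"], cert["n"], issuer_n), issuer_n):
            return False  # signature does not check out under the issuer's public key
        issuer, issuer_n = cert["subject"], cert["n"]  # next link is signed by this one
    return True
```

The verifying host needs only the CA's public key: every other key it uses comes out of the previous link of the chain it has just checked.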

Slide 15: "Single sign-on"
- Delegation allows you to just sign on once
- Do the grid-proxy-init command once each day
  - locally delegates a proxy as /tmp/x509up_uXX
- Each Globus program looks for this when connecting:
  - globus-job-run for job submission
  - globus-url-copy for file copying
  - gsi-ssh for getting a remote command line
- EU DataGrid programs built with this do too:
  - dg-job-submit
  - dg-job-get-output

Slide 16: Delegation in jobs
- As the Grid becomes more complex, delegation becomes vital
- User at Site A submits a job
  - Job goes to Resource Broker at Site B
  - RB sends job to Site C which has spare CPUs
  - Job running at C reads data catalog at Site D
  - Job at C reads closest data replica from Site E
  - Job finishes hours later and sends output to file server back at Site A
- Delegation means not having to take other sites' "word for it" - which wouldn't scale up

Slide 17: Passports vs Visas
- Globus uses grid-mapfile - lists mapping of certificate name to local unix user ID
  - if you're "on the list" then you are in
- This is equivalent to a Passport + a Ban / Invitation List
- New systems being built with a Visa model
  - when I make my initial proxy, I also include a signed statement from my organisation
  - this "attribute cert" proves my membership
  - since I can't forge the Atlas signature, each site doesn't need the list of "all Atlas Users"

Slide 18: Grid Access Control Lists
- Our GACL format provides a way of writing ACLs using Grid credentials
  - user certificate names, group certificates etc
- GridSite uses this format already
- Other projects (eg EDG Storage Element) taking it up
- Now part of the authorisation work in Global Grid Forum (GGF)
  - GGF: world wide standards body for Grids
  - I co-chair the Authorisation Working Group

Slide 19: SlashGrid: Grid filesystems
- Almost all EDG sites use Manchester's pool accounts system
  - get a temporary Unix UID when you run a job
- SlashGrid adds to this by controlling disk access and file ownership
  - use GACL access control lists to say who owns each directory
  - enforced at kernel level so all programs see it
- Unix ID doesn't matter: Grid ID does
- Also provides a remote filesystem using https
  - Like AFS, but with Grid credentials and web servers

Slide 20: Extending HTTPS - G-HTTPS
- Normal HTTPS is already very Grid-like
- Work now underway to add more Grid features
  - need to avoid breaking existing HTTPS
  - our G-HTTPS proposal is designed to do this
- Delegation from client to server
  - so get all the benefits discussed already
- Servers can return the ACL along with the file
  - so if I cache a copy locally, I know who I can share the copy with
- Relevant EDG groups involved; taking it to GGF

Slide 21: fileGridSite
- fileGridSite is a cut-down version of GridSite
  - just does plain text/binary files
  - group/webpage management features removed
- A testbed for new HTTPS extensions
- Made possible by Mike Jones' mod_ssl-GSI
  - this makes web servers understand Globus delegated proxies
- G-HTTPS lets the server get a delegated proxy itself
- fileGridSite aims to offer the same functions as a GridFTP server, but with HTTP/HTTPS

Slide 22: Summary
- Public key cryptography provides privacy and authentication
- Certificate Authority infrastructure makes it scalable
- Lots of Web and now Grid tools have been built to use it
- Delegation makes Grids practical
- New tools for group membership, and disk/web access control, being developed
  - much of it here at Manchester
- All this is feeding into new Grid-wide standards

