Technologies for Grids and eBusiness: Grid Security, GSI (15.01.08)


1
Technologies for Grids and eBusiness: Grid
Security, GSI (15.01.08)
  • Dr. Ramin Yahyapour, Computer Engineering
    Institute, University Dortmund

2
Grid Security Infrastructure (GSI)
  • Globus Toolkit implements GSI protocols and APIs,
    to address Grid security needs
  • GSI protocols extend standard public key
    protocols
      • Standards: X.509, SSL/TLS
      • Extensions: X.509 Proxy Certificates, Delegation
  • GSI extends standard GSS-API

3
Security Terminology
  • Authentication: Establishing identity
  • Authorization: Establishing rights
  • Message protection
      • Message integrity
      • Message confidentiality
  • Non-repudiation
  • Digital signature
  • Accounting
  • Certificate Authority (CA)

4
Public Key Infrastructure (PKI)
  • PKI allows you to know that a given public key
    belongs to a given user
  • PKI builds off of asymmetric encryption
  • Each entity has two keys: public and private
  • Data encrypted with one key can only be decrypted
    with the other.
  • The private key is known only to the entity
  • The public key is given to the world encapsulated
    in an X.509 certificate

5
Public Key Infrastructure (PKI) Overview
  • X.509 Certificates
  • Certificate Authorities (CAs)
  • Certificate Policies
  • Namespaces
  • Requesting a certificate
  • Certificate Request
  • Registration Authority

6
Certificates
  • An X.509 certificate binds a public key to a name
  • It includes a name and a public key (among other
    things) bundled together and signed by a trusted
    party (Issuer)

7
Certificates
  • Similar to a passport or driver's license

8
Certificates
  • By checking the signature, one can determine that
    a public key belongs to a given user.

[Figure: signature verification. Labels: Hash, Decrypt, Public Key from Issuer]

9
Certificate Authorities (CAs)
  • A small set of trusted entities known as
    Certificate Authorities (CAs) are established to
    sign certificates
  • A Certificate Authority is an entity that exists
    only to sign user certificates
  • The CA signs its own certificate which is
    distributed in a trusted manner

10
Certificate Authorities (CAs)
  • The public key from the CA certificate can then
    be used to verify other certificates

[Figure: signature verification. Labels: Hash, Decrypt]

11
Requesting a Certificate
  • To request a certificate a user starts by
    generating a key pair
  • The private key is stored encrypted with a pass
    phrase the user gives
  • The public key is put into a certificate request

[Figure: private key, encrypted on local disk; certificate request containing the public key]

12
Certificate Issuance
  • The user then takes the certificate to the CA
  • The CA usually includes a Registration Authority
    (RA) which verifies the request
      • The name is unique with respect to the CA
      • It is the real name of the user
      • Etc.

[Figure: Certificate Authority; certificate request with public key; ID (State of Illinois)]

13
Certificate Issuance
  • The CA then signs the certificate request and
    issues a certificate for the user

[Figure: Certificate Authority signs the certificate request containing the public key]

14
Secure Socket Layer (SSL)
  • Also known as TLS (Transport Layer Security)
  • Uses certificates and TCP sockets to provide a
    secured connection
  • Authentication of one or both parties using the
    certificates
  • Message protection
  • Confidentiality (encryption)
  • Integrity

[Figure: layers. SSL/TLS on top of Certificates and TCP Sockets]

15
Why Grid Security is Hard
  • Resources being used may be valuable & the
    problems being solved sensitive
  • Resources are often located in distinct
    administrative domains
      • Each resource has own policies & procedures
  • Set of resources used by a single computation may
    be large, dynamic, and unpredictable
      • Not just client/server, requires delegation
  • It must be broadly available & applicable
  • Standard, well-tested, well-understood protocols
    integrated with wide variety of tools

16
Grid Security Requirements
17
Candidate Standards
  • Kerberos 5
      • Fails to meet requirements:
          • Integration with various local security solutions
          • User based trust model
  • Transport Layer Security (TLS/SSL)
      • Fails to meet requirements:
          • Single sign-on
          • Delegation

18
Grid Security Infrastructure (GSI)
  • Extensions to standard protocols & APIs
      • Standards: SSL/TLS, X.509 & CA, GSS-API
      • Extensions for single sign-on and delegation
  • Globus Toolkit reference implementation of GSI
      • SSLeay/OpenSSL + GSS-API + SSO/delegation
  • Tools and services to interface to local security
      • Simple ACLs; SSLK5/PKINIT for access to K5, AFS
  • Tools for credential management
      • Login, logout, etc.
      • Smartcards
      • MyProxy: Web portal login and delegation
      • K5cert: Automatic X.509 certificate creation

19
GSI in Action: "Create Processes at A and B that
Communicate & Access Files at C"

[Figure: User; Site A (Kerberos), computer; Site B (Unix), computer; Site C (Kerberos), storage system]

20
Grid Security Infrastructure (GSI)
  • GSI is:
      • PKI (CAs and Certificates) for credentials
      • SSL/TLS for authentication and message protection
      • Proxies and delegation (GSI Extensions) for
        secure single sign-on

21
Globus Security Review
  • GSI extends existing standard protocols & APIs
      • Based on standards: SSL/TLS, X.509, GSS-API
      • Extensions for single sign-on and delegation
  • The Globus Toolkit provides:
      • Generic Security Services API (GSS-API) on GSI
        protocols
          • The GSS-API is the IETF standard for adding
            authentication, delegation, message integrity,
            and message confidentiality to applications.
      • Various tools for credential management,
        login/logout, etc.

22
Kerberos Security
  • Some Grids use a Kerberos GSS-API.
  • As far as tools and APIs go, this is not visible.
    (That's the point of GSS-API!)
  • However, it is NOT interoperable with GSI-based
    versions of the Globus Toolkit
  • Various differences of Kerberos vs GSI
      • The security files created under the covers are
        different
      • Different commands to login, logout, etc.
  • We will discuss security using GSI (PKI).

23
Obtaining a Certificate
  • The program grid-cert-request is used to create a
    public/private key pair and unsigned certificate
    in ~/.globus/
      • usercert_request.pem: Unsigned certificate file
      • userkey.pem: Encrypted private key file
          • Must be readable only by the owner
  • Mail usercert_request.pem to ca@globus.org
  • Receive a Globus-signed certificate
      • Place in ~/.globus/usercert.pem
  • Other organizations use different approaches
      • NCSA, NPACI, NASA, etc. have their own CA

24
Your New Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 1998 GMT
            Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    <snip>
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17

25
Certificate and Key Data
26
Certificate Information
  • To get cert information run grid-cert-info
      • grid-cert-info -subject
      • /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
  • Options for printing cert information:
    -all, -startdate, -subject, -enddate, -issuer, -help

27
Logging on to the Grid
  • To run programs, authenticate to Globus:
      • grid-proxy-init
      • Enter PEM pass phrase
  • Creates a temporary, local, short-lived proxy
    credential for use by our computations
  • Options for grid-proxy-init:
      • -hours <lifetime of credential>
      • -bits <length of key>
      • -help

28
grid-proxy-init Details
  • grid-proxy-init creates the local proxy file.
  • User enters pass phrase, which is used to decrypt
    private key.
  • Private key is used to sign a proxy certificate
    with its own, new public/private key pair.
  • User's private key is not exposed after the proxy
    has been signed
  • Proxy placed in /tmp, read-only by user
  • NOTE: No network traffic!
  • grid-proxy-info displays proxy details

29
Grid Sign-On With grid-proxy-init
[Figure: grid sign-on. Labels: User certificate file, Private Key (Encrypted), Pass Phrase, User Proxy certificate file]

30
Destroying Your Proxy (logout)
  • To destroy your local proxy that was created by
    grid-proxy-init:
      • grid-proxy-destroy
  • This does NOT destroy any proxies that were
    delegated from this proxy.
      • You cannot revoke a remote proxy
      • Usually create proxies with short lifetimes

31
Proxy Information
  • To get proxy information run grid-proxy-info
      • grid-proxy-info -subject
      • /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
  • Options for printing proxy information:
    -subject, -issuer, -type, -timeleft, -strength, -help
  • Options for scripting proxy queries:
      • -exists -hours <lifetime of credential>
      • -exists -bits <length of key>
      • Returns 0 status for true, 1 for false

32
Important Files
  • /etc/grid-security
      • hostcert.pem: certificate used by the server in
        mutual authentication
      • hostkey.pem: private key corresponding to the
        server's certificate (read-only by root)
      • grid-mapfile: maps grid subject names to local
        user accounts (really part of gatekeeper)
  • /etc/grid-security/certificates
      • CA certificates: certs that are trusted when
        validating certs, and thus needn't be verified
      • ca-signing-policy.conf: defines the subject names
        that can be signed by each CA

33
Important Files
  • $HOME/.globus
      • usercert.pem: User's certificate (subject name,
        public key, CA signature)
      • userkey.pem: User's private key (encrypted using
        the user's pass phrase)
  • /tmp
      • Proxy file(s): Temporary file(s) containing
        unencrypted proxy private key and certificate
        (readable only by user's account)
      • Same approach Kerberos uses for protecting
        tickets
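
The file protections listed on the two "Important Files" slides can be checked mechanically. The following is an added example, not part of the original slides or of the Globus Toolkit: it audits a throwaway directory built in a temp folder, and the file name proxy_demo and the function names are hypothetical.

```python
import os
import stat
import tempfile

# Expected protections, taken from the slides: private keys and proxy
# files are readable only by their owner; certificates may be
# world-readable but must not be writable by anyone else.
PRIVATE = {"userkey.pem", "hostkey.pem"}

def audit(path, is_proxy=False, expected_uid=None):
    """Return a list of findings for one credential file (empty = OK)."""
    st = os.lstat(path)                   # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    secret = is_proxy or os.path.basename(path) in PRIVATE
    if secret and mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} exposes key to group/other")
    if not secret and mode & 0o022:
        findings.append(f"{path}: mode {mode:04o} is writable by group/other")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    return findings

def demo():
    """Build a constructed look-alike of $HOME/.globus plus a proxy file."""
    layout = {"usercert.pem": 0o644,
              "userkey.pem": 0o640,       # deliberately too open
              "proxy_demo": 0o600}        # hypothetical proxy file name
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in layout.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real credential\n")
            os.chmod(p, mode)
            results[name] = audit(p, is_proxy=(name == "proxy_demo"),
                                  expected_uid=os.getuid())
    return results
```
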

34
Secure Services
  • On most Unix machines, inetd listens for incoming
    service connections and passes connections to
    daemons for processing.
  • On Grid servers, the gatekeeper securely performs
    the same function for many services
  • It handles mutual authentication using files in
    /etc/grid-security
  • It maps to local users via the gridmap file

35
Sample Gridmap File
  • Gridmap file maintained by Globus administrator
  • Entry maps Grid-id into local user name(s)

Distinguished name                                   Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"      rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"    frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"      u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"          itf

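
A parser and lookup for the gridmap layout shown on this slide, as an added example that is not part of the original slides and is not the gatekeeper's own code. The sample entries are constructed from the slide's table, the second account on the last valid entry and the comma-separated form of "local user name(s)" are assumptions, and the function names are hypothetical.

```python
import shlex

# Constructed sample in the layout shown on the slide: a quoted
# distinguished name, whitespace, then the local user name(s).
SAMPLE_GRIDMAP = '''\
# constructed sample entries
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup" rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost" frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman" u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster" itf,foster
/C=US/O=Globus/CN=Unquoted Name baduser
'''

def parse_gridmap(text):
    """Return (mapping, errors); mapping is {subject DN: [local users]}."""
    mapping, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)
        except ValueError as exc:         # e.g. unterminated quote
            errors.append((lineno, str(exc)))
            continue
        # A DN containing spaces must be quoted, otherwise it splits
        # into more than two fields and the entry is ambiguous.
        if len(fields) != 2 or not fields[0].startswith("/"):
            errors.append((lineno, 'expected: "<DN>" <user>[,<user>...]'))
            continue
        dn, users = fields[0], [u for u in fields[1].split(",") if u]
        if dn in mapping:                 # keep the first entry, flag the rest
            errors.append((lineno, "duplicate DN"))
            continue
        mapping[dn] = users
    return mapping, errors

def authorize(mapping, subject_dn, requested_user=None):
    """Exact-match lookup: unknown DNs and unlisted accounts are refused."""
    users = mapping.get(subject_dn)
    if not users:
        return None
    if requested_user is None:
        return users[0]                   # default to the first listed account
    return requested_user if requested_user in users else None
```

Rejecting malformed lines instead of guessing matters here because a mis-split entry would map a subject to an account the administrator never intended.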
36
Example: Secure Remote Startup
  • 1. Exchange certificates, authenticate,
    delegate
  • 2. Check gridmap file
  • 3. Lookup service
  • 4. Run service program (e.g. jobmanager)

[Figure: client and gatekeeper, annotated with steps 1. to 4.]

37
Delegation
  • Delegation = remote creation of a (second level)
    proxy credential
      • New key pair generated remotely on server
      • Proxy cert and public key sent to client
      • Client signs proxy cert and returns it
      • Server (usually) puts proxy in /tmp
  • Allows remote process to authenticate on behalf
    of the user
      • Remote process impersonates the user

38
Limited Proxy
  • During delegation, the client can elect to
    delegate only a limited proxy, rather than a
    full proxy
  • GRAM (job submission) client does this
  • Each service decides whether it will allow
    authentication with a limited proxy
  • Job manager service requires a full proxy
  • GridFTP server allows either full or limited
    proxy to be used

39
Restricted Proxies
  • A generalization of the simple limited proxies
  • Desirable to have fine-grained restrictions
  • Reduces exposure from compromised proxies
  • Embed restriction policy in proxy cert
  • Policy is evaluated by resource upon proxy use
  • Reduces rights available to the proxy to a subset
    of those held by the user
  • A proxy no longer grants full impersonation
    rights
  • Extensible to support any policy language

40
Generic Security Service API
  • The GSS-API is the IETF draft standard for adding
    authentication, delegation, message integrity,
    and message confidentiality to apps
  • For secure communication between two parties over
    a reliable channel (e.g. TCP)
  • GSS-API separates security from communication,
    which allows security to be easily added to
    existing communication code.
  • Filters on each end of the communications link
  • GSS-API Extensions defined in GGF draft
  • Globus Toolkit components all use GSS-API

41
Acknowledgements
  • Slides and pictures are courtesy of third
    parties.
  • Especially to be mentioned:
      • Globus Project, Argonne National Lab