Title: Technologies for Grids and eBusiness: Grid Security, GSI, 15.01.08
Technologies for Grids and eBusiness: Grid Security, GSI, 15.01.08
Dr. Ramin Yahyapour, Computer Engineering Institute, University Dortmund

Grid Security Infrastructure (GSI)
- The Globus Toolkit implements the GSI protocols and APIs to address Grid security needs
- The GSI protocols extend standard public key protocols
  - Standards: X.509, SSL/TLS
  - Extensions: X.509 Proxy Certificates, Delegation
- GSI extends the standard GSS-API

Security Terminology
- Authentication: establishing identity
- Authorization: establishing rights
- Message protection
  - Message integrity: detecting modification of a message in transit
  - Message confidentiality: hiding message content from eavesdroppers
- Non-repudiation: the sender cannot later deny having sent a message
- Digital signature: a value computed with a private key that anyone holding the matching public key can verify
- Accounting: recording who used which resource
- Certificate Authority (CA): a trusted party that signs certificates

Public Key Infrastructure (PKI)
- PKI allows you to know that a given public key belongs to a given user
- PKI builds on asymmetric encryption
  - Each entity has two keys: public and private
  - Data encrypted with one key can only be decrypted with the other
  - The private key is known only to the entity
  - The public key is given to the world, encapsulated in an X.509 certificate

Public Key Infrastructure (PKI) Overview
- X.509 Certificates
- Certificate Authorities (CAs)
  - Certificate Policies
  - Namespaces
- Requesting a certificate
  - Certificate Request
  - Registration Authority

Certificates
- An X.509 certificate binds a public key to a name
- It includes a name and a public key (among other things) bundled together and signed by a trusted party (the Issuer)
- Similar to a passport or driver's license: a trusted issuer vouches for the binding between the holder and the document

Certificates
- By checking the signature, one can determine that a public key belongs to a given user
[Figure: the certificate contents are hashed; the signature is decrypted with the public key from the issuer; the two hashes are compared]

Certificate Authorities (CAs)
- A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates
- A Certificate Authority is an entity that exists only to sign user certificates
- The CA signs its own certificate, which is distributed in a trusted manner
- The public key from the CA certificate can then be used to verify other certificates
[Figure: the same hash / decrypt / compare check, this time with the public key taken from the CA certificate]

Requesting a Certificate
- To request a certificate a user starts by generating a key pair
- The private key is stored on local disk, encrypted with a pass phrase the user gives
- The public key is put into a certificate request
[Figure: encrypted private key on local disk; certificate request carrying the public key]

Certificate Issuance
- The user then takes the certificate request to the CA
- The CA usually includes a Registration Authority (RA) which verifies the request
  - The name is unique with respect to the CA
  - It is the real name of the user (checked against identification, e.g. a government ID card)
  - Etc.
- The CA then signs the certificate request and issues a certificate for the user
[Figure: certificate request with public key, presented together with a State of Illinois ID to the Certificate Authority, which signs it]

Secure Socket Layer (SSL)
- Standardized by the IETF as TLS (Transport Layer Security), the successor of SSL
- Uses certificates and TCP sockets to provide a secured connection
  - Authentication of one or both parties using the certificates
  - Message protection
    - Confidentiality (encryption)
    - Integrity
[Figure: layering of SSL/TLS on top of certificates and TCP sockets]

Why Grid Security is Hard
- Resources being used may be valuable and the problems being solved sensitive
- Resources are often located in distinct administrative domains
  - Each resource has its own policies and procedures
- The set of resources used by a single computation may be large, dynamic, and unpredictable
  - Not just client/server; requires delegation
- It must be broadly available and applicable
  - Standard, well-tested, well-understood protocols, integrated with a wide variety of tools

Grid Security Requirements

Candidate Standards
- Kerberos 5
  - Fails to meet requirements:
    - Integration with various local security solutions
    - User-based trust model (cross-realm Kerberos trust has to be set up by administrators)
- Transport Layer Security (TLS/SSL)
  - Fails to meet requirements:
    - Single sign-on
    - Delegation

Grid Security Infrastructure (GSI)
- Extensions to standard protocols and APIs
  - Standards: SSL/TLS, X.509 CA, GSS-API
  - Extensions for single sign-on and delegation
- Globus Toolkit reference implementation of GSI
  - SSLeay/OpenSSL + GSS-API + SSO/delegation
  - Tools and services to interface to local security
    - Simple ACLs; SSLK5/PKINIT for access to K5, AFS
  - Tools for credential management
    - Login, logout, etc.
    - Smartcards
    - MyProxy: Web portal login and delegation
    - K5cert: automatic X.509 certificate creation

GSI in Action: Create Processes at A and B that Communicate and Access Files at C
[Figure: a user's processes on a computer at Site A (Kerberos) and a computer at Site B (Unix) communicate with each other and access a storage system at Site C (Kerberos)]

Grid Security Infrastructure (GSI)
- Proxies and delegation (GSI extensions) for secure single sign-on
- SSL/TLS for authentication and message protection
- PKI (CAs and certificates) for credentials

Globus Security Review
- GSI extends existing standard protocols and APIs
  - Based on standards: SSL/TLS, X.509, GSS-API
  - Extensions for single sign-on and delegation
- The Globus Toolkit provides
  - Generic Security Services API (GSS-API) on GSI protocols
    - The GSS-API is the IETF standard for adding authentication, delegation, message integrity, and message confidentiality to applications
  - Various tools for credential management, login/logout, etc.

Kerberos Security
- Some Grids use a Kerberos GSS-API
  - As far as tools and APIs go, this is not visible (that's the point of GSS-API!)
  - However, it is NOT interoperable with GSI-based versions of the Globus Toolkit
- Various differences of Kerberos vs. GSI
  - The security files created under the covers are different
  - Different commands to login, logout, etc.
- We will discuss security using GSI (PKI)

Obtaining a Certificate
- The program grid-cert-request is used to create a public/private key pair and an unsigned certificate (a certificate request) in ~/.globus/
  - usercert_request.pem: the certificate request (unsigned certificate)
  - userkey.pem: the encrypted private key file
    - Must be readable only by the owner
- Mail usercert_request.pem to ca@globus.org
- Receive a Globus-signed certificate
  - Place it in ~/.globus/usercert.pem
- Other organizations use different approaches
  - NCSA, NPACI, NASA, etc. have their own CA

Your New Certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 28 (0x1c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Globus, CN=Globus Certification Authority
            Validity
                Not Before: Apr 22 19:21:50 1998 GMT
                Not After : Apr 22 19:21:50 1999 GMT
            Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                        <snip>
                        b4:e1:54:e7:87:57:b7:d0:61
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
            <snip>
            8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17
- Note that this 1998 certificate carries an md5WithRSAEncryption signature and a 1024-bit key; both are deprecated today (MD5 collisions allow forged certificates, and 1024-bit RSA is below current minimums), so a CA set up now should sign with SHA-256 and use keys of at least 2048 bits

Certificate and Key Data

Certificate Information
- To get certificate information run grid-cert-info
  - grid-cert-info -subject
  - /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
- Options for printing certificate information: -all, -startdate, -subject, -enddate, -issuer, -help

Logging on to the Grid
- To run programs, authenticate to Globus
  - grid-proxy-init
  - Enter PEM pass phrase:
- Creates a temporary, local, short-lived proxy credential for use by our computations
- Options for grid-proxy-init
  - -hours <lifetime of credential>
  - -bits <length of key>
  - -help

grid-proxy-init Details
- grid-proxy-init creates the local proxy file
- The user enters the pass phrase, which is used to decrypt the private key
- The private key is used to sign a proxy certificate that carries its own, newly generated public/private key pair
- The user's private key is not exposed after the proxy has been signed; only the short-lived proxy key is used from then on
- The proxy is placed in /tmp, readable only by the user
- NOTE: No network traffic! The proxy is created entirely on the local machine
- grid-proxy-info displays proxy details

Grid Sign-On With grid-proxy-init
[Figure: the user certificate file and the encrypted private key, unlocked with the pass phrase, yield the user proxy certificate file]

Destroying Your Proxy (logout)
- To destroy your local proxy that was created by grid-proxy-init
  - grid-proxy-destroy
- This does NOT destroy any proxies that were delegated from this proxy
  - You cannot revoke a remote proxy; it stays valid until it expires
- Usually create proxies with short lifetimes, so the exposure from a stolen or leftover delegated proxy is bounded by its expiry

Proxy Information
- To get proxy information run grid-proxy-info
  - grid-proxy-info -subject
  - /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
- Options for printing proxy information: -subject, -issuer, -type, -timeleft, -strength, -help
- Options for scripting proxy queries: -exists -hours <lifetime of credential>, -exists -bits <length of key>
  - Returns exit status 0 for true, 1 for false

Important Files
- /etc/grid-security
  - hostcert.pem: certificate used by the server in mutual authentication
  - hostkey.pem: private key corresponding to the server's certificate (readable only by root)
  - grid-mapfile: maps Grid subject names to local user accounts (really part of the gatekeeper)
- /etc/grid-security/certificates
  - CA certificates: certificates that are trusted when validating other certificates, and thus need not be verified themselves
  - ca-signing-policy.conf: defines the subject names that each CA is allowed to sign

Important Files
- $HOME/.globus
  - usercert.pem: the user's certificate (subject name, public key, CA signature)
  - userkey.pem: the user's private key (encrypted using the user's pass phrase)
- /tmp
  - Proxy file(s): temporary file(s) containing the unencrypted proxy private key and certificate (readable only by the user's account)
  - Same approach Kerberos uses for protecting tickets

Secure Services
- On most Unix machines, inetd listens for incoming service connections and passes connections to daemons for processing
- On Grid servers, the gatekeeper securely performs the same function for many services
  - It handles mutual authentication using files in /etc/grid-security
  - It maps to local users via the gridmap file

Sample Gridmap File
- Gridmap file maintained by the Globus administrator
- Each entry maps a Grid-id (distinguished name) to local user name(s)

    Distinguished name                                  Local username
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"     rpg
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"   frost
    "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"     u14543
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"         itf

Example: Secure Remote Startup
- 1. Exchange certificates, authenticate, delegate
- 2. Check gridmap file
- 3. Lookup service
- 4. Run service program (e.g. jobmanager)
[Figure: client and gatekeeper, with steps 1 to 4 exchanged between them]

Delegation
- Delegation: remote creation of a (second level) proxy credential
  - A new key pair is generated remotely on the server
  - The proxy certificate and public key are sent to the client
  - The client signs the proxy certificate and returns it
  - The server (usually) puts the proxy in /tmp
- Allows a remote process to authenticate on behalf of the user
  - The remote process impersonates the user
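As an added example (Python, not part of the original slides or of the Globus Toolkit), the following models the whole credential chain the preceding slides build up: the hash / decrypt / compare check on a certificate, grid-proxy-init signing a fresh key pair with the user's key, delegation of a second-level proxy to a server, the fact that grid-proxy-destroy does not revoke that remote copy, and expiry. Textbook RSA over a truncated SHA-256 stands in for real X.509 signing; the dict-based certificate format, the 256-bit demo keys, the hour-valued timestamps, the legacy "/CN=proxy" naming rule for proxy subjects and all function names are assumptions for illustration.

```python
# Added example, not from the slides or the Globus Toolkit: toy model of the GSI chain
# CA -> user certificate -> proxy -> delegated proxy, with textbook RSA over SHA-256.
# Dict certificates, 256-bit keys, hour timestamps and helper names are assumptions.
import hashlib
import random

E = 65537
rng = random.Random(20080115)  # seeded so the run is reproducible; never do this for real keys


def is_probable_prime(n, rounds=16):
    """Miller-Rabin: adequate for a demo, not a substitute for a real key generator."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if is_probable_prime(candidate):
            return candidate


def gen_keypair(bits=256):
    """Textbook RSA: returns (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this is gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def tbs_digest(cert):
    """Hash of the to-be-signed fields; 192 bits keeps it below every 256-bit modulus."""
    tbs = (cert["subject"], cert["issuer"], cert["pub"], cert["not_before"], cert["not_after"])
    return int.from_bytes(hashlib.sha256(repr(tbs).encode()).digest()[:24], "big")


def issue(subject, issuer_cert, issuer_priv, pub, not_before, not_after):
    """Sign a certificate for `pub`; issuer_cert=None makes it self-signed (a CA root)."""
    cert = {"subject": subject, "issuer": issuer_cert["subject"] if issuer_cert else subject,
            "pub": pub, "not_before": not_before, "not_after": not_after}
    n, d = issuer_priv
    cert["sig"] = pow(tbs_digest(cert), d, n)  # "encrypt" the digest with the private key
    return cert


def signature_ok(cert, issuer_pub):
    """The check from the slides: decrypt the signature, recompute the hash, compare."""
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == tbs_digest(cert)


def verify_chain(chain, trusted_cas, now):
    """chain = [user_cert, proxy, proxy, ...]; trusted_cas plays /etc/grid-security/certificates."""
    issuer = trusted_cas.get(chain[0]["issuer"])
    if issuer is None:
        return False, "issuer is not a trusted CA"
    for depth, cert in enumerate(chain):
        if cert["issuer"] != issuer["subject"] or not signature_ok(cert, issuer["pub"]):
            return False, "bad signature or issuer on " + cert["subject"]
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, "expired or not yet valid: " + cert["subject"]
        # Legacy Globus proxy naming (assumed): a proxy's subject is its issuer's subject plus
        # "/CN=proxy" or "/CN=limited proxy", so a proxy can only ever speak for its signer.
        if depth and cert["subject"] not in (issuer["subject"] + "/CN=proxy", issuer["subject"] + "/CN=limited proxy"):
            return False, "proxy subject does not extend its issuer: " + cert["subject"]
        issuer = cert
    return True, chain[-1]["subject"]


def demo():
    """grid-proxy-init, delegation to a server, grid-proxy-destroy, expiry and a forgery."""
    ca_pub, ca_priv = gen_keypair()
    ca = issue("/C=US/O=Globus/CN=Globus Certification Authority", None, ca_priv, ca_pub, 0, 100_000)
    trusted = {ca["subject"]: ca}
    user_pub, user_priv = gen_keypair()
    user = issue("/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster", ca, ca_priv, user_pub, 0, 8_760)
    # grid-proxy-init: fresh key pair, signed by the user's key, 12-hour lifetime, no network traffic
    proxy_pub, proxy_priv = gen_keypair()
    proxy = issue(user["subject"] + "/CN=proxy", user, user_priv, proxy_pub, 100, 112)
    # delegation: the server generates the key pair, the client signs with its proxy key
    server_pub, _server_priv = gen_keypair()
    delegated = issue(proxy["subject"] + "/CN=proxy", proxy, proxy_priv, server_pub, 100, 112)
    chain = [user, proxy, delegated]
    # forgery attempt: a "proxy" carrying somebody else's name but signed with Ian's key
    forged = issue("/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman/CN=proxy", user, user_priv, server_pub, 100, 112)
    return {
        "at_submit": verify_chain(chain, trusted, now=105),
        # grid-proxy-destroy only deletes the local /tmp file; the server's copy still verifies
        "after_proxy_destroy": verify_chain(chain, trusted, now=110),
        "after_expiry": verify_chain(chain, trusted, now=113),  # the short lifetime is the only remedy
        "forged_name": verify_chain([user, forged], trusted, now=105),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:20} {'OK    ' if ok else 'REJECT'} {detail}")
```

Running it shows the delegated chain verifying both before and after the local proxy file has been destroyed, being rejected once the proxy lifetime has passed, and a certificate that carries another user's name but is signed with Ian's key being rejected by the naming rule; that rule is what stops any certificate holder from minting credentials for arbitrary identities. A real verifier additionally applies the CA signing policy, revocation checks for long-lived certificates and PKCS#1 padding, none of which this toy includes.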

Limited Proxy
- During delegation, the client can elect to delegate only a limited proxy, rather than a full proxy
  - The GRAM (job submission) client does this
- Each service decides whether it will allow authentication with a limited proxy
  - The job manager service requires a full proxy
  - The GridFTP server allows either a full or a limited proxy to be used
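The gatekeeper steps from the last three slides (gridmap lookup, secure remote startup, full vs. limited proxies), as an added example in Python that is not part of the original slides or of the Globus Toolkit. It takes the subject authenticated over SSL/TLS, recovers the user identity behind a possibly delegated proxy, applies the service's proxy policy and maps the identity to a local account. The sample grid-mapfile is constructed from the slide's table; the "/CN=proxy" and "/CN=limited proxy" subject suffixes (the legacy Globus proxy naming) and the SERVICE_POLICY table are assumptions for illustration.

```python
# Added example, not from the slides or the Globus Toolkit: the gatekeeper's authorization
# step for an authenticated proxy subject.  The grid-mapfile text below is constructed;
# the "/CN=proxy" suffix convention and SERVICE_POLICY are assumptions for illustration.
import shlex

GRIDMAP = '''
# constructed sample: one quoted DN, then one or more comma-separated local accounts
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup" rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost" frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman" u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster" itf,foster
'''

# Which proxy types each service accepts: the job manager needs a full proxy,
# the GridFTP server takes either (as stated on the slides).
SERVICE_POLICY = {"jobmanager": {"full"}, "gridftp": {"full", "limited"}}
PROXY_SUFFIX = {"/CN=proxy": "full", "/CN=limited proxy": "limited"}


def parse_gridmap(text):
    """Return {DN: [local accounts]}, skipping blank lines and '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the quoted DN contains spaces
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: " + line)
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping


def identity_from_subject(subject):
    """Strip trailing proxy CNs. Returns (user DN, 'full' | 'limited' | None for a bare cert).
    One limited link anywhere in the delegation chain makes the whole credential limited."""
    kind = None
    while True:
        for suffix, this_kind in PROXY_SUFFIX.items():
            if subject.endswith(suffix):
                subject = subject[:-len(suffix)]
                kind = "limited" if "limited" in (kind, this_kind) else this_kind
                break
        else:
            return subject, kind


def authorize(subject, service, gridmap):
    """Gatekeeper decision for an authenticated subject: (local account or None, reason)."""
    dn, kind = identity_from_subject(subject)
    kind = kind or "full"  # assumption: a user certificate presented directly has full rights
    if kind not in SERVICE_POLICY.get(service, set()):
        return None, f"{service} does not accept a {kind} proxy"
    accounts = gridmap.get(dn)
    if not accounts:
        return None, "no grid-mapfile entry for " + dn
    return accounts[0], f"{dn} -> {accounts[0]}"


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP)
    ian = "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"
    for subj, svc in [(ian + "/CN=proxy/CN=proxy", "jobmanager"),        # delegated full proxy
                      (ian + "/CN=limited proxy", "jobmanager"),          # what GRAM delegates
                      (ian + "/CN=limited proxy", "gridftp"),
                      (ian + "/CN=proxy/CN=limited proxy", "jobmanager"),
                      ("/C=US/O=Globus/CN=Nobody/CN=proxy", "gridftp")]:
        print(f"{svc:10} {authorize(subj, svc, gm)}")
```

The order of the checks matters: the proxy type is decided from the whole chain of CNs before the gridmap lookup, so a limited proxy that was re-delegated as a "full" one is still refused by the job manager, and an unknown DN is refused even for a service that would accept the proxy type.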

Restricted Proxies
- A generalization of the simple limited proxies
- Desirable to have fine-grained restrictions
  - Reduces exposure from compromised proxies
- Embed a restriction policy in the proxy certificate
  - The policy is evaluated by the resource upon proxy use
  - Reduces the rights available to the proxy to a subset of those held by the user
  - A proxy no longer grants full impersonation rights
- Extensible to support any policy language

Generic Security Service API
- The GSS-API is the IETF standard (RFC 2743) for adding authentication, delegation, message integrity, and message confidentiality to applications
- For secure communication between two parties over a reliable channel (e.g. TCP)
- GSS-API separates security from communication, which allows security to be easily added to existing communication code
  - Filters on each end of the communications link
- GSS-API extensions for GSI are defined in a GGF draft
- Globus Toolkit components all use GSS-API

Acknowledgements
- Slides and pictures are courtesy of third parties
- Especially to mention are
  - Globus Project, Argonne National Lab