Gaining Access

1
Gaining Access

• Guy WarnerNeSC Training Team

2
Policy for re-use

• This presentation can be re-used for academic
  purposes.
• However if you do so then please let
  training-support_at_nesc.ac.uk know. We need to
  gather statistics of re-use no. of events,
  number of people trained. Thank you!!

3
Acknowledgements

• Some of the slides in this presentation are based
  on / motivated by
• The presentation given by Carl Kesselman at the
  GGF Summer School 2004. This presentation may be
  found at
• http//www.dma.unina.it/murli/GridSummerSchool200
  4/curriculum.htm
• Lectures given by Richard Sinott and John Watt at
  the University of Glasgow. These lectures may be
  found at
• http//csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN
  at First Latinamerican Grid Workshop, Merida,
  Venezuela. This presentation may be found at
• http//agenda.cern.ch/fullAgenda.php?idaa044965

4
The Problem

• QuestionHow does a user securely access the
  Resource without having an account on the
  machines in between or even on the Resource?
• QuestionHow does the Resource know who a user
  is and that they are allowed access?

5
Overview
Security
Authentication
Grid SecurityInfrastructure
Encryption Data Integrity
Authorization
6
Approaches to Security 1
The Poor Security House
7
Approaches to Security 2
The Paranoid Security House
8
Approaches to Security 3
The Realistic Security House
9
Approaches to Grid Security

• The Poor Security Approach
• Use unencrypted communications.
• No or poor (easily guessed) identification means.
• Private identification (key) left in publicly
  available location.
• The Paranoid Security Approach
• Dont use any communications (no network at all).
• Dont leave computer unattended.
• The Realistic Security Approach
• Encrypt all sensitive communications
• Use difficult to break identification means.
• Keep identification secure at all times (e.g.
  encrypted on a memory stick).
• Only allow access to trusted users.

10
The Risks of Poor User Security

• Launch attacks to other sites
• Large distributed farms of machines, perfect for
  launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and
  access sensitive information
• Massive distributed storage capacity ideal for
  example, for swapping movies.
• Damage caused by viruses, worms etc.
• Highly connected infrastructure means worms
  spread faster than on the internet in general.

11
Authentication and Authorization
Mongolian Yak Inspector

• Authentication
• Are you who you claim to be?
• Authorisation
• Do you have access to the resource you are
  connecting to?

12
The Trust Model
slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
13
Public Private Key
Bob
Alice
Life Savings
Life Savings
Life Savings
14
Public Key Infrastructure (PKI)

• PKI allows you to know that a given key belongs
  to a given user.
• PKI builds off of asymmetric encryption
• Each entity has two keys public and private.
• Data encrypted with one key can only be decrypted
  with other.
• The public key is public.
• The private key is known only to the entity.
• The public key is given to the world encapsulated
  in a X.509 certificate.

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
15
Certificates

• Similar to passport or drivers license Identity
  signed by a trusted party

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
16
Certificate Authorities

• A small set of trusted entities known as
  Certificate Authorities (CAs) are established to
  sign certificates
• A Certificate Authority is an entity that exists
  only to sign user certificates
• Users authenticate themselves to CA, for example
  by use of their Passport or Identity Card.
• The CA signs its own certificate which is
  distributed in a secure manner.

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
17
Delegation and Certificates

• Delegation The act of giving an organization,
  person or service the right to act on your
  behalf.
• For example A user delegates their
  authentication to a service to allow programs to
  run on remote sites.

18
User Authorisation to Access Resource
slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
19
User Responsibilities

• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your
  certificate has been compromised.
• Do not launch a delegation service for longer
  than your current task needs.

If your certificate or delegated service is used
by someone other than you, it cannot be proven
that it was not you.
20
Summary
21
The Practical

• You should have been given an information sheet
  containing your username and password needed for
  logging on to your account on pub-234.nesc.ed.ac.
  uk the server to be used in this tutorial.
• Login to your workstation
• Use the putty program to connect to
  pub-234.nesc.ed.ac.uk
• Open a browser window and follow the link from
  http//homepages.nesc.ac.uk/gcw/NGS
• Follow the instructions from there.

22

• http//homepages.nesc.ac.uk/gcw/NGS