grid security mike jones an overview of methods used to create a secure grid. ral 10 june 2003
TRANSCRIPT
Grid Security
Mike Jones
An overview of methods used to create a secure grid.
RAL 10 June 2003
TOC
● CRLs
● Authorisation
● VO Management
● Firewalls
● Security in services
● Best Practices
● Grid Security
● PKI Overview
● PGP and all that
● Signing and Encryption
● Trust
● x509 certificates
● GSI
● Globus Security
● Host Configuration
● User Setup
Grid Security● Authentication, Authorisation and
Accounting (AAA)● Generic Security Services (GSS)
– Public Key Infrastructure (PKI)
– x509 Certificates and pkcs12 etc.
– Kerberos – Shared Secrets (Needham-Schroder)
– TSL, SSLeay, OpenSSL
● Grid Security Infrastructure (GSI)– Delegation, Third Party, Single Sign On
– Proxy Certificates
Grid Security
● Making sure there are no back doors● Trustable users
● Trustable Software
– Not Spyware– Not Broken (or at least someone creates updates)
● Cryptography...
PKI Overview● Symmetric (eg DES) vs Assymetric (eg
RSA)● Shared Key vs Pubic and
Private Key● Public Key: [e and
N] – where N=pq product of two
large primes
● (p-1)(q-1) is almost prime
– and e (almost prime too)● To encrypt/decrypt with Public Key: c= m e
mod N
PKI Overview● Symmetric (eg DES) vs Assymetric (eg
RSA)● Shared Key vs Pubic and
Private Key● Public Key: [e and
N] – where N=pq product of two
large primes
● (p-1)(q-1) is almost prime
– and e (almost prime too)
● Private Key: [d and N]
– where
e×d =1mod p 1 q 1
● To encrypt/decrypt with Public Key:● To decrypt/encrypt with Private Key:
c= m emod N
m= c d mod N
PGP/GPG
● Zimmermann: security in data transfer for public– Encrypt data using a symmetric key
– Lookup RSA Public Key of recipient
– Encrypt the symmetric key with RSA
– Send the encrypted key & encrypted message
● Included: Key gen. with “entropy gathering device”, Data encryption, Data signing, and easy UI
Pretty Good Privicy / Gnu Privicy Guard
● We've discussed encryption/decryption● To Sign - encryption message with private key.● Everyone should be able to read it so create a
Hash and encrypt that instead.● Hash is a one way digest of the message by a
specific algorythm (eg SHA1 or MD5)● Encrypt the hash and enclude it in the
message.● Verify by making the hash and decrypting the
signature
Signing and Encrypting
● We rely on ourselves to get true public keys
● Chain of trust rules● A public key may be digitally signed by many people
● some of whom you may trust.
● CA method (Certificate Authority)● CA has a “root certificate” and a document called
CP/CPS http://www.grid-support.ac.uk/ca/cps
● You choose to trust on the basis of CP/CPS.
● CA signs your certificate (your public key).
● Large scale CAs are difficult and costly (~£220 per cert)
Trust
Policy and Practice
● Proxy Certificate● Features:
– Issuer (Me! pretending to be a CA)
– Short Lived
– Contains Unencrypted RSA Key
– Special Subject
– Includes my certificate (the Issuer)
● Breaks x509 Standard● Requires Subject-
Issuer constraint
GSI modificationsCertificate: Data: Version: 3 (0x2) Serial Number: 127 (0x7f) Signature Algorithm: md5WithRSAEncryption Issuer: C=UK, O=eScience, OU=Manchester, L=MC, CN=michael jones Validity Not Before: Jan 5 16:43:48 2003 GMT Not After : Jan 6 04:48:48 2003 GMT Subject: C=UK, O=eScience, OU=Manchester, L=MC, CN=michael jones, CN=proxy Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:99:16:b5:ff:4b:f4:90:48:7b:8e:95:8c:e0:8a: b8:ad:51:c3:74:9f:e2:e7:ba:61:ee:1c:d8:f7:bc: 96:66:57:3a:01:36:1a:e1:e1:55:7e:f8:64:2e:c7: f5:d4:23:b1:42:3e:0b:61:1c:fb:fd:5f:06:f6:2f: 57:b7:81:1c:ff Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption a9:9a:e0:33:70:29:0a:9c:57:02:1a:80:c1:f1:c2:6e:6c:34: 3d:f3:3e:32:49:83:c8:b1:c6:21:d9:3c:84:d3:5d:17:ca:d6: fa:96:b0:37:e2:4d:95:08:b7:3e:1f:6c:4a:79:7d:83:5e:21: 43:5d:42:60:2f:2c:5d:61:f9:e8:82:97:82:9b:89:cb:a4:ae: 97:0c:26:df:39:76:15:a6:38:53:8f:7a:f5:6f:ed:d6:76:ae: a9:28:db:52:69:1c:e8:25:cf:7b:31:10:a1:49:2d:bb:91:eb: af:d3:e7:d0:6d:28:21:3c:d8:16:3b:7c:4e:c9:94:d2:ff:23: 4e:2a-----BEGIN CERTIFICATE-----MIIB9DCCAV2gAwIBAgIBfzANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVSzERMA8GA1UEChMIZVNjaWVuY2UxEzARBgNVBAsTCk1hbmNoZXN0ZXIxCzAJBgNVBAcTAk1DMRYwFAYDVQQDEw1taWNoYWVsIGpvbmVzMB4XDTAzMDEwNTE2NDM0OFoXDTAzMDEwNjA0NDg0OFowajELMAkGA1UEBhMCVUsxETAPBgNVBAoTCGVTY2llbmNlMRMwEQYDVQQLEwpNYW5jaGVzdGVyMQswCQYDVQQHEwJNQzEWMBQGA1UEAxMNbWljaGFlbCBqb25lczEOMAwGA1UEAxMFcHJveHkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmRa1/0v0kEh7jpWM4Iq4rVHDdJ/i57ph7hzY97yWZlc6ATYa4eFVfvhkLsf11COxQj4LYRz7/V8G9i9Xt4Ec/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAKma4DNwKQqcVwIagMHxwm5sND3zPjJJg8ixxiHZPITTXRfK1vqWsDfiTZUItz4fbEp5fYNeIUNdQmAvLF1h+eiCl4KbicukrpcMJt85dhWmOFOPevVv7dZ2rqko21JpHOglz3sxEKFJLbuR66/T59BtKCE82BY7fE7JlNL/I04q-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----MIIBOQIBAAJBAJkWtf9L9JBIe46VjOCKuK1Rw3Sf4ue6Ye4c2Pe8lmZXOgE2GuHhVX74ZC7H9dQjsUI+C2Ec+/1fBvYvV7eBHP8CAwEAAQJALQNWhDiLMpl9axFiGOvxHVU7SWFx0H0nKmJlEYLsHi73PAypPdQ1pdzHUC84YK2kMl2yZqkAnFig+FaZQcuCgQIhAMhBtmaTIjlZ2HkG7IQqogU2PzpprUjVrVc3uFI0agQfAiEAw7PPPLXfBvfKeya1JkImVwzLO+6LGlxdk1rH4PkuyyECICE6FgOrAhC2AZ8DMRc047EtsQwGIMRm/93q1uB85eJNAiBnXv3zKnnw20gXvr1mxQAtcPOU546QUQOYhxYXDmgaIQIgPmKJ5LH+a0culVI0PnUvlEWawENIXZzHMuInQ0K0mMc=-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----MIIFBDCCA+ygAwIBAgIBfzANBgkqhkiG9w0BAQQFADBwMQswCQYDVQQGEwJVSzERMA8GA1UEChMIZVNjaWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMCQ0ExLTArBgkqhkiG9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51azAeFw0wMjEwMzExNTUwNTlaFw0wMzEwMzExNTUwNTlaMFoxCzAJBgNVBAYTAlVLMREwDwYDVQQKEwhlU2NpZW5jZTETMBEGA1UECxMKTWFuY2hlc3RlcjELMAkGA1UEBxMCTUMxFjAUBgNVBAMTDW1pY2hhZWwgam9uZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaW/Xrg+vHmQ53By3I44U5Ehtqniu2K/PNk2J69r858VTnNYXSoHW1gbmWR3CzCZID2+Ro8/tTSHFL6xkfqpk6Stckdk91IYVRAtReEP1xHSCkrg4LH1q3TYF1tXfcIJRfSFOKOrzc75Dtj9zEktGZ4jgaTxo22/lB5Okr4WVg9AgMBAAGjggJBMIICPTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCA+gwLAYJYIZIAYb4QgENBB8WHVVLIGUtU2NpZW5jZSBVc2VyIENlcnRpZmljYXRlMB0GA1UdDgQWBBS/AAJLOkWmuOtm5PLuymCduNGyDTCBmgYDVR0jBIGSMIGPgBQCOksRo5aAiw3TFSsIpY4w2rLaqKF0pHIwcDELMAkGA1UEBhMCVUsxETAPBgNVBAoTCGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMTAkNBMS0wKwYJKoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWuCAQAwKQYDVR0SBCIwIIEeY2Etb3BlcmF0b3JAZ3JpZC1zdXBwb3J0LmFjLnVrMD0GCWCGSAGG+EIBBAQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vaW1wb3J0Q1JMMD0GCWCGSAGG+EIBAwQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vaW1wb3J0Q1JMMDwGCWCGSAGG+EIBBwQvFi1odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vcmVuZXdVUkwwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NhLmdyaWQtc3VwcG9ydC5hYy51ay9jZ2ktYmluL2ltcG9ydENSTDANBgkqhkiG9w0BAQQFAAOCAQEAOh+BqBqD/ywPe7YeKocxE9nKnsGe5EK1IlZ7AZgREymj2NI3gFisf0T3HroA9IvINAD/RCfCKlSLlemgAPg9YJLEmSty1LfdeL3JSgHXFB082W9geyOQjtY6LUU5Xrz9bXd7Hs9DjOQFTBuR5bvaPc2dBWu+IbDoQ7JLTsRPa04jngPSA4YbRGhgQV1kri1S4n2bmWBxf0oAHl2dFFlPS9ea7uABPYc2Fr8ks4T9YtHWIa479+HlUuzvaPRzTxtipvRHC2weKCNrJdOh9zf2VdaCfEmpHXFX5rx0cZQN3/whYxZUyQ9RHHq/XO99KCNzZITr8rZSicpIeDHo3bmRPw==-----END CERTIFICATE-----
Proxy Certificates
● grid-proxy-init [-cert cert.pem -key key.pem]
● $X509_USER_PROXY = /tmp/x509up_u`id -u`
● Contains certificate chain from but excluding CA● Contains unencrypted key● Has a short lifetime● is read only to owner
● Limited Proxies on remote resources ~/.globus/.gass_cache
● grid-proxy-destroy
Globus Security● Authentication using GSI extension to GSS
– Third Party data transfer
– Single Sign-on
– Delegation
● Authorisation using grid-mapfile– Access to user level unix on remote machines
– you get: terminal, a home directory, a group, a quota, access to basic IP (firewall allowing), access to queues (depending on jobmanager and advertising), access to CPU-sets, etc. systems are notoriously heterogeneous (outside HEP they are very hetrogeneous)
– For stability could use Distributed Computing tools already available: http(s), afs?
● Acounting still at Research Group Level– Currently records: Who, When and Which Job-manager
– Need much more: for Cost and Legal (80-90% mallaous attacks come from within!)
AA steps on a grid
● Host must identify itself to the grid (client or service)
● Users must recognise the host● Users must identify themselves to the
host● The host must recognise the user's
identity● The host must allow the grid-user to
become a local user
Host Security Setup
● To Identify the host– /etc/grid-security/hostcert.pem
● openssl pkcs12 -in hostcert.p12 -nokey -clcerts -out hostcert.pem
– /etc/grid-security/hostkey.pem● openssl pkcs12 -in hostcert.p12 -nodes -nocerts -out
hostkey.pem
● hostkey.pem must be readable to root only
Host Setup Cont.
● To identify the incoming grid-userNB – We're actually not identifying the grid user. We're
identifying that the incoming request has access to the grid-user's private-key/proxy-private-key
– /etc/grid-security/certificates/<hash>.0
– /etc/grid-security/certificates/<hash>.r0
– /etc/grid-security/certificates/<hash>.signing_policy
– /etc/grid-security/certificates/<hash>.crl_url (borrowed from EDG)
CRL Practical
● Example of how to manage CRLS● Download
http://www.man.ac.uk/~zzcgumj/crls/crls.tgz
● Unpack in /etc/grid-security/certificates● crl.sh does this:
● read *.crl_url
● Download CRLs
● Check type (convert to pem) and Verify CRL
● Makefile_crl does this:● create symbolic link to <hash>.r0
Authorisation
● Globus uses grid-mapfile
Akenti engine - Attribute certificate (+ ...) -> Capability Certificate
CAS – Assersion in proxy from CAS Server + Community Authz
VOM – Web portal for management + .....
VOMS – cf CAS, signed VOMS assersions added to proxy by client
PERMIS – Role Based Access Control via X509 Attribute certificates
Firewalls
● Firewalls prevent attacks by blocking access:– on specified ports/port-ranges
– from/to certain servers
● $GLOBUS_TCP_PORT_RANGE
GSIssh Security
● On port 2222 or 22 ● Can be configured with/without password authz on any port
● Host certificate (uses /etc/host[cert|key].pem)
● Server authenticates itself to client● Client can (must in L2G) authenticate
itself with a Grid certificate● Same configuration files as openssh
except GSS is Globus not Kerberos● Safer that ssh in that there is trust – proxy
trade-off
GridFTP Security
● (x)inetd listens port 2811● Data transfered not encrypted● Accepts Limited proxies● Based on wuftpd● Notes on Third Party Transfer
– GSI authentication to both servers
– One server told to listen on certain port for connection from other
– Other server told to connect on that port
● Can be setup with chroot
Globus Gatekeeper Security
● (x)inetd listens on port 2119● GSI authentication● grid-map authorisation● Allows access to command shell
GASS
● GASS server via gatekeeper● GSI Authentication using limited
proxies● uses https for authentication and
encryption however, is not compatible with normal https clients.
● Is run on demand under non-privileged account on random port.
MyProxy
● port 7512● Allows full proxies to be created on a
trusted server● Proxies can be created by
authentication with limited proxies to MyProxy server.
Security of other services
● GSIklog/GSSklog client and daemon
● GSI to AFS server; AFS grid-mapfile; token via SSL; Accepts Limited Proxies
● Kx509● Kerberos Security wrapper to CA service
● GridCVS● Globus GSS gserver
● Gridsite● x509 certificates in web browsers with GACL
● Slashgrid (/grid)● DN based file system using coda
Best Practices
● Use firewall but allow ports for traffic● Keep private keys private
– Do not send them over the net (sniffed traffic can be cracked)
– Do not store them on network file systems (ACLs are often forgotten)
– Do not leave user certs in No DES format (buys time if private key is stolen)
● Always keep on top of advisories● Keep map-files, CRLS and accounts up-
to-date
Useful GSI and Openssl Commands
● grid-cert-info -file cert.pem● grid-proxy-info● openssl x509 -in cert.pem -noout XXXX
● where XXXX = -text | -subject | -hash | -modulus | ...
● openssl pkcs12 -in certkey.p12● P12 contains cert key and chain to CA
● openssl crl -CApath /etc/grid-security/certificates
-inform PEM -verify -in crl.pem● openssl rsa -in key.pem -modulus
~oO FIN Oo~
Questions?
CAS
1. CAS reply, includingrestricted proxy cred:
CAS Server
What rights does the communitygrant to this user?
User
1. CAS request, authenticated with
Resource Server
Do the proxy restrictions authorize this request?
3. Resource request, authenticated with CAS proxy
4. Resource reply
CAS-maintained
community policy
database
User credential
Community subject name
Community subject name Is this requestauthorized
for the community?
Local policyinformation
Policy restrictions
Policy restrictions
Slide From globus
Kerberos (1)● Ticket Granting
Ticket– [Session key, Time
Stamp, Lifetime & ID] encrypted with password
● Session key for
comms.
ASPasswordDatabase
TGS
kinit
Key Cache
I am
mikeTGT
Work Station
TGT
Session key
TGT
Key CacheSession Key
Kerberos Server
Service
ServiceData
Kerberos (2)● Ticket Granting
Ticket– [Session key, Time
Stamp, Lifetime & ID] encrypted with password
● Service Request
– Authenticator: encrypted [ID, IP, Time Stamp and (short) Time to Live]
– Service Ticket: [Service Key, ID, IP, Time Stamp & Lifetime] encrypted with service password
ASPasswordDatabase
TGS
kinit
Key Cache
I am
mikeTGT
Service Request
Work Station
TGT
Session key
TGT
Key CacheSession Key
Authe
nticat
or
ID, IP & Service
Kerberos Server
ID, IP & TimeAuthenticator
Service
Reque
st
Service Ticket
Service Ticket
Service Key
+ Service Key
ID, IP & TimeAuthenticatorService Ticket Service Ticket
Key CacheAuthenticator
ServiceData
AFS
● Kerberos steps 1 & 2 (AFS server is Kerberos Server)
● Directory Structures everything in /afs/realm/...
● Access Control– Based on AFS ACL
– Groups or users can be given rlidwka
– These apply to DIRECTORIES
– New directories inherit parent directories' ACLs
– File rights take unix owner's rights ie -rwxr-xr-x
– Watch out: $HOME/mail, $HOME/.globus, etc.