INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
Grid Security
Emidio Giorgio, INFN Catania, emidio.giorgio "at" ct.infn.it
With thanks for some slides to EGEE and Globus, UNICORE colleagues
Monday 6 July 2009
What is Grid security?
• Grid intrinsically enables the VO concept
• What is needed in terms of security for a VO?
• Why is security needed on Grids?
The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.”
From “The Anatomy of the Grid” by Ian Foster et al.
Security issues in grids
• Launch attacks on other sites
– Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution, and access to sensitive information
– Massive distributed storage capacity is ideal, for example, for sharing movies illegally.
– A growing number of users have data that must be private – biomedical imaging, for example.
• Damage caused by viruses, worms etc.
– A highly connected infrastructure means worms could spread faster than on the Internet in general.
Virtual Organization concept
• VO for each application, workload or community
• Carve out and configure resources for a particular use and set of users
• The more dynamic the better…
Problems at network level
Participants of a grid communicate over the Internet
• How can communication endpoints be identified?
– Authentication
• How can a secure channel be established between two partners?
– Encryption
– Non-repudiation
– Integrity
(Diagram: User ↔ Grid service)
Problems at VO level
• What are VO members allowed to do?
– Authorization
• How can services act on behalf of a user?
– How can a service access the user’s sites?
– How can a job which is started by the broker access the user’s private data?
(Diagram: User, Broker, Computing Element, Storage Element)
Grid Security Infrastructure (GSI)
Grid Security Infrastructure
Security at network level: Public key infrastructure (PKI)
Basis of security & authentication
• Asymmetric encryption…
• … and digital signatures…
– A hash derived from the message and encrypted with the signer’s private key
– The signature is checked by decrypting with the signer’s public key
• These are used to build trust
– That a user / site is who they say they are
– And can be trusted to act in accord with agreed policies
(Diagram: clear text message → encrypted text using the private key → clear text message using the public key)
Basis of Public Key Infrastructure
• Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
– it is impossible to derive the private key from the public one
– a message encrypted by one key can be decrypted only by the other one.
• Concept (simplified version):
– Public keys are exchanged
– The sender encrypts using the receiver’s public key
– The receiver decrypts using his/her private key
(Diagram: Paul’s keys, public and private. John → Paul: “ciao” is encrypted to “3$r” with Paul’s public key and decrypted back to “ciao” with Paul’s private key; likewise “bye” → “%i4” → “bye”.)
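The John → Paul exchange on this slide and the signature mechanism on the previous slide, as an added shell example with openssl that is not part of the original slides; Paul’s key pair and the messages are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: the operations described above done with
# openssl. Paul's key pair and the messages are constructed for the demo; a real
# grid private key would additionally be encrypted with a passphrase.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Paul's key pair. The private key stays with Paul; only the public key is exchanged.
openssl genrsa -out paul_private.pem 2048 2>/dev/null
openssl rsa -in paul_private.pem -pubout -out paul_public.pem 2>/dev/null

# Confidentiality: John encrypts with Paul's PUBLIC key (OAEP padding);
# only the holder of Paul's PRIVATE key can decrypt.
encrypt_for_paul() {   # $1 = clear text, ciphertext on stdout
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey paul_public.pem \
        -pkeyopt rsa_padding_mode:oaep
}
decrypt_as_paul() {    # ciphertext on stdin, clear text on stdout
    openssl pkeyutl -decrypt -inkey paul_private.pem -pkeyopt rsa_padding_mode:oaep
}
roundtrip() {          # "ciao" -> "3$r" -> "ciao" from the slide
    encrypt_for_paul "$1" > msg.enc
    decrypt_as_paul < msg.enc
}

# Digital signature: SHA-256 hash of the message, encrypted with the SIGNER's
# private key; anyone holding the public key can check it.
sign_as_paul() {              # $1 = file to sign; writes $1.sig
    openssl dgst -sha256 -sign paul_private.pem -out "$1.sig" "$1"
}
verify_with_paul_pubkey() {   # $1 = file, $2 = signature; exit 0 only if valid
    openssl dgst -sha256 -verify paul_public.pem -signature "$2" "$1" >/dev/null 2>&1
}

printf 'please run my job' > message.txt
sign_as_paul message.txt
# Integrity: changing one byte of the message must make verification fail.
printf 'please run MY job' > tampered.txt
```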
Entity identity
• Since I’m the only one with access to my private key, you know I signed the data associated with it
• But, how do you know that you have my correct public key?
• X.509 certificates
Public and private keys
• Public key is wrapped into a “certificate file”
• Certificate files are created by trusted third parties: Grid Certification Authorities (CA)
• Private key is stored in an encrypted file – protected by a passphrase
• Private key is created by the grid user
(Diagram: the certificate wraps the public key together with these fields)
Subject: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Emidio Giorgio
Issuer: C=IT, O=INFN, OU=Catania, CN=INFN CA
Expiration date: Mar 05 08:08:10 2008 GMT
Serial number: 9504 (0x2520)
Optional Extensions
CA Digital signature:
1. Hash of public key & metadata
2. Encrypt hash with CA’s private key
Certification Authorities
• Grid users must generate a private and a public key
• The public key must be signed by a recognized CA
– CAs can establish a number of “registration authorities” (RAs): personal visit to the nearest RA instead of the national CA
• CAs’ web of trust:
– Per continent
– Per country
o Per region
• http://www.igtf.net/
– http://www.gridpma.org/
– http://www.apgridpma.org/
– http://www.tagpma.org/
Issuing a grid certificate
(Diagram, in the order of the slide builds:)
• User generates a public/private key pair in the browser or in files. The private key is stored encrypted on the local disk, protected by a passphrase.
• User sends the public key (certificate request) to the CA and shows the RA proof of identity (a State of Illinois ID card in the picture).
• The CA signature links identity and public key in the certificate. The CA informs the user, who downloads the certificate.
• Certification Authority: holds the CA root certificate. Instructions, tutorials (should be) on CA homepages.
The browser used for certificate download must be the same as the one used for the request.
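The issuing steps above, together with the certificate fields from the “Public and private keys” slide, as an added shell example with openssl that is not part of the original slides; the CA, the user and every name are constructed for the demo, and the RA’s identity check has no software equivalent, so it appears only as a comment.

```shell
#!/bin/sh
# Added example, not from the slides: the issuing steps above done with openssl.
# The CA, the user and every name here are constructed for the demo. The RA's
# identity check happens outside the software and is only a comment.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# CA side, once: CA key pair and the self-signed CA root certificate that
# relying parties install as their trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=XX/O=Demo Org/CN=Demo Training CA" \
    -keyout ca_key.pem -out ca_root.pem 2>/dev/null

# Step 1, user side: key pair plus certificate request (CSR). The private key is
# written encrypted under a passphrase and never leaves the user's disk.
openssl req -new -newkey rsa:2048 -sha256 \
    -subj "/C=XX/O=Demo Org/OU=Personal Certificate/CN=Jane Grid User" \
    -passout pass:demo-passphrase -keyout userkey.pem -out request.csr 2>/dev/null

# Step 2, CA side: only after the RA has checked the requester's ID does the CA
# sign the CSR. The signature binds the subject name to the public key in it.
openssl x509 -req -in request.csr -CA ca_root.pem -CAkey ca_key.pem \
    -CAcreateserial -days 365 -sha256 -out usercert.pem 2>/dev/null

# The fields shown on the certificate slide: subject, issuer, serial, enddate.
cert_field() {   # $1 = subject | issuer | serial | enddate
    openssl x509 -in usercert.pem -noout "-$1" | sed 's/^[A-Za-z]*=//'
}
# What a grid service does with a presented certificate: check that the CA
# signature verifies against a root it trusts. Exit 0 when it does.
verify_against_root() {   # $1 = certificate, $2 = trusted CA root
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Does the issued certificate carry the same public key the user put in the CSR?
cert_key_is_from_csr() {
    [ "$(openssl req -in request.csr -noout -pubkey)" = \
      "$(openssl x509 -in usercert.pem -noout -pubkey)" ]
}

# A second, unrelated root: a certificate it did not sign must NOT verify against it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=XX/O=Other Org/CN=Untrusted CA" \
    -keyout other_key.pem -out other_root.pem 2>/dev/null
```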
Certificate request example
• Check the official CA for your country, find out how the RA has to identify you and then fill in the web form
Certificate request example/2
• After a couple of working days, an email is sent to the user with the URL from which to download the certificate
• The browser used for the certificate download must be the same as the one used for the request
How to Apply for Certificates to use in the German e-Science Infrastructure D-Grid
• Accepted Certification Authorities are DFN and GridKA
• www.d-grid.de → User Portal → Access to the Resources → guides to application pages
• The certification policy expects you to contact a Registration Authority (RA) which has to validate your request
• Select a RA
• Apply for a user certificate
• Print out the reply and fill in your identity card details
• Contact the RA with your identity card in person (DFN) or with a copy of your ID card by mail (GridKA)
• Receive your certificate by e-mail and include it in your browser where your private key resides
Export your certificate/1
(screenshots only; no text on the slide)
Export your certificate/2
(screenshots only; no text on the slide)
Export on different formats
• Certificate is released in PKCS12 format, but other middleware may need a different one
griduser@gridx:~/.globus$ openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
Enter PEM pass phrase: (insert your PEM pass phrase)
Verifying - Enter PEM pass phrase: (reinsert your PEM pass phrase)
griduser@gridx:~/.globus$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
griduser@gridx:~/.globus$ chmod 400 userkey.pem
griduser@gridx:~/.globus$ chmod 644 usercert.pem
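The export above, as an added shell example (not from the slides) that runs the same openssl commands without interactive prompts and then checks what the chmod lines are for; the cert.p12 file and both passwords are constructed for the demo, standing in for the browser’s PKCS#12 export.

```shell
#!/bin/sh
# Added example, not from the slides: the PKCS#12 -> PEM export above, run
# non-interactively, followed by the checks a user should make before using
# the files. The certificate and its passwords are constructed for the demo.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
P12_PASS=demo-export-password   # the "Import Password" set on cert.p12 at export
PEM_PASS=demo-key-passphrase    # the new "PEM pass phrase" protecting userkey.pem

# Stand-in for the browser export: a self-signed certificate packed as cert.p12.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=XX/O=Demo Org/CN=Demo User" -keyout tmpkey.pem -out tmpcert.pem 2>/dev/null
openssl pkcs12 -export -inkey tmpkey.pem -in tmpcert.pem -out cert.p12 -passout "pass:$P12_PASS"
rm -f tmpkey.pem tmpcert.pem

export_from_p12() {
    # Private key only, re-encrypted under PEM_PASS (the slide's first command, no prompts).
    openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem \
        -passin "pass:$P12_PASS" -passout "pass:$PEM_PASS"
    # Client certificate only, no key (the slide's second command).
    openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem -passin "pass:$P12_PASS"
    chmod 400 userkey.pem
    chmod 644 usercert.pem
}

# Octal permission bits of a file, e.g. "400" (GNU stat, with a BSD fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Checks: key readable only by its owner, certificate world-readable, key still
# passphrase-protected on disk, and key and certificate from the same pair.
key_is_private() { [ "$(perm_of userkey.pem)" = "400" ]; }
cert_is_readable() { [ "$(perm_of usercert.pem)" = "644" ]; }
key_is_encrypted() { grep -q 'ENCRYPTED' userkey.pem; }
key_matches_cert() {
    [ "$(openssl pkey -in userkey.pem -passin "pass:$PEM_PASS" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in usercert.pem -noout -pubkey)" ]
}

export_from_p12
```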
The GILDA CA
• https://gilda-security.ct.infn.it/CA/mgt/restricted/ucert.php
• Training CA --> not included in EuGridPMA
• Used for training purposes
– simplified access procedure
– no identification performed
User’s private key and certificate
• Keep your private key secure – if possible on a USB drive only
• Do not loan your certificate to anyone
• Report to your CA if your certificate has been compromised.
• Private key and certificate can be:
– Stored in your browser
– Stored in files using different file formats (PEM, P12, …)
• Typical situation on Globus, gLite, ARC middleware based grids:
$ ls -l .globus
total 24
-rw-r--r-- 1 giorgio users 1806 Mar 3 2008 usercert.pem
-r-------- 1 giorgio users 1910 Mar 3 2008 userkey.pem
If your certificate is used by someone other than you, it cannot be proven that it was not you.
Problems at network level
Members of a VO communicate over the Internet
• How can communication endpoints be identified?
– Authentication
• How can a secure channel be established between two partners?
– Encryption
– Non-repudiation
– Integrity
(Diagram: User ↔ Grid service)
Security at VO level
• Implementation of services for user authorization (what a user is allowed to do) depends on the middleware
– VOMS (gLite), XUUDB (UNICORE), etc.
Thank you!
Questions?