Session6 Security Emidio

Upload: issgc-summer-school

Post on 11-May-2015

TRANSCRIPT

Page 1: Grid Security

INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org

Grid Security

Emidio Giorgio, INFN Catania
emidio.giorgio "at" ct.infn.it

With thanks for some slides to EGEE and Globus, UNICORE colleagues

Monday, 6 July 2009

Page 2: What is Grid security?

• Grid intrinsically enables the VO concept
• What is needed in terms of security for a VO?
• Why is security needed on Grids?

The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.”

From “The Anatomy of the Grid” by Ian Foster et al.

Page 3: Security issues in grids

• Launching attacks against other sites
  – Large distributed farms of machines are perfect for launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and access to sensitive information
  – Massive distributed storage capacity is ideal, for example, for sharing movies illegally.
  – A growing number of users have data that must be private: biomedical imaging, for example.
• Damage caused by viruses, worms etc.
  – A highly connected infrastructure means worms could spread faster than on the internet in general.

Page 4: Virtual Organization concept

• VO for each application, workload or community
• Carve out and configure resources for a particular use and set of users
• The more dynamic the better…

Page 5: Problems at network level

Participants of a grid communicate over the Internet
• How can communication endpoints be identified?
  – Authentication
• How can a secure channel be established between two partners?
  – Encryption
  – Non-repudiation
  – Integrity

[Figure: User ↔ Grid service]

Page 6: Problems at VO level

• What are VO members allowed to do?
  – Authorization
• How can services act on behalf of a user?
  – How can a service access the user’s sites?
  – How can a job which is started by the broker access the user’s private data?

[Figure: User, Broker, Storage Element, Computing Element]

Page 7: Grid Security Infrastructure (GSI)

Page 8: Grid Security Infrastructure

Security at network level: Public key infrastructure (PKI)

Page 9: Basis of security & authentication

• Asymmetric encryption…
• … and Digital signatures…
  – A hash derived from the message and encrypted with the signer’s private key
  – Signature is checked by decrypting with the signer’s public key
• Are used to build trust
  – That a user / site is who they say they are
  – And can be trusted to act in accord with agreed policies

[Figure: clear text message → encrypted text → clear text message, using the private key and the public key]

Page 10: Basis of Public Key Infrastructure

• Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
  – it is impossible to derive the private key from the public one
  – a message encrypted by one key can be decrypted only by the other one.
• Concept (simplified version):
  – Public keys are exchanged
  – The sender encrypts using the receiver’s public key
  – The receiver decrypts using his/her private key

[Figure: Paul’s keys (public, private). John encrypts “ciao” with Paul’s public key into “3$r”; Paul decrypts it back to “ciao”. Likewise “bye” ↔ “%i4”.]

Page 11: Entity identity

• Since I’m the only one with access to my private key, you know I signed the data associated with it
• But, how do you know that you have my correct public key?
• X509 certificates

Page 12: Public and private keys

• Public key is wrapped into a “certificate file”
• Certificate files are created by trusted third parties: Grid Certification Authorities (CA)
• Private key is stored in an encrypted file, protected by a passphrase
• Private key is created by the grid user

[Figure: Certificate]
  Public key
  Subject: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Emidio Giorgio
  Issuer: C=IT, O=INFN, OU=Catania, CN=INFN CA
  Expiration date: Mar 05 08:08:10 2008 GMT
  Serial number: 9504 (0x2520)
  Optional Extensions
  CA Digital signature: 1. Hash of Public key & metadata, 2. Encrypt hash with CA’s private key
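Added illustration, not part of the slides: textbook RSA on small constructed primes that walks through the hash-sign-verify cycle of slide 9 and the CA signature over the certificate fields of slide 12 (subject, issuer, expiry and serial are the values shown on the slide). The tiny key sizes and the absence of signature padding are what make it a toy; the mechanism is the one the slides describe.

```python
import hashlib

# Textbook RSA on tiny constructed primes: it shows the mechanism only; real
# CAs use 2048-bit keys and padded signature schemes such as RSA-PSS.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public key, private key)

def digest(data, n):
    # SHA-256 of the message, reduced so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    d, n = private_key
    return pow(digest(data, n), d, n)  # "encrypt the hash with the private key"

def verify(public_key, data, signature):
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)  # "decrypt with the public key"

# A certificate binds identity metadata to a public key: the CA signs the hash
# of exactly these fields, so changing any one of them breaks the signature.
CERT_FIELDS = ("subject", "issuer", "expires", "serial", "public_key")

def cert_body(cert):
    return "|".join(str(cert[f]) for f in CERT_FIELDS).encode()

def issue_certificate(ca_private_key, **fields):
    cert = dict(fields)
    cert["signature"] = sign(ca_private_key, cert_body(cert))
    return cert

def verify_certificate(cert, ca_public_key):
    return verify(ca_public_key, cert_body(cert), cert["signature"])

# Constructed keys: the primes are small and public, nothing here is a real key.
CA_PUB, CA_PRIV = make_keypair(1299709, 15485863)
USER_PUB, USER_PRIV = make_keypair(7919, 104729)
CERT = issue_certificate(
    CA_PRIV,
    subject="/C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Emidio Giorgio",
    issuer="C=IT, O=INFN, OU=Catania, CN=INFN CA",
    expires="Mar 05 08:08:10 2008 GMT",
    serial=9504,
    public_key=USER_PUB,
)

if __name__ == "__main__":
    print("certificate valid:", verify_certificate(CERT, CA_PUB))
    print("forged subject accepted:", verify_certificate(dict(CERT, subject="CN=Someone Else"), CA_PUB))
```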


Page 14: Certification Authorities

• Grid users must generate a private and public key
• Public key must be signed by a recognized CA
  – CAs can establish a number of people as “registration authorities” (RAs): personal visit to the nearest RA instead of the national CA
• CAs web of trust:
  – per continent
  – per country
  – per region
• http://www.igtf.net/
  – http://www.gridpma.org/
  – http://www.apgridpma.org/
  – http://www.tagpma.org/


Page 20: Issuing a grid certificate

• User generates public/private key pair in browser or in files.
  – Private key encrypted on local disk: passphrase
• User sends public key to CA (CertRequest) and shows RA proof of identity (figure: an ID card).
• CA signature links identity and public key in certificate. CA informs user (Cert).

Certification Authority: CA root certificate

Instructions, tutorials (should be) on CA homepages

The browser used for certificate download must be the same used for the request.

Page 21: Certificate request example

• Check the official CA for your country, find how the RA has to identify you and then fill the web form

Page 22: Certificate request example/2

After a couple of working days, an email is sent to the user with the URL where to download the certificate

The browser used for the certificate download must be the same used for the request

Page 23: How to Apply for Certificates to use in the German e-Science Infrastructure D-Grid

• Accepted Certification Authorities are DFN and GridKA
• www.d-grid.de: User Portal, Access to the Resources guides to application pages
• The certification policy expects you to contact a Registration Authority (RA) which has to validate your request
• Select a RA
• Apply for a user certificate
• Print out the reply and fill in your identity card details
• Contact RA with your identity card in person (DFN) or with a copy of your ID-card by mail (GridKA)
• Receive your certificate by e-mail and include it in your browser where your private key resides

Page 24: Export your certificate/1


Page 27: Export your certificate/2

Page 28: Export on different formats

• Certificate is released in PKCS12 format, but other middleware may need a different one

griduser@gridx:~/.globus$ openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
Enter PEM pass phrase: (choose the passphrase that will protect userkey.pem)
Verifying - Enter PEM pass phrase: (re-enter the same passphrase)
griduser@gridx:~/.globus$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
Enter Import Password: (insert your certificate password)
MAC verified OK
griduser@gridx:~/.globus$ chmod 400 userkey.pem
griduser@gridx:~/.globus$ chmod 644 usercert.pem

Page 29: the GILDA CA

• https://gilda-security.ct.infn.it/CA/mgt/restricted/ucert.php
• Training CA --> not included in EuGridPMA
• Used for training purposes
  – simplified access procedure
  – no identification performed



Page 32: User’s private key and certificate

• Keep your private key secure, if possible on a USB drive only
• Do not loan your certificate to anyone
• Report to your CA if your certificate has been compromised.
• Private key and certificate can be:
  – Stored in your browser
  – Stored in files using different file formats (PEM, P12, …)
• Typical situation on Globus, gLite, ARC middleware based grids:

$ ls -l .globus
total 24
-rw-r--r-- 1 giorgio users 1806 Mar  3  2008 usercert.pem
-r-------- 1 giorgio users 1910 Mar  3  2008 userkey.pem

If your certificate is used by someone other than you, it cannot be proven that it was not you.
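As an added example, not from the slides, a small Python audit of the .globus layout shown above: it flags a userkey.pem that is group/world accessible, a key file without an encrypted PEM header (i.e. no passphrase), or a usercert.pem that others can overwrite. The sample directory it builds is constructed with placeholder PEM bodies, not real keys; the two marker strings are the standard OpenSSL encrypted-PEM headers.

```python
import os
import stat
import tempfile

# The slide's .globus layout: usercert.pem 644, userkey.pem 400 and protected
# by a passphrase (an encrypted PEM). These checks catch the common deviations.
ENCRYPTED_MARKERS = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----", b"Proc-Type: 4,ENCRYPTED")

def audit_globus_dir(globus_dir):
    """Return a list of findings; an empty list means the layout matches the slide."""
    key = os.path.join(globus_dir, "userkey.pem")
    cert = os.path.join(globus_dir, "usercert.pem")
    findings = [f"missing: {os.path.basename(p)}" for p in (key, cert) if not os.path.isfile(p)]
    if findings:
        return findings
    key_mode = stat.S_IMODE(os.stat(key).st_mode)
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"userkey.pem accessible by group/others (mode {key_mode:o}, expected 400)")
    with open(key, "rb") as fh:
        head = fh.read(256)  # PEM type line and headers are at the top of the file
    if not any(marker in head for marker in ENCRYPTED_MARKERS):
        findings.append("userkey.pem has no passphrase (no ENCRYPTED PEM header)")
    cert_mode = stat.S_IMODE(os.stat(cert).st_mode)
    if cert_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"usercert.pem writable by group/others (mode {cert_mode:o}, expected 644)")
    return findings

def make_sample_dir(secure=True):
    """Build a constructed .globus directory; PEM bodies are placeholders, not real keys."""
    d = tempfile.mkdtemp(prefix="globus-")
    key_pem = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"
               if secure else b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    with open(os.path.join(d, "userkey.pem"), "wb") as fh:
        fh.write(key_pem)
    with open(os.path.join(d, "usercert.pem"), "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    os.chmod(os.path.join(d, "userkey.pem"), 0o400 if secure else 0o644)
    os.chmod(os.path.join(d, "usercert.pem"), 0o644)
    return d

if __name__ == "__main__":
    for label in ("secure", "insecure"):
        print(label, audit_globus_dir(make_sample_dir(label == "secure")) or ["OK"])
```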

Page 33: Problems at network level

Members of a VO communicate over the Internet
• How can communication endpoints be identified?
  – Authentication
• How can a secure channel be established between two partners?
  – Encryption
  – Non-repudiation
  – Integrity

[Figure: User ↔ Grid service]

Page 34: Security at VO level

• Implementation of services for user authorization (what a user is allowed to do) depends on the middleware
  – VOMS (gLite), XUUDB (UNICORE), etc.

Page 35: Thank you!

Questions?