Grid Security




                Javed Ahmed (07K-0992)
                PhD (CS) NU FAST
                Karachi Campus
                shahanijaved@gmail.com
Approaches to Security
Stakeholders in Grid
Grid Security Concept

   Virtual Organization
   Computing Elements
   Storage Elements
Grid Security

   It has three dimensions:
       Authentication/Authorization/Delegation
       Application & Middleware Security
       Data Security
Authentication/Authorization/Delegation

   Authentication:
       the user is who they claim to be
   Authorization:
       the user is allowed to use a given resource, and only in the permitted ways
   Delegation:
       the user allows a job to act on their behalf
Authentication

   Done with X.509 certificates
   Analogy with ID Cards
Authorization


   Resource specific
   Every site wants to fine-tune its own policy
   Also needed at virtual organization (VO) level, so that a VO can grant access across sites
Delegation

   A new key pair is generated remotely, on the server that will run the job; its private key never leaves that host
   The unsigned proxy certificate (a certificate request carrying the new public key) is sent to the client
   The client signs the proxy certificate with the user's private key and returns it
   The server (usually) stores the proxy, together with its private key, in /tmp
Application & Middleware Security

   OS Vulnerabilities
   Middleware Vulnerabilities
Site Security

   Subnets
   Firewall
   Blocking of every port the middleware does not require
PKI: Public Key Infrastructure

   User (or entity) gets a related key pair:
       one private key, known only to the user
       one public key, distributable to the world
   A message encrypted with one key can only be decrypted with the other
Key Reciprocity

   Data encrypted using the public key requires the private key for decryption.
       If you know my public key, you can send me, via an open channel, a message only I can read.
   Data "encrypted" using the private key can be checked by anyone holding the public key.
       In practice this direction is a digital signature: the sender signs a hash of the data, rather than encrypting the data itself.
       If my public key verifies a message I have sent via an open channel, then only I, the holder of the private key, could have sent it.
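The two directions above, carried through in code. This is an added example, not code from the deck: it uses Go's standard library, RSA-OAEP for the "public key encrypts, private key decrypts" direction and RSA-PSS for the "private key" direction, which in practice is a signature over a SHA-256 hash of the data rather than an encryption of the data. The key size, the party names (alice, bob) and the sample message are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newPair makes one party's related key pair: the private half stays with them.
func newPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// seal: "encrypted with the public key, needs the private key". RSA-OAEP with
// SHA-256; the empty label is fine as long as both sides agree on it.
func seal(to *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// unseal returns the plaintext, or an error when priv is not the recipient's key.
func unseal(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign is the deck's "encrypted with the private key" direction. Nothing is
// encrypted: the holder signs a SHA-256 digest of msg under RSA-PSS padding.
func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

// verify holds only if sig was made with the private key matching pub over exactly msg.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, bob := newPair(), newPair()
	msg := []byte("job 4711: run on ce01, results to se02") // constructed sample message
	ct := seal(&bob.PublicKey, msg)                         // only Bob can read this
	pt, _ := unseal(bob, ct)
	_, aliceErr := unseal(alice, ct)
	sig := sign(alice, msg) // only Alice could have produced this
	fmt.Printf("bob reads %q; alice can read it: %v\n", pt, aliceErr == nil)
	fmt.Println("alice's signature verifies:", verify(&alice.PublicKey, msg, sig),
		"tampered message:", verify(&alice.PublicKey, []byte(string(msg)+"!"), sig),
		"checked with bob's key:", verify(&bob.PublicKey, msg, sig))
}
```

The failure cases are the point: a wrong private key cannot decrypt, and a signature fails to verify under any other public key or over a message changed by a single byte.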
How Keys Get Around

   Public keys can be freely distributed
       Allows messages to be encrypted just for you.
   Your private key doesn’t get around.
       Period. That’s why it’s private.
X.509 Certificates

   Keys can be distributed as encapsulated in an X.509
    certificate.
   The X.509 certificate associates the public key with a
    qualified name.
   The X.509 certificate is also signed by a trusted
    issuer.
Who Issues a Certificate?

   A certificate authority (CA) is a trusted entity who
    signs and issues X.509 credentials
   Examples: NCSA Alliance, DOEgrid CA
   In the so-called “real world”: VeriSign
   Each credential identifies its CA
   X.509 Certificate = “License”
       Identifies you and your institution
       Can’t be self-created (a self-signed certificate is trusted by nobody)
       Created for you by your institution’s CA
       Getting one isn’t an instantaneous process: the CA verifies your identity first
What’s in an X.509 Certificate?

   Entity’s qualified name
   Entity’s public key
   Name of the issuing CA
   Signature of issuing CA
   Validity dates (start and end dates)
   Other stuff — version information, etc.
Why Use Proxy Certificates?

   A user certificate usually lasts a year
       If its private key is stolen, the credential stays usable for the rest of the year
            unless the certificate is revoked by being placed on a certificate
             revocation list (CRL)
                  and the utility that checks it actually fetches the CRL
                       with any frequency
   A proxy certificate usually lasts 12 hours
       Minimizes the possible mischief: a stolen proxy dies on its own within hours, and a new one can be made from the long-lived credential at any time
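The delegation exchange from the Delegation slide and the lifetime rule on this slide, carried through in code. This is an added example, not code from the deck or from the Globus/GSI software it describes. It uses Go's standard crypto/x509 package with ECDSA keys, an invented "Example Grid" CA and user DN, a fixed clock, and models the proxy subject as the user's DN plus one extra CN in the style of RFC 3820 proxy certificates. Go's chain builder refuses to treat an end-entity certificate as an issuer, so the resource receiving a proxy has to check the delegation link itself, which is what verifyProxy does.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const maxProxyLifetime = 12 * time.Hour     // the deck's "usually 12 hours"
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3} // X.500 commonName
var serial int64                              // toy serial-number counter

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs template with signer (the key behind parent) and parses the DER back.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))))
}

// mkCert makes a key pair and a one-year certificate for cn: the self-signed grid
// CA when isCA is set, otherwise a user credential issued by parent/signer (the CA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject: pkix.Name{Organization: []string{"Example Grid"}, CommonName: cn},
		IsCA:    isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage, parent, signer = x509.KeyUsageCertSign, tmpl, key
	}
	return issue(tmpl, parent, &key.PublicKey, signer), key
}

// verifyUser is plain authentication: the user certificate must chain to the CA.
func verifyUser(user, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// signProxy is the client's half of delegation: the server made the proxy key pair and
// sent only proxyPub; the client issues a proxy whose subject is the user's DN plus one
// extra CN, signed with the user's own key rather than the CA's.
func signProxy(user *x509.Certificate, userKey *ecdsa.PrivateKey, proxyPub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) *x509.Certificate {
	serial++
	names := append([]pkix.AttributeTypeAndValue{}, user.Subject.Names...)
	names = append(names, pkix.AttributeTypeAndValue{Type: oidCN, Value: fmt.Sprint(serial)})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{ExtraNames: names},
		NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	return issue(tmpl, user, proxyPub, userKey)
}

// verifyProxy is what a resource must do itself, since the chain builder rejects a non-CA issuer.
func verifyProxy(proxy, user *x509.Certificate, now time.Time) error {
	if !bytes.Equal(proxy.RawIssuer, user.RawSubject) {
		return fmt.Errorf("proxy issuer is not the delegating user's DN")
	}
	un, pn := user.Subject.Names, proxy.Subject.Names
	if len(pn) != len(un)+1 || !pn[len(un)].Type.Equal(oidCN) {
		return fmt.Errorf("proxy subject must be the user DN plus exactly one CN")
	}
	for i := range un {
		if !un[i].Type.Equal(pn[i].Type) || un[i].Value != pn[i].Value {
			return fmt.Errorf("proxy subject does not extend the user DN")
		}
	}
	if err := user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by the user's key: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotAfter.After(user.NotAfter) || proxy.NotAfter.Sub(proxy.NotBefore) > maxProxyLifetime {
		return fmt.Errorf("proxy is outside its window or longer-lived than policy allows")
	}
	return nil
}

func main() {
	now := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC) // fixed clock; real code uses time.Now()
	ca, caKey := mkCert("Example Grid CA", true, nil, nil, now)
	user, userKey := mkCert("Javed Ahmed", false, ca, caKey, now)
	proxyKey := newKey() // server side: this private half stays on the server (GSI keeps it under /tmp)
	proxy := signProxy(user, userKey, &proxyKey.PublicKey, now, maxProxyLifetime)
	fmt.Println(verifyUser(user, ca, now), verifyProxy(proxy, user, now), verifyProxy(proxy, user, now.Add(13*time.Hour)))
}
```

Run stand-alone it prints `<nil> <nil>` followed by the expiry error for the check made 13 hours later. The lifetime check is the slide's whole argument: a proxy that outlives the 12-hour policy, or the user certificate it hangs off, is refused even though its signature is perfectly good.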
Akenti Authorization

    Minimal local Policy Files (authorization files): Who to trust,
     where to look for certificates.
    Based on the following digitally signed certificates:
         X.509 certificates for user identity and authentication
         UseCondition certificates containing stakeholder policy
         Attribute certificates in which a trusted party attests that a
          user possesses some attribute, e.g. training, group
          membership
    Can be called from any application that has an
     authenticated user’s identity certificate and a unique
     resource name, to return that user’s privileges with respect
     to the resource.
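A simplified evaluator for the three kinds of statement listed above, as an added example; it is not Akenti's code and does not use Akenti's XML certificate format. Use-condition certificates, attribute certificates and the local policy file are modelled as plain structs whose signatures are assumed to have been verified before they are built, and the DNs, resource name, attributes and actions are constructed sample data. The security point it shows is that a use-condition from a party the local policy does not trust, or an attribute asserted by a party the use-condition does not name, never contributes a privilege.

```go
package main

import (
	"fmt"
	"sort"
)

// UseCondition models a stakeholder's signed policy statement for a resource:
// a user holding Attribute=Value, attested by one of AttrIssuers, may do Actions.
type UseCondition struct {
	Issuer, Resource, Attribute, Value string
	AttrIssuers, Actions               []string
}

// AttributeCert models a trusted party's statement that Subject has Attribute=Value.
type AttributeCert struct {
	Issuer, Subject, Attribute, Value string
}

// LocalPolicy stands in for the minimal local policy file: for each resource,
// whose use-condition certificates are trusted (the "who to trust" part).
type LocalPolicy struct {
	Stakeholders map[string][]string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// satisfied reports whether the user holds an attribute certificate that meets uc
// and was issued by a party that uc itself names as trusted for that attribute.
func satisfied(uc UseCondition, userDN string, attrs []AttributeCert) bool {
	for _, a := range attrs {
		if a.Subject == userDN && a.Attribute == uc.Attribute && a.Value == uc.Value && contains(uc.AttrIssuers, a.Issuer) {
			return true
		}
	}
	return false
}

// Privileges is the call on the slide: given an authenticated user DN and a unique
// resource name, return the actions the user may perform. Use-conditions about
// another resource, or from a non-stakeholder, are ignored.
func Privileges(p LocalPolicy, resource, userDN string, ucs []UseCondition, attrs []AttributeCert) []string {
	granted := map[string]bool{}
	for _, uc := range ucs {
		if uc.Resource != resource || !contains(p.Stakeholders[resource], uc.Issuer) || !satisfied(uc, userDN, attrs) {
			continue
		}
		for _, act := range uc.Actions {
			granted[act] = true
		}
	}
	out := make([]string, 0, len(granted))
	for act := range granted {
		out = append(out, act)
	}
	sort.Strings(out)
	return out
}

// sample is constructed data for one beamline data store, not a real site's policy.
func sample() (LocalPolicy, []UseCondition, []AttributeCert) {
	const res, mgr, vo, safety = "/data/beamline7", "/O=Example Grid/CN=Beamline Manager", "/O=Example Grid/CN=VO Admin", "/O=Example Grid/CN=Safety Office"
	const mallory, javed, bob = "/O=Example Grid/CN=Mallory", "/O=Example Grid/CN=Javed Ahmed", "/O=Example Grid/CN=Bob"
	policy := LocalPolicy{Stakeholders: map[string][]string{res: {mgr}}}
	ucs := []UseCondition{
		{mgr, res, "group", "beamline7", []string{vo}, []string{"read"}},
		{mgr, res, "training", "radiation-safety", []string{safety}, []string{"write"}},
		{mallory, res, "group", "everyone", []string{mallory}, []string{"delete"}}, // not a stakeholder
	}
	attrs := []AttributeCert{
		{vo, javed, "group", "beamline7"},
		{safety, javed, "training", "radiation-safety"},
		{mallory, javed, "group", "everyone"},
		{vo, bob, "group", "beamline7"},
		{bob, bob, "training", "radiation-safety"}, // self-asserted: no use-condition trusts Bob for this
	}
	return policy, ucs, attrs
}

func main() {
	p, ucs, attrs := sample()
	for _, dn := range []string{"/O=Example Grid/CN=Javed Ahmed", "/O=Example Grid/CN=Bob"} {
		fmt.Println(dn, "->", Privileges(p, "/data/beamline7", dn, ucs, attrs))
	}
}
```

Javed, whose group membership comes from the VO admin and whose training comes from the safety office, gets read and write; Bob, who attested his own training, gets only read; Mallory's "delete" use-condition is never consulted because the local policy file does not list Mallory as a stakeholder for the resource.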
Akenti Authorization model

[Figure: Akenti server architecture. The client presents the user’s X.509 identity certificate to the resource server, which passes the user’s DN and the resource name to the Akenti server. Akenti, backed by a cache manager and a log server, fetches the identity, use-condition and attribute certificates it needs over the Internet from certificate servers (LDAP, database, file and web servers) and returns the user’s privileges for the resource.]
Virtual Organization Management Service (VOMS)
Q&A
References

1. D. A. Agarwal, S. R. Sachs, W. E. Johnston, 1998. The Reality of Collaboratories. Computer Physics Communications, 110, 134-141.
2. AKENTI.XSD, 2003. Akenti Certificate schema. http://wwwitg.lbl.gov/Akenti/docs/AkentiCertificate.xsd
3. R. Alfieri, R. Cecchini, V. Ciaschini, L. Dell’Agnello, A. Frohner, A. Gianoli, K. Lorentey and F. Spataro, 2003. VOMS, An Authorization System for Virtual Organizations. Presented at the 1st European Across Grids Conference, Santiago de Compostela, February 13-14, 2003.
4. Apache, 2002a. Apache Software Foundation. http://www.apache.org
5. Apache, 2002b. Apache Module Registry. http://modules.apache.org/
6. Apache, 2002c. Apache XML Project. http://xml.apache.org/
