Grid Security
EMBRACE Grid Tutorial, Helsinki, 16 June 2006




Heinz Stockinger
Swiss Institute of Bioinformatics
Lausanne, Switzerland
 I guess you all know that …




Heinz.Stockinger@isb-sib.ch                                                                           Grid Security - n° 2
 How about that one?




What does this have to do with computing?

Well, it’s all about codes and access to information.

In Grid computing:
  - Limit access to resources
  - Use standard computer security



Motivation: Security in the Grid

In industry, several security standards exist:
  - Public Key Infrastructure (PKI)
      - PKI keys
      - SPKI keys (focus on authorisation rather than certificates)
      - RSA
  - Secure Socket Layer (SSL)
      - SSH keys
  - Kerberos

Need for a common security standard for Grid services
  - The above standards do not meet all Grid requirements (e.g. delegation, single sign-on etc.)

Grid community mainly uses X.509 PKI for the Internet
  - Well established and widely used (also for www, e-mail, etc.)


Security Overview

  - Introduction
  - Public Key Infrastructure
  - Grid Certificates (X.509)
  - Grid Security Infrastructure (GSI)
  - Securing Services
  - GSI in Practice



Introduction

Distribution of resources: secure access is a basic requirement
  - secure communication, secure data, resources etc.
  - security across organisational boundaries
  - single sign-on for users of the Grid

Three basic concepts:
  - Secure communication: Data Encryption
  - Authentication: Who am I?
      - “Equivalent” to a passport, ID card etc.
  - Authorisation: What can I do?
      - Certain permissions, duties etc.




Data Encryption

Symmetric encryption: the same key (“secret”) is used for encryption and decryption
  - Kerberos, DES / 3DES, IDEA

    Clear text message --> Encryption --> Encrypted text --> Decryption --> Clear text message
                          (shared key)                       (shared key)

Asymmetric encryption: different keys are used for encryption and decryption
  - RSA, DSA

    Clear text message --> Encryption --> Encrypted text --> Decryption --> Clear text message
                            (Key A)                            (Key B)




Authentication

Do we want authorised users or anonymous access to our service?

How can I prove who I am?
  - In private life: people have passports, identity cards
      - Issued by a certain authority
  - In office life: we use ids and passwords to access computers




Certificate = “Grid Passport”

A passport has several important items.

Public Key Infrastructure:
  - Use a public and private key

Grid Certificate:
  - Name
  - Issuer (Certificate Authority)
  - Validity

Public Key Infrastructure (PKI)

Asymmetric encryption

    Clear text message --> [Private Key] --> Encrypted text --> [Public Key] --> Clear text message

Digital signatures
  - A hash derived from the message and encrypted with the signer’s private key
  - Signature checked by decrypting with the signer’s public key

Allows key exchange in an insecure medium using a trust model
  - Keys trusted only if signed by a trusted third party (Certification Authority)
  - A CA certifies that a key belongs to a given principal

Certificate
  - Public key + information about the principal + CA signature
  - X.509 format most used

PKI used by SSL, PGP, GSI, WS security, S/MIME, etc.
PKI – Example

Entity A (Alice): public key e, private key d
  - encryption transformation Ee
  - decryption transformation Dd

Entity B (Bob): public key, private key
  - wishing to send a message m to A: ciphertext c = Ee(m)

A applies the decryption transformation: m = Dd(c).



X.509 certificates and authentication

Structure of a X.509 certificate:
  - Public key
  - Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
  - Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
  - Expiration date: Aug 26 08:08:14 2005 GMT
  - Serial number: 625 (0x271)
  - CA Digital signature

Authentication of A to B:
  A --> B:  A’s certificate
  B:        Verify CA signature
  B --> A:  Random phrase
  A:        Encrypt with A’s private key
  A --> B:  Encrypted phrase
  B:        Decrypt with A’s public key
  B:        Compare with original phrase

Performance!
X.509 alias ISO/IEC/ITU 9594-9

X.509 is an ITU Standard:
  - ITU-T Recommendation X.509 (1997 E). Information technology - Open Systems Interconnection - The Directory: Authentication Framework
  - Defines a certificate format (originally based on X.500 Directory Access Protocol)
      - Latest standard: X.509 version 3 certificate format

X.509 certificate includes:
  - User identification (someone’s subject name)
  - Public key
  - A “signature” from a Certificate Authority (CA) that:
      - Proves that the certificate came from the CA.
      - Vouches for the subject name
      - Vouches for the binding of the public key to the subject




Involved entities

  - Certificate Authority (CA)
  - User: public key, private key, certificate
  - Resource (site offering services)




Certification Authorities

  - Issue certificates for users, programs and machines
  - Check the identity and the personal data of the requestor
      - Registration Authorities (RAs) do the actual validation
  - Manage Certificate Revocation Lists (CRLs)
      - They contain all the revoked certificates yet to expire
  - CA certificates are self-signed
  - In Grid projects only certain CAs are mutually recognised




Certificate classification

User certificate
  - issued to a physical person
  - DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  - the only kind of certificate good for a client, i.e. to send Grid jobs etc.

Host certificate
  - issued to a machine (i.e. a secure web server, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch

Grid host certificate
  - issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch

Service certificate
  - issued to a program running on a machine
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch




Grid Certificate

A certificate needs to be requested from a Certificate Authority.

When using the Grid Security Infrastructure (GSI), the certificate consists of two parts:
  - usercert.pem
  - userkey.pem




X.509 Certificate Example (1)

openssl x509 -in ~/.globus/usercert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)                                    <- X.509 v3, with extensions
        Serial Number: 199 (0xc7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA           <- issuer CA
        Validity
            Not Before: Sep 25 10:33:05 2005 GMT            <- long term certificate
            Not After : Sep 24 10:33:05 2006 GMT
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User    <- user identification
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption             <- public key
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:
                    […]
X.509 Certificate Example (2)

        X509v3 extensions:                                  <- certificate extensions
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53
            X509v3 CRL Distribution Points:                 <- Certificate Revocation List
                URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
            X509v3 Issuer Alternative Name:
                email:service-grid-ca@cern.ch
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.96.10.1.2.1
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing          <- client/user certificate
            Netscape Base Url:
                http://service-grid-ca.web.cern.ch/service-grid-ca/
    Signature Algorithm: md5WithRSAEncryption               <- signature on the information
        54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:
        [...]




Private Key Example

openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]
prime1: [...]                                   <- private parameters
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----                 <- PEM encoded private key
-----END RSA PRIVATE KEY-----



Globus Grid Security Infrastructure (GSI)

  - de facto standard for Grid middleware
  - Based on PKI
  - Implements some important features
      - Single sign-on: no need to give one’s password every time
      - Delegation: a service can act on behalf of a person
      - Mutual authentication: both sides must authenticate to the other
  - Introduces proxy certificates
      - Short-lived certificates including their private key and signed with the user’s certificate




GSI General Overview

Layered view (bottom to top):
  - PKI (CAs and Certificates): PKI for credentials
  - SSL/TLS: SSL for authentication and message protection
  - Proxies and Delegation: proxies and delegation (GSI extensions) for secure single sign-on

Based on Slide from Globus Tutorial
Virtual Organizations and authorization

Grid users must belong to a Virtual Organization
  - Sets of users belonging to a collaboration
  - Each VO user has the same access privileges to Grid resources

VOs maintain a list of their members
  - The list is downloaded by Grid machines to map user certificate subjects to local “pool” accounts: only mapped users are authorized in LCG

    grid-mapfile:
    ...
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
    ...

  - Sites decide which VOs to accept



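The mapping step above in code, as an added example that is not from the tutorial or from Globus: it parses a constructed grid-mapfile in the format shown, reduces a proxy subject to the user certificate's subject by stripping the trailing /CN=proxy components that grid-proxy-init adds (the form grid-proxy-info -subject prints on the Usage slide), and refuses any subject not listed. The account names and the "Joe User" entry are constructed, and the reading of a leading dot as a pool account is the Globus convention assumed here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed grid-mapfile in the format shown above: the certificate subject in
// double quotes, then the local account; a leading '.' marks a pool account.
const gridMapfile = `
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe User" juser
`

// Mapping is one grid-mapfile entry: the account (without the '.') and whether it
// is a pool, i.e. the site hands out one of the pool's accounts for the session.
type Mapping struct {
	Account string
	Pool    bool
}

// ParseGridMap turns the file into a subject -> Mapping table. A subject may list
// several accounts separated by commas; the first one is the default.
func ParseGridMap(text string) (map[string]Mapping, error) {
	m := map[string]Mapping{}
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: subject must be double-quoted", n+1)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated subject", n+1)
		}
		subject := line[1 : 1+end]
		accounts := strings.Split(strings.TrimSpace(line[2+end:]), ",")
		if accounts[0] == "" {
			return nil, fmt.Errorf("line %d: no account for %s", n+1, subject)
		}
		acct := accounts[0]
		m[subject] = Mapping{Account: strings.TrimPrefix(acct, "."), Pool: strings.HasPrefix(acct, ".")}
	}
	return m, nil
}

// IdentityFromProxy strips the "/CN=proxy" components that grid-proxy-init appends
// (a delegated proxy carries several): the grid-mapfile is keyed by the subject of
// the user certificate, not by the proxy's subject.
func IdentityFromProxy(subject string) string {
	for strings.HasSuffix(subject, "/CN=proxy") {
		subject = strings.TrimSuffix(subject, "/CN=proxy")
	}
	return subject
}

// Authorize is the site-side lookup: only subjects present in the grid-mapfile are
// authorized; everyone else is refused even with a perfectly valid certificate.
func Authorize(m map[string]Mapping, proxySubject string) (Mapping, error) {
	id := IdentityFromProxy(proxySubject)
	if entry, ok := m[id]; ok {
		return entry, nil
	}
	return Mapping{}, fmt.Errorf("%q not in grid-mapfile: not authorized", id)
}

func main() {
	m, err := ParseGridMap(gridMapfile)
	if err != nil {
		panic(err)
	}
	fmt.Println(Authorize(m, "/O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy"))
	fmt.Println(Authorize(m, "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461/CN=proxy"))
	fmt.Println(Authorize(m, "/C=CH/O=CERN/OU=GRID/CN=Nobody Known/CN=proxy"))
}
```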
Globus command line interface: certificate and proxy management

Get information on a user certificate
    grid-cert-info [-help] [-file certfile] [OPTION]...
        -all                whole certificate
        -subject | -s       subject string
        -issuer | -I        issuer
        -startdate | -sd    start of validity
        -enddate | -ed      end of validity

Create a proxy certificate
    grid-proxy-init

Destroy a proxy certificate
    grid-proxy-destroy

Get information on a proxy certificate
    grid-proxy-info




Secure your services - but how?

    client program   (user certificate)
          |
    Security library
          |
    Security library
          |
    Server           (host certificate)
          |
    Authorisation




Different kinds of services

“Simple” services with standard socket communication
  - Any service written in C/C++, Java, Python, Perl, etc.
      - Use GSI libraries, e.g. provided by Globus Toolkit 2: http://www.globus.org/security/
      - The libraries handle certificate based authentication
  - Often considered 1st generation “Grid services”

Web services
  - Based on SOAP
  - 2nd generation “Grid services”

Web sites




API: GSS-API and GSS Assist

GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, 2744)
  - Traditionally, it interfaces to Kerberos
  - The Globus project interfaced it to GSI
  - Communication is kept separate: it just creates data buffers, does not move them
  - Rather complicated to use…
  - Documentation at http://docs.sun.com/app/docs/doc/816-1331 and http://www.gnu.org/software/gss/manual/html_node/index.html

GSS-API as user interface to GSI:
  - C API
  - Java API (http://www-unix.globus.org/cog/java/)

The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it


Globus extensions

Credential import and export
  - To pass credentials from one process to another or to store them in a file
  - Export to 1) an opaque buffer, or 2) a file in GSI native format
  - gss_import_cred(), gss_export_cred()

Delegation at any time
  - A lot more flexible than standard GSS-API delegation
      - Delegation at times other than context establishment
      - Possible to delegate credentials different from those used for context establishment: even for different mechanisms!
          - Ex.: delegate a Kerberos credential over a context established with GSI
  - gss_init_delegation(), gss_accept_delegation()

Credentials extension handling
  - support for credential information other than just the identity

Set context options at the server side

Documentation
  - http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf
  - ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h




Web Service Security

Transport level security
  - SOAP messages are transmitted encrypted
  - used by some gSOAP GSI plugins
  - Based on SSL/TLS

Message level security
  - WS-Security
      - set of SOAP extensions to implement integrity and confidentiality in Web Services
      - <Security> header contains the security-related information
      - http://www-128.ibm.com/developerworks/library/ws-secure/
  - WS-SecureConversation
      - defines how to establish secure contexts and exchange keys
  - Performance issue
  - Used in Globus Toolkit 4
Performance - Mutual Authentication

Having secure connections creates a performance overhead.

Let’s have a look at the detailed steps (Bob - Alice):
  - Bob uses his proxy to create a request (incl. public key, about 2000 bytes)
  - Alice uses her private key to sign the request and sends the signed cert. back (in addition, the CAs have to match)
      - Alice generates a random message and sends it to Bob, asking Bob to encrypt it.
      - Bob encrypts the message using his private key and sends it back to Alice. Alice decrypts the message using Bob’s public key. If this results in the original random message, then Alice knows that Bob is who he says he is.
  - Now that Alice trusts Bob’s identity, the same operation must happen in reverse.
  - By default, all further message exchange is not encrypted!




Some performance numbers

(chart of measured performance numbers; not reproduced here)

  - Cryptography is CPU intensive
  - WS Secure Conversation: symmetric cryptography only

Source: http://webservices.sys-con.com/read/204424.htm


Securing Web sites (Portals)

An HTML web site is not a web service
  - A Web service provides a programmable interface via SOAP
  - A Web page is purely HTML (potentially generated by tools such as JSP, etc.)

One can still use Grid security for that purpose

Need to load the certificate into the web browser

Server side (Web server) needs to use Grid security technologies
  - Example: http://www.gridsite.org provides modules for the Apache server




GSI Authentication using Globus

Parties involved: the CA, the user, the service and the VO. The next slides add the interactions between them one at a time.




Certificate Request / Obtaining a certificate

    user --(grid-cert-request: cert-request)--> CA

    Done once every year.




Certificate Signing

    user --(cert-request)--> CA
    user <--(cert signing: certificate)-- CA




Preparation for Registration in VO

    user: certificate --(convert)--> cert.pkcs12

    Goal: the user needs to register with a certain VO.


Registration

    user --(registration, with cert.pkcs12)--> VO: Account Registration, Usage guidelines

    Done once for the lifetime of the VO (only the DN is registered, not the keys, so they may change).

Starting a Session with Globus

    user: grid-proxy-init --> proxy-cert

    Done every 12/24 hours.

Usage

You must have a valid certificate from a trusted CA!

“login”: grid-proxy-init
    short lifetime certificate: 24 hours
    Enter PEM pass phrase:
    ...........................+++++
    ....................................+++++

checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy

-> use the Grid services

“logout”: grid-proxy-destroy




Certificate Request for a Host

    service --(grid-cert-request: host-request)--> CA

    Done once every year.



Signing the Certificate

    service <--(cert signing: host-cert)-- CA




Configuration on the Server

    service <--(cert/crl update: ca-certificate, crl)-- CA

    In EDG: automatically updated every night/week.

Service

You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.

Registering a trusted CA
  - /etc/grid-security/certificates: hashed cert, crl and url

Generating a gridmap file: mkgridmap
  - /etc/grid-security/gridmap: DN -> userid/gid mapping
  - See Authorisation

Generating host/service certificate:
    grid-cert-request -host
    (see user certificates for the whole process)




Service: CA Certificates

ls /etc/grid-security/certificates
0ed6468a.0                c35c1972.0                d64ccb53.0
0ed6468a.crl_url          c35c1972.crl_url          d64ccb53.crl_url
0ed6468a.r0               c35c1972.r0               d64ccb53.r0
0ed6468a.signing_policy   c35c1972.signing_policy   d64ccb53.signing_policy
16da7552.0                cf4ba8c8.0                df312a4e.0
16da7552.crl_url          cf4ba8c8.crl_url          df312a4e.crl_url
16da7552.r0               cf4ba8c8.r0               df312a4e.r0
16da7552.signing_policy   cf4ba8c8.signing_policy   df312a4e.signing_policy

In general:
    *.0  … CA certificate
    *.r0 … Certificate Revocation List (CRL)


Service: a certificate

cat c35c1972.signing_policy
# EACL CERN CA
access_id_CA      X509     '/C=CH/O=CERN/CN=CERN CA'
pos_rights        globus   CA:sign
cond_subjects     globus   '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

openssl x509 -in c35c1972.0 -text
    Issuer: C=CH, O=CERN, CN=CERN CA                  <- the issuer and the subject are the same:
    Subject: C=CH, O=CERN, CN=CERN CA                 <- self-signed certificate
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE                                   <- it may be used to sign other certificates
        Netscape Cert Type:
            SSL CA, S/MIME CA, Object Signing CA      <- it is a CA certificate



 Certificate Revocation List (CRL)
  openssl crl -in c35c1972.r0 -text
 Certificate Revocation List (CRL):
       Version 1 (0x0)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: /C=CH/O=CERN/CN=CERN CA             the issuer is the CA itself
       Last Update: Jul 1 17:53:17 2002 GMT
       Next Update: Aug 5 17:53:17 2002 GMT        next update: shall be checked (an expired CRL must not be trusted)
 Revoked Certificates:
    Serial Number: 5A                              the revoked certificate’s serial number
       Revocation Date: May 24 16:45:52 2002 GMT
    Signature Algorithm: md5WithRSAEncryption      Signature – as usual




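The two checks the slide annotates, "Next Update shall be checked" and "is this serial revoked?", as an added example that is not part of the original slides. It parses the text form of a CRL as printed by `openssl crl -text` (the sample below is the slide's output re-typed as a constant); it does not verify the CRL signature, which is left to openssl itself.

```python
import re
from datetime import datetime, timezone

# Sample input: the `openssl crl -text` output shown on the slide, re-typed here
# as a constant so the example runs without a real CRL file.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT
Revoked Certificates:
    Serial Number: 5A
        Revocation Date: May 24 16:45:52 2002 GMT
    Signature Algorithm: md5WithRSAEncryption
"""


def parse_openssl_time(text):
    """Parse an openssl-style timestamp such as 'Jul  1 17:53:17 2002 GMT'."""
    # openssl pads single-digit days with a second space; collapse whitespace.
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Return (issuer DN, last update, next update, set of revoked serials as ints)."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    last = parse_openssl_time(re.search(r"Last Update:\s*(.+)$", text, re.M).group(1))
    nxt = parse_openssl_time(re.search(r"Next Update:\s*(.+)$", text, re.M).group(1))
    # Serial numbers are printed in hex; store them as integers for comparison.
    serials = {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", text)}
    return issuer, last, nxt, serials


def crl_status(text, serial_hex, now_text):
    """'stale' if the CRL is past its Next Update (so it must not be relied on),
    'revoked' if serial_hex is listed, otherwise 'good'. now_text uses the same
    openssl time format so the check is reproducible."""
    _, _, next_update, serials = parse_crl_text(text)
    if parse_openssl_time(now_text) > next_update:
        return "stale"
    if int(serial_hex, 16) in serials:
        return "revoked"
    return "good"
```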
 Grid-mapfile
  cat /etc/grid-security/gridmap
 "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
 "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
 "/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/Email=Franco.Semeria@bo.infn.it" aliprod
 "/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/Email=Marisa.Luvisetto@bo.infn.it" aliprod
 "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
 "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
 "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
 "/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/Email=legre@clermont.in2p3.fr" yannick




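The authorisation chain spread over the signing-policy slide and the grid-mapfile slide, as an added example that is not part of the original slides: the CA named in `access_id_CA` may only sign subjects inside its `cond_subjects` name spaces, and only a DN that passes that check and appears in the grid-mapfile is mapped to a local account. The signing policy below follows the CERN CA policy shown on the slide; the grid-mapfile entries and user DNs are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample inputs. The policy mirrors the slide's CERN CA policy;
# the gridmap DNs and accounts are made-up placeholders.
SAMPLE_SIGNING_POLICY = """\
# EACL CERN CA
access_id_CA      X509         '/C=CH/O=CERN/CN=CERN CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*"
  "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'
"""
SAMPLE_GRIDMAP = """\
"/O=Grid/O=CERN/OU=cern.ch/CN=Alice Example" alice
"/C=CH/O=CERN/OU=cern.ch/CN=Bob Example" bob,prodgroup
"/C=DE/O=Rogue/CN=Mallory Example" mallory
"""


def parse_signing_policy(text):
    """Return (CA DN, list of subject patterns that CA is allowed to sign)."""
    ca_dn = re.search(r"access_id_CA\s+X509\s+'([^']*)'", text).group(1)
    rights = re.search(r"pos_rights\s+globus\s+(\S+)", text).group(1)
    if rights != "CA:sign":
        return ca_dn, []          # no signing right granted at all
    # cond_subjects may span several lines; re.S lets [^']* cross newlines.
    cond = re.search(r"cond_subjects\s+globus\s+'([^']*)'", text, re.S).group(1)
    return ca_dn, re.findall(r'"([^"]*)"', cond)


def parse_gridmap(text):
    """Map DN -> first local account (a gridmap entry may list several, comma-separated)."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"\s+(\S+)', line)
        if m:
            mapping[m.group(1)] = m.group(2).split(",")[0]
    return mapping


def authorize(subject_dn, issuer_dn, policy_text, gridmap_text):
    """Local account for subject_dn, or None if any step of the chain fails:
    (1) the issuer is the CA named in the policy, (2) the subject lies inside a
    name space that CA may sign (glob match, case-sensitive, hence both /C=ch and
    /C=CH on the slide), (3) the DN is present in the grid-mapfile.
    Signature and CRL checks are done separately (see the CRL example)."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if issuer_dn != ca_dn:
        return None
    if not any(fnmatchcase(subject_dn, p) for p in patterns):
        return None
    return parse_gridmap(gridmap_text).get(subject_dn)
```

A DN outside the CA's name spaces is refused even when someone has added it to the grid-mapfile, which is exactly what the signing policy is there to enforce.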
 Abbreviations
    CA – Certificate Authority
    CP – Certificate Policy
    CPS – Certificate Practice Statement
    CRL – Certificate Revocation List
    GSI – Grid Security Infrastructure
    GSS – Generic Security Service
    PKI – Public Key Infrastructure
    SSL – Secure Socket Layer
    TLS – Transport Layer Security
    VO – Virtual Organization
    VOMS – Virtual Organization Membership Service


 Conclusion
    Security is important for Grid middleware:
            In particular in commercial use

    Security solutions need to be integrated from the very
      beginning
                                             “We had a security concept from the very beginning
                                             but decided to deal with security later”

    Grid security relies on PKI
            Requires: authentication & authorisation

    Basic entities:
            Users – CA (Certificate Authorities) – Resource Providers

                   Thanks to Andrea Sciaba’ (CERN) for reusing some of his slides
  The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic
    area "Life sciences, genomics and biotechnology for health", contract number LHSG-CT-2004-512092.
