Grid Security
EMBRACE Grid Tutorial,
Helsinki, 16 June 2006

Heinz Stockinger
Swiss Institute of Bioinformatics
Lausanne, Switzerland
I guess you all know that …

How about that one?

What does this have to do with …

Well, it's all about codes and access to …

In Grid computing:
  Limit access to resources
  Use standard computer security

Grid Security - n° 4
Motivation: Security in the Grid

In industry, several security standards exist:
  Public Key Infrastructure (PKI)
    PKI keys
    SPKI keys (focus on authorisation rather than certificates)
    RSA
  Secure Socket Layer (SSL) / Transport Layer Security (TLS)
  SSH keys (their own key format, not SSL)
  Kerberos

Need for a common security standard for Grid services
  The standards above do not meet all Grid requirements (e.g. delegation, single sign-on etc.)

The Grid community mainly uses X.509 PKI, the PKI of the Internet
  Well established and widely used (also for www, e-mail, etc.)
Security Overview

  Public Key Infrastructure
  Grid Certificates (X.509)
  Grid Security Infrastructure (GSI)
  Securing Services
  GSI in Practice
Distribution of resources: secure access is a basic requirement
  secure communication, secure data, resources etc.
  security across organisational boundaries
  single sign-on for users of the Grid

Three basic concepts:
  Secure communication: data encryption
  Authentication: who am I?
    "equivalent" to a passport, ID card etc.
  Authorisation: what can I do?
    certain permissions, duties etc.
Data Encryption

Symmetric encryption: the same key ("secret") is used for encryption and decryption
  Kerberos (a protocol built on it), DES / 3DES, IDEA
  Clear text message -> Encryption (shared key) -> Encrypted text -> Decryption (shared key) -> Clear text message

Asymmetric encryption: different keys are used for encryption and decryption
  RSA (encryption and signatures), DSA (signatures only)
  Clear text message -> Encryption (Key A) -> Encrypted text -> Decryption (Key B) -> Clear text message

Do we want authorised users or anonymous access to our service?

How can I prove who I am?
  In private life: people have passports, identity cards
    issued by a certain authority
  In office life: we use ids and passwords to access computers
Certificate = "Grid Passport"

A passport has several important items:
  Name
  Issuer (Certificate Authority)
  Validity

Public Key Infrastructure: use a public and a private key
Public Key Infrastructure (PKI)

Asymmetric encryption
  Clear text message -> (Private Key) -> Encrypted text -> (Public Key) -> Clear text message

Digital signatures
  A hash derived from the message and encrypted with the signer's private key
  The signature is checked by decrypting it with the signer's public key

Allows key exchange in an insecure medium using a trust model
  Keys are trusted only if signed by a trusted third party (Certification Authority)
  A CA certifies that a key belongs to a given principal

Certificate
  Public key + information about the principal + CA signature
  X.509 format most used

PKI used by SSL, PGP, GSI, WS security, S/MIME, etc.
PKI – Example

Entity A (Alice): public key e, private key d
Entity B (Bob): public key, private key

Bob, wishing to send a message m to A, applies the encryption transformation Ee with Alice's public key e:
  ciphertext c = Ee(m)

Alice applies the decryption transformation Dd with her private key d:
  m = Dd(c)
X.509 certificates and authentication

Structure of an X.509 certificate
  Public key
  Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
  Expiration date: Aug 26 08:08:14 2005 GMT
  Serial number: 625 (0x271)
  CA digital signature

A authenticates to B
  A -> B: A's certificate
  B: verify the CA signature on the certificate
  B -> A: random phrase
  A: encrypt the phrase with A's private key (i.e. sign it)
  A -> B: encrypted phrase
  B: decrypt with A's public key (taken from the certificate), compare with the original phrase

Performance!
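The exchange above and the PKI example (c = Ee(m), m = Dd(c)) with the hash-then-sign step from the PKI slide, carried out end to end in textbook RSA. This is an added example, not code from the slides or from Globus: it assumes fixed Mersenne primes instead of a prime search, unpadded RSA, and dict "certificates" in place of ASN.1, so it exists only to make the protocol steps visible.

```python
"""Textbook RSA walk-through of the steps above: c = Ee(m) / m = Dd(c),
hash-then-sign, a CA-signed certificate and the random-phrase challenge.
Added example, not code from the slides or from Globus.  Unpadded RSA with
fixed primes and dict "certificates" instead of ASN.1: for reading, never
for real data."""
import hashlib
import json
import os

# Assumption: Mersenne primes 2^k - 1 (prime for every k listed) replace the
# prime search of a real key generator, so the example is deterministic.
MERSENNE = {k: (1 << k) - 1 for k in (17, 31, 61, 89, 107, 127)}


def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)): one entity's public key e and private key d."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # e * d = 1 (mod phi), Python >= 3.8
    return (n, e), (n, d)


def E(pub, m):
    """Encryption transformation Ee: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, e, n)


def D(priv, c):
    """Decryption transformation Dd: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def encode(tbs):
    """Deterministic byte form of the to-be-signed data (stands in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()


def digest(data, n):
    """Hash the message and reduce the hash into Z_n (textbook: no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Signature = hash of the message 'encrypted' with the private key."""
    return D(priv, digest(data, priv[0]))


def verify(pub, data, sig):
    """Undo the transformation with the signer's public key and compare."""
    try:
        return E(pub, sig) == digest(data, pub[0])
    except ValueError:                     # signature out of range for this key
        return False


def issue_cert(ca_priv, ca_name, subject, subject_pub, serial):
    """The CA vouches for the binding subject <-> public key."""
    tbs = {"subject": subject, "issuer": ca_name,
           "pubkey": list(subject_pub), "serial": serial}
    return {"tbs": tbs, "signature": sign(ca_priv, encode(tbs))}


def check_cert(ca_pub, cert):
    return verify(ca_pub, encode(cert["tbs"]), cert["signature"])


def authenticate(ca_pub, a_cert, a_priv):
    """B authenticates A as on the slide.  a_priv is A's key: A sees only the
    random phrase and hands back its transformed value."""
    if not check_cert(ca_pub, a_cert):              # B: verify CA signature
        return False
    phrase = int.from_bytes(os.urandom(16), "big")  # B: random phrase -> A
    answer = D(a_priv, phrase)                      # A: 'encrypt' with private key
    a_pub = tuple(a_cert["tbs"]["pubkey"])          # B: A's public key, from the cert
    try:
        return E(a_pub, answer) == phrase           # B: 'decrypt' and compare
    except ValueError:                              # answer not from A's key
        return False


def demo():
    ca_pub, ca_priv = keygen(MERSENNE[89], MERSENNE[61])
    alice_pub, alice_priv = keygen(MERSENNE[107], MERSENNE[31])
    rogue_pub, rogue_priv = keygen(MERSENNE[127], MERSENNE[17])  # untrusted CA
    dn = "/C=CH/O=CERN/OU=GRID/CN=John Smith 8968"
    alice_cert = issue_cert(ca_priv, "/C=CH/O=CERN/CN=CERN CA", dn, alice_pub, 625)
    rogue_cert = issue_cert(rogue_priv, "/C=XX/O=Rogue CA", dn, alice_pub, 1)
    m = int.from_bytes(b"hello Alice", "big")       # Bob's message m, m < n
    return {
        "roundtrip": D(alice_priv, E(alice_pub, m)) == m,
        "trusted_cert": authenticate(ca_pub, alice_cert, alice_priv),
        "untrusted_ca": authenticate(ca_pub, rogue_cert, alice_priv),
        "cert_without_key": authenticate(ca_pub, alice_cert, rogue_priv),
    }


if __name__ == "__main__":
    print(demo())
```

The two failing cases are the ones the slide's design is meant to stop: a certificate from a CA that B does not trust is rejected before any phrase is sent, and a copied certificate without the matching private key cannot produce an answer that B's "decrypt" turns back into the phrase. In real GSI the "encrypt with the private key" step is the TLS handshake signature; the performance remark on the slide comes from that private-key operation at full modulus size (1024 bits in these slides) plus the CA signature verification, on both sides for mutual authentication.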
X.509 alias ISO/IEC 9594-8

X.509 is an ITU standard:
  ITU-T Recommendation X.509 (1997 E). Information technology - Open Systems Interconnection - The Directory: Authentication framework
  Defines a certificate format (originally specified for authentication in the X.500 Directory)
    Latest standard: X.509 version 3 certificate format

An X.509 certificate includes:
  User identification (someone's subject name)
  Public key
  A "signature" from a Certificate Authority (CA) that:
    proves that the certificate came from the CA
    vouches for the subject name
    vouches for the binding of the public key to the subject
Involved entities

  Certificate Authority (CA)
  User: public key, private key, certificate
  Resource provider (site offering services)
Certification Authorities

Issue certificates for users, programs and machines

Check the identity and the personal data of the requestor
  Registration Authorities (RAs) do the actual validation

Manage Certificate Revocation Lists (CRLs)
  They contain all revoked certificates that have not yet expired

CA certificates are self-signed

In Grid projects, certain CAs are mutually recognised
Certificate classification

User certificate
  issued to a physical person
  DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  the only kind of certificate good for a client, i.e. to send Grid jobs etc.

Host certificate
  issued to a machine (e.g. a secure web server, etc.)
  request signed with a user certificate
  DN = C=CH, O=CERN, OU=GRID,

Grid host certificate
  issued to a Grid service (e.g. a Resource Broker, a Computing Element, etc.)
  request signed with a user certificate
  DN = C=CH, O=CERN, OU=GRID, CN=host/

Service certificate
  issued to a program running on a machine
  request signed with a user certificate
  DN = C=CH, O=CERN, OU=GRID, CN=ldap/
Grid Certificate

A certificate needs to be requested from a Certificate Authority

When using the Grid Security Infrastructure (GSI), the certificate consists of two parts (files):
  usercert.pem  (the certificate, public)
  userkey.pem   (the private key, protected by a pass phrase)
X.509 Certificate Example (1)

openssl x509 -in ~/.globus/usercert.pem -text

  Version: 3 (0x2)                                  X.509 v3, with extensions
  Serial Number: 199 (0xc7)
  Signature Algorithm: md5WithRSAEncryption         (MD5 is obsolete for signatures; CAs have since moved to SHA-2)
  Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA         issuing CA
    Not Before: Sep 25 10:33:05 2005 GMT            long-term certificate (one year)
    Not After : Sep 24 10:33:05 2006 GMT
  Subject: O=Grid, O=CERN,, CN=Joe User             user identification
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption             public key
    RSA Public Key: (1024 bit)
      Modulus (1024 bit): 00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:
      […]
X.509 Certificate Example (2)

  X509v3 extensions:                                certificate extensions
    X509v3 Basic Constraints: critical
    X509v3 Subject Key Identifier:
    X509v3 CRL Distribution Points:                 where to fetch the Certificate Revocation List
    X509v3 Issuer Alternative Name:
    X509v3 Certificate Policies:
    Netscape Cert Type:
      SSL Client, S/MIME, Object Signing            client/user certificate
    Netscape Base Url:
  Signature Algorithm: md5WithRSAEncryption
    54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13: [...]   CA signature over the information above
Private Key Example

openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]
prime1: [...]                                       private parameters
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----                     PEM encoded private key
-----END RSA PRIVATE KEY-----

The key file must be readable by its owner only (mode 0400 or 0600): the GSI tools check that userkey.pem is not group- or world-readable, and if the file leaks the pass phrase is all that protects the key.
Globus Grid Security Infrastructure (GSI)

de facto standard for Grid middleware

Based on PKI

Implements some important features
  Single sign-on: no need to give one's pass phrase every time
  Delegation: a service can act on behalf of a person
  Mutual authentication: both sides must authenticate to the other

Introduces proxy certificates
  Short-lived certificates with their own private key, signed with the user's private key (the user's certificate is their issuer)
GSI General Overview

  Proxies and delegation (GSI extensions) for secure single sign-on
  PKI (CAs and certificates) for credentials
  SSL/TLS for authentication and message protection

Based on a slide from the Globus Tutorial
Virtual Organizations and authorization

Grid users must belong to a Virtual Organization
  Sets of users belonging to a collaboration
  Each user of a VO has the same access privileges to Grid resources

VOs maintain a list of their members
  The list is downloaded by Grid machines to map user certificate subjects to local "pool" accounts: only mapped users are authorized in LCG

  grid-mapfile:
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice

Sites decide which VOs to accept
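How a site turns the subject of a user certificate into a local account with the grid-mapfile described above, including the LCG-style pool accounts (".dteam"), as an added example that is not code from the slides or from LCG. GRIDMAP is a constructed file that reuses the DNs on the slide; the pool sizes in POOLS and the in-memory lease table (standing in for the gridmapdir a real site keeps) are assumptions.

```python
"""Added example, not from the slides: how a site turns the subject of a user
certificate into a local account with the grid-mapfile described above,
including the LCG-style pool accounts (".dteam").  GRIDMAP is a constructed
file reusing the DNs from the slide; POOLS and the in-memory lease table
(standing in for /etc/grid-security/gridmapdir) are assumptions."""
import re

GRIDMAP = """
# constructed /etc/grid-security/grid-mapfile
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
"/C=CH/O=CERN/OU=GRID/CN=Joe User" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Third Dteam Member" .dteam
"/O=Grid/O=CERN/CN=Jones" jones,dteam
"""

# assumption: how many pool accounts the site created per VO
POOLS = {"dteam": ["dteam001", "dteam002"], "cms": ["cms001"], "alice": ["alice001"]}

ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')   # "<DN>" account[,account...]


def parse_gridmap(text):
    """{DN: [accounts]}; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        entries[match.group(1)] = match.group(2).split(",")
    return entries


class GridMapper:
    def __init__(self, text, pools):
        self.entries = parse_gridmap(text)
        self.pools = pools
        self.leases = {}        # DN -> pool account already handed out

    def map_dn(self, dn):
        """Local account for a certificate subject, or None = not authorised.
        dn is the user's own DN: the GSI layer has already stripped the
        /CN=proxy components of the proxy that was presented."""
        accounts = self.entries.get(dn)
        if accounts is None:
            return None         # DN not on any accepted VO's member list
        first = accounts[0]     # first entry is the default account
        if not first.startswith("."):
            return first        # static mapping, e.g. "jones"
        if dn in self.leases:
            return self.leases[dn]   # same user keeps the same pool account
        taken = set(self.leases.values())
        for account in self.pools.get(first[1:], []):
            if account not in taken:
                self.leases[dn] = account
                return account
        return None             # pool exhausted: fail closed, never share accounts


if __name__ == "__main__":
    mapper = GridMapper(GRIDMAP, POOLS)
    for dn in ("/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461",
               "/C=CH/O=CERN/OU=GRID/CN=Joe User",
               "/C=CH/O=CERN/OU=GRID/CN=Third Dteam Member",
               "/O=Grid/O=CERN/CN=Jones",
               "/C=CH/O=CERN/OU=GRID/CN=Mallory"):
        print(dn, "->", mapper.map_dn(dn))
```

Two behaviours matter for a site: a DN that is not in the file gets no account at all (that is the whole of the authorisation decision in this model), and an exhausted pool must refuse the mapping rather than reuse an account that still belongs to another DN, because the lease is what later lets the site trace a job on dteam002 back to a certificate subject.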
Globus command line interface: certificate and proxy management

Get information on a user certificate
  grid-cert-info [-help] [-file certfile] [OPTION]...
    -all              whole certificate
    -subject | -s     subject string
    -issuer | -i      issuer
    -startdate | -sd  start of validity
    -enddate | -ed    end of validity

Create a proxy certificate
  grid-proxy-init

Destroy a proxy certificate
  grid-proxy-destroy

Get information on a proxy certificate
  grid-proxy-info
Secure your services - but how?

  client program  (user certificate)
       |
  security library
       |            mutual authentication over the network
  security library
       |
  server  (host certificate)
       |
  authorisation
Different kinds of services

"Simple" services with standard socket communication
  Any service written in C/C++, Java, Python, Perl, etc.
    Use GSI libraries, e.g. those provided by Globus Toolkit 2
    The libraries handle certificate based authentication
  Often considered 1st generation "Grid services"

Web services
  Based on SOAP
  2nd generation "Grid services"

Web sites
API: GSS-API and GSS Assist

GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, RFC 2744)
  Traditionally, it interfaces to Kerberos
  The Globus project interfaced it to GSI
  Communication is kept separate: it just creates data buffers, it does not move them
  Rather complicated to use…
  Documentation at …

GSS-API as user interface to GSI:
  C API
  Java API (…

The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it
Globus extensions

Credential import and export
  To pass credentials from one process to another or to store them in a file
  Export to 1) an opaque buffer, or 2) a file in GSI native format
  gss_import_cred(), gss_export_cred()

Delegation at any time
  A lot more flexible than standard GSS-API delegation
    Delegation at times other than context establishment
    Possible to delegate credentials different from those used for context establishment: even for different mechanisms!
      Ex.: delegate a Kerberos credential over a context established with GSI
  gss_init_delegation(), gss_accept_delegation()

Credential extension handling
  support for credential information other than just the identity

Set context options at the server side

Documentation
  ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h
Web Service Security

Transport level security
  SOAP messages are transmitted over an encrypted channel
  used by some gSOAP GSI plugins
  Based on SSL/TLS

Message level security
  WS-Security
    set of SOAP extensions to implement integrity and confidentiality in Web Services
    the <Security> header contains the security-related information
  WS-SecureConversation
    defines how to establish secure contexts and exchange keys
  Performance issue
  Used in Globus Toolkit 4
Performance - Mutual Authentication

Having secure connections creates a performance overhead

Let's have a look at the detailed steps (Bob - Alice)
  Bob uses his proxy to create a request (incl. public key, about 2000 …
  Alice uses her private key to sign the request and sends the signed certificate back (in addition, the CAs have to match)
    Alice generates a random message and sends it to Bob, asking Bob to encrypt it.
    Bob encrypts the message using his private key and sends it back to Alice. Alice decrypts the message using Bob's public key. If this results in the original random message, then Alice knows that Bob is who he says he is.
  Now that Alice trusts Bob's identity, the same operation must happen in reverse.
  By default, all further message exchange is not encrypted!
Some performance numbers

[chart not reproduced]

Cryptography is CPU intensive
WS-SecureConversation: symmetric cryptography only for the message exchange

Source: …
Securing Web sites (Portals)

An HTML web site is not a web service
  A web service provides a programmable interface via SOAP
  A web page is purely HTML (potentially generated by tools such as JSP, etc.)

One can still use Grid security for that purpose

Need to load the certificate into the web browser (PKCS#12 format)

Server side (web server) needs to use Grid security
  Example: modules for the Apache server
GSI Authentication using Globus
  [diagram: user – service – VO]

Certificate Request / Obtaining a certificate
  [diagram: user – service – VO; the user requests a certificate from the CA, once every year]

Certificate Signing
  [diagram: user – cert signing – service – VO]

Preparation for Registration in VO
  [diagram: user – cert signing – service]
  Goal: user needs to register with a certain VO

  [diagram: the user converts the certificate to cert.pkcs12 for the browser and does the account registration with the VO, accepting its usage guidelines]
  Once for the lifetime of the VO (only the DN is registered, not the keys, so they may change)

Starting a Session with Globus
  [diagram: user – cert signing – service; a proxy is created every 12/24 hours]
You must have a valid certificate from a trusted CA!

"login": grid-proxy-init
  creates a short-lived proxy certificate: 24 hours here (grid-proxy-init's own default is 12 hours)
  Enter PEM pass phrase:

checking the proxy: grid-proxy-info -subject
  /O=Grid/O=CERN/ User/CN=proxy

-> use the Grid services

"logout": grid-proxy-destroy
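The proxy created by grid-proxy-init above is a certificate in its own right, so a service must check more than the signatures: the proxy's name must derive from its issuer, the chain must lead back to a real user certificate, every element must be valid now, and a "limited" proxy stays limited once delegated further. This added example (not code from the slides or from Globus) applies those rules to a constructed chain and returns the identity and time left that grid-proxy-info reports; the certificates are dicts with only the fields the rules need, and the 24 hour cap is an assumed site policy.

```python
"""Added example, not from the slides: the rules a GSI service applies to the
proxy chain that grid-proxy-init creates, on top of the ordinary signature
and CA checks, and the identity / time-left values grid-proxy-info reports.
Certificates are dicts with only the fields the rules need; the chain is
constructed, and the 24 hour cap is an assumed site policy (grid-proxy-init
itself defaults to 12 hours)."""
from datetime import datetime, timedelta

MAX_PROXY_LIFETIME = timedelta(hours=24)   # assumption: site policy


def split_dn(dn):
    """'/O=Grid/O=CERN/CN=Joe User/CN=proxy' -> ('/O=Grid/O=CERN/CN=Joe User', 'CN=proxy')"""
    parent, _, rdn = dn.rpartition("/")
    return parent, rdn


def proxy_kind(rdn):
    """Legacy GSI proxies end in CN=proxy or CN=limited proxy; RFC 3820
    proxies use a numeric CN.  None means: not a proxy name at all."""
    if rdn == "CN=proxy" or (rdn.startswith("CN=") and rdn[3:].isdigit()):
        return "full"
    if rdn == "CN=limited proxy":
        return "limited"
    return None


def validate_chain(chain, now):
    """chain = [user certificate, proxy, delegated proxy, ...]; each element is
    a dict with subject, issuer, not_before, not_after.  Returns what the
    service acts on, or raises ValueError with the reason for rejection."""
    user = chain[0]
    if proxy_kind(split_dn(user["subject"])[1]) is not None:
        raise ValueError("end-entity certificate carries a proxy name")
    limited, prev = False, user
    for cert in chain:
        if not cert["not_before"] <= now < cert["not_after"]:
            raise ValueError("%s is expired or not yet valid" % cert["subject"])
        if cert is user:
            continue
        parent, rdn = split_dn(cert["subject"])
        kind = proxy_kind(rdn)
        # a proxy is issued by, and named after, the certificate before it
        if kind is None or parent != prev["subject"] or cert["issuer"] != prev["subject"]:
            raise ValueError("%s is not a proxy of %s" % (cert["subject"], prev["subject"]))
        if cert["not_after"] - cert["not_before"] > MAX_PROXY_LIFETIME:
            raise ValueError("proxy lifetime exceeds site policy")
        limited = limited or kind == "limited"    # limitation is inherited
        prev = cert
    return {"identity": user["subject"],          # the DN looked up in the gridmap
            "limited": limited,                   # limited proxies may not submit jobs
            "timeleft": prev["not_after"] - now}  # as grid-proxy-info -timeleft


def outcome(chain, now):
    try:
        return validate_chain(chain, now)
    except ValueError as err:
        return "rejected: %s" % err


def make(subject, issuer, start, hours):
    return {"subject": subject, "issuer": issuer,
            "not_before": start, "not_after": start + timedelta(hours=hours)}


def demo():
    t0 = datetime(2006, 6, 16, 9, 0)                # constructed session start
    user = make("/O=Grid/O=CERN/CN=Joe User", "/C=CH/O=CERN/CN=CERN CA",
                datetime(2005, 9, 25, 10, 33, 5), 24 * 364)
    proxy = make(user["subject"] + "/CN=proxy", user["subject"], t0, 12)       # grid-proxy-init
    delegated = make(proxy["subject"] + "/CN=proxy", proxy["subject"], t0, 12)  # handed to a service
    limited = make(user["subject"] + "/CN=limited proxy", user["subject"], t0, 12)
    forged = make("/O=Grid/O=CERN/CN=Jones/CN=proxy", user["subject"], t0, 12)
    now = t0 + timedelta(hours=2)
    return {
        "session": outcome([user, proxy], now),
        "delegated": outcome([user, proxy, delegated], now),
        "limited": outcome([user, limited], now),
        "forged_name": outcome([user, forged], now),
        "expired": outcome([user, proxy], t0 + timedelta(hours=13)),
        "too_long": outcome([user, make(proxy["subject"], user["subject"], t0, 48)], now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The "forged_name" case is the one the naming rule exists for: a proxy whose subject is not its issuer's subject plus one CN component would let a user's key sign a proxy that names somebody else, and the identity handed to the gridmap would be wrong.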
Certificate Request for a Host
  [diagram: the user runs grid-cert-request -> cert-request; the service host runs grid-cert-request -> host-request; both go to the CA for signing, once every year]

Signing the Certificate
  [diagram: the CA signs cert-request -> certificate (user) and host-request -> host-cert (service); the user can then run grid-proxy-init]

Configuration on the Server
  [diagram: the service installs host-cert together with the CA certificate and its CRL (cert/crl update); the user converts the certificate for the browser and registers with the VO]
  In EDG: CA certificates and CRLs updated every night/week
You must have the trusted CA certificates in files and the VO LDAP server(s) URL configured.

Registering a trusted CA
  /etc/grid-security/certificates: hashed CA certificate, CRL and CRL URL

Generating a gridmap file: mkgridmap
  /etc/grid-security/gridmap: DN -> userid/gid mapping
  See Authorisation

Generating a host/service certificate:
  grid-cert-request -host
  (see user certificates for the whole process)
Service: CA Certificates

ls /etc/grid-security/certificates
0ed6468a.0                c35c1972.0                d64ccb53.0
0ed6468a.crl_url          c35c1972.crl_url          d64ccb53.crl_url
0ed6468a.r0               c35c1972.r0               d64ccb53.r0
0ed6468a.signing_policy   c35c1972.signing_policy   d64ccb53.signing_policy
16da7552.0                cf4ba8c8.0                df312a4e.0
16da7552.crl_url          cf4ba8c8.crl_url          df312a4e.crl_url
16da7552.r0               cf4ba8c8.r0               df312a4e.r0
16da7552.signing_policy   cf4ba8c8.signing_policy   df312a4e.signing_policy

In general (the file name is the OpenSSL hash of the CA's subject name):
  *.0 … CA certificate
  *.r0 … Certificate Revocation List (CRL)
  *.crl_url … where to download the CRL
  *.signing_policy … which subject names this CA is allowed to sign

Note that OpenSSL changed the subject hash algorithm in version 1.0.0 (the old value is available as -subject_hash_old), so a directory populated for one version needs the other hash as well, or the CA file is simply not found and authentication fails.
Service: a CA certificate

cat c35c1972.signing_policy
  access_id_CA     X509     '/C=CH/O=CERN/CN=CERN CA'
  pos_rights       globus   CA:sign
  cond_subjects    globus   '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

  (a certificate issued by this CA is accepted only if its subject matches one of these patterns; matching is case sensitive, hence the two spellings C=ch and C=CH)

openssl x509 -in c35c1972.0 -text
  Issuer: C=CH, O=CERN, CN=CERN CA                  [...] the issuer and the subject are the same:
  Subject: C=CH, O=CERN, CN=CERN CA                 [...] self-signed certificate
  X509v3 extensions:
    X509v3 Basic Constraints: critical
      CA:TRUE                                       [...] it may be used to sign other certificates
    Netscape Cert Type:
      SSL CA, S/MIME CA, Object Signing CA          it is a CA certificate
Certificate Revocation List (CRL)

openssl crl -in c35c1972.r0 -text
Certificate Revocation List (CRL):
  Version 1 (0x0)
  Signature Algorithm: md5WithRSAEncryption
  Issuer: /C=CH/O=CERN/CN=CERN CA                   the issuer is the CA itself
  Last Update: Jul 1 17:53:17 2002 GMT
  Next Update: Aug 5 17:53:17 2002 GMT              next update: must be checked; a CRL past this date is stale and must be fetched again
Revoked Certificates:
  Serial Number: 5A                                 the revoked certificate's serial number
  Revocation Date: May 24 16:45:52 2002 GMT
  Signature Algorithm: md5WithRSAEncryption         signature, as usual
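The signing_policy on the previous slide and the CRL above are the two site-side inputs to accepting a certificate, and the following added example (not code from the slides or from Globus) runs those checks in the order a service does: is the issuer a trusted CA at all, did it stay inside its signing_policy namespace, is the CRL fresh, is the serial revoked. SIGNING_POLICY and CRL_TEXT are constructed samples carrying the values shown on the slides; the CA signature on the CRL and the hashed file names are outside this example.

```python
"""Added example, not from the slides: the policy and revocation checks a
service makes with the files in /etc/grid-security/certificates before a
certificate from the CERN CA is accepted.  SIGNING_POLICY and CRL_TEXT are
constructed samples carrying the values shown above; the CA signature on
the CRL and the hashed file names are not handled here."""
import re
import shlex
from datetime import datetime

SIGNING_POLICY = """
access_id_CA   X509    '/C=CH/O=CERN/CN=CERN CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'
"""

CRL_TEXT = """
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT
Revoked Certificates:
    Serial Number: 5A
        Revocation Date: May 24 16:45:52 2002 GMT
"""


def parse_signing_policy(text):
    """access_id_CA / pos_rights / cond_subjects, each 'key authority value'."""
    fields = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 3:
            fields[parts[0]] = parts[2]
    return {"ca": fields["access_id_CA"],
            "rights": fields["pos_rights"],
            "subjects": shlex.split(fields["cond_subjects"])}


def glob_match(pattern, subject):
    """Globus-style namespace glob: '*' matches anything, case sensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, subject) is not None


def ca_may_sign(policy, issuer, subject):
    return (issuer == policy["ca"] and policy["rights"] == "CA:sign"
            and any(glob_match(p, subject) for p in policy["subjects"]))


def parse_crl(text):
    """Pick issuer, update times and revoked serials out of `openssl crl -text`."""
    crl = {"revoked": set()}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Issuer":
            crl["issuer"] = value
        elif key in ("Last Update", "Next Update"):
            crl[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        elif key == "Serial Number":
            crl["revoked"].add(int(value, 16))     # openssl prints serials in hex
    return crl


def admit(cert, trust_dir, now):
    """cert = {issuer, subject, serial}; trust_dir = {CA DN: (policy, crl)}.
    Returns 'accepted' or the reason for rejection.  Every check fails closed."""
    if cert["issuer"] not in trust_dir:
        return "unknown-ca"          # no <hash>.0 for this issuer
    policy, crl = trust_dir[cert["issuer"]]
    if not ca_may_sign(policy, cert["issuer"], cert["subject"]):
        return "outside-namespace"   # the CA signed a name it is not trusted for
    if crl["issuer"] != cert["issuer"]:
        return "wrong-crl"
    if not crl["Last Update"] <= now < crl["Next Update"]:
        return "crl-stale"           # Next Update has passed: fetch it again from crl_url
    if cert["serial"] in crl["revoked"]:
        return "revoked"
    return "accepted"


def demo():
    ca = "/C=CH/O=CERN/CN=CERN CA"
    trust_dir = {ca: (parse_signing_policy(SIGNING_POLICY), parse_crl(CRL_TEXT))}
    now = datetime(2002, 7, 15, 12, 0, 0)
    smith = {"issuer": ca, "serial": 0x271,
             "subject": "/C=CH/O=CERN/OU=GRID/CN=John Smith 8968"}
    infn = dict(smith, subject="/C=IT/O=INFN/L=Bologna/CN=Franco Semeria")
    return {
        "valid": admit(smith, trust_dir, now),
        "revoked": admit(dict(smith, serial=0x5A), trust_dir, now),
        "foreign_subject": admit(infn, trust_dir, now),
        "unknown_issuer": admit(dict(smith, issuer="/C=IT/O=INFN/CN=INFN CA"), trust_dir, now),
        "crl_expired": admit(smith, trust_dir, datetime(2002, 9, 1)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The namespace check is what makes mutual recognition of many CAs safe: without it, any one trusted CA could issue a certificate for a subject in another CA's namespace. The stale-CRL case is the one most often got wrong in practice, since treating an out-of-date CRL as "no revocations" silently reopens access for every certificate revoked since Next Update.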
cat /etc/grid-security/gridmap
"/O=Grid/O=Globus/ Odor" odor
"/O=Grid/O=CERN/ Paolo Martucci" pietro
"/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/" aliprod
"/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/" aliprod
"/O=Grid/O=CERN/ Jones" jones
"/O=Grid/O=CERN/ Tierney" btierney
"/O=Grid/O=CERN/ Azemoon" azemoon
"/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/" yannick
CA – Certificate Authority
CP – Certificate Policy
CPS – Certificate Practice Statement
CRL – Certificate Revocation List
GSI – Grid Security Infrastructure
GSS – Generic Security Service
PKI – Public Key Infrastructure
SSL – Secure Socket Layer
TLS – Transport Layer Security
VO – Virtual Organization
VOMS – Virtual Organization Membership Service
Security is important for Grid middleware:
  In particular in commercial use

Security solutions need to be integrated from the very beginning
  "We had a security concept from the very beginning but decided to deal with security later"

Grid security relies on PKI
  Requires: authentication & authorisation

Basic entities:
  Users – CAs (Certificate Authorities) – Resource Providers

Thanks to Andrea Sciaba' (CERN), some of whose slides are reused here.
The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic area "Life sciences, genomics and biotechnology for health", contract number LHSG-CT-2004-512092.

