An Authorization System for Grid Applications

Thesis Presentation    5th Dec 2006

Author:        Wang Xiao
Supervisor:    Professor Heikki Hämmäinen
Instructor:    MSc. Mikko Pitkänen

Place: 3 months at CERN, Geneva; the remaining time at HIP, Espoo

   Background
   Objectives and Methodology
   Grid Introduction
   Grid Security
   VOMS
   Conclusion
   Future Study
Background

   CERN, the European Laboratory for Particle Physics
       Founded in 1954; its research covers a wide range of fields
       The World Wide Web was developed at CERN
       Large Hadron Collider (LHC) project: a powerful particle accelerator
        that brings protons and ions into head-on collisions. The LHC needs
        a great deal of computing power: it can produce 40 million
        collisions per second, yielding about 10 petabytes of data per year.
       The computing power required is equivalent to 100,000 of today's
        fastest PC processors.
       LHC Computing Grid (LCG) project at CERN
   HIP, the Helsinki Institute of Physics
   EGEE project
       The largest European Grid project, coordinated at CERN
Objective and Methodology

   Objective
       The objective is to study Grid security systems, especially
        focusing on the Grid authorization system VOMS, the Virtual
        Organization Membership Service

   Methodology
       Literature survey of alternative solutions and architectures
       Study of the current design architecture
       Study of the current implementation by reading its source code
Grid Introduction
   Grid has emerged as a new field of distributed computing, which
    focuses on secure resource sharing among a dynamic number of people and
   Grid can be a resource sharing infrastructure, a computing
    infrastructure or the next generation Internet.
Grid Security
   Grid Security is a critical aspect of Grid service.

   Security: Authentication and Authorization
      Authentication: establishes who the user is
      Authorization: determines what an authenticated user is allowed to do

   Grid Security Techniques
     Grid Security Infrastructure (GSI)
     EDG Java Security
Security Basics (1)
   Cryptography and Public Key Infrastructure (PKI)
       Symmetric-key encryption
       Asymmetric-key encryption
Security Basics (2): Certificates

   X.509v3 Certificate, analogous to a driving licence
       The most commonly used PKI standard.
       Issued by a Certificate Authority (CA)
       The certificate binds the holder's name to its public key
        information and is signed by the CA.
       Attribute Certificate, analogous to a visa: binds a set of attributes
        of the user or other authorization information for the
Grid Security Infrastructure (GSI)

   Provides the fundamental services for Grid security.

   Authentication: makes use of X.509 certificates
       User certificate
       Server (host) certificate
       Mutual authentication: the client and the server each present their
        certificate to the other, and each verifies the other's certificate
        chain against the CAs it trusts.
An Example of User Certificate
   A test certificate issued by the HIP "112 Test CA", as printed by
    openssl x509 -text.
   Note that it is a version 1 certificate (so it carries no v3 extensions),
    with a 512-bit RSA key and an md5WithRSAEncryption signature; 512-bit
    moduli have been factored and MD5 collisions are practical, so such a
    certificate is fit only for a short-lived test setup, never for production.
   Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 150 (0x96)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
         Validity
            Not Before: Jul 16 08:51:21 2004 GMT
            Not After: Jul 23 08:51:21 2004 GMT
         Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
         Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                  00:c1:da:2e:5c:01:00:67:86:7c:b6:d0:69:43:f9:
                  0c:06:7b:83:85:35:19:6c:ea:ad:0c:ff:c5:4e:f3:
                  09:83:e4:39:08:63:df:4c:ab:43:4b:50:35:26:a4:
                  1b:42:f8:db:97:0c:4e:f1:55:93:10:d4:28:d7:eb:
                  86:58:3f:7c:6b
                Exponent: 65537 (0x10001)
     Signature Algorithm: md5WithRSAEncryption
         59:86:1c:fc:ab:38:3c:bb:6c:06:02:e9:50:7a:00:35:c7:0f:
         25:3b:f8:b1:f9:fa:5b:4a:95:99:03:a5:56:19:c0:5e:b7:a0:
         fb:5f:df:e7:26:50:d2:b1:b1:c5:1a:c4:d9:be:05:68:71:24:
         0e:42:12:59:b6:c4:90:a0:ef:8d:8e:bc:46:31:8c:c1:f7:65:
         1b:d7:dc:cb:51:07:3d:bb:a2:39:5b:5f:82:7c:06:64:82:e1:
         14:2d:d9:75:bd:bf:ee:2d:38:3a:ac:11:fb:91:12:79:f5:d4:
         a8:dd:0a:15:7f:e2:04:45:9b:5f:c4:dc:dd:ef:2c:a9:ae:6b:
         23:8c
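The checks a relying party would run on a certificate like the one above, as an added example that is not part of the original presentation. It parses the human-readable dump that openssl x509 -text produces (the form shown above) and flags the validity window, version, key length and signature algorithm. Only the text dump is parsed: verifying the CA signature needs the DER certificate and the CA's public key, which the slide does not include. The trimmed dump, the thresholds and the function names are this example's own.

```python
"""Added example: sanity checks on an `openssl x509 -text` dump."""
import re
from datetime import datetime, timezone
from typing import Dict, List

# The slide's test certificate, trimmed to the fields checked here.
SLIDE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 150 (0x96)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
        Validity
            Not Before: Jul 16 08:51:21 2004 GMT
            Not After : Jul 23 08:51:21 2004 GMT
        Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
"""

_FIELDS = {
    "version":    re.compile(r"^\s*Version:\s*(\d+)", re.M),
    "sig_alg":    re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M),
    "issuer":     re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M),
    "subject":    re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M),
    "not_before": re.compile(r"^\s*Not Before\s*:\s*(.+?)\s*$", re.M),
    "not_after":  re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M),
    "key_bits":   re.compile(r"Public Key:\s*\((\d+) bit\)"),
}

# Signature hashes a relying party should refuse today (threshold chosen for this example).
WEAK_SIG_ALGS = ("md2", "md5", "sha1")


def _parse_time(s: str) -> datetime:
    # openssl prints e.g. "Jul 16 08:51:21 2004 GMT" (two spaces before a
    # single-digit day); collapse whitespace so strptime accepts both.
    s = " ".join(s.split())
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_text(text: str) -> Dict[str, object]:
    """Extract the checked fields; a missing field is an error, never a default."""
    cert: Dict[str, object] = {}
    for name, rx in _FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"field not found in certificate dump: {name}")
        cert[name] = m.group(1)
    cert["version"] = int(cert["version"])
    cert["key_bits"] = int(cert["key_bits"])
    cert["not_before"] = _parse_time(cert["not_before"])
    cert["not_after"] = _parse_time(cert["not_after"])
    return cert


def check_cert(cert: Dict[str, object], now: datetime) -> List[str]:
    """Return the problems found; an empty list means every check passed.
    2048-bit RSA and no MD5/SHA-1 are this example's baseline; the CA's
    own policy is what a site must actually apply."""
    problems: List[str] = []
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")
    if cert["version"] < 3:
        problems.append("not X.509v3: no extensions (key usage, basic constraints) possible")
    if cert["key_bits"] < 2048:
        problems.append(f"RSA key too short: {cert['key_bits']} bits")
    alg = str(cert["sig_alg"]).lower()
    if any(weak in alg for weak in WEAK_SIG_ALGS):
        problems.append(f"weak signature algorithm: {cert['sig_alg']}")
    return problems


def check_cert_text(text: str, at: str) -> List[str]:
    """Convenience wrapper: `at` is an ISO date/time taken as UTC."""
    now = datetime.fromisoformat(at).replace(tzinfo=timezone.utc)
    return check_cert(parse_cert_text(text), now)


if __name__ == "__main__":
    for problem in check_cert_text(SLIDE_CERT_TEXT, "2004-07-20T12:00:00"):
        print("PROBLEM:", problem)
```

Run inside the one-week validity window the slide's certificate still fails three checks (version 1, 512-bit key, MD5 signature); run on the presentation date it also fails the validity check.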
Authorization in GSI
   Makes use of the grid-mapfile
   Maps the certificate subject (DN) of the authenticated user
    to a local unix account
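The grid-mapfile lookup described above, as an added example that is not code from the original presentation or from GSI itself. It assumes the usual grid-mapfile layout: one entry per line, the certificate subject DN in OpenSSL one-line form inside double quotes, then one or more local accounts separated by commas, with '#' starting a comment. The sample file and the function names are this example's own.

```python
"""Added example: the GSI grid-mapfile authorization step."""
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile; not a real site's file.
SAMPLE_GRID_MAPFILE = '''\
# subject DN -> local account(s); the first account is the default
"/C=CH/O=HIP/OU=TECH/CN=Xiao" xiao
"/C=CH/O=HIP/OU=TECH/CN=Test User" grid001,grid002
this line is malformed and must never map anyone
'''

_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local accounts]} for every well-formed entry.

    Malformed lines are skipped rather than guessed at: a line that
    cannot be parsed must never grant an account.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            continue
        dn, accounts = m.group(1), m.group(2)
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def openssl_subject_to_dn(subject_line: str) -> str:
    """Turn the 'C=CH, O=HIP, OU=TECH, CN=Xiao' form printed by
    openssl x509 -text into the '/C=CH/O=HIP/OU=TECH/CN=Xiao' form
    used in grid-mapfiles (RDN values containing commas are not handled)."""
    rdns = [part.strip() for part in subject_line.split(",")]
    return "/" + "/".join(rdns)


def map_user(mapfile: Dict[str, List[str]], subject_dn: str) -> Optional[str]:
    """Authorization decision: the DN of the authenticated certificate is
    looked up verbatim; a DN absent from the file is denied (None).
    Returns the default (first) local account otherwise."""
    accounts = mapfile.get(subject_dn)
    if not accounts:
        return None
    return accounts[0]


def authorize(mapfile_text: str, openssl_subject: str) -> Optional[str]:
    """Full path: certificate subject as printed -> local account or None."""
    return map_user(parse_grid_mapfile(mapfile_text),
                    openssl_subject_to_dn(openssl_subject))


if __name__ == "__main__":
    for subject in ("C=CH, O=HIP, OU=TECH, CN=Xiao",
                    "C=CH, O=HIP, OU=TECH, CN=Unknown"):
        print(subject, "->", authorize(SAMPLE_GRID_MAPFILE, subject))
```

Every user of every VO needs a line in every site's file, and a user whose line is missing or malformed is simply denied; that per-site, per-user maintenance is the scalability problem the next slides address.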
   Problem with the current grid-mapfile: not scalable as the
    number of users increases. Thus a strong requirement for

VOMS
   Short for Virtual Organization Membership Service
   A centralized service used to manage authorization within the
    scope of a Virtual Organization (VO).
   Developed by EGEE
Overview of the gLite VOMS Environment
VOMS architecture
   User Server
   User Client
   Administration
Use Case
1.   The client (user) and the VOMS server authenticate each other
     using their normal Grid certificates.
2.   The client sends its request (the VO groups and roles it wants) to
     the VOMS server.
3.   The server checks the user certificate and the request against the
     VO membership database.
4.   The server signs the information retrieved from the VOMS database
     for that user and sends the signed information back to the client.
     The VOMS server's signature lets any relying party verify that a
     trusted VOMS service issued the authorization information that will
     be attached to the user's proxy.
5.   The client verifies the information received from the server: the
     signature must come from a trusted VOMS server and the attributes
     must have been issued to this user.
6.   The client application creates a proxy certificate on behalf of the
     user and embeds the information received from the VOMS server as an
     extension of the proxy certificate; the user's own X.509 certificate
     is not modified.
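The six-step exchange above, simulated end to end as an added example that is not part of the original presentation or of the VOMS code base. Certificates are plain dicts, mutual authentication is taken as already done (the server receives the client's authenticated DN), and the VOMS server signs with textbook RSA over a SHA-256 digest using a toy 512-bit key generated here. Real VOMS runs over TLS with X.509 certificates and returns a DER-encoded attribute certificate; the class and function names, the FQAN strings and the VO database are this example's own.

```python
"""Added example: the VOMS client/server exchange with a toy signature."""
import hashlib
import json
import random
from typing import Dict, List, Optional, Tuple

_rng = random.Random(2006)  # fixed seed: reproducible toy keys, never reuse


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def gen_keypair(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)): textbook RSA, for illustration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")  # < n


def sign(priv: Tuple[int, int], payload: bytes) -> int:
    return pow(_digest_int(payload), priv[1], priv[0])


def verify(pub: Tuple[int, int], payload: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest_int(payload)


def _canonical(body: Dict) -> bytes:
    # Signed bytes: canonical encoding so client and server agree byte for byte.
    return json.dumps(body, sort_keys=True).encode()


# Constructed VO membership database: holder DN -> FQANs (group/role) held.
VO_DB = {"/C=CH/O=HIP/OU=TECH/CN=Xiao": ["/hip", "/hip/Role=developer"]}
VOMS_DN = "/C=CH/O=HIP/OU=TECH/CN=voms.example"  # assumed server identity


class VomsServer:
    """Steps 3-4: check the request against the VO database, sign the result."""

    def __init__(self, db: Dict[str, List[str]]) -> None:
        self.pub, self._priv = gen_keypair()
        self.db = db

    def issue_ac(self, client_dn: str, requested: List[str],
                 now: int, lifetime: int) -> Optional[Dict]:
        held = self.db.get(client_dn, [])
        granted = [f for f in requested if f in held] if requested else list(held)
        if not granted:
            return None  # not a member, or holds none of the requested FQANs
        body = {"holder": client_dn, "issuer": VOMS_DN, "fqans": granted,
                "not_before": now, "not_after": now + lifetime}
        return {"body": body, "signature": sign(self._priv, _canonical(body))}


def verify_ac(ac: Dict, trusted_voms: Dict[str, Tuple[int, int]],
              my_dn: str, now: int) -> bool:
    """Step 5: accept only an AC signed by a trusted VOMS server, issued to
    this user and currently valid."""
    body = ac["body"]
    pub = trusted_voms.get(body["issuer"])
    if pub is None or not verify(pub, _canonical(body), ac["signature"]):
        return False
    return body["holder"] == my_dn and body["not_before"] <= now < body["not_after"]


def make_proxy(user_dn: str, ac: Dict) -> Dict:
    """Step 6: proxy certificate (signed by the user's key in reality) carrying
    the AC in an extension; the user's own certificate is untouched."""
    return {"subject": user_dn + "/CN=proxy", "issuer": user_dn,
            "extensions": {"voms_ac": ac}}


def voms_proxy_init(server: VomsServer, trusted: Dict[str, Tuple[int, int]],
                    user_dn: str, requested: List[str], now: int,
                    lifetime: int = 12 * 3600) -> Optional[Dict]:
    ac = server.issue_ac(user_dn, requested, now, lifetime)     # steps 2-4
    if ac is None or not verify_ac(ac, trusted, user_dn, now):   # step 5
        return None
    return make_proxy(user_dn, ac)                                # step 6
```

The client-side check in step 5 is what stops a rogue or impersonated VOMS server, a tampered attribute list, or an expired assertion from ending up in the proxy; the trusted-server table plays the role of the VOMS server certificates a real client keeps in its trust store.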

Conclusion

1.   Java solution for VOMS
2.   Shibboleth-based AAI combined with VOMS and Grid
Future Studies

1.   Secure resource sharing techniques; scalability and
     reliability of the system
2.   Usability of the Grid

                                Thank You!
