Grid Security Infrastructure Tutorial
             Grid Security: Principles and Practice
               Rachana Ananthakrishnan
             Argonne National Laboratory

Acknowledgements: Jim Basney, NCSA; Stephen Langella, OSU; Tom Scavo, NCSA; Frank Siebenlist, ANL/UC; Von Welch, NCSA
                                                                  1
                    Outline
   Basic grid security solutions
   Grid security tools
   Grid security at work
   Lab session




                                    2
      Basic Security Requirements
1.   Message Protection
     – Integrity
     – Privacy
2.   Identity for entities
3.   Authentication
4.   Single Sign On
5.   Delegation
6.   Authorization


                                    3
          1. Message Protection
   Sending messages securely
   Integrity
    – Detect whether the message has been tampered with
   Privacy
    – No one other than the sender and receiver should be able to read the message




                                              4
                   Cryptography
   Enciphering and deciphering of messages in secret code
   Key
    – Collection of bits (e.g. 0101001110 1011110111)
    – Building block of cryptography
    – The more bits, the stronger the key



                                               5
       Encryption and Decryption
   Encryption: function that takes data and a key and generates encrypted data
   Decryption: function that converts the encrypted data back to the original data using a key
   Both functions are linked.
   [Figure: data -> Encrypt -> encrypted data -> Decrypt -> data]


                                     6
          Asymmetric Encryption
   When data is encrypted with one key, the other key must be used to decrypt the data
   Well established algorithms
   [Figure: Encrypt with one key of the pair and Decrypt with the other, in either direction]




                                             7
          Public and Private Keys

   With asymmetric encryption each user can be assigned a key pair: a private and a public key
   [Figure: Private key is known only to the owner; Public key is given away to the world]



                                                       8
          Public and Private keys
   Anything encrypted with the public key can only be decrypted with the private key
   And vice versa
   Since the private key is known only to the owner, this is very powerful.
   Message Privacy
   [Figure: Encrypt with the recipient’s public key, Decrypt with the recipient’s private key]



                                      9
              Digital Signatures
   Used to determine if the data has been tampered with
   Also, to identify who signed the data




                                   10
                Digital Signatures
   Digital signatures are generated by
    – Creating a secure hash of the data
    – Encrypting the hash with my private key
   The resulting encrypted data is the signature
   This hash can then be decrypted only by my public key
   [Figure: data -> Secure Hash -> Encrypt with private key -> signature]




                                           11
               Digital Signature
   [Figure: the Sender signs the Message with the sender’s private key; the Recipient verifies the signature on the Message with the Sender’s public key; a failed verification means "Message altered!"]
                                                        12
                  In Practice
   Established algorithms for signing and
    encrypting things
   Typical usage:
    – Data to sign/encrypt
    – Algorithm to use
    – Key strength
   Sign using your private key
   Encrypt using recipient's public key
   Inbuilt support in most applications
    requiring only configuration.

                                             13
              2. Entity Identity
   Since I’m the only one with access to my private key, you know I signed the data associated with it
   But, how do you know that you have my correct public key?


                                       14
    Public Key Infrastructure (PKI)
   PKI allows you to know that a given public key belongs to a given user
   PKI builds off of asymmetric encryption:
    – Each entity has two keys: public and private
    – The private key is known only to the entity
   The public key is given to the world encapsulated in an X.509 certificate


                                      15
                  Certificates
   An X.509 certificate binds a public key to a name (Distinguished Name)
   Signed by a trusted party (issuer)
   Similar to a passport or driver’s license
   [Figure: certificate fields Name, Issuer, Public Key, Validity, Signature]



                                              16
                   Certificates
   Certificates are signed, so that tampering can be detected
   [Figure: certificate (Name, Issuer, Public Key, Validity, Signature) -> Verify using the Public Key from the Issuer]

                                                      17
                 Certificates
   Question: Who signs certificates?
   Answer: A small set of trusted entities known as Certification Authorities (CAs)
   [Figure: certificate with Name, Validity, Public Key and the open question Issuer?]




                                                  18
     Certification Authorities (CAs)
   A Certification Authority is an entity that exists only to sign user certificates
   The CA signs its own certificate, which is distributed
   The CA’s public key is used to verify the signature on certificates it issued
   [Figure: self-signed CA certificate with fields Name: CA, Issuer: CA, CA’s Public Key, Validity, CA’s Signature]


                                               19
              Certificate Policy
   Each CA has a Certificate Policy which
    states
    – who it will issue certificates to
    – how it identifies people to issue certificates
      to




                                                       20
         Requesting a Certificate
   To request a
    certificate a user
    starts by generating
    a key pair




                                    21
            Certificate Request
   The user then signs their own public key to form what is called a Certificate Request
   Email/Web upload
   [Figure: the user’s private key Signs the Public Key, producing a Certificate Request]

                                         22
       Registration Authority (RA)
   The user then takes the certificate request to a Registration Authority (RA)
   Vetting of user’s identity
   Often the RA coexists with the CA and is not apparent to the user
   [Figure: Certificate Request (Public Key) presented together with the user’s ID]

                                              23
            Certificate Issuance
   The CA then takes the identity from the RA and the public key from the certificate request
   It then creates, signs and issues a certificate for the user
   [Figure: Certificate Request (Public Key) plus Name from the RA -> certificate with Name, Issuer, Validity, Public Key, Signature]
                                                                 24
          Certificate Revocation
   Why revoke:
    – Key compromised
    – Malicious user
   Certificate Revocation Lists (CRLs)
    – List of serial numbers revoked
    – Signed by CA
   Periodic Updates




                                          25
      User Certificates In Practice
   Typically stored as local files
    – Certificate file and Key file
    – Key file is encrypted with password
   Available through browsers
   Point applications to certificates
    – Use password for private key file access




                                                 26
          Trusted CA In Practice
   Resource chooses the CAs to trust
   CA certificates and CRLs are stored as files
    in the system
    – Privileged write access
    – Anyone can read
   CRLs updated regularly
   Other management tools exist




                                                   27
              3. Authentication
   Establish identity
   Is the entity who it claims to be?
   Stops masquerading imposters
   In the PKI world: does the entity have the private key for the corresponding certificate?
   Mutual authentication




                                             28
       Secure Socket Layer (SSL)
   Protocol above a standard TCP/IP socket
   Same as “https” in browser, but using PKI
   Authentication:
    – Handshake protocol
    – Prove ownership of private key
    – Shared session secret
   Message protection
    – Using shared session secret



                                                29
         SSL Message Protection
   Session key
    – Symmetric
    – Faster performance
    – Signature and encryption
    – Short-lived
   Example:
    – Web servers
    – Globus Toolkit services
   [Figure: Message -> Encrypt and Sign with the session key]

                                           30
               Other mechanisms
   WS Secure Message
    – Security information carried in the message header is used to establish identity
    – Each message individually secured
    – End to end security is feasible
   WS Secure Conversation
    – Handshake mechanism like SSL, but each message is individually secured
   Username/password
    – Used along with one of the other methods so that the password is encrypted in transit.



                                                           31
                  In Practice
   Software libraries are available for most of the authentication protocols
   Secure resources determine the accepted authentication mechanism
   Applications leverage the libraries, and the mechanism to use is mostly configuration




                                                   32
             4. Single Sign-on
   Need to access multiple machines
   Long term private key is kept encrypted, not useful for repeated use




                                                33
Grid Security Infrastructure (GSI)
   Security libraries used in Globus
    – Built on PKI
    – Uses SSL by default
   Additionally provides single sign-on
    – Proxy credentials




                                           34
          GSI: Proxy Credentials
   Proxy credentials are short-lived credentials created by the user
    – Proxy signed by the user certificate’s private key
   Short term binding of user’s identity to an alternate private key
   Same effective identity as the certificate
   [Figure: Alice’s long-term credential SIGNs a proxy credential that also carries the name Alice]

                                                     35
         GSI: Proxy Credentials
   Stored unencrypted for easy repeated
    access
   Chain of trust
    – Trust CA -> Trust User Certificate -> Trust
      Proxy
   Key aspects:
    – Generate proxies with short lifetime
    – Set appropriate permissions on proxy file
    – Destroy when done


                                                    36
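The signature, certificate, CRL and chain-of-trust ideas from slides 11, 12, 16, 25 and 35-36 worked through as an added example (not code from this tutorial or from GSI itself): a textbook RSA toy over Mersenne primes, far too small for real use, stands in for the established algorithms, and the certificate layout, names, serials and timestamps are constructed for the demonstration.

```python
import hashlib

E = 65537                              # public exponent used by every toy key pair
HOUR, YEAR = 3600, 365 * 24 * 3600

def mersenne(k):
    # 2**k - 1 is prime for k in {19, 31, 61, 89, 107, 127}, so the key pairs below are
    # valid textbook RSA keys. They are far too small to be secure: demonstration only.
    return (1 << k) - 1

def keygen(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def digest_int(data, n):
    # Slide 11, step 1: take a secure hash of the data (reduced to fit the modulus).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    # Slide 11, step 2: "encrypt" the hash with the private key; that is the signature.
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    # Only the matching public key turns the signature back into the hash of the data.
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])

SIGNED_FIELDS = ("serial", "name", "issuer", "n", "e", "not_before", "not_after")

def to_be_signed(cert):
    return "|".join(str(cert[f]) for f in SIGNED_FIELDS).encode()

def issue(issuer_name, issuer_priv, serial, name, subject_pub, lifetime, now):
    # Slide 16: a certificate binds a public key to a name and carries the issuer,
    # a validity window and the issuer's signature over all of those fields.
    cert = {"serial": serial, "name": name, "issuer": issuer_name,
            "n": subject_pub["n"], "e": subject_pub["e"],
            "not_before": now, "not_after": now + lifetime}
    cert["signature"] = sign(issuer_priv, to_be_signed(cert))
    return cert

def validate_chain(chain, trusted_ca, crl, now):
    # chain is leaf first, e.g. [proxy, user_cert], and is walked from the trust anchor
    # outward: trust CA -> trust user certificate -> trust proxy (slide 36).
    # crl is the set of (issuer name, serial) pairs the CAs have revoked (slide 25).
    issuer = trusted_ca
    for cert in reversed(chain):
        if cert["issuer"] != issuer["name"]:
            return False, f"{cert['name']}: not issued by {issuer['name']}"
        if not verify(issuer, to_be_signed(cert), cert["signature"]):
            return False, f"{cert['name']}: signature does not verify (tampered?)"
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['name']}: outside validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['name']}: revoked by issuer"
        issuer = cert
    return True, "chain ok"

def demo(now=1_700_000_000):
    # Constructed key pairs, names and timestamps; nothing here is a real credential.
    ca_priv = keygen(mersenne(127), mersenne(107))
    user_priv = keygen(mersenne(89), mersenne(61))
    proxy_priv = keygen(mersenne(31), mersenne(19))
    ca = issue("Test CA", ca_priv, 1, "Test CA", ca_priv, 10 * YEAR, now)  # self-signed
    user = issue("Test CA", ca_priv, 2, "/O=Grid/CN=Alice", user_priv, YEAR, now)
    # Slide 35: the proxy is short-lived, signed with the user's own private key and
    # binds the user's identity to a fresh key pair.
    proxy = issue(user["name"], user_priv, 3, user["name"] + "/CN=proxy",
                  proxy_priv, 12 * HOUR, now)
    tampered = dict(proxy, name="/O=Grid/CN=Mallory/CN=proxy")  # name edited after signing
    msg = b"transfer /tmp/foo"
    sig = sign(proxy_priv, msg)
    return {
        "fresh": validate_chain([proxy, user], ca, set(), now + HOUR),
        "proxy_expired": validate_chain([proxy, user], ca, set(), now + 13 * HOUR),
        "user_revoked": validate_chain([proxy, user], ca, {("Test CA", 2)}, now + HOUR),
        "tampered": validate_chain([tampered, user], ca, set(), now + HOUR),
        "message_ok": verify(proxy, msg, sig),              # slide 12: signature verifies
        "message_altered": verify(proxy, msg + b"!", sig),  # slide 12: "Message altered!"
    }
```

Calling `demo()` returns one entry per check, so the expired proxy, the revoked user certificate and the edited proxy each fail at a different step of the walk while the untouched chain passes.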
                5. Delegation
   Enabling another entity to run on behalf of you
   E.g. a service that runs a job needs to transfer files.
   Ensure
    – Limited lifetime
    – Limited capability
   GSI uses proxy certificates for delegation



                                                  37
           GSI Delegation
   [Figure: the delegate sends a Certificate Request; the user’s proxy signs it and returns the Certificate, which the delegate holds as a Delegated Credential]
                                         38
              6. Authorization
   Establishing rights of an identity
    – Can user do some action on some resource
   Identity based authorization
    – Establish identity using authentication
    – Check policy to see what identity can do
   Authorization with obligation
    – You can do the action, provided…




                                                 39
    Example: Gridmap Authorization
   Gridmap is a list of mappings from allowed DNs to local user names
     "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
     "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
   ACL + some obligation
   Controlled by administrator
   Open read access




                                                         40
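The gridmap lookup from the slide above written out as an added example (not the Globus Toolkit’s own gridmap code): the entries are the two from the slide plus a constructed one mapping a DN to two local accounts, and the treatment of `#` comments, comma-separated accounts and the stripping of proxy CN components follows the classic gridmap-file conventions as I understand them, so treat those details as assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed gridmap: the two entries from the slide plus an assumed entry that maps
# one DN to two local accounts. Blank lines and '#' comments are assumed tolerated.
GRIDMAP = '''
# distinguished name                                      local account(s)
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Rachana Ananthakrishnan" rachana,globus
'''

ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')
# A proxy's subject is the user's DN with proxy CNs appended: legacy GSI proxies use
# "/CN=proxy" or "/CN=limited proxy", RFC 3820 proxies a numeric CN (assumed here).
PROXY_CN_RE = re.compile(r'/CN=(?:proxy|limited proxy|\d+)$')

def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each DN to its list of allowed local accounts, in file order."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"gridmap line {lineno}: malformed entry {raw!r}")
        dn, accounts = match.group(1), match.group(2).split(",")
        entry = mapping.setdefault(dn, [])
        for account in accounts:
            if account and account not in entry:
                entry.append(account)
    return mapping

def effective_identity(subject: str) -> str:
    """Strip proxy CN components so a proxy is judged by its user's DN (slide 35)."""
    while True:
        stripped = PROXY_CN_RE.sub("", subject, count=1)
        if stripped == subject:
            return subject
        subject = stripped

def authorize(mapping: Dict[str, List[str]], subject: str,
              requested: Optional[str] = None) -> Optional[str]:
    """Return the local account the caller may run as, or None to deny.

    This is the ACL plus obligation of the gridmap slide: the DN must be listed
    (ACL) and the caller is then confined to one of its mapped accounts (obligation).
    """
    accounts = mapping.get(effective_identity(subject))
    if not accounts:
        return None
    if requested is None:
        return accounts[0]      # first listed account is the default mapping
    return requested if requested in accounts else None
```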
     Attribute-based Authorization
   Attributes are information about an entity
    – Employee of Argonne National Lab
    – Member of virtual organization ABC
   Identity based authorization may not scale
   Authorization policy can use attributes
    – You are allowed to transfer file /tmp/foo if
      you are member of VO ABC




                                                     41
     Attribute-based Authorization
   Attribute services
    – Entities used to manage attributes
    – Could have their own PKI identity
   Authorization services
    – Manage authorization policy
    – Could have their own PKI identity
   Secure resource must be configured to
    trust attribute/authorization service



                                            42
Security Tools




                 43
          Functionality Covered
   User registration management
   Credential management
   CA service
   Single Sign-on
   Trust root provisioning
   Authorization service
   Attribute service



                                   44
                       MyProxy
   Developed at the National Center for Supercomputing Applications (NCSA)
   Credential repository
    – Multiple access mechanisms
    – Credential access from any machine.
    – Access policy to control retrieval
    – Delegation of credential
   Online CA
    – Short lived certificates
   Supports various authentication schemes
    – Passwords, certificate, Kerberos



                                                      45
                        MyProxy Logon
   Provisions user’s machine
    – User certificate or proxy
    – Trusted CA certificate
    – Certificate Revocation List
   Maintains user’s PKI context
    – No need to manage credentials
    – Enables server-side policy enforcement
    – CA certificates and CRLs are automatically provisioned

Reference: http://grid.ncsa.uiuc.edu/myproxy/          46
    Portal-based User Registration Service
                  (PURSE)
   Tool to handle user registration
    – Integrates Simple CA, MyProxy and the user registration database aspects
   Credential management
    – User does not manage credentials
   Plugs in as a backend to a portal
    – Backend modules and sample portlets




                                                47
     Portal-Based User Registration Service
   Solicits user data
   Sends request to configured administrator (optional review)
   If request approved
    – Creates credential
    – Stores in MyProxy server
    – User receives notification
    – Any portal-based runs can access the credentials; the user only uses username/password.
   If rejected
    – User receives notification

Reference: http://dev.globus.org/wiki/Incubator/PURSe   48
                    Shibboleth
   An Internet2 project, used in educational institutions
   Motivation
    – Numerous sites with different authentication mechanisms
    – Multiple credentials to maintain (password, keys)
   Goal
    – Provide cross-domain single sign-on and attribute-based authorization while preserving user privacy
   Federation
    – Provides a common trust and policy framework



                                                           49
                            Shibboleth
     Identity provider
      – Creates and maintains user identity
     Service provider
      – Controls access to a resource




Reference: http://shibboleth.internet2.edu/
                                              50
   Shibboleth Browser Access (Simplified)
   [Figure: the user, holding a single credential (ANL username and password), requests web server access at the NCSA Web Server; the Shib Service Provider, which trusts the ANL IdP (list of Trusted IdPs), sends the user to the ANL Identity Provider (IdP), which asserts identity and releases attributes subject to user privacy; the web server applies its local AuthZ policy to those attributes]
                   GridShib
   Motivation:
    – Many Grid VOs are focused on science or business other than IT support
    – Leverage Shibboleth deployments run by campuses
   GridShib enables secure attribute sharing between Grid virtual organizations and higher-education institutions



                                                52
                             GridShib
   The goal of GridShib is to provide interoperability between the Globus Toolkit® and Shibboleth®
   Developed at NCSA and Globus
   Solution:
    – Shibboleth-powered client tools for the grid
    – Shibboleth-enabled online CA
         > Leverages existing identity providers
    – Grid Service Provider
         > Can process X.509 certificates

Reference: http://dev.globus.org/wiki/Incubator/GridShib   53
                     Dorian
   Developed by Cancer Biomedical
    Informatics Grid (caBIG)
   Provides:
    – Ease of grid account management
    – Use of domain specific credentials to
      access grid resources
   Two components:
    – Dorian Identity Provider
    – Dorian Identity Federation Service




                                              54
         Dorian Identity Provider
   Registration of users
   Authentication using domain specific
    mechanisms
    – Upon authentication, an assertion is given
      to user
   Administrative interface
    – Manage the registered user accounts
    – Set policy on accounts



                                                   55
       Identity Federation Service
   Accepts assertions from trusted identity
    providers
   Issues grid credentials
   Administrator interface
    – Manage trusted identity providers
    – Grid user account management/revocation




Reference: http://www.cagrid.org/mwiki/index.php?title=Dorian:Main   56
           Grid Trust Service (GTS)
   Trust root management and provisioning service
   Developed by Cancer Biomedical Informatics Grid (caBIG)
   Provides
    – Administrator interface for management of trusted CAs
    – Provisioning of CA certificates and CRLs
    – Levels of assurance
   Uses
    – Eases management of trusted root configuration
    – Ensures the latest trusted CA configuration for all clients

                                                           57
                     GTS: Interfaces
   Management
    – Add/update/remove CAs
    – Associate level of assurance with CA
    – Appropriate administrator credentials required
   Client
    – Retrieve CA certificates and CRLs
    – Specify desired level of assurance


Reference: http://www.cagrid.org/mwiki/index.php?title=GTS:Main
                                                                  58
    Community Authorization Service
   Goal
     – Fine grained rights management
     – Provide query interface for resources and users
   Implemented as a web service
   Policy stored as tuple:
     – Entity, action, resource
     – E.g.: Rachana’s DN, read, ice-ws01.pdc.kth.edu:/home/globus/foo
     – Internal groups for administration

                                                   60
                      CAS: Interfaces
      Administrator interface
       – Web service interface
       – Allows rights management on CAS tuples
      Query interface
       – Client or resource
       – Web services interface
       – Rights returned as standard assertions
       – Signed by CAS server, so secure



Reference: http://dev.globus.org/wiki/CAS/SAML_Utilities   61
                   CAS: Push usage
   [Figure: CAS Server with Admin Interface and Query Interface; the user queries CAS, receives a Signed Assertion of user rights and pushes it to the Secure Resource, which trusts the CAS Server]
                                                                  62
                     CAS: Pull usage
   [Figure: CAS Server with Admin Interface and Query Interface; the Secure Resource, which trusts the CAS Server, pulls the Signed Assertion from CAS itself]
                                                            63
Grid Security @ Work
Cancer Biomedical Informatics Grid
         (caBIG)


                              64
                        caBIG
   Funded by the National Institutes of Health
   Goal:
    – Relieve suffering and death due to cancer by the
      year 2015
   Requirement:
    – Investigators and research teams nationwide to
      work together
   Strategy:
    – Create scalable, actively managed organization that
      will connect members of the NCI-supported cancer
      enterprise by building a biomedical informatics
      network


                                                            65
caBIG Security in Action




                           66
caBIG Security in Action
   [Figure: Authenticate with Local Credential Provider -> Identity Assertion]
   User authenticates to the local credential provider using their everyday user credentials

                                                   67
caBIG Security in Action
   Application obtains grid credentials from Dorian using the assertion provided by the local provider.



                                              68
caBIG Security in Action
   [Figure: Grid Credentials]
   Application uses grid credentials to invoke secure grid services.




                                           69
caBIG Security in Action
   [Figure: Grid Service asks the GTS "Should I trust the credential signer?"]
   Grid Service authenticates the user by asking the GTS whether or not the signer of the credential should be trusted.

                                                     70
caBIG Security in Action
   Authorization
   [Figure: Grid Service asks the Access Control Policy "Is Authorized?"]
   Grid Service asks the Access Control Policy whether or not the user can perform action X on resource Y.




                                         71
caBIG Security in Action
   Attribute Authorization Alternative
   [Figure: Grid Service asks Grid Grouper "Is member of?"]
   Grid Service can enforce local policy based on the user’s membership of groups maintained in Grid Grouper.



                                       72
caBIG Security in Action




                           73
Lab Session




              74
                   Lab Session
   Focus on tools
    – Obtaining and using certificates
    – Creating and using proxies
    – Gridmap Authorization
    – Delegation
    – Using MyProxy




                                         75
                   Lab Session
   http://ice-www.pdc.kth.se/security
   Three machines
    – Local laptop (ice-ws01 in notes)
    – Neighbor’s laptop (ice-ws02 in notes)
    – Machine ice-st-a01 (machine that trusts only the GILDA CA)
   Substitute your own username (rachana in notes)
   Remember to edit RSLs to have the correct machine name




                                                           76
                         Notes
1.   If grid-proxy-init does not ask for a passphrase, use the Globus basic tutorial notes to recreate the file (leave the –nodes option out of the second command)
2.   Obtaining a new certificate: ensure no spaces are added when you copy/paste the certificate contents
3.   Machine ice-st-a01 trusts only the GILDA CA and not the test CA, so you should see an error on access.
4.   If you see a file permissions error, check whether the file name you are writing to is unique. Someone else might have run that command and created a file with that name (e.g. /tmp/destFile)
5.   MyProxy servers were down, fixed now



                                                             77

				