VN-GRID Security
Nguyen Cao Dat

Posted on 14-Jan-2016


TRANSCRIPT

Page 1: VN-GRID Security

VN-GRID Security

Nguyen Cao Dat

Page 2: VN-GRID Security

Outline

Grid Security on EDAGrid
• EDAGrid topology
• Authentication
• Authorization
• Message protection
• Security issues

Grid Security on VN-GRID
• VN-GRID topology
• Authentication
• Authorization
• To do list

Page 3: VN-GRID Security

Outline

Grid Security on EDAGrid
• EDAGrid topology
• Authentication
• Authorization
• Message protection
• Security issues

Page 4: VN-GRID Security

EDAGrid topology

(Figure) A single site, where Site = Virtual Organization. The site runs a Certification Authority, a VO Server and the GridNodes (GridNode 1, GridNode 2).

Page 5: VN-GRID Security

How a user is authenticated by a GridNode

Obtaining a certificate

A user certificate carries: Subject, Public Key, Issuer (CA), Signature of CA. The matching private key is kept separately, encrypted with a pass phrase.

• Create a public/private key pair and an unsigned certificate, i.e. the certificate request (grid-cert-request command)
• Mail the unsigned certificate (the request) to the CA admin by e-mail
• Receive the signed certificate back from the CA

Page 6: VN-GRID Security

How a user is authenticated by a GridNode (2)

By checking the CA's signature, one can determine that a public key belongs to a given user:

• Hash the certificate body (Subject, Public Key, Issuer)
• Decrypt the Signature field with the Issuer's (the CA's) public key
• Compare the two values: they must be equal (=?)

Page 7: VN-GRID Security

How a user is authenticated by a GridNode (3)

Challenge-response between user and server (figure):

• The user sends the User Certificate (Subject, Public Key, Issuer (CA), Digital Signature) to the server
• The server checks the certificate's public key (verifies the CA signature as on the previous slide)
• The server sends a random challenge string (e.g. QAZWSXEDC…)
• The user encrypts the challenge with the private key (decrypted with the pass phrase) and returns the encrypted challenge string (e.g. PL<OKNIJBN…)
• The server decrypts it with the public key from the certificate and checks that the result equals the challenge string it sent

Page 8: VN-GRID Security

How a user is authenticated by GridNodes

(Figure) The user talks to Grid Node A, which in turn talks to GridNode B. Communication, remote file access requests and remote process creation requests all use mutual authentication. Two properties are needed for this:

• Single Sign-on: the user enters the pass phrase once
• Delegation: a node can act on behalf of the user towards another node

Page 9: VN-GRID Security

How a user is authenticated by GridNodes (2): Create Proxy Certificate

grid-proxy-init (figure):

• Input: the User Certificate (Subject, Public Key, Issuer (CA), Digital Signature) and the user's private key (encrypted; the pass phrase is entered once here)
• Output: a Proxy Certificate with Subject = the user's Subject plus a proxy component (Subject/Proxy), a new public key, a new private key (not encrypted), Issuer = the user, Digital Signature by the user
• The user signs the proxy certificate with the user's private key; the proxy therefore carries the identity of the user

Page 10: VN-GRID Security

How a user is authenticated by GridNodes (3)

Proxy Certificate: minimizes exposure of the user's private key.

A "proxy certificate" is a special type of certificate that is signed by the normal end-entity certificate, or by another proxy.

Used for a short term only (grid-proxy-init issues a 12-hour proxy by default).

The proxy's private key is not encrypted. It relies on file system security: the proxy certificate file must be readable only by the owner.
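A check of the file-permission rule above, written as an added example rather than Globus code (Globus performs an equivalent refusal before using a proxy). It assumes a POSIX file system; the file content written by demo() is a constructed placeholder, not a real proxy.

```python
"""Check that a proxy credential file is usable only by its owner (slide 10).
Added example, not Globus code (Globus refuses a proxy whose file is group- or
world-accessible; this reproduces the check with the standard library). Assumes a
POSIX file system; the file content written by demo() is a constructed placeholder.
"""
import os
import stat
import tempfile


def proxy_file_ok(path: str):
    """Return (ok, reason). The proxy's private key is stored unencrypted, so the
    file mode and ownership are its only protection."""
    st = os.lstat(path)                        # lstat: a symlink to someone else's file is not a proxy
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != os.getuid():
        return False, "owned by another user"
    if stat.S_IMODE(st.st_mode) & 0o077:
        return False, "readable or writable by group/others; need mode 0600"
    return True, "ok"


def demo() -> dict:
    """Write a placeholder proxy with a too-open mode, then fix it, and report both checks."""
    fd, path = tempfile.mkstemp(prefix="x509up_u")  # same naming idea as Globus's /tmp/x509up_u<uid>
    os.write(fd, b"constructed placeholder, not a real proxy\n")
    os.close(fd)
    os.chmod(path, 0o644)
    before = proxy_file_ok(path)
    os.chmod(path, 0o600)
    after = proxy_file_ok(path)
    os.unlink(path)
    return {"before": before, "after": after}
```

The mode test masks with 0o077 rather than comparing against 0o600 exactly, so an owner-only file that is also executable is still accepted while any group or world bit is rejected.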

Page 11: VN-GRID Security

How a user is authenticated by GridNodes (4)

Delegation

• Remote creation of a user proxy
• Results in a new private key and proxy certificate, signed by the original key
• Allows a remote process to act on behalf of the user
• Avoids sending private keys across the network

(Figure) GridNode1 holds the user's Proxy-1 (Proxy-1 private key, Proxy-1 public key, certificate signed by the user's private key, created by grid-proxy-init; the user's public key is in the user certificate). GridNode2 generates a Proxy-2 key pair and sends only the Proxy-2 public key to GridNode1; GridNode1 signs the Proxy-2 certificate with the Proxy-1 private key and returns it. The Proxy-2 private key never leaves GridNode2.

Page 12: VN-GRID Security

How a user is authenticated by GridNodes (5)

Traverse the certificate chain to verify identity (figure):

• User Certificate, issued by the CA → User Identity
• Proxy Certificate, issued by the User Certificate, issued by the CA → User Identity
• Proxy Certificate, issued by another Proxy Certificate, issued by the User Certificate, issued by the CA → User Identity

At each step the issuer's public key verifies the next certificate's signature; the chain must end at a trusted CA, and the identity is the user certificate's subject.

Page 13: VN-GRID Security

How a user is authenticated by GridNodes (6)

Example

Create a proxy certificate:
$ grid-proxy-init
Enter PEM pass phrase: *****

Remote authentication test:
$ globusrun -a -r hostname

Running a job on a remote node:
$ globus-job-run hostname <executable>
$ globusrun-ws …
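The flows of slides 5 through 13 (CA signature check, challenge-response login, proxy creation with grid-proxy-init, delegation, and chain traversal) as one runnable model. This is an added example, not code from the presentation, VN-GRID or the Globus Toolkit: textbook RSA over hard-coded Mersenne primes stands in for X.509 and real RSA signing, the CA name and the `Cert` fields are assumptions, and the user DN is the one on slide 15.

```python
"""Toy model of the GSI flows on slides 5-13: CA-signed user certificate, proxy
certificate (grid-proxy-init), delegation, chain traversal and challenge-response.
Added example, not code from VN-GRID/EDAGrid or the Globus Toolkit: textbook RSA
over hard-coded Mersenne primes, with no padding, stands in for X.509/RSA so the
chain-of-signatures logic is visible. It is NOT secure and must not be reused.
"""
import hashlib
import itertools
import math
import secrets
from dataclasses import dataclass
from typing import Optional

E = 65537
# Known Mersenne primes 2^k - 1, consumed two per key (4 distinct toy keys, then repeating).
_PRIMES = itertools.cycle(2 ** k - 1 for k in (521, 4423, 607, 4253, 1279, 3217, 2203, 2281))


def make_key():
    """Return ((n, e), (n, d)); every n here is > 2^256 so a SHA-256 digest fits below it."""
    p, q = next(_PRIMES), next(_PRIMES)
    phi = (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1
    return (p * q, E), (p * q, pow(E, -1, phi))


def sign(priv, data: bytes) -> int:
    """Slide 39: the hash of the data 'encrypted' with the private key."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])


def verify(pub, data: bytes, sig: int) -> bool:
    """Slides 6/40: 'decrypt' the signature with the public key and compare with the hash."""
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass
class Cert:
    subject: str
    pub: tuple
    issuer: str
    sig: int = 0

    def tbs(self) -> bytes:  # the to-be-signed fields of slide 5: Subject, Public Key, Issuer
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}|{self.issuer}".encode()


def issue(subject: str, pub, issuer: Cert, issuer_priv) -> Cert:
    cert = Cert(subject, pub, issuer.subject)
    cert.sig = sign(issuer_priv, cert.tbs())
    return cert


def make_proxy(parent: Cert, parent_priv):
    """Slides 9/11: a fresh key pair whose certificate is signed by the parent (user or
    proxy) key. Only the new public key is given to the signer, so under delegation the
    remote node's private key never crosses the network."""
    pub, priv = make_key()
    return issue(parent.subject + "/CN=proxy", pub, parent, parent_priv), priv


def verify_chain(chain: list, trusted_ca: Cert) -> Optional[str]:
    """Slide 12: walk chain[0] (leaf proxy) -> ... -> chain[-1] (user cert) -> trusted CA.
    Returns the user's DN, or None if any link fails."""
    user = chain[-1]
    if user.issuer != trusted_ca.subject or not verify(trusted_ca.pub, user.tbs(), user.sig):
        return None
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not verify(parent.pub, child.tbs(), child.sig):
            return None
        if not child.subject.startswith(parent.subject + "/CN="):  # proxy naming rule (RFC 3820)
            return None
    return user.subject


def authenticate(nonce: bytes, chain: list, leaf_priv, trusted_ca: Cert) -> Optional[str]:
    """Slide 7: the server sends a random challenge, the client signs it with the leaf
    (proxy) private key, the server checks it against the public key of the verified chain."""
    response = sign(leaf_priv, nonce)                                      # client side
    identity = verify_chain(chain, trusted_ca)                             # server side
    return identity if identity and verify(chain[0].pub, nonce, response) else None


def demo() -> dict:
    """End-to-end run; returns the outcomes so they can be checked."""
    ca_pub, ca_priv = make_key()
    ca = Cert("/O=Grid/CN=EDAGrid CA", ca_pub, "/O=Grid/CN=EDAGrid CA")    # constructed self-signed root
    ca.sig = sign(ca_priv, ca.tbs())
    user_dn = "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"       # DN from slide 15
    user_pub, user_priv = make_key()
    user = issue(user_dn, user_pub, ca, ca_priv)                          # slide 5: CA signs the request
    proxy1, proxy1_priv = make_proxy(user, user_priv)                     # grid-proxy-init on the user's host
    proxy2, proxy2_priv = make_proxy(proxy1, proxy1_priv)                 # delegated to GridNode2
    chain, nonce = [proxy2, proxy1, user], secrets.token_bytes(32)
    forged = Cert(proxy2.subject, user_pub, proxy2.issuer, proxy2.sig)   # swapped key, original signature
    return {
        "user_dn": user_dn,
        "identity": authenticate(nonce, chain, proxy2_priv, ca),
        "forged_key": authenticate(nonce, [forged, proxy1, user], proxy2_priv, ca),
        "wrong_key": authenticate(nonce, chain, proxy1_priv, ca),         # has the chain, not the key
    }
```

Two failure cases are included on purpose: a certificate whose public key was replaced under the original signature fails at chain traversal, and a client that possesses the whole chain but not the leaf private key fails the challenge. Both are what the server relies on to tie the presented DN to whoever is actually on the wire.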

Page 14: VN-GRID Security

Authorization

• Identity Mapping (figure): on each resource the Grid Identity is mapped to a local name, and the Local Policy for that local name applies.

The user is mapped to local identities to determine local policy.

Page 15: VN-GRID Security

Authorization (2): Gridmap File

Gridmap file maintained by the Globus administrator

Each entry maps a Grid-id (certificate subject DN) into local user name(s)

# Distinguished name                                      Local username
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"       griduser1
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Tuan Anh"   tanguyen
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Thoai Nam"         griduser3
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Tran Van Hoai"     hoai
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"    dat
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"      griduser1

Note that two different DNs map to the same local account, griduser1.

Page 16: VN-GRID Security

Message protection

Uses certificates and TCP sockets to provide a secured connection: SSL/TLS over TCP, with the certificates above as credentials.

• Authentication of one or both parties using the certificates
• Message protection: confidentiality (encryption) and integrity

Page 17: VN-GRID Security

EDAGrid Security Infrastructure

GSI is:

• PKI (CAs and certificates): PKI for credentials
• SSL/TLS: SSL for authentication and message protection
• Proxies and delegation (GSI extensions): for secure single sign-on

PKI: Public Key Infrastructure

Page 18: VN-GRID Security

Security issues

Authentication issues
• User interface
• Single CA vs. multiple CAs
• Credential management

Authorization issues
• What happens if there are thousands to millions of users?
• The grid-mapfile doesn't scale well, and works only at the resource level, not the collective level (site level).

Accounting issues
• Logs from VO Information are not enough.
• Billing system.

Page 19: VN-GRID Security

Outline

Grid Security on VN-GRID
• VN-GRID topology
• Authentication
• Authorization
• To do list

Page 20: VN-GRID Security

VN-GRID topology

(Figure) Two sites, Site 1 and Site 2, each with its own Certification Authority, VO Server and GridNodes (GridNode 1, GridNode 2).

Page 21: VN-GRID Security

Authentication

• Goals
– Support multiple CAs.
– User: transparent authentication (proxies/delegation).
– Site/individual node: easy to adhere (join the grid).

Page 22: VN-GRID Security

VN-GRID Authentication (2)

• Multiple CAs
– Manual update -> simple.
– Automatic update solution (figure): a new Site N with its own CA goes through 1. request and 2. certificate exchange between the CAs, 3. adheres through the Portal, and 4. is agreed or not agreed; on agreement the CAs data is updated and the new CAs list is distributed (Update CAs List).

Page 23: VN-GRID Security

Authorization

• Goals
– Support thousands to millions of users from sites.
– Compatible with site/local security policies.
– Easy to understand and verify.
– Easy to administer.

(Figure) Three kinds of grant: access granted by the local site to the community; access granted by the community to the user; access granted by the site to the user.

Page 24: VN-GRID Security

Authorization (2)

• Approaches
– "Classic" authorization method
• Identity mapping
– Attribute-based authorization methods
• CAS (Community Authorization Service)
• VOMS (Virtual Organization Membership Service)
• PERMIS
• GridShib
• caBIG tools

Page 25: VN-GRID Security

Authorization (3)

• Identity mapping
– Gridmap file format: Subject DN -> [user0, user1, …, usern-1]
– Dual-function, identity-based gridmap file:
• Authorization policy (a subject listed in the file is allowed in)
• Username mapping policy (which local account(s) the subject may use)
– A single gridmap file serves both functions
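An added example, not Globus code, of reading the gridmap file of slide 15 and applying its dual function (authorization decision and username mapping) as described above. The six entries are the ones on slide 15 plus one constructed multi-account entry; the rule for stripping proxy components from a subject and the convention that the first listed name is the default are assumptions noted in the code.

```python
"""Parser and lookup for the Globus grid-mapfile described on slides 15 and 25.
Added example, not Globus code; it follows the file's documented layout (one
entry per line: the quoted subject DN, then one or more local user names
separated by commas; '#' starts a comment). The first six entries are the ones
on slide 15; the last entry, the proxy-stripping rule and the "first name is
the default" convention are assumptions added for illustration.
"""
import re
import shlex
from typing import Optional

SAMPLE_GRIDMAP = '''
# Distinguished name                                        Local username
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"       griduser1
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Tuan Anh"   tanguyen
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Thoai Nam"         griduser3
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Tran Van Hoai"     hoai
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"    dat
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"      griduser1
# constructed entry: a subject allowed to use several local accounts
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 2"       griduser2,griduser3
'''

# Assumption: a proxy subject is the user DN followed by "/CN=proxy" or
# "/CN=limited proxy" (legacy Globus) or "/CN=<number>" (RFC 3820) components.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def strip_proxy(subject: str) -> str:
    """Reduce a proxy subject to the end-entity (user) DN that the gridmap lists."""
    while _PROXY_CN.search(subject):
        subject = _PROXY_CN.sub("", subject)
    return subject


def parse_gridmap(text: str) -> dict:
    """Return {subject DN: [local users...]}. Malformed lines raise instead of being
    skipped: a silently dropped entry is a silent lockout (or, worse, a silent grant
    if the damage is elsewhere on the line)."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # handles the quoted DN and '#' comments
        if not tokens:
            continue
        if len(tokens) != 2 or not tokens[0].startswith("/"):
            raise ValueError(f'line {lineno}: expected "<DN>" <user>[,<user>...]')
        dn, users = tokens
        for user in users.split(","):
            if user and user not in mapping.setdefault(dn, []):
                mapping[dn].append(user)
    return mapping


def authorize(mapping: dict, subject: str, requested: Optional[str] = None) -> Optional[str]:
    """Dual function of the file (slide 25): an entry's presence is the authorization
    decision, its value the username mapping. The first listed name is the default;
    a client may request any of the listed alternatives. Returns the local user name,
    or None when access is denied."""
    users = mapping.get(strip_proxy(subject))
    if not users:
        return None
    if requested is None:
        return users[0]
    return requested if requested in users else None


def shared_accounts(mapping: dict) -> dict:
    """Local accounts used by more than one DN; for these a local log line alone
    cannot tell which grid user acted."""
    owners = {}
    for dn, users in mapping.items():
        for user in users:
            owners.setdefault(user, []).append(dn)
    return {user: dns for user, dns in owners.items() if len(dns) > 1}
```

shared_accounts() makes the slide 15 observation explicit: griduser1 (and, with the constructed entry, griduser3) is shared, so local logs of that account cannot attribute actions to one certificate subject without the GridNode's own authentication log.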

Page 26: VN-GRID Security

Authorization (4)

• Attribute-based authorization
– The user creates a Proxy Certificate with attributes (figure: the user's proxy carries a SAML assertion listing the attributes)

SAML: Security Assertion Markup Language

Page 27: VN-GRID Security

Authorization (5)

• Attribute-based authorization
– Authz on GridNodes (figure): each GridNode runs a PDP/PEP pair that evaluates the attributes in the proxy against the node's policies

PDP: Policy Decision Point; PEP: Policy Enforcement Point

Page 28: VN-GRID Security

Authorization (6)

• GridShib
– GridShib SAML Tools
• A SAML producer
• Binds a SAML assertion to an X.509 proxy certificate
• The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Token Profile)
– GridShib for Globus Toolkit
• A SAML consumer
• GridShib for GT (GS4GT) is a plug-in for GT 4.x

Page 29: VN-GRID Security

Authorization (7)

• GridShib for GT (GS4GT)

Page 30: VN-GRID Security

Authorization (8)

• GridShib for GT (GS4GT)
– Two separate attribute-based policy files
• Authorization Policy: a list of attributes [A0, A1, …, Am-1] the requester must present
• Username Mapping Policy: attribute lists mapped to local user lists
[A0, A1, …, Am1-1] -> [user0, user1, …, usern1-1]
[A0, A1, …, Am2-1] -> [user0, user1, …, usern2-1]
– A single XML-based policy file may encapsulate both types of policy
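A minimal Policy Decision Point for the two attribute-based policies above, given as an added example; it is not GridShib or Globus code. The SAML 2.0 assertion, the issuer URL, the attribute names and both policies are constructed for the example, and verification of the assertion's signature and of its binding to the proxy certificate is assumed to have happened before this point.

```python
"""Attribute-based authorization on a GridNode (slides 26-30): a small PDP that
evaluates the SAML attributes carried in a proxy certificate against an
authorization policy and a separate username-mapping policy.
Added example, not GridShib or Globus code. The assertion is a constructed SAML 2.0
fragment (its XML signature and its binding to the X.509 proxy are assumed to have
been verified already); the issuer URL, attribute names and policies are made up.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_a1" IssueInstant="2016-01-14T00:00:00Z">
  <saml:Issuer>https://idp.hcmut.example/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:vn-grid:vo"><saml:AttributeValue>vn-grid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:vn-grid:role">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>storage-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.hcmut.example/idp"}   # attribute authorities this node accepts

# Authorization Policy [A0 .. Am-1]: every attribute/value listed must be present.
AUTHZ_POLICY = {"urn:vn-grid:vo": "vn-grid", "urn:vn-grid:role": "member"}

# Username Mapping Policy: [A0 .. Am1-1] -> [user0 .. usern1-1]; first matching rule wins.
MAPPING_POLICY = [
    ({"urn:vn-grid:role": "storage-admin"}, ["gridstore"]),
    ({"urn:vn-grid:vo": "vn-grid"}, ["griduser1", "griduser2", "griduser3"]),
]


def parse_attributes(xml_text: str):
    """Return (issuer, {attribute name: set of values}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    attrs = {}
    for attribute in root.iter(SAML + "Attribute"):
        values = {v.text.strip() for v in attribute.findall(SAML + "AttributeValue") if v.text}
        attrs.setdefault(attribute.get("Name"), set()).update(values)
    return issuer, attrs


def satisfies(rule: dict, attrs: dict) -> bool:
    """A rule is a set of required (name, value) pairs; attributes are multi-valued."""
    return all(value in attrs.get(name, ()) for name, value in rule.items())


@dataclass
class Decision:
    allowed: bool
    local_user: Optional[str]
    reason: str


def pdp(subject_dn: str, assertion_xml: str) -> Decision:
    """Policy Decision Point for one request (slide 27); the PEP runs the job as
    `local_user` only when `allowed` is true."""
    issuer, attrs = parse_attributes(assertion_xml)
    if issuer not in TRUSTED_ISSUERS:
        return Decision(False, None, f"attributes from untrusted issuer {issuer!r}")
    if not satisfies(AUTHZ_POLICY, attrs):
        return Decision(False, None, "authorization policy not satisfied")
    for rule, users in MAPPING_POLICY:
        if satisfies(rule, attrs):
            # Pool account chosen per DN so the same user keeps the same account;
            # a real deployment leases pool accounts through a lock file instead.
            index = int(hashlib.sha256(subject_dn.encode()).hexdigest(), 16) % len(users)
            return Decision(True, users[index], f"mapped by attributes {sorted(rule)}")
    return Decision(False, None, "authorized, but no username mapping rule matched")
```

The issuer check comes first on purpose: attributes are only as trustworthy as the attribute authority that asserted them, so a node must reject assertions from issuers it has not configured before it looks at any attribute value.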

Page 31: VN-GRID Security

To do list

Building testbed system
• Resources: 03 GridNodes (03 sites)
• Install & configure GT4.x, GridShib

Programming
• CLI to create Proxy Certificate with Attributes
• Site Registration Service
• Update CAs list programs for VO Server/GridNode

Documentation
• Technical report
• Admin Guide

Page 32: VN-GRID Security

Appendix

Page 33: VN-GRID Security

Symmetric Encryption

• Encryption and decryption functions that use the same key are called symmetric
– In this case everyone wanting to read encrypted data must share the same key
• DES is an example of symmetric encryption (DES is obsolete today; AES is its replacement)

Page 34: VN-GRID Security

Asymmetric Encryption• Encryption and decryption functions that use a key pair are called asymmetric– Keys are mathematically linked

• RSA is an example of asymmetric encryption

Page 35: VN-GRID Security

Asymmetric Encryption

• When data is encrypted with one key, the other key must be used to decrypt the data
• And vice versa

Page 36: VN-GRID Security

Public and Private Keys

• With asymmetric encryption each user can be assigned a key pair: a private and public key

Private key is known only to owner

Public key is given away to the world

Page 37: VN-GRID Security

Public and Private keys

• Anything encrypted with the private key can only be decrypted with the public key
• And vice versa
• Since the private key is known only to the owner, this is very powerful…

Page 38: VN-GRID Security

Digital Signatures• Digital signatures allow the world to verify I created a hunk of data– e.g. email, code

Page 39: VN-GRID Security

Digital Signatures

• Digital signatures are created by encrypting a hash of the data with my private key
• The resulting encrypted data is the signature
• This hash can then only be decrypted by my public key

This "encrypt the hash" picture is specific to textbook RSA: deployed RSA signatures pad the hash (PKCS#1 v1.5 or PSS) before the private-key operation, and schemes such as DSA and ECDSA are not encryption at all.

Page 40: VN-GRID Security

Digital Signature

• Given some data with my signature, if you decrypt the signature with my public key and get the hash of the data, you know it was encrypted with my private key

Page 41: VN-GRID Security

Digital Signature

• Since I'm the only one with access to my private key, you know I signed the hash and the data associated with it
• But, how do you know that you have my correct public key?
• Answer: A Public Key Infrastructure… ?