VN-GRID Security
Nguyen Cao Dat
Outline
• Grid Security on EDAGrid
  – EDAGrid topology
  – Authentication
  – Authorization
  – Message protection
  – Security issues
• Grid Security on VN-GRID
  – VN-GRID topology
  – Authentication
  – Authorization
  – To do list
Grid Security on EDAGrid
EDAGrid topology
(Diagram) One site, which is one Virtual Organization: a Certification Authority, a VO Server, and GridNodes 1 and 2.
How a user is authenticated by a GridNode
Obtaining a Certificate
• Create a public/private key pair and an unsigned certificate (grid-cert-request command). The certificate holds the Subject, the Public Key and the Issuer (CA); the private key is stored encrypted.
• Mail the unsigned certificate to the CA admin by e-mail.
• Receive a signed certificate (the same fields plus the Signature of the CA).
How a user is authenticated by a GridNode (2)
By checking the signature, one can determine that a public key belongs to a given user.
(Diagram) Certificate fields: Subject, Public Key, Issuer, Signature. The verifier hashes the certificate contents, decrypts the Signature with the Issuer's public key, and compares the two values (=?).
How a user is authenticated by a GridNode (3)
(Diagram) Challenge-response between user and server:
1. The user sends its certificate (Subject, Public Key, Issuer (CA), Digital Signature).
2. The server checks the public key and sends a challenge string (e.g. QAZWSXEDC…).
3. The user encrypts the challenge string with its private key (kept encrypted on disk) and returns the encrypted challenge string (e.g. PL<OKNIJBN…).
4. The server decrypts the reply with the public key from the certificate and compares it with the challenge string it sent.
How a user is authenticated by GridNodes
(Diagram) The user communicates with GridNode A and GridNode B; communication, remote file access requests and remote process creation requests between the nodes all use mutual authentication. Two further requirements: Single Sign-on and Delegation.
How a user is authenticated by GridNodes (2): Create Proxy Certificate
(Diagram) grid-proxy-init takes the User Certificate (Subject, Public Key, Issuer (CA), Digital Signature) and the user's encrypted private key, and signs a Proxy Certificate: Subject = user Subject/Proxy, a new public key, a new private key (not encrypted), Issuer = the user, Digital Signature = the user's. The proxy therefore carries the identity of the user.
How a user is authenticated by GridNodes (3)
Proxy Certificate
• Minimizes exposure of the user's private key.
• A "proxy certificate" is a special type of certificate that is signed by the normal end entity certificate, or by another proxy.
• Short-lived.
• The proxy's private key is not encrypted; it relies on file system security, so the proxy certificate file must be readable only by its owner.
How a user is authenticated by GridNodes (4)
Delegation
• Remote creation of a user proxy.
• Results in a new private key and proxy certificate, signed by the original key.
• Allows a remote process to act on behalf of the user.
• Avoids sending private keys across the network.
(Diagram) The user runs grid-proxy-init on GridNode1, producing the Proxy-1 key pair and certificate signed with the User private key. GridNode2 generates the Proxy-2 key pair and sends only the Proxy-2 public key to GridNode1, which signs the Proxy-2 certificate with the Proxy-1 private key and returns it; the Proxy-2 private key stays on GridNode2.
How a user is authenticated by GridNodes (5)
Traverse the certificate chain to verify identity:
• User Certificate, signed by the CA: the User Identity is the certificate subject.
• Proxy Certificate, signed by the User Certificate, signed by the CA: the proxy inherits the User Identity.
• Proxy Certificate, signed by a Proxy Certificate, signed by the User Certificate, signed by the CA: a delegated proxy still resolves to the same User Identity.
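An added example (not code from the slides or from Globus) of the signature check in slide (2) and the chain traversal above, using a toy RSA built from fixed Mersenne primes so it runs stand-alone; the certificate layout, the "/CN=proxy" naming rule, the CA name and the key sizes are assumptions made for illustration.

```python
import hashlib
from collections import namedtuple

# Toy RSA keys from fixed Mersenne primes (constructed for illustration only;
# real GSI uses full-size RSA keys carried in X.509 certificates).
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)             # (public, private)

# Certificate fields as on the slides: Subject, Public Key, Issuer, Signature.
Cert = namedtuple("Cert", "subject pubkey issuer signature")
PROXY = "/CN=proxy"   # assumed naming rule: a proxy's subject extends its issuer's

def digest(subject, pubkey, issuer, n):
    body = f"{subject}|{pubkey[0]}|{pubkey[1]}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, pubkey, issuer, issuer_priv):
    d, n = issuer_priv   # sign = "encrypt" the hash with the issuer's private key
    return Cert(subject, pubkey, issuer, pow(digest(subject, pubkey, issuer, n), d, n))

def verify_sig(cert, issuer_pub):
    e, n = issuer_pub    # "decrypt" with the issuer's public key and compare (=?)
    return pow(cert.signature, e, n) == digest(cert.subject, cert.pubkey, cert.issuer, n)

def verify_chain(chain, trusted_cas):
    """chain[0] is the leaf, chain[-1] the CA; returns the user identity or None."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify_sig(cert, issuer.pubkey):
            return None  # broken link: wrong issuer name or bad signature
        if cert.subject != issuer.subject + PROXY and issuer.subject not in trusted_cas:
            return None  # only the CA may certify a name that is not "<issuer>/CN=proxy"
    root = chain[-1]
    if root.subject not in trusted_cas or not verify_sig(root, root.pubkey):
        return None      # untrusted or not self-signed trust anchor
    identity = chain[0].subject
    while identity.endswith(PROXY):    # strip proxy levels back to the user identity
        identity = identity[:-len(PROXY)]
    return identity

# Constructed chain: CA -> user cert -> proxy (grid-proxy-init) -> delegated proxy.
CA_DN = "/O=Grid/CN=Example CA"      # constructed name
USER_DN = "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"
ca_pub, ca_priv = make_key(2**127 - 1, 2**107 - 1)
user_pub, user_priv = make_key(2**89 - 1, 2**61 - 1)
p1_pub, p1_priv = make_key(2**31 - 1, 2**19 - 1)
p2_pub, _ = make_key(2**17 - 1, 2**13 - 1)
ca_cert = issue(CA_DN, ca_pub, CA_DN, ca_priv)                 # self-signed
user_cert = issue(USER_DN, user_pub, CA_DN, ca_priv)           # signed by the CA
proxy1 = issue(USER_DN + PROXY, p1_pub, USER_DN, user_priv)    # signed by the user
proxy2 = issue(proxy1.subject + PROXY, p2_pub, proxy1.subject, p1_priv)  # delegation
CHAIN = [proxy2, proxy1, user_cert, ca_cert]
```

`verify_chain(CHAIN, {CA_DN})` resolves the delegated proxy to USER_DN, while a proxy signed with the wrong key or a chain ending in an untrusted CA yields None.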
How a user is authenticated by GridNodes (6)
Example
Create a proxy certificate:
    $ grid-proxy-init
    Enter PEM pass phrase: *****
Remote authentication test:
    $ globusrun -a -r hostname
Running a job on a remote node:
    $ globus-job-run hostname <executable>
    $ globusrun-ws …
Authorization
(Diagram) A Grid Identity is mapped to a local name on each resource, and that resource's Local Policy is then applied.
• Identity Mapping: the user is mapped to local identities to determine local policy.
Authorization (2): Gridmap File
• The gridmap file is maintained by the Globus administrator.
• Each entry maps a Grid-id (the certificate's distinguished name) into local user name(s).
    # Distinguished name                                      Local username
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"       griduser1
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Tuan Anh"   tanguyen
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Thoai Nam"         griduser3
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Tran Van Hoai"     hoai
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"    dat
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"      griduser1
Message protection
• Uses certificates and TCP sockets (SSL/TLS) to provide a secured connection.
• Authentication of one or both parties using the certificates.
• Message protection: Confidentiality (encryption) and Integrity.
EDAGrid Security Infrastructure
GSI is:
• PKI (CAs and Certificates): PKI for credentials.
• SSL/TLS: SSL for authentication and message protection.
• Proxies and Delegation (GSI extensions) for secure single sign-on.
PKI: Public Key Infrastructure
Security issues
• Authentication issues
  – User interface
  – Single CA vs. multiple CAs
  – Credential management
• Authorization issues
  – What happens if there are thousands to millions of users? The grid-mapfile doesn't scale well, and works only at the resource level, not the collective level (site level).
• Accounting issues
  – Logs from VOInformation are not enough.
  – Billing system.
Grid Security on VN-GRID
VN-GRID topology
(Diagram) Site 1 and Site 2, each with its own Certification Authority, VO Server, and GridNodes 1 and 2.
Authentication
• Goals
  – Support multiple CAs.
  – User: transparent authentication (proxies/delegation).
  – Site/individual node: easy to adhere to VN-GRID.
Authentication (2)
• Multiple CAs
  – Manual update -> simple.
  – Automatic update solution (Diagram): 1. Site N's CA sends a request; 2. it receives a certificate; 3. the site adheres through the Portal; 4. the answer is Agree / Not Agree. The Portal keeps the CAs data and updates the CAs list.
Authorization
• Goals
  – Support thousands to millions of users from sites.
  – Compatible with site/local security policies.
  – Easy to understand and verify.
  – Easy to administer.
(Diagram) Three levels of access: granted by the local site to the community, granted by the community to the user, and granted by the site to the user.
Authorization (2)
• Approaches
  – "Classic" authorization method: identity mapping
  – Attribute-based authorization methods: CAS (Community Authorization Service), VOMS (Virtual Organization Membership Service), PERMIS, GridShib, caBIG tools
Authorization (3)
• Identity mapping
  – Gridmap file format: Subject DN -> [user0, user1, …, usern-1]
  – Dual-function identity-based gridmap file: Authorization Policy and Username Mapping Policy
  – A single gridmap file serves both functions
Authorization (4)
• Attribute-based authorization
  – The user creates a Proxy Certificate with attributes (a SAML assertion carried in the proxy).
SAML: Security Assertion Markup Language
Authorization (5)
• Attribute-based authorization
  – Authz on GridNodes (Diagram): each GridNode runs a PDP/PEP that evaluates the node's policies against the attributes in the proxy.
PDP: Policy Decision Point; PEP: Policy Enforcement Point
Authorization (6)
• GridShib
  – GridShib SAML Tools
    • A SAML producer
    • Binds a SAML assertion to an X.509 proxy certificate
    • The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Token Profile).
  – GridShib for Globus Toolkit
    • A SAML consumer
    • GridShib for GT (GS4GT) is a plug-in for GT 4.x
Authorization (7)
• GridShib for GT (GS4GT) (architecture diagram)
Authorization (8)
• GridShib for GT (GS4GT)
  – Two separate attribute-based policy files
    • Authorization Policy: [A0, A1, …, Am-1]
    • Username Mapping Policy: [A0, A1, …, Am1-1] -> [user0, user1, …, usern1-1]; [A0, A1, …, Am2-1] -> [user0, user1, …, usern2-1]
  – A single XML-based policy file may encapsulate both types of policies
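An added example (not the deck's or Globus's code) contrasting the two policy styles of Authorization (2), (3) and (8): a parser for the identity-based gridmap file, which is at once the authorization policy and the username mapping, beside a simplified attribute-based authorization and mapping policy. The gridmap text is constructed from the DNs on the slide; the attribute names and the dict-shaped policies are assumptions, since the real GS4GT policy files are XML.

```python
import shlex

# Gridmap text constructed from the DNs on the slide; "griduser1,griduser2" is a
# constructed entry showing that one DN may map to several local accounts.
GRIDMAP = """
# Distinguished name                                        Local username
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"         griduser1,griduser2
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"      dat
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"        griduser1
"""

def parse_gridmap(text):
    """Return {DN: [local users]}; shlex keeps the quoted DN (with spaces) as one token."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap line: {line!r}")
        mapping[parts[0]] = parts[1].split(",")
    return mapping

def authorize_by_identity(dn, gridmap):
    """Dual function: presence of the DN grants access, its value picks the local account."""
    users = gridmap.get(dn)
    return (True, users[0]) if users else (False, None)

# Attribute policies in a simplified form (assumed; real GS4GT policy files are XML).
# Each entry is a set of SAML attribute values [A0..Am-1] the proxy must carry.
AUTHZ_POLICY = [{"eduPersonAffiliation": "member"}, {"eduPersonAffiliation": "faculty"}]
MAPPING_POLICY = [
    ({"eduPersonAffiliation": "faculty", "ou": "CSE"}, ["cse_faculty"]),
    ({"eduPersonAffiliation": "member"}, ["griduser"]),
]

def authorize_by_attributes(attrs, authz_policy=AUTHZ_POLICY, mapping_policy=MAPPING_POLICY):
    """attrs: attributes from the SAML assertion bound to the proxy certificate."""
    def matches(required):
        return all(attrs.get(k) == v for k, v in required.items())
    if not any(matches(req) for req in authz_policy):
        return (False, None)                 # authorization policy: no matching attribute set
    for required, users in mapping_policy:
        if matches(required):
            return (True, users[0])          # username mapping policy
    return (True, None)                      # authorized, but no local account assigned
```

Note the split the slide describes: with attributes, a proxy can be authorized without any local account being assigned, whereas the gridmap cannot grant access without naming one.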
To do list
• Building the testbed system
  – Resources: 03 GridNodes (03 sites)
  – Install & configure GT4.x, GridShib
• Programming
  – CLI to create Proxy Certificate with Attributes
  – Site Registration Service
  – Update CAs list programs for VO Server/GridNode
• Documentation
  – Technical report
  – Admin Guide
Appendix
Symmetric Encryption
• Encryption and decryption functions that use the same key are called symmetric.
  – In this case everyone wanting to read encrypted data must share the same key.
• DES is an example of symmetric encryption.
Asymmetric Encryption
• Encryption and decryption functions that use a key pair are called asymmetric.
  – The keys are mathematically linked.
• RSA is an example of asymmetric encryption.
• When data is encrypted with one key, the other key must be used to decrypt the data, and vice versa.
Public and Private Keys
• With asymmetric encryption each user can be assigned a key pair: a private and a public key.
  – The private key is known only to the owner.
  – The public key is given away to the world.
• Anything encrypted with the private key can only be decrypted with the public key, and vice versa.
• Since the private key is known only to the owner, this is very powerful…
Digital Signatures
• Digital signatures allow the world to verify that I created a chunk of data, e.g. e-mail, code.
• Digital signatures are created by encrypting a hash of the data with my private key.
• The resulting encrypted data is the signature.
• This hash can then only be decrypted by my public key.
• Given some data with my signature, if you decrypt the signature with my public key and get the hash of the data, you know it was encrypted with my private key.
• Since I'm the only one with access to my private key, you know I signed the hash and the data associated with it.
• But, how do you know that you have my correct public key?
• Answer: A Public Key Infrastructure… ?