www.geogrid.org 1 Introduction of Grid Security Introduction of Grid Security Yoshio Tanaka AIST, Japan

Upload: john-coughlin

Post on 27-Mar-2015


Page 1: Www.geogrid.org 1 Introduction of Grid Security Yoshio Tanaka AIST, Japan

www.geogrid.org

Introduction of Grid Security

Yoshio Tanaka, AIST, Japan

Page 2: Again, what is Grid?

Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations
- Communities committed to common goals
- Assemble a team with heterogeneous members & capabilities
- Distribute across geography and organization

This slide is by courtesy of Ian Foster @ ANL

Page 3: Key Technologies: GSI and VOMS

- Grid Security Infrastructure (GSI) is the standard security technology used in the current Grid communities.
  - Based on Public Key Infrastructure (PKI) and X.509 certificates.
- Virtual Organization Membership Service (VOMS) is software for creating/managing VOs.
  - Developed by European communities
  - Based on GSI

Page 4: GSI: Grid Security Infrastructure

- Authentication and authorization using standard protocols and their extensions.
  - Authentication: identify the entity
  - Authorization: establish rights
- Standards: PKI, X.509, SSL, ...
- Extensions: single sign-on and delegation
  - Entering the pass phrase is required only once
  - Implemented by proxy certificates

Page 5: PKI and X.509 certificate

- Public Key Infrastructure (a pair of asymmetric keys)
  - Private key is used for data encryption (that is, for signing)
  - Public key is used for data decryption (that is, for verifying the signature)
- Every entity (users, computers, etc.) is required to obtain a certificate issued by a trusted Certificate Authority (CA)
- X.509 certificates contain
  - Name of the Subject
  - Public key of the Subject
  - Name of the Certificate Authority (CA) which has signed it, to match key and identity
  - Digital Signature of the signing CA

[Figure: a certificate with the fields Subject DN, Public Key, Issuer (CA), Digital Signature]

Page 6: How a user is authenticated by a server

[Figure: challenge-response between user and server, showing the user certificate (Subject DN, Public Key, Issuer (CA), Digital Signature), the user's encrypted private key, and the public key of the CA]
1. The user sends the certificate to the server ("Send Cert.").
2. The server verifies the CA's digital signature on the certificate with the public key of the CA, which ties the public key to the Subject DN.
3. The server sends a challenge string (e.g. "QAZWSXEDC...") to the user.
4. The user encrypts the challenge string with the private key (unlocked with the pass phrase) and returns the encrypted challenge string (e.g. "PL<OKNIJBN...").
5. The server decrypts the reply with the public key from the certificate and checks that it matches the challenge.

Page 7: Requirements for Grid security

[Figure: a user, server A and server B]
- Communication* between the user and the servers
- Remote file access requests*
- Remote process creation requests*
- Single sign-on
- Delegation

* with mutual authentication

Page 8: PKI and X.509 certificate (cont'd)

- X.509 certificates
  - Similar to a driving license. The photo on the license corresponds to a public key.
  - Issued by a CA
  - Validity of the certificate depends on the opposite entity's policy

[Figure: a driving license (NAME: Taro Sanso; Address: 1-1-1, Umezono, Tsukuba; Valid until Dec. 31, 2003; issued by a state/prefecture) beside a User Certificate (Subject DN, Public Key, Issuer (CA), Digital Signature; issued by a CA). Both identify the entity; the private key (encrypted) stays with the user.]

Page 9: X.509 Proxy Certificate

- Defines how a short-term, restricted credential can be created from a normal, long-term X.509 credential
- A "proxy certificate" is a special type of X.509 certificate that is signed by the normal end entity cert, or by another proxy
- Supports single sign-on & delegation through "impersonation"

Page 10: User Proxies

- Minimize exposure of the user's private key
- A temporary X.509 proxy credential for use by our computations
  - We call this a user proxy certificate
  - Allows a process to act on behalf of the user
  - User-signed user proxy cert stored in a local file
  - Created via the "grid-proxy-init" command
- The proxy's private key is not encrypted
  - Relies on file system security: the proxy certificate file must be readable only by the owner

Page 11: User Proxies (cont'd)

[Figure: grid-proxy-init takes the User Certificate (Subject DN, Public Key, Issuer (CA), Digital Signature) and the encrypted private key, which together carry the identity of the user, and signs a Proxy Certificate: Subject DN/Proxy, (new) public key, (new) private key (not encrypted), Issuer (user), Digital Signature (user).]

Page 12: Delegation

- Remote creation of a user proxy
- Results in a new private key and X.509 proxy certificate, signed by the original key
- Allows a remote process to act on behalf of the user
- Avoids sending passwords or private keys across the network

[Figure: Client and Server. The client holds the User certificate (User Public Key, signed with the CA Private key), the User Private key, and the Proxy-1 certificate (Proxy-1 Public Key) with the Proxy-1 private key created by grid-proxy-init. The server generates the Proxy-2 key pair and keeps the Proxy-2 private key; only the Proxy-2 public key is sent to the client, which signs it with the Proxy-1 private key and returns the Proxy-2 certificate.]

Page 13: Traverse Certificate Chain to verify identity

[Figure: three chains, each resolved to the User Identity: CA -> User Certificate; CA -> User Certificate -> Proxy Certificate; CA -> User Certificate -> Proxy Certificate -> Proxy Certificate.]
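The challenge-response of page 6, proxy creation of page 11, delegation of page 12 and chain traversal of page 13, modelled together in one added example. This is not code from the slides or from the Globus Toolkit: it uses textbook RSA with 128-bit moduli so it runs on the standard library alone, and is useless as real cryptography (no padding, no expiry, tiny keys). The proxy naming "/CN=proxy" follows the legacy GSI convention for the slide's "Subject DN/Proxy"; the CA name "/C=JP/O=AIST/CN=Toy CA" is constructed, the two user DNs are the ones on page 16.

```python
"""Toy model of GSI credentials: CA -> user cert -> proxy -> delegated proxy.
Added example with textbook RSA; not secure and not the slides' or Globus code."""
import hashlib
import math
import random

E = 65537                                      # public exponent for every toy key
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(rng: random.Random, bits: int = 64):
    """Return ((n, e), (n, d)): a toy RSA public and private key."""
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand not in primes and _is_probable_prime(cand) and math.gcd(cand - 1, E) == 1:
            primes.append(cand)
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))


def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """'Encrypt with the private key' in the slides' wording: hash, then RSA."""
    n, d = priv
    return pow(_h(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


def _tbs(cert: dict) -> bytes:
    """The to-be-signed fields: subject DN, public key, issuer DN."""
    return f"{cert['subject']}|{cert['public_key']}|{cert['issuer']}".encode()


def issue(subject: str, pub, issuer: str, issuer_priv) -> dict:
    cert = {"subject": subject, "public_key": pub, "issuer": issuer}
    cert["signature"] = sign(issuer_priv, _tbs(cert))
    return cert


def grid_proxy_init(chain: list, signer_priv, rng: random.Random):
    """Page 11: new key pair, proxy cert signed by the chain's last private key.
    Returns (chain + [proxy], proxy private key); the proxy key stays unencrypted."""
    pub, priv = keygen(rng)
    parent = chain[-1]["subject"]
    return chain + [issue(parent + "/CN=proxy", pub, parent, signer_priv)], priv


def delegate(chain: list, signer_priv, remote_pub) -> list:
    """Page 12: the server made its own key pair and sent only the public half;
    the client signs a proxy for it, so no private key crosses the wire."""
    parent = chain[-1]["subject"]
    return chain + [issue(parent + "/CN=proxy", remote_pub, parent, signer_priv)]


def verify_chain(chain: list, trusted_cas: dict) -> str:
    """Page 13: walk from the innermost proxy back to a trusted CA; return the user DN."""
    for i in range(len(chain) - 1, 0, -1):
        cert, parent = chain[i], chain[i - 1]
        # a proxy may only extend its issuer's DN, never claim another identity
        if cert["issuer"] != parent["subject"] or cert["subject"] != parent["subject"] + "/CN=proxy":
            raise ValueError("broken chain at " + cert["subject"])
        if not verify(parent["public_key"], _tbs(cert), cert["signature"]):
            raise ValueError("bad signature on " + cert["subject"])
    root = chain[0]
    ca_pub = trusted_cas.get(root["issuer"])     # the trust store, like /etc/grid-security/certificates
    if ca_pub is None or not verify(ca_pub, _tbs(root), root["signature"]):
        raise ValueError("end-entity certificate not signed by a trusted CA")
    return root["subject"]


def authenticate(chain: list, prover_priv, trusted_cas: dict, rng: random.Random):
    """Page 6: the server validates the chain, sends a challenge, and checks the
    signed reply against the innermost certificate's public key. DN or None."""
    try:
        identity = verify_chain(chain, trusted_cas)
    except ValueError:
        return None
    challenge = rng.getrandbits(128).to_bytes(16, "big")   # server -> client
    response = sign(prover_priv, challenge)                 # client -> server
    return identity if verify(chain[-1]["public_key"], challenge, response) else None


def demo(seed: int = 7) -> dict:
    """Build CA, user, proxy and delegated proxy; try six authentications."""
    rng = random.Random(seed)
    ca_dn = "/C=JP/O=AIST/CN=Toy CA"                       # constructed CA name
    user_dn = "/C=JP/O=AIST/O=GRID/CN=Yoshio Tanaka"       # DN from page 16
    ca_pub, ca_priv = keygen(rng)
    user_pub, user_priv = keygen(rng)
    chain = [issue(user_dn, user_pub, ca_dn, ca_priv)]
    chain1, proxy1_priv = grid_proxy_init(chain, user_priv, rng)   # single sign-on
    remote_pub, remote_priv = keygen(rng)                         # generated on the server
    chain2 = delegate(chain1, proxy1_priv, remote_pub)            # delegation
    # forged: the delegated proxy is relabelled with another user's DN from page 16
    forged = chain2[:-1] + [dict(chain2[-1], subject="/C=JP/O=AIST/O=GRID/CN=Ryosuke Nakamura/CN=proxy")]
    trusted = {ca_dn: ca_pub}
    return {"user": authenticate(chain, user_priv, trusted, rng),
            "proxy": authenticate(chain1, proxy1_priv, trusted, rng),
            "delegated": authenticate(chain2, remote_priv, trusted, rng),
            "wrong_key": authenticate(chain2, proxy1_priv, trusted, rng),
            "forged_subject": authenticate(forged, remote_priv, trusted, rng),
            "untrusted_ca": authenticate(chain2, remote_priv, {}, rng)}
```

Running demo() returns the user DN for the direct, proxy and delegated cases and None for the three failure cases: a reply signed with a key that does not match the innermost certificate, a proxy whose subject does not derive from its issuer's DN, and a chain whose CA is not in the trust store. The subject-derivation check in verify_chain is the part that makes "impersonation" safe: a proxy can only ever speak for the identity that signed it.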

Page 14: Requirements for users

- Obtain a certificate issued by a trusted CA
  - You can launch your own CA for tests
  - The certificate and the signing policy file of the CA should be put in an appropriate directory (/etc/grid-security/certificates).
  - The International Grid Trust Federation (IGTF) is a community for building trust.
- Create a Proxy Certificate in advance
  - Need to enter the pass phrase for the decryption of the private key. Only once!
  - A proxy certificate will be used for further authentication.

Page 15: Summary of GSI

- Every entity has to obtain a certificate.
- Treat your private key carefully!!
  - The private key is stored only in well-guarded places, and only in encrypted form
- Create a user proxy in advance
  - Run the grid-proxy-init command (virtual login to the Grid environment)
  - A proxy certificate will be generated on the user's machine.
- Single sign-on and delegation enable easy and secure access to remote resources.

Page 16: What's the role of VOMS?

- GSI provides the basic technology for authentication (who is the user).
- Another framework is necessary for authorization (what the user can do).
- The most naive approach is to map each user to a local account on each server:
  "/C=JP/O=AIST/O=GRID/CN=Yoshio Tanaka" yoshio
  "/C=JP/O=AIST/O=GRID/CN=Ryosuke Nakamura" ryosuke
  .....
- What happens if there are thousands to millions of users?

Page 17: What's the role of VOMS? (cont'd)

- VOMS provides a mechanism for VO-based authorization.
  - Users are registered to VO(s)
  - Users can belong to Group(s) in the VO
  - Users can be assigned Role(s)
- Service providers can configure the system to control access based on
  - VO: all users in a VO can access the service
  - Group: users in a specific group can access the service
  - Group & Role: users in a specific group with a specific role can access the service
- It is implemented by embedding "VOMS attributes" in the user's proxy certificate.
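The naive DN-to-account mapping of page 16 and the VO, Group and Group & Role access options of page 17, as one added example that is not code from the slides or from VOMS. The grid-mapfile text reuses the two DNs on page 16; the VO name "geogrid", the group "/geogrid/aster", the role "admin", the three services and the three users' attribute sets are constructed. The attribute strings follow the VOMS FQAN form "/vo/group/Role=r/Capability=c".

```python
"""VO-based authorization over VOMS-style attributes (added example; VO, group,
role and service names are constructed, the two DNs come from page 16)."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Page 16: the naive approach, one local account per user DN (grid-mapfile format).
GRID_MAPFILE = '''
# subject DN (quoted, since DNs contain spaces)   local account
"/C=JP/O=AIST/O=GRID/CN=Yoshio Tanaka" yoshio
"/C=JP/O=AIST/O=GRID/CN=Ryosuke Nakamura" ryosuke
'''


def parse_grid_mapfile(text: str) -> dict:
    """Return {subject DN: local account}; one entry per user, hence the scaling problem."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)             # shlex handles the quoted DN
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        mapping[parts[0]] = parts[1]
    return mapping


# Page 17: VOMS attributes carried in the proxy, expressed as FQANs.
@dataclass(frozen=True)
class FQAN:
    """Fully Qualified Attribute Name, e.g. /geogrid/aster/Role=admin/Capability=NULL."""
    vo: str
    group: str               # full group path; the VO's top-level group is "/<vo>"
    role: Optional[str]      # None when the attribute carries Role=NULL


_FQAN_RE = re.compile(r"^(/[^/=]+(?:/[^/=]+)*)(?:/Role=([^/]+))?(?:/Capability=([^/]+))?$")


def parse_fqan(text: str) -> FQAN:
    m = _FQAN_RE.match(text)
    if not m:
        raise ValueError("not an FQAN: %r" % text)
    group, role, _capability = m.groups()
    return FQAN(vo=group.split("/")[1], group=group,
                role=None if role in (None, "NULL") else role)


@dataclass(frozen=True)
class AccessRule:
    """One rule configured by a service provider; None means 'any'."""
    vo: str
    group: Optional[str] = None
    role: Optional[str] = None

    def matches(self, f: FQAN) -> bool:
        return (f.vo == self.vo
                and (self.group is None or f.group == self.group)
                and (self.role is None or f.role == self.role))


def authorize(fqans, rules) -> Optional[AccessRule]:
    """First rule satisfied by any attribute in the proxy, or None (deny)."""
    attrs = [parse_fqan(f) for f in fqans]
    for rule in rules:
        if any(rule.matches(a) for a in attrs):
            return rule
    return None


# Three constructed services, one per access-control option on page 17.
SERVICES = {
    "vo_level": [AccessRule("geogrid")],
    "group_level": [AccessRule("geogrid", "/geogrid/aster")],
    "group_and_role": [AccessRule("geogrid", "/geogrid/aster", "admin")],
}

# Constructed attribute sets, as a VOMS server would embed them in three users' proxies.
PROXY_ATTRS = {
    "aster admin": ["/geogrid/aster/Role=admin/Capability=NULL",
                    "/geogrid/Role=NULL/Capability=NULL"],
    "plain member": ["/geogrid/Role=NULL/Capability=NULL"],
    "other VO": ["/othervo/Role=NULL/Capability=NULL"],
}


def allowed_services(fqans) -> set:
    """Names of the services in SERVICES that grant access to these attributes."""
    return {name for name, rules in SERVICES.items() if authorize(fqans, rules) is not None}
```

The service side never sees a per-user entry: it matches the attributes the VO put in the proxy against its own rules, so adding a user is a VOMS registration rather than a grid-mapfile edit on every server. Group matching here is exact; a member of "/geogrid/aster" reaches the VO-level service through the separate "/geogrid" attribute, not by implication.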

Page 18: Introduction of Grid and its technology

Yoshio Tanaka
National Institute of Advanced Industrial Science and Technology (AIST), Japan

Page 19: What is the GEO Grid?

The GEO (Global Earth Observation) Grid aims at providing an e-Science infrastructure for worldwide Earth Sciences communities to accelerate GEO sciences, based on the concept that relevant data and computation are virtually integrated, with access control and an easy-to-use interface, enabled by a set of Grid and Web service technologies.

[Figure: Geo* contents (Satellite Data, Map, Geology, GIS data, Field data) and applications (Environment, Resources, Disaster mitigation) connected through Grid Technologies]

- AIST: OGF Gold sponsor (a founding member)
- AIST: OGC Associate member (since 2007)

Page 20: Overview and usage model of the GEO Grid system

- User-level authentication and VO-level authorization
  - A user's rights are managed (assigned) by an administrator of the VO the user belongs to.
  - Access control to a service is configured by the service provider according to the publication policy. There are several options for the access control: VO-level, Group/Role-based, User-level, etc.
- Scalable architecture for the number of users.

Page 21: [Figure: GEO Grid system architecture]

- Data sources: TDRS, Terra/ASTER, ERSDIS/NASA, reached over APAN/TransPAC
- GEO Grid Cluster: L0 data, storage (DEM)
- Servers: GIS server (WFS, WCS), map server (WMS, maps), catalogue/metadata server (CSW, metadata), gateway server (OGSA-DAI, GRAM, GridFTP), portal server
- Security: GSI + VOMS between the portal, the gateway and the data services; account (GAMA) server with Account DB; VO (VOMS) server with VO DB
- User interactions: login, credential, GET, query, exec