Proxy certificate

Enabling Grids for E-sciencE
Authentication, Authorisation and Security
www.eu-egee.org
EGEE-II INFSO-RI-031688
Security Services
Security Overview
[Diagram: Security overview. The Grid Security Infrastructure covers Authentication, Authorization, Encryption and Data Integrity.]
Basis of security & authentication
• Asymmetric encryption…
[Diagram: plain text encrypted with one key of the pair (here the public key) becomes encrypted text; the other key (the private key) turns it back into plain text.]
– The private key and the public key form a pair: it is infeasible to derive one key from the other.
– A message encrypted with one key can be decrypted only with the other one.
• Examples of public key algorithms:
– Diffie-Hellman (1977)
– RSA (1978)
An Example of Public Key Algorithms
• Public keys are exchanged
– Paul gets John’s public key.
• Paul ciphers using the public key of John.
• John decrypts using his private key.
• This ensures data confidentiality.
[Diagram: John’s keys (public, private). Paul encrypts “ciao” with John’s public key into “3$r”; John decrypts “3$r” with his private key and recovers “ciao”.]
Data Integrity - Digital Signature
• Paul calculates the hash of the message.
• Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
• Paul sends the signed message to John.
• John calculates the hash of the message (Hash B).
• John decrypts the signature using Paul’s public key to get Hash A.
• If the hashes are equal:
1. the message wasn’t modified;
2. hash A was produced with Paul’s private key (Paul encrypted it).
[Diagram: Paul’s keys (public, private). Paul: message, Hash A, Digital Signature; the message and the Digital Signature are sent to John. John: message, Hash B; Digital Signature, Hash A; compare Hash A =? Hash B.]
Digital Signature (cont.)
• With a digital signature it is easy to establish that:
– I received the message that you intended to send me;
– you are really the person who sent this message.
Digital Certificate ( or Certificate)
• Certificate
– It is based on the digital signature mechanism.
– The Grid authenticates users or resources by verifying their certificate.
– A certificate is issued by one of the national Certification Authorities.
[Diagram: user’s certificate = Public Key + User’s Information + CA’s Digital Signature. The CA signs the certificate; the user key stays with the user.]
X.509 Certificates
• An X.509 certificate contains:
– the owner’s public key;
– the identity of the owner, e.g. Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
– info on the CA, e.g. Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
– the time of validity, e.g. Expiration date: Aug 26 08:08:14 2005 GMT
– the serial number, e.g. Serial number: 625 (0x271)
– optional extensions;
– the digital signature of the CA.
Proxy certificate (my agent)
[Diagram: the user cert (information + CA’s signature) together with the user key signs a proxy certificate (information + user’s signature), which has its own proxy key.]
Proxy delegation (my agent’s agent)
[Diagram: the proxy1 cert (information + user’s signature) together with the proxy1 key signs a proxy2 cert (information + proxy1’s signature), which has its own proxy2 key.]
Proxy delegation chain
[Diagram: delegation chain. proxy1 cert carries the user’s signature, proxy2 cert carries proxy1’s signature, proxy3 cert carries proxy2’s signature, …, proxyN cert carries proxy N-1’s signature; each proxy (proxy1 … proxyN) has its own key and signs the next one.]
• Every proxy can represent the user
• Proxy certificates extend X.509 certificates
– Short-lived certificates signed by the user’s certificate or a proxy
– Reduces security risk, enables delegation
• “Single sign on” can be attained.
Evolution of VO management
• VOMS
– VO Administration:
 check which VO the user belongs to;
 add the VO information to the user’s proxy certificate.
• voms-proxy-init
– a gLite command to
 contact the VOMS with the user’s proxy certificate;
 retrieve a certificate that contains the VO information.
[Diagram: proxy certificate = information + VO: TWGrid + User’s Digital Signature.]
Summary of AA - 1
• Authentication based on X.509 PKI infrastructure
– Trust between Certificate Authorities (CA) and sites, CAs and users is established (offline)
– CAs issue (long lived) certificates identifying sites and individuals (much like a passport)
 Commonly used in web browsers to authenticate to sites
– In order to reduce vulnerability, on the Grid user identification is done by using (short lived) proxies of their certificates
• Proxies can
– Be delegated to a service such that it can act on the user’s behalf
– Include additional attributes (like VO information via the VO Membership Service VOMS)
– Be stored in an external proxy store (MyProxy)
– Be renewed (in case they are about to expire)
Summary of AA - 2
• Authentication
– User obtains a certificate from a Certificate Authority
– Connects to the UI by ssh (the UI is the user’s interface to the Grid)
– Uploads the certificate to the UI
– Single logon to the UI: create a proxy
– Grid Security Infrastructure (GSI)
• Authorisation
– User joins a Virtual Organisation
– The VO negotiates access to Grid nodes and resources
– Authorisation is tested by the resource: credentials in the proxy determine the user’s rights
[Diagram: the CA issues the user’s certificate (annually); the user registers with the VO manager; the VO service and VO database are updated daily and mapped to access rights at the resource via GSI.]
User Responsibilities
• Keep your private key secure – on USB drive only
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.