Grid Security
EMBRACE Grid Tutorial, Helsinki, 16 June 2006
Heinz Stockinger, Swiss Institute of Bioinformatics, Lausanne, Switzerland

Slide 2: I guess you all know that ...
[figure: picture not reproduced]

Slide 3: How about that one?
[figure: picture not reproduced]

Slide 4: What does this have to do with computing?
- Well, it's all about codes and access to information
- In Grid computing:
  - Limit access to resources
  - Use standard computer security

Slide 5: Motivation: Security in the Grid
- In industry, several security standards exist:
  - Public Key Infrastructure (PKI): PKI keys, SPKI keys (focus on authorisation rather than certificates)
  - RSA
  - Secure Socket Layer (SSL)
  - SSH keys
  - Kerberos
- Need for a common security standard for Grid services: the above standards do not meet all Grid requirements (e.g. delegation, single sign-on, etc.)
- The Grid community mainly uses X.509 PKI for the Internet: well established and widely used (also for www, e-mail, etc.)

Slide 6: Security Overview
- Introduction
- Public Key Infrastructure
- Grid Certificates (X.509)
- Grid Security Infrastructure (GSI)
- Securing Services
- GSI in Practice

Slide 7: Introduction
- Distribution of resources: secure access is a basic requirement
  - secure communication, secure data, resources, etc.
  - security across organisational boundaries
  - single sign-on for users of the Grid
- Three basic concepts:
  - Secure communication: data encryption
  - Authentication: Who am I? "Equivalent" to a passport, ID card, etc.
  - Authorisation: What can I do? Certain permissions, duties, etc.
Slide 8: Data Encryption
- Symmetric encryption: the same key ("secret") is used for encryption and decryption
  - Kerberos, DES / 3DES, IDEA
  - [diagram: clear text message -> encryption with the shared key -> encrypted text -> decryption with the same shared key -> clear text message]
- Asymmetric encryption: different keys are used for encryption and decryption
  - RSA, DSA
  - [diagram: clear text message -> encryption with key A -> encrypted text -> decryption with key B -> clear text message]

Slide 9: Authentication
- Do we want authorised users or anonymous access to our service?
- How can I prove who I am?
  - In private life: people have passports and identity cards, issued by a certain authority
  - In office life: we use ids and passwords to access computers

Slide 10: Certificate = "Grid Passport"
- Public Key Infrastructure: use a public and a private key
- A passport has several important items; so does a Grid certificate:
  - Name
  - Issuer (Certificate Authority)
  - Validity

Slide 11: Security Overview (outline repeated; next section: Public Key Infrastructure)

Slide 12: Public Key Infrastructure (PKI)
- Asymmetric encryption: [diagram: clear text message encrypted with one key of the pair (public/private) and decrypted with the other]
- Digital signatures
  - A hash derived from the message and encrypted with the signer's private key
  - Signature checked by decrypting with the signer's public key
- Allows key exchange in an insecure medium using a trust model
  - Keys trusted only if signed by a trusted third party (Certification Authority)
  - A CA certifies that a key belongs to a given principal
- Certificate: public key + information about the principal + CA signature
  - X.509 format most used
- PKI used by SSL, PGP, GSI, WS security, S/MIME, etc.
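The two operations of this slide, asymmetric encryption (the Ee/Dd transformations of the next slide) and a digital signature, worked through in textbook RSA, plus the random-phrase challenge that the X.509 authentication and mutual authentication slides later describe. This is an added example, not code from the tutorial; the small primes are constructed for illustration and give no security.

```python
import hashlib
import secrets

# Textbook RSA with CONSTRUCTED small primes: a toy for illustration only.
# A 40-bit modulus offers no security; real Grid certificates use >= 1024-bit keys.
def make_keypair(p, q, e=65537):
    """Return ((N, e), (N, d)): the public key e and private key d of the PKI example."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # d = e^-1 mod phi(N)
    return (n, e), (n, d)

ALICE_PUB, ALICE_PRIV = make_keypair(1000003, 1000033)   # assumed prime values
BOB_PUB, BOB_PRIV = make_keypair(1000037, 1000039)       # assumed prime values

def encrypt(m, public_key):
    """Encryption transformation Ee: c = m^e mod N (m must be smaller than N)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message does not fit in the modulus")
    return pow(m, e, n)

def decrypt(c, private_key):
    """Decryption transformation Dd: m = c^d mod N."""
    n, d = private_key
    return pow(c, d, n)

def _digest(message, n):
    # Hash of the message, reduced to fit the toy modulus (a real scheme pads instead).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Digital signature: the hash of the message 'encrypted' with the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message, signature, public_key):
    """Check a signature: 'decrypt' with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def challenge_response(prover_private_key, claimed_public_key):
    """Verifier picks a random phrase, the prover encrypts it with its private key,
    the verifier decrypts with the public key it holds and compares. True only if
    the prover really owns the private key matching claimed_public_key."""
    n_claimed, e_claimed = claimed_public_key
    phrase = secrets.randbelow(n_claimed)
    n_prover, d_prover = prover_private_key
    response = pow(phrase, d_prover, n_prover)
    return pow(response, e_claimed, n_claimed) == phrase

if __name__ == "__main__":
    c = encrypt(4711, ALICE_PUB)                       # Bob -> Alice: c = Ee(m)
    print(decrypt(c, ALICE_PRIV))                      # Alice recovers m = Dd(c): 4711
    sig = sign(b"job description", ALICE_PRIV)
    print(verify(b"job description", sig, ALICE_PUB))  # True
    print(verify(b"job descriptioN", sig, ALICE_PUB))  # False: message altered
    print(challenge_response(BOB_PRIV, BOB_PUB))       # True: Bob proves his identity
    print(challenge_response(ALICE_PRIV, BOB_PUB))     # False: wrong private key
```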
Slide 13: PKI – Example
- Entity A (Alice) has a public key e and a private key d, which define the encryption transformation Ee and the decryption transformation Dd
- Entity B (Bob), wishing to send a message m to A, computes the ciphertext c = Ee(m)
- A applies the decryption transformation: m = Dd(c)

Slide 14: Security Overview (outline repeated; next section: Grid Certificates (X.509))

Slide 15: X.509 certificates and authentication
- Structure of an X.509 certificate:
    Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
    Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
    Expiration date: Aug 26 08:08:14 2005 GMT
    Serial number: 625 (0x271)
    Public key
    CA Digital signature
- Authentication of A to B:
  1. A sends A's certificate to B
  2. B verifies the CA signature on the certificate
  3. B sends a random phrase to A
  4. A encrypts the phrase with A's private key and returns the encrypted phrase
  5. B decrypts it with A's public key and compares the result with the original phrase
- Performance!

Slide 16: X.509
- X.509, alias ISO/IEC/ITU 9594-9, is an ITU standard: ITU-T Recommendation X.509 (1997 E), Information technology – Open Systems Interconnection – The Directory: Authentication Framework
- Defines a certificate format (originally based on the X.500 Directory Access Protocol)
- Latest standard: X.509 version 3 certificate format
- An X.509 certificate includes:
  - User identification (someone's subject name)
  - Public key
  - A "signature" from a Certificate Authority (CA) that:
    - Proves that the certificate came from the CA
    - Vouches for the subject name
    - Vouches for the binding of the public key to the subject

Slide 17: Involved entities
- Certificate Authority (CA)
- User: public key, private key, certificate
- Resource (site offering services)

Slide 18: Certification Authorities
- Issue certificates for users, programs and machines
- Check the identity and the personal data of the requestor
  - Registration Authorities (RAs) do the actual validation
- Manage Certificate Revocation Lists (CRLs)
  - They contain all the revoked certificates yet to expire
- CA certificates are self-signed
- In Grid projects, certain CAs are mutually recognised

Slide 19: Certificate classification
- User certificate
  - issued to a physical person
  - DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  - the only kind of certificate good for a client, i.e. to send Grid jobs, etc.
- Host certificate
  - issued to a machine (i.e. a secure web server, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
- Grid host certificate
  - issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
- Service certificate
  - issued to a program running on a machine
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

Slide 20: Grid Certificate
- A certificate needs to be requested from a Certificate Authority
- When using the Grid Security Infrastructure (GSI), the certificate consists of two parts:
  - usercert.pem
  - userkey.pem

Slide 21: X.509 Certificate Example (1)
    openssl x509 -in ~/.globus/usercert.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)                                  <- X509 v3, with extensions
            Serial Number: 199 (0xc7)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA         <- issuer CA
            Validity
                Not Before: Sep 25 10:33:05 2005 GMT          <- long-term certificate
                Not After : Sep 24 10:33:05 2006 GMT
            Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User  <- user identification
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption           <- public key
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:
                        [...]

Slide 22: X.509 Certificate Example (2)
            X509v3 extensions:                                <- certificate extensions
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53
                X509v3 CRL Distribution Points:               <- Certificate Revocation List
                    URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
                X509v3 Issuer Alternative Name:
                    email:[email protected]
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.96.10.1.2.1
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing        <- client/user certificate
                Netscape Base Url:
                    http://service-grid-ca.web.cern.ch/service-grid-ca/
        Signature Algorithm: md5WithRSAEncryption
            54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:
            [...]
    (The signature above is computed over all the certificate information.)

Slide 23: Private Key Example
    openssl rsa -in ~/.globus/userkey.pem -text
    Enter PEM pass phrase:
    Private-Key: (1024 bit)
    modulus: [...]
    publicExponent: ..... (0x......)
    privateExponent: [...]                                    <- private parameters
    prime1: [...]
    prime2: [...]
    exponent1: [...]
    exponent2: [...]
    coefficient: [...]
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----                           <- PEM encoded private key
    -----END RSA PRIVATE KEY-----

Slide 24: Security Overview (outline repeated; next section: Grid Security Infrastructure (GSI))

Slide 25: Globus Grid Security Infrastructure (GSI)
- De facto standard for Grid middleware
- Based on PKI
- Implements some important features:
  - Single sign-on: no need to give one's password every time
  - Delegation: a service can act on behalf of a person
  - Mutual authentication: both sides must authenticate to the other
- Introduces proxy certificates
  - Short-lived certificates including their private key and signed with the user's certificate

Slide 26: GSI General Overview
- Layered picture (based on a slide from the Globus tutorial):
  - Proxies and Delegation (GSI extensions) for secure single sign-on
  - SSL/TLS for authentication and message protection
  - PKI (CAs and certificates) for credentials

Slide 27: Virtual Organizations and authorization
- Grid users must belong to a Virtual Organization
  - Sets of users belonging to a collaboration
  - Each VO user has the same access privileges to Grid resources
- VOs maintain a list of their members
- The list is downloaded by Grid machines to map user certificate subjects to local "pool" accounts: only mapped users are authorized in LCG
- Excerpt from the resulting grid-mapfile:
    ...
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
    ...
- Sites decide which VOs to accept

Slide 28: Globus command line interface: certificate and proxy management
- grid-cert-info [-help] [-file certfile] [OPTION]...: get information on a user certificate
  - -all: whole certificate
  - -subject | -s: subject string
  - -issuer | -i: issuer
  - -startdate | -sd: start of validity
  - -enddate | -ed: end of validity
- grid-proxy-init: create a proxy certificate
- grid-proxy-destroy: destroy a proxy certificate
- grid-proxy-info: get information on a proxy certificate

Slide 29: Security Overview (outline repeated; next section: Securing Services)

Slide 30: Secure your services - but how?
- Client side: client program, user certificate, security library
- Server side: host certificate, security library, authorisation

Slide 31: Different kinds of services
- "Simple" services with standard socket communication
  - Any service written in C/C++, Java, Python, Perl, etc.
  - Use GSI libraries, e.g. those
    provided by Globus Toolkit 2: http://www.globus.org/security/
  - The libraries handle certificate-based authentication
  - Often considered 1st generation "Grid services"
- Web services
  - Based on SOAP
  - 2nd generation "Grid services"
- Web sites

Slide 32: API: GSS-API and GSS Assist
- GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, RFC 2744)
  - Traditionally, it interfaces to Kerberos
  - The Globus project interfaced it to GSI
  - Communication is kept separate: it just creates data buffers, it does not move them
  - Rather complicated to use...
  - Documentation at http://docs.sun.com/app/docs/doc/816-1331 and http://www.gnu.org/software/gss/manual/html_node/index.html
- GSS-API as user interface to GSI:
  - C API
  - Java API (http://www-unix.globus.org/cog/java/)
- The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it

Slide 33: Globus extensions
- Credential import and export
  - To pass credentials from one process to another, or to store them in a file
  - Export to 1) an opaque buffer, or 2) a file in GSI native format
  - gss_import_cred(), gss_export_cred()
- Delegation at any time
  - A lot more flexible than standard GSS-API delegation
  - Delegation at times other than context establishment
  - Possible to delegate credentials different from those used for context establishment: even for different mechanisms!
    Ex.: delegate a Kerberos credential over a context established with GSI
  - gss_init_delegation(), gss_accept_delegation()
- Credential extension handling
  - Support for credential information other than just the identity
- Set context options at the server side
- Documentation
  - http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf
  - ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h

Slide 34: Web Service Security
- Transport level security
  - SOAP messages are transmitted encrypted
  - Based on SSL/TLS
  - Used by some gSOAP GSI plugins
- Message level security: WS-Security
  - Set of SOAP extensions to implement integrity and confidentiality in Web Services
  - The <Security> header contains the security-related information
  - http://www-128.ibm.com/developerworks/library/ws-secure/
  - WS-SecureConversation defines how to establish secure contexts and exchange keys
  - Performance issue
  - Used in Globus Toolkit 4

Slide 35: Performance - Mutual Authentication
- Having secure connections creates a performance overhead
- Let's have a look at the detailed steps (Bob - Alice):
  1. Bob uses his proxy to create a request (incl. public key, about 2000 bytes)
  2. Alice uses her private key to sign the request and sends the signed certificate back (in addition, the CAs have to match)
  3. Alice generates a random message and sends it to Bob, asking Bob to encrypt it
  4. Bob encrypts the message using his private key, and sends it back to Alice
  5. Alice decrypts the message using Bob's public key. If this results in the original random message, then Alice knows that Bob is who he says he is
  6. Now that Alice trusts Bob's identity, the same operation must happen in reverse
- By default, all further message exchange is not encrypted!

Slide 36: Some performance numbers
[figure: performance numbers, not reproduced]
- Cryptography is CPU intensive
- WS Secure Conversation: symmetrical cryptography only
- Source: http://webservices.sys-con.com/read/204424.htm

Slide 37: Securing Web sites (Portals)
- An HTML web site is not a web service
  - A Web service provides a programmable interface via SOAP
  - A Web page is purely HTML (potentially generated by tools such as JSP, etc.)
- One can still use Grid security for that purpose
  - Need to load the certificate into the web browser
  - Server side (Web server) needs to use Grid security technologies
  - Example: http://www.gridsite.org provides modules for the Apache server

Slide 38: Security Overview (outline repeated; next section: GSI in Practice)

Slides 39 to 44 build up one diagram step by step, with four entities: CA, user, service and VO.

Slide 39: GSI Authentication using Globus
- Entities: CA, user, service, VO

Slide 40: Certificate Request / Obtaining a certificate
- The user runs grid-cert-request and sends the cert-request to the CA
- Once every year

Slide 41: Certificate Signing
- The CA signs the request and returns the certificate to the user

Slide 42: Preparation for Registration in VO
- Goal: the user needs to register with a certain VO
- The certificate is converted into cert.pkcs12

Slide 43: Registration
- Account registration with the VO (registration, usage guidelines)
- Once for the lifetime of the VO (only the DN, not the keys, so they may change)

Slide 44: Starting a Session with Globus
- grid-proxy-init creates a proxy-cert
- Every 12/24 hours

Slide 45: Usage
- You must have a valid certificate from a trusted CA!
- "login": grid-proxy-init
  - short lifetime certificate: 24 hours
        Enter PEM pass phrase:
        ...........................+++++
        ....................................+++++
- checking the proxy: grid-proxy-info -subject
        /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy
- -> use the Grid services
- "logout": grid-proxy-destroy

Slide 46: Certificate Request for a Host
- On the service side, grid-cert-request creates a host-request that is sent to the CA
- Once every year

Slide 47: Signing the Certificate
- The CA signs the request and returns the host-cert to the service

Slide 48: Configuration on the Server
- cert/crl update: the service keeps the ca-certificate and the crl up to date
- In EDG: automatically updated every night/week

Slide 49: Service
- You must have the trusted CA certificates in files and the VO LDAP server(s) URL configured.
- Registering a trusted CA: /etc/grid-security/certificates: hashed cert, crl and url
- Generating a gridmap file: mkgridmap
  - /etc/grid-security/gridmap: DN -> userid/gid mapping
  - See Authorisation
- Generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)

Slide 50: Service: CA Certificates
    ls /etc/grid-security/certificates
    0ed6468a.0               c35c1972.0               d64ccb53.0
    0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
    0ed6468a.r0              c35c1972.r0              d64ccb53.r0
    0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
    16da7552.0               cf4ba8c8.0               df312a4e.0
    16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
    16da7552.r0              cf4ba8c8.r0              df312a4e.r0
    16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy
- In general:
  - *.0 ... CA certificate
  - *.r0 ... Certificate Revocation List (CRL)

Slide 51: Service: a certificate
    cat c35c1972.signing_policy
    # EACL CERN CA
    access_id_CA      X509    '/C=CH/O=CERN/CN=CERN CA'
    pos_rights        globus  CA:sign
    cond_subjects     globus  '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

    openssl x509 -in c35c1972.0 -text
    Issuer: C=CH, O=CERN, CN=CERN CA           <- the issuer and the subject are the same:
    [...]
    Subject: C=CH, O=CERN, CN=CERN CA          <- self-signed certificate
    [...]
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
    [...]
    (CA:TRUE means it may be used to sign other certificates.)
        Netscape Cert Type:
            SSL CA, S/MIME CA, Object Signing CA   <- it is a CA certificate

Slide 52: Certificate Revocation List (CRL)
    openssl crl -in c35c1972.r0 -text
    Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA               <- the issuer is the CA itself
        Last Update: Jul 1 17:53:17 2002 GMT
        Next Update: Aug 5 17:53:17 2002 GMT          <- next update: shall be checked
    Revoked Certificates:
        Serial Number: 5A                             <- the revoked certificate's number
            Revocation Date: May 24 16:45:52 2002 GMT
        Signature Algorithm: md5WithRSAEncryption     <- signature, as usual

Slide 53: Grid-mapfile
    cat /etc/grid-security/gridmap
    "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
    "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
    "/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/[email protected]" aliprod
    "/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/[email protected]" aliprod
    "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
    "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
    "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
    "/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/[email protected]" yannick

Slide 54: Abbreviations
- CA – Certificate Authority
- CP – Certificate Policy
- CPS – Certificate Practice Statement
- CRL – Certificate Revocation List
- GSI – Grid Security Infrastructure
- GSS – Generic Security Service
- PKI – Public Key Infrastructure
- SSL – Secure Socket Layer
- TLS – Transport Layer Security
- VO – Virtual Organization
- VOMS – Virtual Organization Membership Service

Slide 55: Conclusion
- Security is important for Grid middleware: in particular in commercial use
- Security solutions need to be integrated from the very beginning
  - "We had a security concept from the very beginning but decided to deal with security later"
- Grid security relies on PKI
- Requires: authentication & authorisation
- Basic entities: Users – CA
  (Certificate Authorities) – Resource Providers

Thanks to Andrea Sciaba' (CERN) for reusing some of his slides.
The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic area "Life sciences, genomics and biotechnology for health", contract number LHSG-CT-2004-512092.
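The three server-side files of slides 51 to 53 (signing_policy, CRL and grid-mapfile) combined into one admission decision for an incoming certificate subject: an added example, not code from the tutorial or from Globus. The sample policy, revoked serial and Next Update date are taken from the slides; the grid-mapfile entries are constructed, and the glob-like meaning of '*' in cond_subjects is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample data, modelled on the listings of slides 51 to 53.
SIGNING_POLICY = """\
# EACL CERN CA
access_id_CA      X509    '/C=CH/O=CERN/CN=CERN CA'
pos_rights        globus  CA:sign
cond_subjects     globus  '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'
"""
GRIDMAP = """\
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe User" joe
"/C=CH/O=CERN/OU=GRID/CN=John Smith 8968" .dteam
"""
# From the CRL of slide 52: revoked serial (hex, as openssl prints it) and Next Update
REVOKED_SERIALS = {"5A"}
CRL_NEXT_UPDATE = datetime(2002, 8, 5, 17, 53, 17, tzinfo=timezone.utc)


def allowed_subjects(policy_text):
    """Return the quoted cond_subjects patterns of a signing_policy file."""
    for line in policy_text.splitlines():
        if line.startswith("cond_subjects"):
            return re.findall(r'"([^"]*)"', line)
    return []


def subject_matches_policy(subject, patterns):
    """'*' stands for any string (assumed glob-like); matching is case-sensitive,
    which is why the policy lists both /C=ch and /C=CH."""
    for pattern in patterns:
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(regex, subject):
            return True
    return False


def load_gridmap(text):
    """Parse lines of the form "DN" account into a dict DN -> local account."""
    mapping = {}
    for line in text.splitlines():
        found = re.match(r'"([^"]+)"\s+(\S+)', line)
        if found:
            mapping[found.group(1)] = found.group(2)
    return mapping


def authorize(subject, serial_hex, now_iso):
    """Site-side decision: CA signing policy, then CRL freshness and revocation,
    then grid-mapfile. Returns (local account or None, reason)."""
    now = datetime.fromisoformat(now_iso)
    if not subject_matches_policy(subject, allowed_subjects(SIGNING_POLICY)):
        return None, "subject outside the CA signing policy"
    if now > CRL_NEXT_UPDATE:
        return None, "CRL is stale: Next Update has passed, refresh it first"
    if serial_hex.upper() in REVOKED_SERIALS:
        return None, "certificate serial is revoked"
    account = load_gridmap(GRIDMAP).get(subject)
    if account is None:
        return None, "DN not in grid-mapfile: no local account"
    return account, "authorized"
```

A stale CRL is treated as a failure rather than ignored, which is the "shall be checked" point of slide 52.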