
Grid Security

Grid Security. EMBRACE Grid Tutorial, Helsinki, 16 June 2006. Heinz Stockinger Swiss Institute of Bioinformatics Lausanne, Switzerland. I guess you all know that …. How about that one?. What does this have to do with computing?. Well, it’s all about codes and access to information





Presentation Transcript


  1. Grid Security EMBRACE Grid Tutorial, Helsinki, 16 June 2006 Heinz Stockinger Swiss Institute of Bioinformatics Lausanne, Switzerland

  2. I guess you all know that …

  3. How about that one?

  4. What does this have to do with computing?
  • Well, it’s all about codes and access to information
  • In Grid computing:
    • Limit access to resources
    • Use standard computer security

  5. Motivation: Security in the Grid
  • In industry, several security standards exist:
    • Public Key Infrastructure (PKI)
      • PKI keys
      • SPKI keys (focus on authorisation rather than certificates)
    • RSA
    • Secure Socket Layer (SSL)
    • SSH keys
    • Kerberos
  • Need for a common security standard for Grid services
    • The above standards do not meet all Grid requirements (e.g. delegation, single sign-on etc.)
  • The Grid community mainly uses X.509 PKI for the Internet
    • Well established and widely used (also for www, e-mail, etc.)

  6. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  7. Introduction
  • Distribution of resources: secure access is a basic requirement
    • secure communication, secure data, resources etc.
    • security across organisational boundaries
    • single sign-on for users of the Grid
  • Three basic concepts:
    • Secure communication: data encryption
    • Authentication: Who am I?
      • “Equivalent” to a passport, ID card etc.
    • Authorisation: What can I do?
      • Certain permissions, duties etc.

  8. Data Encryption
  [Diagram: clear text message -> encryption -> encrypted text -> decryption -> clear text message; one shared key in the symmetric case, Key A / Key B in the asymmetric case]
  • Symmetric encryption: same key (“secret”) used for encryption and decryption
    • Kerberos, DES / 3DES, IDEA
  • Asymmetric encryption: different keys used for encryption and decryption
    • RSA, DSA

  9. Authentication
  • Do we want authorised users or anonymous access to our service?
  • How can I prove who I am?
    • In private life: people have passports, identity cards
      • Issued by a certain authority
    • In office life: we use ids and passwords to access computers

  10. Certificate = “Grid Passport”
  A passport has several important items; so does a certificate.
  • Public Key Infrastructure:
    • Use a public and private key
  • Grid Certificate:
    • Name
    • Issuer (Certificate Authority)
    • Validity

  11. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  12. Public Key Infrastructure (PKI)
  [Diagram: clear text message -> encrypted text (with the public key) -> clear text message (with the private key)]
  • Asymmetric encryption
  • Digital signatures
    • A hash derived from the message and encrypted with the signer’s private key
    • Signature checked by decrypting with the signer’s public key
  • Allows key exchange in an insecure medium using a trust model
    • Keys trusted only if signed by a trusted third party (Certification Authority)
    • A CA certifies that a key belongs to a given principal
  • Certificate
    • Public key + information about the principal + CA signature
    • X.509 format most used
  • PKI used by SSL, PGP, GSI, WS security, S/MIME, etc.

  13. PKI – Example
  Entity B (Bob): public key, private key. Entity A (Alice): public key e, private key d, with encryption transformation E_e and decryption transformation D_d.
  Bob, wishing to send a message m to A, computes the ciphertext c = E_e(m).
  Alice applies the decryption transformation m = D_d(c).

  14. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  15. Structure of a X.509 certificate
  [Diagram: certificate fields]
    Public key
    Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
    Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
    Expiration date: Aug 26 08:08:14 2005 GMT
    Serial number: 625 (0x271)
    CA digital signature
  X.509 certificates and authentication
  [Diagram: A sends A’s certificate to B; B verifies the CA signature and sends a random phrase; A encrypts it with A’s private key and returns the encrypted phrase; B decrypts it with A’s public key and compares it with the original phrase. Performance!]
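Added example (my own code, not from the tutorial): the PKI example of slide 13 and the two uses PKI makes of it on slides 12 and 15, a digital signature and the random-phrase challenge, carried out with textbook RSA. The primes, exponent and messages are constructed for illustration; the key is far too small for real use and nothing is padded, so it shows the arithmetic only.

```python
import hashlib
import secrets

# Constructed key material: two Mersenne primes, far too small for real use,
# chosen only so the arithmetic needs no library (pow(e, -1, m) needs Python 3.8+).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus n
E = 65537                            # public exponent e (Alice's public key)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d (Alice's private key)


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """E_e(m): Bob encrypts with Alice's public key (e, n)."""
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, d: int = D, n: int = N) -> int:
    """D_d(c): only the holder of the private key d recovers m."""
    return pow(c, d, n)


def _digest(message: bytes, n: int = N) -> int:
    # Hash reduced modulo n so it fits the toy modulus; real PKI pads instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Digital signature: hash of the message 'encrypted' with the private key."""
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Signature check: 'decrypt' with the signer's public key, compare hashes."""
    return pow(signature, e, n) == _digest(message, n)


def challenge_response(d: int = D, e: int = E, n: int = N) -> bool:
    """Authentication flow of slide 15: B sends a random phrase, A encrypts it
    with the private key, B decrypts it with the public key taken from A's
    (already verified) certificate and compares with the original phrase."""
    phrase = secrets.randbelow(n)          # B: random phrase
    encrypted = pow(phrase, d, n)          # A: encrypt with A's private key
    return pow(encrypted, e, n) == phrase  # B: decrypt with A's public key


if __name__ == "__main__":
    m = int.from_bytes(b"grid job request", "big")   # constructed message
    print("decrypt(encrypt(m)) == m:", decrypt(encrypt(m)) == m)
    print("signature valid:", verify(b"hello grid", sign(b"hello grid")))
    print("challenge passed:", challenge_response())
```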

  16. X.509 alias ISO/IEC/ITU 9594-9
  • X.509 is an ITU standard:
    • ITU-T Recommendation X.509 (1997 E). Information technology - Open Systems Interconnection - The Directory: Authentication Framework
    • Defines a certificate format (originally based on X.500 Directory Access Protocol)
    • Latest standard: X.509 version 3 certificate format
  • X.509 certificate includes:
    • User identification (someone’s subject name)
    • Public key
    • A “signature” from a Certificate Authority (CA) that:
      • Proves that the certificate came from the CA
      • Vouches for the subject name
      • Vouches for the binding of the public key to the subject

  17. Involved entities
  [Diagram: Certificate Authority (CA); User with public key, private key and certificate; Resource (site offering services)]

  18. Certification Authorities
  • Issue certificates for users, programs and machines
  • Check the identity and the personal data of the requestor
    • Registration Authorities (RAs) do the actual validation
  • Manage Certificate Revocation Lists (CRLs)
    • They contain all the revoked certificates yet to expire
  • CA certificates are self-signed
  • In Grid projects only certain CAs are mutually recognised

  19. Certificate classification
  • User certificate
    • issued to a physical person
    • DN= C=CH, O=CERN, OU=GRID, CN=John Smith
    • the only kind of certificate good for a client, i.e. to send Grid jobs etc.
  • Host certificate
    • issued to a machine (i.e. a secure web server, etc.)
    • request signed with a user certificate
    • DN= C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
  • Grid host certificate
    • issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
    • request signed with a user certificate
    • DN= C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
  • Service certificate
    • issued to a program running on a machine
    • request signed with a user certificate
    • DN= C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

  20. Grid Certificate
  • A certificate needs to be requested from a Certificate Authority
  • When using the Grid Security Infrastructure (GSI), the certificate consists of two parts:
    • usercert.pem
    • userkey.pem

  21. X.509 Certificate Example (1)
  • openssl x509 -in ~/.globus/usercert.pem -text
      Certificate:
          Data:
              Version: 3 (0x2)                                 <- X.509 v3, with extensions
              Serial Number: 199 (0xc7)
              Signature Algorithm: md5WithRSAEncryption        <- (MD5-based signatures are no longer accepted by current software)
              Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA        <- issuer CA
              Validity
                  Not Before: Sep 25 10:33:05 2005 GMT         <- long-term certificate
                  Not After : Sep 24 10:33:05 2006 GMT
              Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User <- user identification
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption          <- public key
                  RSA Public Key: (1024 bit)
                      Modulus (1024 bit):
                          00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38: […]

  22. X.509 Certificate Example (2)
              X509v3 extensions:                               <- certificate extensions
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Subject Key Identifier:
                      71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53
                  X509v3 CRL Distribution Points:              <- Certificate Revocation List
                      URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
                  X509v3 Issuer Alternative Name:
                      email:service-grid-ca@cern.ch
                  X509v3 Certificate Policies:
                      Policy: 1.3.6.1.4.1.96.10.1.2.1
                  Netscape Cert Type:                          <- client/user certificate
                      SSL Client, S/MIME, Object Signing
                  Netscape Base Url:
                      http://service-grid-ca.web.cern.ch/service-grid-ca/
          Signature Algorithm: md5WithRSAEncryption            <- signature on the information
              54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:[...]

  23. Private Key Example
  • openssl rsa -in ~/.globus/userkey.pem -text
      Enter PEM pass phrase:
      Private-Key: (1024 bit)
      modulus: [...]
      publicExponent: ..... (0x......)
      privateExponent: [...]                                   <- private parameters
      prime1: [...]
      prime2: [...]
      exponent1: [...]
      exponent2: [...]
      coefficient: [...]
      writing RSA key
      -----BEGIN RSA PRIVATE KEY-----                          <- PEM encoded private key
      -----END RSA PRIVATE KEY-----

  24. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  25. Globus Grid Security Infrastructure (GSI)
  • de facto standard for Grid middleware
  • Based on PKI
  • Implements some important features
    • Single sign-on: no need to give one’s password every time
    • Delegation: a service can act on behalf of a person
    • Mutual authentication: both sides must authenticate to the other
  • Introduces proxy certificates
    • Short-lived certificates including their private key and signed with the user’s certificate

  26. GSI General Overview
  [Diagram, based on a slide from the Globus Tutorial: three layers]
  • Proxies and Delegation (GSI extensions) for secure single sign-on
  • SSL/TLS for authentication and message protection
  • PKI (CAs and certificates) for credentials

  27. Virtual Organizations and authorization
  • Grid users must belong to a Virtual Organization
    • Sets of users belonging to a collaboration
    • Each VO user has the same access privileges to Grid resources
  • VOs maintain a list of their members
  • The list is downloaded by Grid machines to map user certificate subjects to local “pool” accounts: only mapped users are authorized in LCG
  • Sites decide which VOs to accept
  Excerpt of a grid-mapfile:
    ...
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
    ...
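Added example, not code from the tutorial or from Globus: the authorisation lookup a site performs against a grid-mapfile in the format shown above, applied to the subject of a proxy certificate (the user DN with "/CN=proxy" appended, as grid-proxy-info prints it on slide 45). The mapfile content and the DNs are constructed for the example; only the legacy /CN=proxy form is handled.

```python
import shlex
from typing import Dict, Optional

# Constructed grid-mapfile in the format shown on slide 27: a quoted DN
# followed by the local account (".vo" denotes a pool account of that VO).
GRID_MAPFILE = '''
# comments and blank lines are ignored
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
'''


def parse_gridmap(text: str) -> Dict[str, str]:
    """Map each quoted DN to its local account; malformed lines are rejected
    rather than skipped, so a corrupt mapfile cannot silently drop entries."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)        # honours the quotes around the DN
        if len(fields) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, account = fields
        mapping[dn] = account
    return mapping


def certificate_subject(proxy_subject: str) -> str:
    """Strip the trailing /CN=proxy components that grid-proxy-init appends
    (slide 45) to recover the subject of the underlying user certificate.
    A slash inside a CN, e.g. CN=host/host1.cern.ch, is left untouched
    because only a final component equal to 'CN=proxy' is removed."""
    parts = proxy_subject.split("/")
    while parts and parts[-1] == "CN=proxy":
        parts.pop()
    return "/".join(parts)


def authorize(proxy_subject: str, mapping: Dict[str, str]) -> Optional[str]:
    """Return the local account for an authenticated proxy subject, or None
    when the DN is not in the mapfile: unmapped users are not authorised."""
    return mapping.get(certificate_subject(proxy_subject))


if __name__ == "__main__":
    gridmap = parse_gridmap(GRID_MAPFILE)
    for subject in ("/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968/CN=proxy",
                    "/O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy"):
        print(subject, "->", authorize(subject, gridmap) or "DENIED")
```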

  28. Globus command line interface: certificate and proxy management
  • Get information on a user certificate
      grid-cert-info [-help] [-file certfile] [OPTION]...
        -all              whole certificate
        -subject | -s     subject string
        -issuer | -I      issuer
        -startdate | -sd  start of validity
        -enddate | -ed    end of validity
  • Create a proxy certificate: grid-proxy-init
  • Destroy a proxy certificate: grid-proxy-destroy
  • Get information on a proxy certificate: grid-proxy-info

  29. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  30. Secure your services - but how?
  [Diagram: client program with user certificate <-> security library | security library <-> server with host certificate and authorisation]

  31. Different kinds of services
  • “Simple” services with standard socket communication
    • Any service written in C/C++, Java, Python, Perl, etc.
    • Use GSI libraries, e.g. provided by Globus Toolkit 2
      • http://www.globus.org/security/
    • The libraries handle certificate-based authentication
    • Often considered 1st generation “Grid services”
  • Web services
    • Based on SOAP
    • 2nd generation “Grid services”
  • Web sites

  32. API: GSS-API and GSS Assist
  • GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, RFC 2744)
    • Traditionally, it interfaces to Kerberos
    • The Globus project interfaced it to GSI
    • Communication is kept separate: it just creates data buffers, it does not move them
    • Rather complicated to use…
    • Documentation at http://docs.sun.com/app/docs/doc/816-1331 and http://www.gnu.org/software/gss/manual/html_node/index.html
  • GSS-API as user interface to GSI:
    • C API
    • Java API (http://www-unix.globus.org/cog/java/)
  • The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it

  33. Globus extensions
  • Credential import and export
    • To pass credentials from one process to another or to store them in a file
    • Export to 1) an opaque buffer, or 2) a file in GSI native format
    • gss_import_cred(), gss_export_cred()
  • Delegation at any time
    • A lot more flexible than standard GSS-API delegation
    • Delegation at times other than context establishment
    • Possible to delegate credentials different from those used for context establishment: even for different mechanisms!
      • Ex.: delegate a Kerberos credential over a context established with GSI
    • gss_init_delegation(), gss_accept_delegation()
  • Credential extension handling
    • support for credential information other than just the identity
  • Set context options at the server side
  • Documentation
    • http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf
    • ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h

  34. Web Service Security
  • Transport level security
    • SOAP messages are transmitted encrypted
    • used by some gSOAP GSI plugins
    • Based on SSL/TLS
  • Message level security
    • WS-Security
      • set of SOAP extensions to implement integrity and confidentiality in Web Services
      • <Security> header contains the security-related information
      • http://www-128.ibm.com/developerworks/library/ws-secure/
    • WS-SecureConversation
      • defines how to establish secure contexts and exchange keys
    • Performance issue
    • Used in Globus Toolkit 4

  35. Performance - Mutual Authentication
  • Having secure connections creates a performance overhead
  • Let’s have a look at the detailed steps Bob - Alice
    • Bob uses his proxy to create a request (incl. public key, about 2000 bytes)
    • Alice uses her private key to sign the request and sends the signed cert. back (in addition, the CAs have to match)
    • Alice generates a random message and sends it to Bob, asking Bob to encrypt it.
    • Bob encrypts the message using his private key and sends it back to Alice. Alice decrypts the message using Bob’s public key. If this results in the original random message, then Alice knows that Bob is who he says he is.
    • Now that Alice trusts Bob’s identity, the same operation must happen in reverse.
  • By default, all further message exchange is not encrypted!

  36. Some performance numbers
  [Chart: cryptography is CPU intensive; WS Secure Conversation uses symmetric cryptography only]
  Source: http://webservices.sys-con.com/read/204424.htm

  37. Securing Web sites (Portals)
  • An HTML web site is not a web service
    • A Web service provides a programmable interface via SOAP
    • A Web page is purely HTML (potentially generated by tools such as JSP, etc.)
  • One can still use Grid security for that purpose
    • Need to load the certificate into the web browser
    • Server side (Web server) needs to use Grid security technologies
    • Example: http://www.gridsite.org provides modules for the Apache server

  38. Security Overview Introduction Public Key Infrastructure Grid Certificates (X.509) Grid Security Infrastructure (GSI) Securing Services GSI in Practice

  39. GSI Authentication using Globus
  [Diagram: the entities involved are the CA, the service, the user and the VO; the following slides build up the interactions step by step]

  40. Certificate Request / Obtaining a certificate (once every year)
  [Diagram: the user runs grid-cert-request and sends the cert-request to the CA]

  41. Certificate Signing
  [Diagram: the CA performs cert signing on the cert-request and returns the certificate to the user]

  42. Preparation for Registration in VO
  Goal: the user needs to register with a certain VO
  [Diagram: the user converts the certificate into cert.pkcs12]

  43. Account Registration (once for the lifetime of the VO; only the DN is registered, not the keys, so they may change)
  [Diagram: the user performs the registration with the VO and receives the usage guidelines]

  44. Starting a Session with Globus (every 12/24 hours)
  [Diagram: the user runs grid-proxy-init to create a proxy-cert]

  45. Usage
  You must have a valid certificate from a trusted CA!
  • “login”: grid-proxy-init (short-lifetime certificate: 24 hours)
      Enter PEM pass phrase:
      ...........................+++++
      ....................................+++++
  • checking the proxy: grid-proxy-info -subject
      /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy
  -> use the Grid services
  • “logout”: grid-proxy-destroy

  46. Certificate Request for a Host (once every year)
  [Diagram: on the service side, grid-cert-request produces a host-request that is sent to the CA]

  47. Signing the Certificate
  [Diagram: the CA performs cert signing on the host-request and returns the host-cert to the service]

  48. Configuration on the Server
  [Diagram: the service obtains the ca-certificate and the crl from the CA through a cert/crl update]
  In EDG: automatically updated every night/week

  49. Service
  You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
  • Registering a trusted CA
    • /etc/grid-security/certificates: hashed cert, crl and url
  • Generating a gridmap file: mkgridmap
    • /etc/grid-security/gridmap: DN -> userid/gid mapping
    • See Authorisation
  • Generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)

  50. Service: CA Certificates
  • ls /etc/grid-security/certificates
      0ed6468a.0               c35c1972.0               d64ccb53.0
      0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
      0ed6468a.r0              c35c1972.r0              d64ccb53.r0
      0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
      16da7552.0               cf4ba8c8.0               df312a4e.0
      16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
      16da7552.r0              cf4ba8c8.r0              df312a4e.r0
      16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy
  In general:
    *.0 … CA certificate
    *.r0 … Certificate Revocation List (CRL)
  (example listing)
