Security II – Grid Computing Security and Globus Security

1. SecurityII – Grid Computing SecurityandGlobus Security

2. Aspects Grid computing involves setting up a virtual organization for the project: • Setting up the resources that will be used. • Identifying the users • Creating a security policy across sites

3. Virtual Organization SecurityIssues Need to establish and enforce terms of sharing. • VO-wide identification of users and services • Authentication across administrative domains • Authorization policy across administrative domains • Trust across administrative domains

4. Dynamics • Changing community roles, members • Scaling • Support for large numbers of resources and users • Policy • VO and stakeholder control of priorities Modified form a slide by Ian Foster

5. Grid security must define mechanisms for identity, policy, and trust across autonomous domains with minimal arrangements. Modified form a slide by Ian Foster

6. Dynamic Policy Overlay Slide by Ian Foster

7. Globus Grid Security Infrastructure (GSI) • A set of tools, libraries, and protocols to allow users and applications to access resources securely in a grid computing environment.

8. Globus Grid Security Infrastructure (GSI) • Based upon public key infrastructure with certificate authorities and X509 certificates. • GT 2 components use SSL for authentication and message protection. • GT 4 can use WS-Security protocols – extensions to SOAP messaging for security

9. Security G T 4 Delegation Service Community Scheduler Framework [contribution] Python WS Core [contribution] C WS Core G T 3 CommunityAuthorization Service OGSA-DAI [Tech Preview] Web ServicesComponents WS Authentication Authorization Reliable File Transfer Java WS Core Grid Resource Allocation Mgmt (WS GRAM) Monitoring & Discovery System (MDS4) G T 2 Pre-WS Authentication Authorization GridFTP Grid Resource Allocation Mgmt (Pre-WS GRAM) Monitoring & Discovery System (MDS2) C Common Libraries Non-WS Components G T 3 Replica Location Service XIO G T 4 Credential Management Security Data Management Execution Management Information Services CommonRuntime

10. Three important factors in grid computing are: • Authorization • Process of deciding whether a particular identity can access a particular resource • Authentication • Process of deciding whether a particular identity is who he says he is (applies to humans and systems) • Delegation(somewhat specific to grid computing) • Process of giving authority to another identity (usually a computer/process) to act on your behalf.

11. GT4’s Use of Security Standards I Foster

12. Authentication Process of deciding whether a particular identity is who he says he is (applies to humans and systems)

13. GSI Authentication Each user has set of credentials they use to prove their identity on the grid. Consists of: • X509 certificate and • private key • Long-term private key kept encrypted with a pass phrase • Good for security, inconvenient for repeated usage

14. Certificate Authorities • Grid computing group (virtual organization) requires one or more CAs to control access to their grid. • Generally set up CA’s specifically for grid computing virtual organization.

15. Certificate Authorityfor Grid Computing • Usually a certificate authority is created for the specific grid computing environment. • Globus has “simple” implementation called simpleCA.

16. Grid Users • After Certificate Authority established for grid, users have to register with grid CA. • Users joining a grid from geographically dispersed locations must communicate with the CA system administrator to verify their identity and to get a certificate. • Communication often done by email!

17. Setting up a CA • Globus SimpleCA • For use with small projects with simple requirements. • Globus Certificate Service • For testing only (example use in sticky note assignment exercise 10). • Design your own CA or use existing one.

18. Single CA • Some grids have established a single CA for the virtual organization. Example • UK e-Science grid has a centralized CA.

19. Trans-European Research and Education Networking Association Provides a list of CAs with access to their certificates: http://www.terena.nl/tech/task-forces/ tf-aace/tacar/certs.html

20. NCSU UNC-A CA’s in Course grid structure UNC-C ASU CA CA WCU CA CA MCNC CA CA

21. UNC-C CA Users certified by a local CA

22. Configuring GT4 to Trust a Particular Certificate Authority GT 4 can be configured to accept certificates from multiple CAs. • Needs to know the CA’s to accept. • Consists of loading two files describing each CA: • cert_hash.0 The trusted CA certificate • cert_hash.signing_policy • A configuration file defining the distinguished names of certificates signed by the CA

23. UNC-C NCSU CA CA CA’s with Mutual Trust GT4

24. Bridge CA’s Bridge providing trust CA CA CA CA

25. Multiple CA’s With multiple CA’s, users in virtual organization need: • Account on each computer system and • Access control policy set • An entry in each grid-map file of each system if grid-maps used, see later.

26. Need to specify polices and how to establish subject’s identity.

27. Subject’s identity • X509 certificates use LDAP (Lightweight Directory Access Protocol) Distinguished Name conventions • Entries organized in a tree hierarchy, which could reflect the organizational structure: • Organization: O=Grid • Organization: O=UNC-C • Organizational unit: OU= Dept of Computer Science • Common name: CN=Barry Wilkinson • Must to constructed for uniqueness – could be two Barry Wilkinson’s (There are.)

28. Sample Distinguishing Name used at NCSU /O=NCSU/OU=HPC/OU=unity.ncsu.edu/CN=Barry Wilkinson

29. Getting a certificate 2. Apply to CA Request 1. Create Public key User CA Private Key X509 3. Generate and sign Signed X509

30. Globus Interaction with Certificate Authority This step done by email or a more a secure way. Grid Security Infrastructure From: “Introduction to Grid Computing with Globus,” IBM Redbooks, SG24-6895-012003, Fig. 3-3.

31. grid-cert-request • Globus command to run to get certificate. • Requests a pass phrase. • Can be used to get user certificates, host certificates and CA’s own certificate (chosen with grid-cert-request flags).

32. Files held by user after using grid-cert-request • Users usercert_request.pem • The certificate request, which you should send to your CA. • Certificate: usercert.pem • An empty file. When you receive your actual certificate from your CA, you should place it in this file. • User’s private key: userkey.pem • Previously held (not transmitted), encrypted with pass phrase used for grid-cert-request.

33. Getting certificate from SimpleCA Run: $GLOBUS_LOCATION/bin/grid-cert-request Certificate request stored in: $HOME/.globus/usercert_request.pem Email this request to certificate authority given in request. Save signed certificate that is returned. SimpleCA uses the command grid-ca-sign to sign certificate.

34. Grid Computers • Computers added to a grid (donors) preferably need their identity verified in a similar fashion. • Computers registered with certificate authority - only those machines will be allowed to participate in the grid activities. • Computers might be used under a certain access rights.

35. GSI Authentication Originally based on SSL protocol where one passes an encrypted random number between parties

36. B authenticating host A’s certificate • Host A send its certificate to Host B. • Host B gets Host A’s public key and name using CA’s public key. • Host B creates a random number and sends it to Host A. • Host A encrypts random number with its private key and sends it to host B. • Host B decrypts number and checks number. If correct, Host B authenticates host A’s certificate.

37. From: “Introduction to Grid Computing with Globus,” IBM Redbooks, SG24-6895-012003, Fig. 3-4.

38. Mutual Authentication Two parties proving to each other that they are who they say they are. Mutual authentication involves the previous process done both ways. Both parties need to trust CAs that signed each other's certificates.

39. GSI Mutual Authentication • Before mutual authentication can occur, parties involved must first trust CAs that signed each other's certificates. • In practice, this means that they must have copies of the CAs' certificate, which contain the CAs' public keys, and that they trust that these certificates really belong to the CAs.

40. Mutual Authentication cont. To start the authentication process,: • A gives B his certificate. • B will first make sure that certificate valid by checking CA's digital signature to make sure that the CA actually signed the certificate and that the certificate hasn't been tampered with. (This is where B must trust the CA that signed A's certificate.) Once B has checked out A's certificate, B must make sure that A really is the person identified in the certificate.

41. Mutual Authentication cont. • B generates a random message and sends it to A, asking A to encrypt it. • A encrypts the message using his private key, and sends it back to B. • B decrypts the message using A's public key. • If this results in the original random message, then B knows that A is who he says he is.

42. Mutual Authentication cont. • Now that B trusts A's identity, the same operation must happen in reverse. • B sends A her certificate, A validates the certificate and sends a challenge message to be encrypted. • B encrypts the message and sends it back to A, and A decrypts it and compares it with the original. • If it matches, then A knows that B is who she says she is. At this point, A and B have established a connection to each other and are certain that they know each others' identities.

43. Confidential Communication after Mutual Authentication By default, GSI does not establish confidential (encrypted) communication between parties. Communication can occur without the overhead of constant encryption and decryption. GSI can easily be used to establish a shared key for encryption if confidential communication is desired.

44. Communication integrity Means that an eavesdropper may be able to read communication between two parties but is not able to modify the communication in any way. GSI provides communication integrity by default. (It can be turned off if desired). Communication integrity introduces some overhead in communication, but not as large as encryption.

45. Authorization Process of deciding whether a particular identity can access a particular resource and what fashion.

46. GSI Authorization Classical way of doing authorization is an access control list, listing the identities of those allowed and the type of access allowed. • A grid could use a similar approach, using a grid-map file

47. grid-map file Globus installations can maintain a so-called grid-map file that contains a list of user DNs authorized for access, and their local username mappings. Example "/O=Grid/OU=GlobusTest/OU=simpleCA-myuniversity.edu/OU=myuniversity.edu/ CN=student0" student0

48. Other ways of doing authorization Grid-map file a very primitive way which does not scale well. Other ways • SAML – Security Assertions Markup Language, a OASIS standard • Allows to communicate user authentication, authorization and attribute information • Communication Authorization Service (CAS)

49. Community Authorization Service CAS To handle the situation of many users and many resources. If each resource were to maintain access policies for each user, will not scale. Delegate authorization to CAS to handle authorization for resources.