VN-GRID Security
Nguyen Cao Dat
Outline
• Grid Security on EDAGrid
  • EDAGrid topology
  • Authentication
  • Authorization
  • Message protection
  • Security Issues
• Grid Security on VN-GRID
  • VN-GRID topology
  • Authentication
  • Authorization
  • To do list
Outline
• Grid Security on EDAGrid
  • EDAGrid topology
  • Authentication
  • Authorization
  • Message protection
  • Security Issues
EDAGrid topology
(diagram: Certification Authority, VO Server and GridNodes; Site = Virtual Organization)
How a user is authenticated by a GridNode
• Obtaining a Certificate
  • Create a public/private key pair and an unsigned certificate (grid-cert-request command)
  • Mail the unsigned certificate to the CA admin by e-mail
  • Receive a signed certificate
(diagram: the user keeps the private key (encrypted); the certificate carries Subject, Public Key, Issuer (CA) and the Signature of the CA)
How a user is authenticated by a GridNode (2)
• By checking the signature, one can determine that a public key belongs to a given user.
(diagram: hash the certificate (Subject, Public Key, Issuer), decrypt the signature with the issuer's public key, and compare the two hashes)
How a user is authenticated by a GridNode (3)
(diagram: the user sends the User Cert. (Subject, Public Key, Issuer (CA), Digital Signature) to the server; the server checks the certificate's public key, and an encrypted challenge string is exchanged that the user answers with the private key (stored encrypted))
How a user is authenticated by GridNodes
• Single Sign-on
(diagram: user, GridNode A and GridNode B exchanging remote process creation requests*, communication*, delegation and remote file access requests*; * with mutual authentication)
How a user is authenticated by GridNodes (2)
• Create Proxy Certificate (grid-proxy-init)
(diagram: the user's private key (encrypted) signs a Proxy Certificate that carries the identity of the user: Subject/Proxy, a new public key, a new private key (not encrypted), Issuer (user), Digital Signature (user); the User Certificate itself holds Subject, Public Key, Issuer (CA), Digital Signature)
How a user is authenticated by GridNodes (3)
• Proxy Certificate
  • Minimizes exposure of the user's private key.
  • A "proxy certificate" is a special type of certificate that is signed by the normal end-entity certificate, or by another proxy.
  • Used short term.
  • The proxy's private key is not encrypted.
  • Relies on file system security: the proxy certificate file must be readable only by the owner.
How a user is authenticated by GridNodes (4)
• Delegation
  • Remote creation of a user proxy
  • Results in a new private key and proxy certificate, signed by the original key
  • Allows a remote process to act on behalf of the user
  • Avoids sending private keys across the network
(diagram: user public/private key → grid-proxy-init → Proxy-1 public/private key on GridNode1; Proxy-2 public/private key on GridNode2, with only the Proxy-2 public key and the Proxy-2 cert crossing between the nodes)
How a user is authenticated by GridNodes (5)
• Traverse the certificate chain to verify identity
(diagram: CA → User Certificate → Proxy Certificate → Proxy Certificate, each link leading back to the user identity)
How a user is authenticated by GridNodes (5)
• Example
  • Create Proxy certificate
    $ grid-proxy-init
    Enter PEM pass phrase: *****
  • Remote Authentication Test
    $ globusrun -a -r hostname
  • Running a Job on a remote node
    $ globus-job-run hostname <executable>
    $ globusrun-ws …
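The chain traversal of the previous slides (CA → user certificate → proxy), as an added Go example that is not part of the deck or of Globus: it builds the three certificates with the standard library (the grid-cert-request and grid-proxy-init steps) and then walks the chain leaf-first, checking each signature under the next certificate's public key. The CA and user names are constructed; validity periods, issuer-name matching and proxy policy, which GSI does check, are left out.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn with signerKey; a nil signer makes it self-signed (the CA).
func issue(serial int64, cn string, key *rsa.PrivateKey, signer *x509.Certificate, signerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(12 * time.Hour), IsCA: signer == nil, BasicConstraintsValid: signer == nil}
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}
// VerifyChain walks a leaf-first chain (proxy, ..., user cert, CA): every signature must verify under the next
// certificate's public key and the chain must end at the CA this node trusts. Raw signature checks are used because
// a proxy is signed by an end-entity certificate; validity periods, issuer names and proxy policy are not checked.
func VerifyChain(chain []*x509.Certificate, trustedCA *x509.Certificate) error {
	if len(chain) == 0 || !chain[len(chain)-1].Equal(trustedCA) {
		return fmt.Errorf("chain does not end at the trusted CA")
	}
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, err)
		}
	}
	return nil
}
// Demo: genuine chain CA -> user -> proxy, and a forged user cert bearing the CA's name but a foreign key.
func Demo() (genuineAccepted, forgedRejected bool) {
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	caKey, userKey, rogueKey := newKey(), newKey(), newKey()
	ca := issue(1, "EDAGrid CA", caKey, nil, nil)
	user := issue(2, "Nguyen Cao Dat", userKey, ca, caKey)
	proxy := issue(3, "Nguyen Cao Dat/proxy", newKey(), user, userKey)
	rogueCA := issue(4, "EDAGrid CA", rogueKey, nil, nil)
	forged := issue(5, "Nguyen Cao Dat", newKey(), rogueCA, rogueKey)
	return VerifyChain([]*x509.Certificate{proxy, user, ca}, ca) == nil, VerifyChain([]*x509.Certificate{forged, ca}, ca) != nil
}
```

The forged certificate passes a name comparison (its issuer reads "EDAGrid CA") and is caught only by the signature check, which is the point of slide (2): the signature, not the name, ties the public key to the identity.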
Authorization
• Identity Mapping
  • The user is mapped to local identities to determine local policy.
(diagram: Grid Identity → map to local name → Local Policy, repeated at each resource)
Authorization (2)
• Gridmap File
  • Gridmap file maintained by the Globus administrator
  • Each entry maps a Grid-id to local user name(s)
    # Distinguished name                                     Local username
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"      griduser1
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Tuan Anh"  tanguyen
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Thoai Nam"        griduser3
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Tran Van Hoai"    hoai
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"   dat
    "/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"     griduser1
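How a gridmap file like the one above is read and used, as an added Go example (not from the deck or from Globus): the quoted field is the DN, the rest of the line is the local username list, and a helper flags local accounts that several DNs map to (griduser1 above is mapped twice), which is the accountability gap behind the accounting issues raised later in the deck. The sample entries are a constructed subset copied from the slide.

```go
package main
import (
	"bufio"
	"fmt"
	"strings"
)
// sample is a constructed grid-mapfile whose entries are copied from the slide above.
const sample = `# Distinguished name                                   Local username
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Grid Test 1"      griduser1
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Nguyen Cao Dat"   dat
"/O=Grid/OU=VNU-HCM/OU=HCMUT/OU=CSE/CN=Ly Hoang Hai"     griduser1
`
// GridMap maps a subject DN to local usernames; a DN with no entry is denied, so one file is policy and mapping.
type GridMap map[string][]string
// ParseGridMap reads grid-mapfile text: per line a double-quoted DN, then comma-separated local
// usernames; '#' starts a comment, and a DN that appears on several lines accumulates usernames.
func ParseGridMap(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' {
			continue
		}
		dn, rest, closed := strings.Cut(line[1:], `"`) // the DN is quoted because it contains spaces
		if line[0] != '"' || !closed || strings.TrimSpace(rest) == "" {
			return nil, fmt.Errorf("line %d: expected a quoted DN followed by local usernames", n)
		}
		for _, u := range strings.Split(strings.TrimSpace(rest), ",") {
			gm[dn] = append(gm[dn], strings.TrimSpace(u))
		}
	}
	return gm, sc.Err()
}
// SharedAccounts lists local usernames that more than one DN maps to; on such an account a local log
// line can no longer be traced back to a single grid identity (see the accounting issues slide).
func (gm GridMap) SharedAccounts() map[string][]string {
	byUser := map[string][]string{}
	for dn, users := range gm {
		for _, u := range users {
			byUser[u] = append(byUser[u], dn)
		}
	}
	for u, dns := range byUser {
		if len(dns) < 2 {
			delete(byUser, u)
		}
	}
	return byUser
}
```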
Message protection
• Uses certificates and TCP sockets to provide a secured connection
• Authentication of one or both parties using the certificates
• Message protection
  • Confidentiality (encryption)
  • Integrity
(diagram: SSL/TLS layered over Certificates and TCP Sockets)
EDAGrid Security Infrastructure
• GSI is:
  • Proxies and delegation (GSI extensions) for secure single sign-on
  • SSL/TLS for authentication and message protection
  • PKI (CAs and certificates) for credentials
(diagram: GSI stacked as Proxies and Delegation over SSL/TLS over PKI; PKI: Public Key Infrastructure)
Security issues
• Authentication issues
  • User interface
  • Single CA vs. multiple CAs
  • Credential management
• Authorization issues
  • What happens if there are thousands to millions of users?
  • The grid-mapfile doesn't scale well, and works only at the resource level, not the collective level (site level).
• Accounting issues
  • Logs from VOInformation are not enough.
  • Billing system.
Outline
• Grid Security on VN-GRID
  • VN-GRID topology
  • Authentication
  • Author
ization
  • To do list
VN-GRID topology
(diagram: two sites, Site 1 and Site 2, each with its own Certification Authority, VO Server and GridNodes)
Authentication
• Goals
  • Support multiple CAs.
  • User: transparent authentication (proxies/delegation).
  • Site/individual node: easy to adhere.
Authentication (2)
• Multiple CAs
  • Manual update -> simple.
  • Automatic update solution
(diagram: between the CA of Site N and VN-GRID: 1. request, 2. certificate, 3. adhere (CAs data sent to the Portal), 4. Agree/Not Agree, then Update CAs List)
Authorization
• Goals
  • Support thousands to millions of users from sites.
  • Compatible with site/local security policies.
  • Easy to understand and verify.
  • Easy to administer.
(diagram: access granted by the community to the user; access granted by the local site to the community; access granted by the site to the user)
Authorization (2)
• Approaches
  • "Classic" authorization method
    • Identity mapping
  • Attribute-based authorization methods
    • CAS (Community Authorization Service)
    • VOMS (Virtual Organization Membership Service)
    • PERMIS
    • GridShib
    • caBIG tools
Authorization (3)
• Identity mapping
  • Gridmap file format: Subject DN → [user0, user1, …, user(n-1)]
  • Dual-function identity-based gridmap file
    • Authorization policy
    • Username mapping policy
    • A single gridmap file serves both functions
Authorization (4)
• Attribute-based authorization
  • The user creates a proxy certificate with attributes
(diagram: the user's proxy carrying a SAML assertion; SAML: Security Assertion Markup Language)
Authorization (5)
• Attribute-based authorization
  • Authz on GridNodes
(diagram: a GridNode's PDP/PEP evaluating the attributes against its policies; PDP: Policy Decision Point, PEP: Policy Enforcement Point)
Authorization (6)
• GridShib
  • GridShib SAML Tools
    • A SAML producer
    • Binds a SAML assertion to an X.509 proxy certificate
    • The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Token Profile).
  • GridShib for Globus Toolkit
    • A SAML consumer
    • GridShib for GT (GS4GT) is a plug-in for GT 4.x
Authorization (7)
• GridShib for GT (GS4GT)
Authorization (8)
• GridShib for GT (GS4GT)
  • Two separate attribute-based policy files
    • Authorization policy: [A0, A1, …, A(m-1)]
    • Username mapping policy: [A0, A1, …, A(m1-1)] → [user0, user1, …, user(n1-1)], [A0, A1, …, A(m2-1)] → [user0, user1, …, user(n2-1)]
  • A single XML-based policy file may encapsulate both types of policies
To do list
• Building the testbed system
  • Resources: 03 GridNodes (03 sites)
  • Install & configure GT4.x, GridShib
• Programming
  • CLI to create a proxy certificate with attributes
  • Site registration service
  • Programs to update the CAs list for VO Server/GridNode
• Documentation
  • Technical report
  • Admin guide
Symmetric Encryption
• Encryption and decryption functions that use the same key are called symmetric
• In this case everyone wanting to read encrypted data must share the same key
• DES is an example of symmetric encryption
(diagram: Data → Encrypt → Decrypt → Data)
Asymmetric Encryption
• Encryption and decryption functions that use a key pair are called asymmetric
• Keys are mathematically linked
• RSA is an example of asymmetric encryption
Asymmetric Encryption
• When data is encrypted with one key, the other key must be used to decrypt the data
• And vice versa
(diagram: Data → Encrypt with one key → Decrypt with the other key → Data, in both directions)
Public and Private Keys
• With asymmetric encryption each user can be assigned a key pair: a private and a public key
  • The public key is given away to the world
  • The private key is known only to the owner
Public and Private Keys
• Anything encrypted with the private key can only be decrypted with the public key
• And vice versa
• Since the private key is known only to the owner, this is very powerful…
(diagram: Data → Encrypt → Decrypt → Data)
Digital Signatures
• Digital signatures allow the world to verify I created a hunk of data
  • e.g. email, code
Digital Signatures
• Digital signatures are created by encrypting a hash of the data with my private key
• The resulting encrypted data is the signature
• This hash can then only be decrypted by my public key
(diagram: Data → Hash → Encrypt → Signature)
Digital Signature
• Given some data with my signature, if you decrypt the signature with my public key and get the hash of the data, you know it was encrypted with my private key
(diagram: Hash(Data) =? Decrypt(Signature))
Digital Signature
• Since I'm the only one with access to my private key, you know I signed the hash and the data associated with it
• But, how do you know that you have my correct public key?
• Answer: A Public Key Infrastructure…
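The hash, sign and verify cycle of the last slides, and the problem behind the closing question, as an added Go example (not from the deck): RSA PKCS#1 v1.5 over SHA-256 stands in for "encrypt the hash with my private key", and the key pairs and message are constructed. It shows that a checker handed the wrong public key is convinced by the wrong signer, which is what a CA-signed certificate binding the key to a name is for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sign is the slide's "encrypt a hash of the data with my private key": SHA-256, then RSA PKCS#1 v1.5.
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the slide's "decrypt the signature with my public key and compare it with the hash of the data".
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo reports three outcomes: my signature verifies under my public key; it fails once a single byte of
// the data changes; and someone else's signature verifies just as well under that person's public key.
// Nothing in the signature itself tells the checker whose key it was given, hence the need for a PKI.
func Demo() (genuine, tamperedFails, otherKeyAccepted bool) {
	me, _ := rsa.GenerateKey(rand.Reader, 2048)      // constructed key pair standing in for mine
	someone, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair of another party
	data := []byte("constructed message: run job X on GridNode A")
	sig, _ := Sign(me, data)
	genuine = Verify(&me.PublicKey, data, sig)
	tampered := append([]byte{}, data...)
	tampered[0] ^= 1 // flip one bit of the data; the hash no longer matches the signed one
	tamperedFails = !Verify(&me.PublicKey, tampered, sig)
	theirSig, _ := Sign(someone, data)
	otherKeyAccepted = Verify(&someone.PublicKey, data, theirSig)
	return
}
```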