Learn about authentication, authorization, and security mechanisms in grid computing, including obtaining and using certificates, joining virtual organizations, and understanding the roots of trust.
LCG-2 Tutorial, June 3-4, 2004 (www.eu-egee.org)
Security Mechanisms
David Groep (after an original by Ákos Frohner), EDG tutorial team, JRA3
EGEE is a project funded by the European Union under contract IST-2003-508833
Contents
• Overview: authentication and authorisation
• User side: getting a certificate; joining a Virtual Organisation
• Server side: host and service certificates; the roots of trust; authorisation mechanisms
Virtual Organizations
• A VO is a temporary alliance of stakeholders: users and service providers
• A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
(Viewgraph: Foster, Kesselman, Tuecke, the Globus Alliance. Next: common and open protocols.)
Autonomous Resources
• Owners of resources and data stay in control
• Sharing conditions are explicit, and can vary for every resource or service
• Each VO, and each user, thus has its own view of the Grid
• A user's "own" grid is transparent: no per-resource registration, and single sign-on
What is what?
• Authentication: proving who you are
• Authorisation: deciding what you are allowed to do
• Auditing: who did what, when?
• Accounting: how much "resources" did X use?
• Billing and payment: oops!
Some cryptography
Need to communicate securely without prior arrangements. Can you talk to someone in privacy using only public data?
• Yes: using "asymmetric cryptography"
• You generate a key pair (two halves)
• One half you publish on the 'Net
• Others can encrypt a message using the public key
• Only you have the private key to decrypt it
This assumes that the private key cannot be derived easily from the public key!
Binding a public key to you
• Put your public key and a unique name together
• Have that combination digitally signed by someone trusted
• This "trusted third party" certifies the binding: a Certification Authority or CA

Example certificate:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 332 (0x14c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=NL, O=NIKHEF, CN=NIKHEF medium-security certification auth
            Validity
                Not Before: Mar  1 08:52:49 2004 GMT
                Not After : Mar  1 08:52:49 2005 GMT
            Subject: O=dutchgrid, O=users, O=nikhef, CN=David Groep
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:e6:a2:8b:5c:a3:ed:fe:d5:03:55:b6:7c:cb:44:
                        ....
            Netscape Comment: Certificate issued under DutchGrid and NIKHEF medium-security policy version 2.1; limited liabilities apply
        Signature Algorithm: md5WithRSAEncryption
            9d:d8:19:32:3e:39:f1:55:58:d6:dd:21:7a:40:31:36:f6:07:
            96:91:cf:2c

Note that this 2004 certificate is signed with md5WithRSAEncryption over a 1024-bit key; MD5 signatures and 1024-bit RSA are no longer acceptable for certificates today (SHA-2 and at least 2048-bit keys are the norm), so treat the algorithms here as a period example, not a recommendation.
Certification Authorities
Common trust domain for all of Europe: the EUGridPMA
• 23 national certification authorities
• Catch-all CAs for EGEE, LCG and SEE-GRID
• All comply with the same minimum standards: in-person checking with a photo-ID; a secure signing machine; certificates valid for 1 year; …
• Your Grid certificate works across all of Europe
• Other CAs exist: for students, demonstrations, tutorials
Authorisation
• Based on Virtual Organisations (VO)
• You join both a VO and (implicitly) an Infrastructure: agree to the Acceptable Use Policy; request VO membership; wait for the VO administrator to approve
• Resource providers will then automatically give you access!
• Many different VOs, including "catch-alls": Atlas, LHCb, Alice, CMS, DTEAM*, EarthOb, BioMed, ASCI, …, NL-Grid, NCF*
A walk-through
(Diagram: the four parties, CA, service, user and VO; the following slides add one interaction at a time.)

Certificate request (once every year)
(Diagram: the user runs grid-cert-request and sends the cert-request to the CA.)
Contacting the Certificate Authority
• Each CA has different policies and practices
• Generate a cryptographic key pair: using a script like grid-cert-request; with your web browser; or using a Java applet
• Appear in person to the Registration Authority (RA)
• The RA approves your request
• The CA signs the approved request and sends you the cert: via mail, copy it to your home directory; via the web, download it into your browser and export it to disk
• All use a network of RAs close to you
DutchGrid CA: http://www.dutchgrid.nl/ca
Making the request (DutchGrid CA)
Run the request script:
    triode:davidg:1004$ sh makerequest.sh
    Generating user request and private key in /tmp
    Do NOT delete the private key in this directory

    NOTICE: you are about to create the cryptographic key pair you need in your certificate.
    The private key is highly confidential information!
    Do not share it with anyone and do not send it by mail to the Certification Authority
    Your private key is stored in a file named 'userkey.pem'

    Using configuration from /tmp/certreq15061.cnf
    Generating a 1024 bit RSA private key
    .....++++++
    ..................++++++
    writing new private key to '/tmp/userkey.pem'
    -----
    Mailing [CA:medium] certificate request to the DutchGrid CA
    …
    In the authentication process by the CA, you may be asked to provide a
    proof-of-possession of the keypair you submitted. This may involve you
    providing part of your public keydata displayed below:
    BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EFA3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065

    *** Fill in the registration form now, and go to your RA.
(Callout on the hex block: Proof of Possession Challenge. Only the public half is ever sent or shown; the private key stays on your machine.)
Your request
    openssl req -in ~/.globus/user_request.pem -text
        Data:
            Version: 0 (0x0)
            Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner            <- user information
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):                                     <- public key
                        00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58:[...]
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption                             <- signature on the public key and user information
            29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e:[...]
    -----BEGIN CERTIFICATE REQUEST-----                                       <- PEM encoded request
    MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC[...]
    -----END CERTIFICATE REQUEST-----
The signature on the request is made with your own private key: it proves to the CA that you possess the key matching the public key you are asking it to certify. The CA then replaces it with its own signature when it issues the certificate.
Private Key Details
    openssl rsa -in ~/.globus/userkey.pem -text
    Enter PEM pass phrase:
    Private-Key: (1024 bit)
    modulus: [...]
    publicExponent: ..... (0x......)
    privateExponent: [...]            <- private parameters
    prime1: [...]
    prime2: [...]
    exponent1: [...]
    exponent2: [...]
    coefficient: [...]
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----    <- PEM encoded private key
    -----END RSA PRIVATE KEY-----
Note that this command decrypts the key and prints all private parameters and an unencrypted PEM copy to the terminal; run it only on a trusted machine, and never paste the output anywhere.
Certificate signing
(Diagram: the CA signs the cert-request and returns the certificate to the user.)

Importing your certificate in the browser
(Diagram: the user converts the certificate to cert.pkcs12 for the browser.)
Browser certificates
• Your certificate must be in PKCS#12 format:
    openssl pkcs12 -export \
        -in ~/.globus/usercert.pem \
        -inkey ~/.globus/userkey.pem \
        -out user.p12 \
        -name 'Joe Smith'
• Use the "certificate store" of your browser
  • Windows: double-click on the ".p12" file
  • Explorer: Internet Options, tab: Content
  • Netscape 6: Preferences, Privacy & Security, Certificates, then use "Restore"
• And SET THE MASTER PASSWORD: the .p12 file contains your private key as well as the certificate, so protect the file and its export password like the key itself
Account registration (once for the lifetime of the VO)
(Diagram: the user registers with the VO and accepts its usage guidelines. Registration records only the DN, not the keys, so the keys may change.)
Registering with LCG: http://lcg-registrar.cern.ch/
Registration with the NCF VO
(Screenshot: the registration form for David Groep, /O=dutchgrid/O=users/O=nikhef/CN=David Groep)
Registering with a VO
User registration in an EDG Virtual Organisation:
• Sign the usage guidelines. For LCG go to http://lcg-registrar.cern.ch/; for NCF go to http://register.matrix.sara.nl/
• Ask for an account from your VO administrator there
• You are then registered in the VO directory server and have an account on all systems (~24 hrs)
Starting a session (every 12/24 hours)
(Diagram: the user runs grid-proxy-init, which creates a proxy-cert from the user certificate.)
Usage of your cert: single sign-on
You must have a valid certificate from a trusted CA!
• "login": grid-proxy-init creates a short-lived proxy certificate (24 hours in this example)
    Enter PEM pass phrase:
    ...........................+++++
    ....................................+++++
• Checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner/CN=proxy
  (the proxy's subject is the user's DN with /CN=proxy appended)
• "logout": grid-proxy-destroy
Then use the Grid services with the proxy.
Certificate request for a host (once every year)
(Diagram: the service administrator runs grid-cert-request and sends a host-request to the CA.)

Signing the certificate
(Diagram: the CA signs the host-request and returns the host-cert to the service.)

Configuration on the server (automatically updated every night/week)
(Diagram: the service fetches the ca-certificate and crl from the CA (cert/crl update) and is configured with the VO-LDAP directory.)
Service info
You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
• Registering the trusted CAs (also on the UI): /etc/grid-security/certificates holds, per CA, the hashed cert, CRL and CRL URL
• Generating a gridmap file with mkgridmap: /etc/grid-security/gridmap maps DN -> userid/gid
• Generating a host/service certificate: similar to user certificates for the whole process
Service: CA Certificates example
    ls /etc/grid-security/certificates
    0ed6468a.0               c35c1972.0               d64ccb53.0
    0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
    0ed6468a.r0              c35c1972.r0              d64ccb53.r0
    0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
    16da7552.0               cf4ba8c8.0               df312a4e.0
    16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
    16da7552.r0              cf4ba8c8.r0              df312a4e.r0
    16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy

    cat c35c1972.crl_url
    http://globus.home.cern.ch/globus/ca/cern.crl_pem
Each CA is identified by the OpenSSL hash of its subject name: <hash>.0 is the CA certificate, <hash>.r0 the current CRL, <hash>.crl_url where to fetch a fresh CRL, and <hash>.signing_policy restricts which subject names that CA is trusted to sign (so a compromised or misbehaving CA cannot issue certificates for another CA's namespace).
Service: Revocation List example
    openssl crl -in c35c1972.r0 -text
    Certificate Revocation List (CRL):
            Version 1 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: /C=CH/O=CERN/CN=CERN CA                  <- the issuer is the CA itself
            Last Update: Jul  1 17:53:17 2002 GMT
            Next Update: Aug  5 17:53:17 2002 GMT            <- next update: shall be checked
    Revoked Certificates:
        Serial Number: 5A                                    <- the revoked certificate's serial number
            Revocation Date: May 24 16:45:52 2002 GMT
        Signature Algorithm: md5WithRSAEncryption            <- signature, as usual
A CRL whose Next Update has passed tells you nothing about revocations since then; a service that enforces CRLs should fail closed (refuse the connection) rather than treat a stale list as "nothing revoked", which is why the CRL is refreshed automatically from the crl_url.
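The checks a relying party has to make against that CRL, written out as an added example (this is not code from the tutorial or from the Globus/EDG tools): parse the text form that `openssl crl -text` prints, confirm the CRL comes from the certificate's own issuer, confirm the CRL is inside its Last Update / Next Update window, and only then look the serial number up. The sample CRL text is constructed from the slide above plus one invented extra revoked serial (0B1F); the serial 0x14c used in the checks is the one from the certificate shown earlier.

```python
"""Added example: checking a certificate serial against a CRL in the text
form shown on the slide. Fails closed when the CRL cannot be relied on."""
import re
from datetime import datetime, timezone

# Constructed sample: the slide's CERN CA CRL plus one made-up revoked entry.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT
Revoked Certificates:
    Serial Number: 5A
        Revocation Date: May 24 16:45:52 2002 GMT
    Serial Number: 0B1F
        Revocation Date: Jun 12 09:00:00 2002 GMT
    Signature Algorithm: md5WithRSAEncryption
"""

_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """'Jul  1 17:53:17 2002 GMT' -> timezone-aware UTC datetime.

    OpenSSL pads single-digit days with a second space; collapse runs of
    whitespace so strptime sees a single separator.
    """
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, _TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Extract issuer, validity window and revoked serials from `openssl crl -text`."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"CRL text lacks '{name}'")
        return m.group(1)

    # Serial numbers are printed in hex; keep them as ints keyed by value.
    revoked = {}
    for m in re.finditer(
        r"Serial Number:\s*([0-9A-Fa-f]+)\s*\n\s*Revocation Date:\s*(.+?)\s*$",
        text, re.MULTILINE,
    ):
        revoked[int(m.group(1), 16)] = parse_openssl_time(m.group(2))

    return {
        "issuer": field("Issuer"),
        "last_update": parse_openssl_time(field("Last Update")),
        "next_update": parse_openssl_time(field("Next Update")),
        "revoked": revoked,
    }


def check_revocation(crl, serial, now, expected_issuer=None):
    """Return (status, reason) with status 'good', 'revoked' or 'error'.

    'error' means the CRL cannot be relied on; a service must treat that
    like a failed authentication, never as 'good'. `now` may be a datetime
    or a string in the same GMT format OpenSSL prints.
    """
    if isinstance(now, str):
        now = parse_openssl_time(now)
    if expected_issuer is not None and crl["issuer"] != expected_issuer:
        return "error", "CRL issuer does not match the certificate's issuer"
    if now < crl["last_update"]:
        return "error", "CRL is not yet valid (check the clock)"
    if now > crl["next_update"]:
        return "error", "CRL has expired: fetch a fresh one before trusting any certificate"
    when = crl["revoked"].get(serial)
    if when is not None:
        return "revoked", f"serial 0x{serial:X} revoked on {when.isoformat()}"
    return "good", f"serial 0x{serial:X} is not on the CRL"


if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    for serial, when in ((0x5A, "Jul 15 12:00:00 2002 GMT"),
                         (0x14C, "Jul 15 12:00:00 2002 GMT"),
                         (0x14C, "Sep  1 00:00:00 2002 GMT")):
        print(serial, when, check_revocation(crl, serial, when))
```

The order of the checks matters: issuer first (a CRL from the wrong CA says nothing about this certificate), then the validity window, then the lookup. Production code would also verify the CRL's signature with the CA certificate from the same directory, which needs an ASN.1/X.509 library and is left out here.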
Authorization information (automatically updated every night/week)
(Diagram: mkgridmap at the service builds the gridmap from the VO-LDAP directory.)
Gridmap file: configuration example
    cat /etc/grid-security/mkgridmap.conf
    auth  ldap://marianne.in2p3.fr/ou=People,o=testbed,dc=eu-datagrid,dc=org

    # EDG Standard Virtual Organizations
    group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org      .alice
    group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org      .atlas
    group ldap://grid-vo.nikhef.nl/ou=tb1users,o=cms,dc=eu-datagrid,dc=org        .cms
    group ldap://grid-vo.nikhef.nl/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org       .lhcb
    group ldap://grid-vo.nikhef.nl/ou=tb1users,o=biomedical,dc=eu-datagrid,dc=org .biome
    group ldap://grid-vo.nikhef.nl/ou=tb1users,o=earthob,dc=eu-datagrid,dc=org    .eo
    group ldap://marianne.in2p3.fr/ou=ITeam,o=testbed,dc=eu-datagrid,dc=org       .iteam
    group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org         .wpsix

    default_lcluser AUTO
Each group line maps the members of one VO group (read from its LDAP directory) to a local account; a target starting with a dot (.alice, .wpsix, …) denotes a pool of local accounts rather than a single user, and the auth line names the directory of users authorised on this testbed.
Generated Gridmap file example
    cat /etc/grid-security/gridmap
    "/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" .atlas
    "/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" .dteam
    "/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/Email=Franco.Semeria@bo.infn.it" .alice
    "/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/Email=Marisa.Luvisetto@bo.infn.it" .alice
    "/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" .dteam
    "/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" .dteam
    "/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" .lhcb
    "/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/Email=legre@clermont.in2p3.fr" .biome
Using a service
(Diagram: the user's proxy-cert and the service's host-cert are exchanged; the service checks them against its CA certificates, CRLs and gridmap.)
Summary
CA: authentication. VO: AUP, authorisation and access.
• New certificate: follow the web page instructions; send the request to the appropriate CA (e.g. ca@dutchgrid.nl); save the answer as ~/.globus/usercert.pem; import it in your web browser (.p12) and register with a VO
• New proxy certificate (only about once a day): grid-proxy-init writes /tmp/x509up_u<uid>
• Then use the Grid
The proxy file holds an unencrypted private key protected only by its file permissions, which is why the proxy is short-lived and why the long-lived userkey.pem stays pass-phrase protected.
Three models of how authentication and authorisation information flows (diagrams; "low frequency" items are long-lived certificates, "high frequency" items are renewed daily or more often):

The Original Globus Toolkit
• The CA issues a long-lived host cert to the service and a long-lived user cert to the user; the service performs CRL updates
• grid-proxy-init turns the user cert into a short-lived proxy cert
• The grid-mapfile at the service holds the authentication info (DN to local account)

The VO-Directory (EDG/LCG-2)
• As above, plus: the user registers in the VO-LDAP directory
• mkgridmap at the service queries VO-LDAP to build the grid-mapfile
• grid-proxy-init still produces the short-lived proxy cert

The VOMS Model
• As above, but the user registers with the VO's VOMS server (VO-VOMS)
• voms-proxy-init obtains from VO-VOMS a short-lived authz cert (attribute certificate), carried inside the short-lived proxy cert
• The service interprets the combined authentication and authorization info with LCAS/LCMAPS or edg-java-security
Getting VOMS Attributes
(Diagram: the user sends an Authentication Request to the VOMS server using the proxy subject, e.g. /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy; VOMS queries its AuthDB and answers OK with a VOMS pseudo-cert.)

    [davidg@tbn01 davidg]$ edg-voms-proxy-init -voms=wpsix
    Your identity: /O=dutchgrid/O=users/O=nikhef/CN=David Groep
    Enter GRID pass phrase for this identity:
    Creating temporary proxy ............................... Done
    /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr/Email=edg-site-admin@datagrid.cnrs.fr
    /C=FR/O=CNRS/CN=Datagrid-fr
    Creating proxy .............................. Done

    [davidg@tbn01 davidg]$ edg-voms-proxy-info -all
    …
    Type          : proxy
    Bits          : 512
    Valid From    : Jun 2 06:22:02 2004 GMT
    Validity left : Jun 2 18:27:02 2004 GMT
    VO            : wpsix
    Holder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep
    …
    Issuer Subject: /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr
    …
    Valid from    : Jun 2 06:26:09 2004 GMT
    Valid to      : Jun 2 18:26:09 2004 GMT
    Attribute     : /wpsix/Role=NULL/Capability=NULL
The VOMS Attribute Certificates
• The pseudo-cert is inserted in a non-critical extension of the user's proxy, OID 1.3.6.1.4.1.8005.100.100.1
• Format: X.509 Attribute Certificate
• Attributes are expressed as FQANs (Fully Qualified Attribute Names, e.g. /wpsix/Role=NULL/Capability=NULL)
• One attribute certificate for each VOMS server contacted

Example pseudo-cert layout:
• User's identity: /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it, issued by /C=IT/O=INFN/CN=INFN CA
• Server identity: /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it, issued by /C=IT/O=INFN/CN=INFN CA; VO: CMS; URI: http://vomscms.cern.ch
• User's info: TIME1: 020710134823Z, TIME2: 020711134822Z, GROUP: montecarlo, ROLE: administrator, CAP: "100 GB disk"
• SIGNATURE: (binary, by the VOMS server; the resource verifies it against the server's certificate, so attributes cannot be forged by the user who carries them)
Interpretation at the Resources
• Local Centre Authorization Service (LCAS)
  • Handles authorization requests to the local fabric
  • Authorization decisions based on the proxy user certificate and the job specification
  • Supports the grid-mapfile mechanism
  • Plug-in framework (hooks for external authorization plug-ins)
• Local Credential Mapping Service (LCMAPS)
  • Provides the local credentials needed for jobs in the fabric (identifier in Java JVM in EJS)
  • Plug-in framework, driven by a comprehensive policy language
  • Mapping based on user identity, VO affiliation, site-local policy
  • Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5 …

Example mapfile mixing DN-based and VOMS-based entries:
    "/O=dutchgrid/O=users/O=sara/CN=Walter de Jong" .wpsix
    "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Robert Belleman" .pvier
    "/VO=iteam/GROUP=/iteam" .iteam
    "/VO=wpsix/GROUP=/wpsix" .wpsix
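The mapping step that the gridmap slides and the LCAS/LCMAPS slide describe, as an added example (not code from the tutorial, Globus, or LCMAPS): take the subject of the presented proxy, strip the proxy components to recover the holder's DN, look it up in a mapfile of the format shown above, fall back to VOMS FQAN entries, and lease a pool account when the target starts with a dot. The sample mapfile is built from the deck's entries plus one invented fixed account ("akos"); the pool inventory, the lookup order (DN before FQAN), the treatment of "/VO=…/GROUP=…" and "/vo/group/Role=…" as the same attribute, and ignoring roles are all simplifying assumptions of this example, not the real LCMAPS policy.

```python
"""Added example: grid-mapfile lookup with proxy-subject normalisation,
VOMS FQAN fallback and pool-account leasing (simplified, in-memory)."""
import re
import shlex

# Constructed mapfile in the deck's format: quoted key, then local account.
# A leading dot means "lease an account from this pool"; otherwise the
# target is a fixed local account name.
SAMPLE_MAPFILE = """
# DN-based entries (classic grid-mapfile)
"/O=dutchgrid/O=users/O=sara/CN=Walter de Jong" .wpsix
"/O=dutchgrid/O=users/O=uva/OU=wins/CN=Robert Belleman" .pvier
"/O=Grid/O=CERN/OU=cern.ch/CN=Akos Frohner" akos
# VOMS-based entries: anyone carrying this group attribute gets a pool account
"/VO=iteam/GROUP=/iteam" .iteam
"/VO=wpsix/GROUP=/wpsix" .wpsix
"""

# Constructed pool inventory (these would be real local UNIX accounts).
SAMPLE_POOLS = {"wpsix": ["wpsix001", "wpsix002"], "iteam": ["iteam001"], "pvier": ["pvier001"]}

# Legacy Globus proxies append /CN=proxy or /CN=limited proxy to the holder's
# DN (grid-proxy-info -subject shows this); RFC 3820 proxies append a numeric
# CN. A proxy of a proxy appends one component per level, hence the loop.
_PROXY_CN = re.compile(r"/CN=(?:proxy|limited proxy|\d+)$")


def holder_dn(subject):
    """Return the end-entity DN behind a (possibly multi-level) proxy subject."""
    while True:
        m = _PROXY_CN.search(subject)
        if not m:
            return subject
        subject = subject[: m.start()]


def normalize_fqan(fqan):
    """Reduce both FQAN spellings on the slides to (vo, group).

    "/VO=wpsix/GROUP=/wpsix"           -> ("wpsix", "/wpsix")
    "/wpsix/Role=NULL/Capability=NULL" -> ("wpsix", "/wpsix")
    Roles and capabilities are ignored (assumption: group-only mapping).
    """
    if fqan.startswith("/VO="):
        vo, _, rest = fqan[4:].partition("/GROUP=")
        return vo, rest.split("/ROLE=")[0]
    parts = [p for p in fqan.split("/") if p and "=" not in p]
    return parts[0], "/" + "/".join(parts)


def parse_mapfile(text):
    """Split mapfile lines into DN entries and FQAN entries (two dicts)."""
    dn_map, fqan_map = {}, {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)   # handles the quoted keys
        if not tokens:
            continue
        if len(tokens) != 2:
            raise ValueError(f"malformed mapfile line: {line!r}")
        key, target = tokens
        if key.startswith("/VO="):
            fqan_map[normalize_fqan(key)] = target
        else:
            dn_map[key] = target
    return dn_map, fqan_map


class PoolAllocator:
    """Lease pool accounts so the same DN always comes back to the same account."""

    def __init__(self, pools):
        self.free = {name: list(accounts) for name, accounts in pools.items()}
        self.leases = {}   # (pool, dn) -> account

    def lease(self, pool, dn):
        key = (pool, dn)
        if key not in self.leases:
            if not self.free.get(pool):
                raise PermissionError(f"pool {pool!r} exhausted; refusing to map {dn}")
            self.leases[key] = self.free[pool].pop(0)
        return self.leases[key]


def map_credential(mapfile_text, pools, proxy_subject, fqans=()):
    """Return the local account for this proxy, or raise PermissionError."""
    dn_map, fqan_map = parse_mapfile(mapfile_text)
    dn = holder_dn(proxy_subject)
    target = dn_map.get(dn)                      # identity-based entry first
    if target is None:
        for fqan in fqans:                       # then VO attributes, in order
            target = fqan_map.get(normalize_fqan(fqan))
            if target is not None:
                break
    if target is None:
        raise PermissionError(f"no mapping for {dn} with attributes {list(fqans)}")
    return pools.lease(target[1:], dn) if target.startswith(".") else target


if __name__ == "__main__":
    pools = PoolAllocator(SAMPLE_POOLS)
    print(map_credential(SAMPLE_MAPFILE, pools,
                         "/O=dutchgrid/O=users/O=nikhef/CN=David Groep/CN=proxy",
                         ["/wpsix/Role=NULL/Capability=NULL"]))
```

Two points worth noticing: lookups key on the holder's DN, never on the proxy subject as presented, so that "/CN=proxy" chains of any depth map to the same person; and an exhausted pool or an unmatched DN raises rather than returning a default, so the caller cannot accidentally run a job as nobody or root. Real pool-account leases are persisted on disk (the gridmapdir) so they survive restarts; this example keeps them in memory.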
Secure Communications Using Public Key Cryptography
• Conventional (symmetric) secure communication: both parties need a pre-existing trusted channel to share the secret key
• Asymmetric encryption ('public key crypto') allows secured communication without the need for such a channel
• You can reliably establish communications between two key pairs
• Relies on a (supposedly) difficult problem, e.g., factoring large numbers
How does it work?
Example 1 (diagram): Alice generates $(d, e, p, q)$ with $n = pq$, keeps the private key $(d, n)$ and publishes $(e, n)$ in public space. Bob encrypts a message $m$ as $c = E_{e,n}(m)$ and sends $c$; Alice computes $D_{d,n}(c) \to m$.

$E_{e,n}(m) = m^e \bmod n$
$D_{d,n}(c) = c^d \bmod n$
$m = D(E(m)) = E(D(m))$ (reversibility)

This holds, among other conditions, if $de \equiv 1 \pmod{\varphi(n)}$, where $\varphi(n) = (p-1)(q-1)$ and $e$ is relatively prime to $\varphi(n)$, i.e. to both $(p-1)$ and $(q-1)$.
6-bit RSA key generation
• Take a (small) value $e = 3$
• Generate a pair of primes $(p, q)$, each about $k/2$ bits long, with $(p-1)$ and $(q-1)$ relatively prime to $e$: $(p, q) = (11, 5)$
• $\varphi(n) = (11-1)(5-1) = 40$; $n = pq = 55$
• Find $d$ with $de \equiv 1 \pmod{40}$: here $d = 27$, since $3 \cdot 27 = 81 \equiv 1 \pmod{40}$
• Public key: $(3, 55)$
• Private key: $(27, 55)$
(As before: $E_{e,n}(m) = m^e \bmod n$, $D_{d,n}(c) = c^d \bmod n$, and $m = D(E(m)) = E(D(m))$ if $de \equiv 1 \pmod{\varphi(n)}$ with $\varphi(n) = (p-1)(q-1)$.)
Message Exchange with the public key $(3, 55)$
Encryption:
• Bob thinks of a plaintext $m < n$: $m = 18$
• Encrypt with Alice's public key $(3, 55)$: $c = E_{3,55}(18) = 18^3 \bmod 55 = 5832 \bmod 55 = 2$
• Send the message "2"
Decryption:
• Alice gets "2"
• She knows the private key $(27, 55)$
• $D_{27,55}(2) = 2^{27} \bmod 55 = 18$ !
• If you just have $(3, 55)$, it is hard to get the 27: hard, that is, for a real-sized $n$; $55$ anyone can factor by hand, which is exactly why real keys are 1024 bits or more
($E_{e,n}(m) = m^e \bmod n$, $D_{d,n}(c) = c^d \bmod n$, $m = D(E(m)) = E(D(m))$ if $de \equiv 1 \pmod{\varphi(n)}$ with $\varphi(n) = (p-1)(q-1)$.)
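The three RSA slides carried through in code, as an added example (not code from the tutorial): key generation from the deck's $(p, q, e) = (11, 5, 3)$ giving $d = 27$, the encryption of 18 to 2 and its decryption, and then the attacker's side of "it's hard to get the 27": with $n = 55$ the modulus is factored by trial division and $d$ recomputed, and because textbook RSA is deterministic and unpadded the plaintext is also recovered by simply trying every $m < n$. The helper names (`modinv`, `recover_private_key`, `brute_force_plaintext`) are this example's own.

```python
"""Added example: the deck's 6-bit RSA, including why a tiny n is useless."""
from math import gcd, isqrt


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return old_s % m


def rsa_keygen(p, q, e=3):
    """Return ((e, n), (d, n)) for distinct primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # phi(n) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = modinv(e, phi)                       # d*e = 1 mod phi(n)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """E_{e,n}(m) = m^e mod n; the plaintext must be an integer below n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """D_{d,n}(c) = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def factor(n):
    """Trial division: instant for 55, infeasible for a 1024-bit modulus."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no non-trivial factor")


def recover_private_key(public_key):
    """The attack that a small n permits: factor n, recompute d from (e, n) alone."""
    e, n = public_key
    p, q = factor(n)
    return modinv(e, (p - 1) * (q - 1)), n


def brute_force_plaintext(public_key, c):
    """Textbook RSA is deterministic and unpadded, so a small message space
    can be reversed without the private key: encrypt every candidate."""
    e, n = public_key
    for m in range(n):
        if pow(m, e, n) == c:
            return m
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen(11, 5, 3)         # -> (3, 55), (27, 55)
    c = encrypt(pub, 18)                     # -> 2
    print("public", pub, "private", priv, "E(18) =", c, "D(c) =", decrypt(priv, c))
    print("attacker recovers key", recover_private_key(pub),
          "and plaintext", brute_force_plaintext(pub, c))
```

Both attacks succeed here only because $n$ is tiny; the second one, however, does not depend on factoring at all and applies to any unpadded RSA with a guessable message, which is why real protocols (including the TLS handshakes behind GSI) never encrypt raw data with RSA but use padding or wrap a random symmetric key.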