Grid security
- 3. What do we want from security? Identity Authentication Privacy Integrity Authorization Single sign-on Delegation
- 4. Identity & Authentication Each entity should have an identity Who are you? Example: Unix login name Authentication: Prove your identity Stops masquerading imposters Examples: Passport Username and password
- 7. Message Protection Sending message securely Integrity Detect whether message has been tampered Privacy No one other than sender and receiver should be able to read message
- 8. Authorization establishes rights to do actions What can a particular identity do? Examples: Are you allowed to read this file? Are you allowed to run a job on this machine? Unix read/write/execute permissions Must authenticate first Authentication != authorization
- 9. Single sign on Log on once Type password once Use any grid resource without typing password again
- 10. Delegation
- 11. Delegation Resources on the grid can act as you Example: Execution jobs can transfer files Delegation can be restricted For example: Delegation only valid for a short period of time
- 13. Cryptographic Keys, the building block of cryptography, are collections of bits The more bits that you have, the stronger is the key Public key cryptography has two keys: Public key Private key 0 1 0 1 0 0 1 1 1 0 1 0 1 1 1 1 0 1 1 1
- 14. Encryption takes data and a key, feeds it into a function and gets encrypted data out Encrypted data is, in principal, unreadable unless decrypted Encryption Function <data>
- 15. Decryption feeds encrypted data & a key into a function and gets the original data Encryption and decryption functions are linked Decryption Function <data>
- 16. Digital Signatures let you verify aspects of the data Who created the data That the data has not been tampered with Does not stop other people reading the data Combine encryption+signature
- 17. Public Key Infrastructure (PKI) provides Identity X.509 certificate Associates an identity with a public key Signed by a Certificate Authority Owner
- 18. John Doe 755 E. Woodlawn Urbana IL 61801 BD 08-06-65 Male 6’0” 200lbs GRN Eyes State of Illinois Seal Certificates are similar to passports or identity cards Name Issuer Public Key Validity Signature Valid Till: 01-02-2008
- 19. Certification Authorities (CAs) sign certificates CAs are small set of trusted entities CA certificates must be distributed securely Issuer? Name Validity Public Key
- 20. Each CA has a Certificate Policy (CP) The Certificate Policy states: To whom the CA will issue certificates How the CA identifies people to whom it will issue certificates Lenient CAs don’t pose security threat because resources determine the CAs they trust.
- 21. Grid Security Infrastructure (GSI) allows users & apps to securely access resources Based on PKI A set of tools, libraries and protocols used in Globus Uses SSL for authentication and message protection Adds features needed for Single-Sign on Proxy Credentials Delegation
- 22. In GSI, each user has a set of credentials they use to prove their identity on the grid Consists of a X509 certificate and private key Long-term private key is kept encrypted with a pass phrase Good for security, inconvenient for repeated usage
- 23. GSI Proxy credentials are short-lived credentials created by user Short term binding of user’s identity to alternate private key Same identity as certificate Stored unencrypted for easy repeated access Short lifetime in case of theft
- 24. GSI: Single Sign-on Single sign-on Uses proxies Type in password once, make a proxy with no password Features: Allow easy repeated access to credentials Limit risk of misuse on theft Allow process to perform jobs for user
- 25. GSI delegation allows another entity to run using your credentials Other entity gets a proxy with your identity Other entity can run as you only for limited time for specific purpose For example, a compute job might want to transfer files on your behalf.
- 26. Authorization Types Server side authorization Client side authorization Examples Self authorization Identity authorization
- 27. Gridmap is a list of mappings from allowed DNs to user name "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford” benc "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde” wilde Commonly used in Globus for server side ACL + some attribute Controlled by administrator Open read access
- 28. MyProxy Developed at NCSA Credential Repository with different access mechanism (e.g username/pass phrase) Can act as a credential translator from username/pass phrase to GSI Online CA Supports various authentication schemes Passphrase, Certificate, Kerberos
- 29. MyProxy: Use Cases Credential need not be stored in every machine Used by services that can only handle username and pass phrases to authenticate to Grid. E.g. web portals Handles credential renewal for long-running tasks Can delegate to other services
Editor's Notes
- #3: Large resources Shared across various domain User pool Restrict access to the resource, yet allow for collaboration
- #6: - Real life: sensitive data : caBig cancer research; proprietary data.
- #11: Long running jobs Jobs require access to different things
- #14: Keys are building blocks 256 bits key is stronger than 128 bits Computing things using larger key also takes more time. Most algorithms are well established and tools have been already developed for performing the computations
- #15: Data is treated as bit streams.
- #16: Decryption again is a mathematical function of taking the encrypted data and key and getting original data If you encrypt with a particular algorithm, you want to decrypt with the same one
- #17: Generated and sent with the message
- #18: Provides a owner tag Any entity that possess the private key, assumes that entity. So if you have my private key, you are me as far as PKI fabric is concerned.
- #24: Motivation: - Encrypted private key requires some warm body, - long term credential – prevent theft. Same identity as the certificate proxy is created off New key pair signed by your certificate Clock synchronization issues