Enabling Grids for E-sciencE
EGEE Security Basics for
the User
Guy Warner
NeSC Training Team
An Induction to EGEE for GOSC and the NGS
NeSC, 8th December 2004
www.eu-egee.org
INFSO-RI-508833
Acknowledgements
Enabling Grids for E-sciencE
Some of the slides in this presentation are based on /
motivated by:
• The presentation given by Carl Kesselman at the GGF
Summer School 2004. This presentation may be found at
– http://www.dma.unina.it/~murli/GridSummerSchool2004/
curriculum.htm
• Lectures given by Richard Sinott and John Watt at the
University of Glasgow. These lectures may be found at
– http://csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN at
First Latinamerican Grid Workshop, Merida, Venezuela.
This presentation may be found at
– http://agenda.cern.ch/fullAgenda.php?ida=a044965
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
2
Approaches to Security: 1
Enabling Grids for E-sciencE
The Poor Security House
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
3
Approaches to Security: 2
Enabling Grids for E-sciencE
The Paranoid Security House
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
4
Approaches to Security: 3
Enabling Grids for E-sciencE
The Realistic Security House
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
5
Approaches to Grid Security
Enabling Grids for E-sciencE
• The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in publicly available location.
• The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave computer unattended.
• The Realistic Security Approach:
– Encrypt all sensitive communications
– Use difficult to break identification means.
– Keep identification secure at all times (e.g. encrypted on a
memory stick).
– Only allow access to trusted users.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
6
The Risks of Poor User Security
Enabling Grids for E-sciencE
• Launch attacks to other sites
– Large distributed farms of machines, perfect for launching a
Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and access
sensitive information
– Massive distributed storage capacity ideal for example, for
swapping movies.
• Damage caused by viruses, worms etc.
– Highly connected infrastructure means worms spread faster than
on the internet in general.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
7
Authentication and Authorization
Enabling Grids for E-sciencE
0598234
John
Jane Doe
755 E. Woodlawn
Urbana IL 61801
• Authentication
– Are you who you claim to be?
• Authorisation
– Do you have access to the resource you are connecting to?
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
8
Aspects of Grid Security
Enabling Grids for E-sciencE
• Resources being used may be valuable & the problems
being solved sensitive
• Dynamic formation and management of virtual
organizations (VOs)
– Large, dynamic, unpredictable…
• VO Resources and users are often located in distinct
administrative domains
– Can’t assume cross-organizational trust agreements
– Different mechanisms & credentials
• Interactions are not just client/server, but service-toservice on behalf of the user
– Requires delegation of rights by user to service
– Services may be dynamically instantiated
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
9
Grid Security Infrastructure (GSI)
Enabling Grids for E-sciencE
• Developed by Globus. All elements of the Globus
Toolkit are built on top of this basic infrastructure.
• A toolkit for the purposes of
– Secure communication
– Security across organizational boundaries, thus prohibiting a
centrally-managed security system.
– Supporting "single sign-on" for Grid users, including delegation
of credentials.
• Introduces X.509 Proxy Certificates (an extended X.509
certificate)
– every user/host/service has a certificate.
– certificates are signed by trusted (by the local sites) certificate
authorities.
– every Grid transaction is mutually authenticated.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
10
The Trust Model
Enabling Grids for E-sciencE
No CrossDomain Trust
Certification
Authority
Certification
Authority
Policy
Authority
Policy
Authority
Sub-Domain B1
Sub-Domain A1
Domain A
Domain B
Task
Federation
Service
GSI
Server X
Virtual
Organization
Domain
Server Y
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
11
Delegation
Enabling Grids for E-sciencE
Delegation : The act of giving an organisation, person or
service the right to act on your behalf.
• A Site delegates responsibility for the users that may
access its resources to the managers/management system
of a VO.
• A VO delegates its rights to a user.
• A user delegates their authentication to a service to allow
programs to run on remote sites.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
12
Use Delegation to
Establish Dynamic Distributed System
Enabling Grids for E-sciencE
Compute
Center
Service
VO
Compute
Center
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
13
Enabling Grids for E-sciencE
Compute
Center
Goal is to do this
with arbitrary mechanisms
X.509/SSL
Service
Kerberos/
WS-Security
Rights
VO
SAML
Attribute
Compute
Center
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
14
Public Private Key
Enabling Grids for E-sciencE
Bob
Alice
SECURE
SECURE
INSECURE
Life Savings
Life Savings
Life Savings
Private Key
INFSO-RI-508833
Message
Public Key
EGEE Security Basics for the User, NeSC, 8th December 04
15
Public Key Infrastructure (PKI)
Enabling Grids for E-sciencE
• PKI allows you to know that a given key belongs
to a given user.
• PKI builds off of asymmetric encryption:
– Each entity has two keys: public and private.
– Data encrypted with one key can only be decrypted with
other.
– The public key is public.
– The private key is known only to the entity.
• The public key is given to the world
encapsulated in a X.509 certificate.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
16
An illustration of how PKI works
Enabling Grids for E-sciencE
• Assume our message can be converted to a number in
the range 1-9 (a 0 value represents an empty message):
– For this example use the value 4
• Encrypt the message by multiplying by 3 and working
in modulo 10
– 4 x 3 = 12 = 2 mod 10
• To decrypt we can’t divide by 3 because working
modulo 10 only supports the integers 0-9.
• Instead to decrypt the message multiply by 7 while
working modulo 10
– 2 x 7 = 14 = 4 mod 10
• Why Does this work?
– 3 x 7 = 21 = 1 mod 10 , hence , 1/3 ≡ 7 mod 10
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
17
Certificates
Enabling Grids for E-sciencE
• Similar to passport or driver’s license: Identity
signed by a trusted party
Name
Issuer
Public Key
Signature
John Doe
755 E. Woodlawn
Urbana IL 61801
State of
Illinois
Seal
BD 08-06-35
Male 6’0” 200lbs
GRN Eyes
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
18
Certificate Authorities
Enabling Grids for E-sciencE
• A small set of trusted entities known
as Certificate Authorities (CAs) are
established to sign certificates
• A Certificate Authority is an entity that
exists only to sign user certificates
• Users authenticate themselves to CA,
for example by use of their Passport or
Identity Card.
• The CA signs it’s own certificate which
is distributed in a secure manner.
• EGEE recognizes a given set of CA’s:
Name: CA
Issuer: CA
CA’s Public Key
CA’s Signature
https://lcg-registrar.cern.ch/pki_certificates.html
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
19
Certificate Request
Enabling Grids for E-sciencE
User send public
key to CA along
with proof of
identity.
User generates
public/private
key pair.
Certificate
Request
Public Key
CA confirms identity,
signs certificate and
sends back to user.
Cert
ID
Private Key
encrypted on
local disk
INFSO-RI-508833
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
EGEE Security Basics for the User, NeSC, 8th December 04
20
Inside the Certificate
Enabling Grids for E-sciencE
• Standard (X.509) defined format.
• User identification (e.g. full name).
• Users Public key.
• A “signature” from a CA created by encoding a unique
string (a hash) generated from the users identification,
users public key and the name of the CA. The signature
is encoded using the CA’s private key. This has the
effect of:
– Proving that the certificate came from the CA.
– Vouching for the users identification.
– Vouching for the binding of the users public key to their
identification.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
21
Certificate Validity
Enabling Grids for E-sciencE
• The public key from the CA certificate can then be
used to verify the certificate.
Name
Issuer: CA
Public Key
Signature
Decrypt
=?
Name: CA
Issuer: CA
CA’s Public Key
CA’s Signature
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
22
Certificates and Delegation
Enabling Grids for E-sciencE
User
CA
Proxy
Service
Signs
own
Certificate
signs
Certificate
signs
Certificate
Stage1:
Stage2:
Stage3:
Low
Frequency
Medium
Frequency
High
Frequency
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
23
Mutual Authentication Pt1
Enabling Grids for E-sciencE
• Two parties, lets call them A and B, have certificates
and they both trust the CA’s that signed them.
• Mutual Authentication is the process by which they
prove to each other that they are who they say they are.
• The process is
– B establishes A’s identity.
– A establishes B’s identity.
– A can trust B and B can trust A.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
24
Mutual Authentication Pt2
Enabling Grids for E-sciencE
1. A sends their certificate;
A’s certificate
2. B verifies signature in A’s
3.
4.
5.
6.
7.
8.
certificate;
B sends to A a challenge string;
A encrypts the challenge string
with his private key;
A sends encrypted challenge to B
B uses A’s public key to decrypt
the challenge.
B compares the decrypted string
with the original challenge
If they match, B verified A’s
identity and A can not repudiate
it.
INFSO-RI-508833
B
A
Verify CA signature
Random phrase
Encrypt with A’ s private key
Encrypted phrase
Decrypt with A’ s public key
Compare with original phrase
EGEE Security Basics for the User, NeSC, 8th December 04
25
Enabling Grids for E-sciencE
User Authorisation to Access
Resource
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
26
Authorisation Requirements
Enabling Grids for E-sciencE
• Detailed user rights centrally managed and assigned:
– User can have certain group membership and roles
• Involved parties:
– Resource providers.
 Keep full control on access rights.
– The users Virtual Organisation.
 Member of a certain group should have same access rights
independent of resource.
• Resource provider and VO must agree on
authorisation:
– Resource providers evaluate authorisation granted by VO to a
user and map into local credentials to access resources
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
27
User Responsibilities
Enabling Grids for E-sciencE
• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate
has been compromised.
• Do not launch a delegation service for longer than your
current task needs.
If your certificate or delegated service is
used by someone other than you, it
cannot be proven that it was not you.
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
28
Summary
Enabling Grids for E-sciencE
User
via Certificates and
Delegated Services
delegated to VO.
Authentication
Authorisation
Resource
INFSO-RI-508833
EGEE Security Basics for the User, NeSC, 8th December 04
29