Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Getting Started Guy Warner NeSC Training Team

advertisement 
http://www.grid-support.ac.uk
http://www.ngs.ac.uk
Getting Started
Guy Warner
NeSC Training Team
http://www.nesc.ac.uk/
http://www.pparc.ac.uk/
http://www.eu-egee.org/
Acknowledgements
Some of the slides in this presentation are based on / motivated by:
• The presentation given by Carl Kesselman at the GGF Summer
School 2004. This presentation may be found at
– http://www.dma.unina.it/~murli/GridSummerSchool2004/
curriculum.htm
• Lectures given by Richard Sinott and John Watt at the University of
Glasgow. These lectures may be found at
– http://csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN at First
Latinamerican Grid Workshop, Merida, Venezuela. This presentation
may be found at
– http://agenda.cern.ch/fullAgenda.php?ida=a044965
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
2
The Problem
User
Resource
• Question:
How does a user securely access the Resource without
having an account on the machines in between or even
on the Resource?
• Question:
How does the Resource know who a user is and that
3
Induction
to Grid Computing
and the National Grid Service, NeSC,
they are
allowed
access?
13 – 14 June 2005
th
th
Overview
Security
Authentication
Grid Security
Infrastructure
Encryption &
Authorization
Data Integrity
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
4
Approaches to Security: 1
The Poor Security House
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
5
Approaches to Security: 2
The Paranoid Security House
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
6
Approaches to Security: 3
The Realistic Security House
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
7
Approaches to Grid
Security
• The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in publicly available location.
• The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave computer unattended.
• The Realistic Security Approach:
– Encrypt all sensitive communications
– Use difficult to break identification means.
– Keep identification secure at all times (e.g. encrypted on a
memory stick).
– Only allow access to trusted users.
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
8
The Risks of Poor User
Security
• Launch attacks to other sites
– Large distributed farms of machines, perfect for launching a
Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and
access sensitive information
– Massive distributed storage capacity ideal for example, for
swapping movies.
• Damage caused by viruses, worms etc.
– Highly connected infrastructure means worms spread faster than
on the internet in general.
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
9
Authentication and
Authorization
0598234
John
Jane Doe
755 E. Woodlawn
Urbana IL 61801
• Authentication
– Are you who you claim to be?
• Authorisation
– Do you have access to the resource you are connecting to?
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
10
The Trust Model
No Cross-
Domain Trust
Certification
Authority
Certification
Authority
Policy
Authority
Policy
Authority
Sub-Domain B1
Sub-Domain A1
Domain A
Domain B
Task
Federation
Service
GSI
Server X
Virtual
Organization
Domain
Server Y
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
11
Public Private Key
Bob
Alice
SECURE
SECURE
INSECURE
Life Savings
Life Savings
Life Savings
Private Key
Message
Public Key
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
12
Certificates
• Similar to passport or driver’s license:
Identity signed by a trusted party
Name
Issuer
Public Key
Signature
John Doe
755 E. Woodlawn
Urbana IL 61801
State of
Illinois
Seal
BD 08-06-35
Male 6’0” 200lbs
GRN Eyes
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
14
Certificate Authorities
• A small set of trusted
entities known as Certificate
Authorities (CAs) are
established to sign
certificates
• A Certificate Authority is an
entity that exists only to sign
user certificates
• Users authenticate
themselves to CA, for
example by use of their
Passport or Identity Card.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
• The CA signs it’s own
Induction to Grid Computing and the National Grid Service, NeSC,
certificate
which
is
13 – 14 June
2005
th
th
Name: CA
Issuer: CA
CA’s Public Key
CA’s Signature
15
Delegation and Certificates
Delegation : The act of giving an organization, person or service the right
to act on your behalf.
• For example: A user delegates their authentication to a service to allow
programs to run on remote sites.
User
CA
Proxy
Service
Signs
own
Certificate
signs
Certificate
signs
Certificate
Stage1:
Stage2:
Stage3:
Low
Frequency
Medium
Frequency
High
Frequency
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
16
User Authorisation to
Access Resource
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
17
User Responsibilities
• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your
certificate has been compromised.
• Do not launch a delegation service for longer than
your current task needs.
If your certificate or delegated service is
used by someone other than you, it
cannot be proven that it was not you.
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
18
Summary
User
via Certificates and
Delegated Services
delegated to VO.
Authentication
Authorisation
Resource
Induction to Grid Computing and the National Grid Service, NeSC,
13th – 14th June 2005
19
The Practical
• In your information pack is a sheet containing
the details for logging on to your workstation and
the passwords needed for logging on to your
account on pub-234 – the server to be used in
this tutorial.
• Login to your workstation
• Use the putty program (on your desktop) to
connect to pub-234
• Open a browser window to
20
Induction to Grid Computing and the National Grid Service, NeSC,
http://homepages.nesc.ac.uk/~gcw/NGS/GSI.ht
13 – 14 June 2005
th
th
Related documents
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
The Four Functions of the Computer
The Four Functions of the Computer
Download
advertisement