Enabling Grids for E-sciencE

Getting Started
Guy Warner, NeSC Training Team
Induction to Grid Computing and the National Grid Service, NeSC, 10th-11th March 2005
www.eu-egee.org
INFSO-RI-508833

Acknowledgements

Some of the slides in this presentation are based on / motivated by:
• The presentation given by Carl Kesselman at the GGF Summer School 2004. This presentation may be found at
  – http://www.dma.unina.it/~murli/GridSummerSchool2004/curriculum.htm
• Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at
  – http://csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at
  – http://agenda.cern.ch/fullAgenda.php?ida=a044965

The Problem

[Diagram: a User at one end, a Resource at the other, with intermediate machines between them.]
• Question: How does a user securely access the Resource without having an account on the machines in between, or even on the Resource?
• Question: How does the Resource know who a user is and that they are allowed access?

Overview

• Security
• Authentication
• Grid Security Infrastructure
• Encryption & Data Integrity
• Authorization

Approaches to Security: 1
[Diagram: The Poor Security House]

Approaches to Security: 2
[Diagram: The Paranoid Security House]

Approaches to Security: 3
[Diagram: The Realistic Security House]

Approaches to Grid Security

• The Poor Security Approach:
  – Use unencrypted communications.
  – No or poor (easily guessed) identification means.
  – Private identification (key) left in a publicly available location.
• The Paranoid Security Approach:
  – Don't use any communications (no network at all).
  – Don't leave the computer unattended.
• The Realistic Security Approach:
  – Encrypt all sensitive communications.
  – Use identification means that are difficult to break.
  – Keep identification secure at all times (e.g. encrypted on a memory stick).
  – Only allow access to trusted users.

The Risks of Poor User Security

• Launching attacks on other sites
  – Large distributed farms of machines are perfect for launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution, and access to sensitive information
  – Massive distributed storage capacity is ideal, for example, for swapping movies.
• Damage caused by viruses, worms etc.
  – A highly connected infrastructure means worms spread faster than on the internet in general.

Authentication and Authorization

[Diagram: a driver's licence, number 0598234, for John Jane Doe, 755 E. Woodlawn, Urbana IL 61801, shown as an example of an identity document.]
• Authentication – Are you who you claim to be?
• Authorisation – Do you have access to the resource you are connecting to?

The Trust Model

[Diagram: two domains, A and B, each with its own Certification Authority and Policy Authority and its own sub-domain (A1, B1); there is no cross-domain trust between them. A Virtual Organization spans both domains through a Federation Service, with a Task running against GSI Server X on one side and Server Y on the other. Slide based on the presentation given by Carl Kesselman at GGF Summer School 2004.]

Public Private Key

[Diagram: Alice and Bob. A message ("Life Savings") crosses an INSECURE network; it is SECURE at either end because it is protected with a Public Key and can only be read by the holder of the matching Private Key.]

Certificates

• Similar to a passport or driver's licence: an identity signed by a trusted party.
[Diagram: a certificate laid out like a driver's licence, with the fields Name, Issuer, Public Key and Signature alongside the licence details of John Doe, 755 E. Woodlawn, Urbana IL 61801 (BD 08-06-35, Male, 6'0", 200lbs, GRN Eyes), issued under the seal of the State of Illinois. Slide based on the presentation given by Carl Kesselman at GGF Summer School 2004.]

Certificate Authorities

• A small set of trusted entities, known as Certificate Authorities (CAs), are established to sign certificates.
• A Certificate Authority is an entity that exists only to sign user certificates.
• Users authenticate themselves to the CA, for example by use of their Passport or Identity Card.
• The CA signs its own certificate, which is distributed in a secure manner.
[Diagram: the CA's self-signed certificate: Name: CA, Issuer: CA, CA's Public Key, CA's Signature. Slide based on the presentation given by Carl Kesselman at GGF Summer School 2004.]

Delegation and Certificates

Delegation: the act of giving an organization, person or service the right to act on your behalf.
• For example: a user delegates their authentication to a service to allow programs to run on remote sites.
[Diagram: the signing chain. Stage 1 (low frequency): the CA signs its own certificate. Stage 2 (medium frequency): the CA signs the User's certificate. Stage 3 (high frequency): the User signs a Proxy certificate, which a Service then uses to act on the user's behalf.]

User Authorisation to Access Resource

[Diagram only. Slide based on the presentation given by Carl Kesselman at GGF Summer School 2004.]

User Responsibilities

• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.

Summary

[Diagram: the User authenticates to the Resource via Certificates and Delegated Services (Authentication); the decision about who may use the Resource is delegated to the VO (Authorisation).]

The Practical

• In your information pack is a sheet containing the details for logging on to your workstation and the passwords needed for logging on to your account on lab-07, the server to be used in this tutorial.
• Log in to your workstation.
• Use the putty program (on your desktop) to connect to lab-07.
• Open a browser window at http://homepages.nesc.ac.uk/~gcw/NGS/GSI.html
• Follow the instructions from there.
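A worked example of the chain these slides describe, added here as an illustration; it is not part of the original slides and is not the Globus/GSI implementation. A toy RSA built from small constructed primes models Stage 1 (the CA signs its own certificate), Stage 2 (the CA signs the user's certificate) and Stage 3 (the user signs a short-lived proxy), and then the two checks the Resource makes: authentication (verify every link of the chain, its expiry and that the root is a trusted CA) and authorisation (a grid-mapfile-style lookup from the user's distinguished name to a local account). The DNs, the 12-hour proxy lifetime, the account name and the key sizes are all constructed for the example.

```python
import hashlib

# Toy RSA built from small, constructed primes. It shows the mechanics of
# signing and verifying only; it is nowhere near secure (real GSI uses X.509
# certificates with RSA keys of 1024 bits or more).
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}   # d = e^-1 mod phi

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    # Hash, then reduce into the modulus (a toy stand-in for proper padding)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

# A certificate: a name, the issuer's name, a public key and an expiry,
# bound together by the issuer's signature over exactly those fields.
def tbs(cert):
    fields = ("subject", "issuer", "n", "e", "not_after")
    return "|".join(str(cert[f]) for f in fields).encode()

def issue(subject, subject_key, issuer, issuer_key, lifetime, now):
    cert = {"subject": subject, "issuer": issuer, "n": subject_key["n"],
            "e": subject_key["e"], "not_after": now + lifetime}
    cert["sig"] = sign(issuer_key, tbs(cert))
    return cert

def is_proxy(cert):
    return cert["subject"].endswith("/CN=proxy")

def verify_chain(chain, trusted_cas, now):
    """Authentication. chain is leaf first: [proxy, user cert, CA cert].
    Every link must be unexpired, name its signer as issuer and carry a
    valid signature from that signer's key; the root must be a trusted CA."""
    for i, cert in enumerate(chain):
        if now > cert["not_after"]:
            return False
        signer = chain[i + 1] if i + 1 < len(chain) else cert  # root signs itself
        if cert["issuer"] != signer["subject"]:
            return False
        if not verify(public(signer), tbs(cert), cert["sig"]):
            return False
        # A proxy may only be issued by the identity it extends
        if is_proxy(cert) and not cert["subject"].startswith(signer["subject"] + "/"):
            return False
    root = chain[-1]
    return any(public(root) == public(ca) for ca in trusted_cas)

def end_entity_dn(chain):
    # Strip proxies: the identity being authorised is the user's own DN
    for cert in chain:
        if not is_proxy(cert):
            return cert["subject"]
    return None

def authorize(chain, trusted_cas, grid_mapfile, now):
    """Authentication first, then authorisation (grid-mapfile lookup).
    Returns the local account to run as, or None if either step fails."""
    if not verify_chain(chain, trusted_cas, now):
        return None
    return grid_mapfile.get(end_entity_dn(chain))

# --- constructed setup (hypothetical names and values) -----------------------
HOUR, YEAR = 3600, 365 * 24 * 3600
T0 = 1_110_000_000                       # constructed "now" (epoch seconds)
CA_KEY = make_key(10007, 10009)          # small primes, illustrative only
USER_KEY = make_key(7919, 7907)
PROXY_KEY = make_key(1009, 1013)
CA_DN = "/C=UK/O=eScience/OU=Authority/CN=CA"
USER_DN = "/C=UK/O=eScience/OU=NeSC/CN=john doe"

CA_CERT = issue(CA_DN, CA_KEY, CA_DN, CA_KEY, 10 * YEAR, T0)        # Stage 1
USER_CERT = issue(USER_DN, USER_KEY, CA_DN, CA_KEY, YEAR, T0)        # Stage 2
PROXY_CERT = issue(USER_DN + "/CN=proxy", PROXY_KEY, USER_DN, USER_KEY,
                   12 * HOUR, T0)                                    # Stage 3
CHAIN = [PROXY_CERT, USER_CERT, CA_CERT]
GRID_MAPFILE = {USER_DN: "ngsuser01"}    # constructed DN -> local account

def tampered_chain():
    # A different key substituted into the proxy: the signature no longer matches
    bad_proxy = dict(PROXY_CERT, n=make_key(61, 53)["n"])
    return [bad_proxy, USER_CERT, CA_CERT]

if __name__ == "__main__":
    trusted = [CA_CERT]
    print("fresh proxy   ->", authorize(CHAIN, trusted, GRID_MAPFILE, T0 + HOUR))
    print("expired proxy ->", authorize(CHAIN, trusted, GRID_MAPFILE, T0 + 13 * HOUR))
    print("tampered      ->", authorize(tampered_chain(), trusted, GRID_MAPFILE, T0 + HOUR))
    print("unknown CA    ->", authorize(CHAIN, [], GRID_MAPFILE, T0 + HOUR))
```

The Resource only ever needs the CA's public key, obtained out of band, to decide whether to believe the whole chain; it never needs an account for the user on the intermediate machines, which is the answer to the first question on "The Problem" slide. The 12-hour `not_after` on the proxy is what bounds the damage if a delegated credential leaks, which is why the User Responsibilities slide asks you not to run a delegation service longer than the task needs. The final lookup in `GRID_MAPFILE` is the authorisation step: a valid chain for a DN that is not mapped is still refused.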