Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Getting Started Guy Warner NeSC Training Team

advertisement 
http://www.grid-support.ac.uk
http://www.ngs.ac.uk
Getting Started
Guy Warner
NeSC Training Team
http://www.nesc.ac.uk/
http://www.pparc.ac.uk/
http://www.eu-egee.org/
Acknowledgements
Some of the slides in this presentation are based on / motivated by:
• The presentation given by Carl Kesselman at the GGF Summer
School 2004. This presentation may be found at
– http://www.dma.unina.it/~murli/GridSummerSchool2004/
curriculum.htm
• Lectures given by Richard Sinott and John Watt at the University of
Glasgow. These lectures may be found at
– http://csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN at First
Latinamerican Grid Workshop, Merida, Venezuela. This presentation
may be found at
– http://agenda.cern.ch/fullAgenda.php?ida=a044965
Induction to Grid Computing and the National Grid Service
3
The Problem
User
Resource
• Question:
How does a user securely access the Resource without having an
account on the machines in between or even on the Resource?
• Question:
How does the Resource know who a user is and that they are
allowed access?
Induction to Grid Computing and the National Grid Service
4
Overview
Security
Authentication
Grid Security
Infrastructure
Encryption &
Authorization
Data Integrity
Induction to Grid Computing and the National Grid Service
5
Approaches to Security: 1
The Poor Security House
Induction to Grid Computing and the National Grid Service
6
Approaches to Security: 2
The Paranoid Security House
Induction to Grid Computing and the National Grid Service
7
Approaches to Security: 3
The Realistic Security House
Induction to Grid Computing and the National Grid Service
8
Approaches to Grid
Security
• The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in publicly available location.
• The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave computer unattended.
• The Realistic Security Approach:
– Encrypt all sensitive communications
– Use difficult to break identification means.
– Keep identification secure at all times (e.g. encrypted on a
memory stick).
– Only allow access to trusted users.
Induction to Grid Computing and the National Grid Service
9
The Risks of Poor User
Security
• Launch attacks to other sites
– Large distributed farms of machines, perfect for launching a
Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and
access sensitive information
– Massive distributed storage capacity ideal for example, for
swapping movies.
• Damage caused by viruses, worms etc.
– Highly connected infrastructure means worms spread faster than
on the internet in general.
Induction to Grid Computing and the National Grid Service
10
Authentication and
Authorization
0598234
John
Jane Doe
755 E. Woodlawn
Urbana IL 61801
• Authentication
– Are you who you claim to be?
• Authorisation
– Do you have access to the resource you are connecting to?
Induction to Grid Computing and the National Grid Service
11
The Trust Model
No Cross-
Domain Trust
Certification
Authority
Certification
Authority
Policy
Authority
Policy
Authority
Sub-Domain B1
Sub-Domain A1
Domain A
Domain B
Task
Federation
Service
GSI
Server X
Virtual
Organization
Domain
Server Y
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service
12
Public Private Key
Bob
Alice
SECURE
SECURE
INSECURE
Life Savings
Life Savings
Life Savings
Private Key
Message
Public Key
Induction to Grid Computing and the National Grid Service
13
Certificates
• Similar to passport or driver’s license:
Identity signed by a trusted party
Name
Issuer
Public Key
Signature
John Doe
755 E. Woodlawn
Urbana IL 61801
State of
Illinois
Seal
BD 08-06-35
Male 6’0” 200lbs
GRN Eyes
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service
15
Certificate Authorities
• A small set of trusted entities
known as Certificate Authorities
(CAs) are established to sign
certificates
• A Certificate Authority is an entity
that exists only to sign user
certificates
• Users authenticate themselves to
CA, for example by use of their
Passport or Identity Card.
• The CA signs it’s own certificate
which is distributed in a secure
manner.
Name: CA
Issuer: CA
CA’s Public Key
CA’s Signature
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service
16
Delegation and Certificates
Delegation : The act of giving an organization, person or service the right
to act on your behalf.
• For example: A user delegates their authentication to a service to allow
programs to run on remote sites.
User
CA
Proxy
Service
Signs
own
Certificate
signs
Certificate
signs
Certificate
Stage1:
Stage2:
Stage3:
Low
Frequency
Medium
Frequency
High
Frequency
Induction to Grid Computing and the National Grid Service
17
User Authorisation to
Access Resource
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Induction to Grid Computing and the National Grid Service
18
User Responsibilities
• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your
certificate has been compromised.
• Do not launch a delegation service for longer than
your current task needs.
If your certificate or delegated service is
used by someone other than you, it
cannot be proven that it was not you.
Induction to Grid Computing and the National Grid Service
19
Summary
User
via Certificates and
Delegated Services
delegated to VO.
Authentication
Authorisation
Resource
Induction to Grid Computing and the National Grid Service
20
The Practical
• You should have been given an information sheet
containing your username and password needed for
logging on to your account on
pub-234.nesc.ed.ac.uk – the server to be used in this
tutorial.
• Login to your workstation
• Use the putty program to connect to
pub-234.nesc.ed.ac.uk
• Open a browser window and follow the link from
http://homepages.nesc.ac.uk/~gcw/NGS
• Follow the instructions from there.
Induction to Grid Computing and the National Grid Service
21
Related documents
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
The Four Functions of the Computer
The Four Functions of the Computer
Color # Shaded Decimal Fraction Percent
Color # Shaded Decimal Fraction Percent
Download
advertisement