Grid Security
Mike Jones
An overview of methods used to create a secure grid.
RAL 10 June 2003
TOC
CRLs
PKI Overview
Authorisation
VO Management
Signing and Encryption
PGP and all that
Trust
Firewalls
Grid Security
x509 certificates
Security in services
GSI
Host Configuration
Globus Security
User Setup
Best Practices
Authentication, Authorisation and Accounting (AAA)
Public Key Infrastructure (PKI)
x509 Certificates and pkcs12 etc.
Kerberos – Shared Secrets (Needham-Schroder)
Generic Security Services (GSS)
TSL, SSLeay, OpenSSL
Grid Security Infrastructure (GSI)
Delegation, Third Party, Single Sign On
Grid Security
Proxy Certificates
Trustable Software
Trustable users
Not Spyware
Making sure there are no back doors
Grid Security
Not Broken (or at least someone creates updates)
Cryptography...
Symmetric (eg DES) vs Assymetric (eg RSA)
Shared Key
where N=pq product of two large primes
(p-1)(q-1) is almost prime
and e (almost prime too)
To encrypt/decrypt with Public Key:
c
vs Pubic and Private Key
Public Key: [e and N]
PKI Overview
me
mod N
Symmetric (eg DES) vs Assymetric (eg RSA)
1 mod
p
me
mod N
cd
mod N
1 q
(p-1)(q-1) is almost prime
c
To decrypt/encrypt with Private Key:
m
To encrypt/decrypt with Public Key:
and e (almost prime too)
1
d
e
where
where N=pq product of two large primes
Private Key: [d and N]
Public Key: [e and N]
vs Pubic and Private Key
Shared Key
PKI Overview
PGP/GPG
Encrypt data using a symmetric key
Lookup RSA Public Key of recipient
Zimmermann: security in data transfer for public
Encrypt the symmetric key with RSA
Pretty Good Privicy / Gnu Privicy Guard
Send the encrypted key & encrypted message
Included: Key gen. with “entropy gathering device”,
Data encryption, Data signing, and easy UI
Signing and Encrypting
We've discussed encryption/decryption
To Sign - encryption message with private key.
Everyone should be able to read it so create a Hash
and encrypt that instead.
Hash is a one way digest of the message by a specific
algorythm (eg SHA1 or MD5)
Encrypt the hash and enclude it in the message.
Verify by making the hash and decrypting the signature
We rely on ourselves to get true public keys
A public key may be digitally signed by many people
Chain of trust rules
some of whom you may trust.
CA method (Certificate Authority)
CA has a “root certificate” and a document called CP/CPS
Policy and Practice
You choose to trust on the basis of CP/CPS.
http://www.grid-support.ac.uk/ca/cps
CA signs your certificate (your public key).
Trust
Large scale CAs are difficult and costly (~£220 per cert)
Serial Number
Issuer
Times of Validity
Subject
Public Key
Constraints
Extensions
Type and Use
Version
Thumbprint
Signature Algorithm: md5WithRSAEncryption
3a:1f:81:a8:1a:83:ff:2c:0f:7b:b6:1e:2a:87:31:13:d9:ca:
9e:c1:9e:e4:42:b5:22:56:7b:01:98:11:13:29:a3:d8:d2:37:
80:58:ac:7f:44:f7:1e:ba:00:f4:8b:c8:34:00:ff:44:27:c2:
2a:54:8b:95:e9:a0:00:f8:3d:60:92:c4:99:2b:72:d4:b7:dd:
78:bd:c9:4a:01:d7:14:1d:3c:d9:6f:60:7b:23:90:8e:d6:3a:
2d:45:39:5e:bc:fd:6d:77:7b:1e:cf:43:8c:e4:05:4c:1b:91:
e5:bb:da:3d:cd:9d:05:6b:be:21:b0:e8:43:b2:4b:4e:c4:4f:
6b:4e:23:9e:03:d2:03:86:1b:44:68:60:41:5d:64:ae:2d:52:
e2:7d:9b:99:60:71:7f:4a:00:1e:5d:9d:14:59:4f:4b:d7:9a:
ee:e0:01:3d:87:36:16:bf:24:b3:84:fd:62:d1:d6:21:ae:3b:
f7:e1:e5:52:ec:ef:68:f4:73:4f:1b:62:a6:f4:47:0b:6c:1e:
28:23:6b:25:d3:a1:f7:37:f6:55:d6:82:7c:49:a9:1d:71:57:
e6:bc:74:71:94:0d:df:fc:21:63:16:54:c9:0f:51:1c:7a:bf:
5c:ef:7d:28:23:73:64:84:eb:f2:b6:52:89:ca:48:78:31:e8:
dd:b9:91:3f
-----BEGIN CERTIFICATE----MIIFBDCCA+ygAwIBAgIBfzANBgkqhkiG9w0BAQQFADBwMQswCQYDVQQGEwJVSzER
MA8GA1UEChMIZVNjaWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMC
Q0ExLTArBgkqhkiG9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51
azAeFw0wMjEwMzExNTUwNTlaFw0wMzEwMzExNTUwNTlaMFoxCzAJBgNVBAYTAlVL
MREwDwYDVQQKEwhlU2NpZW5jZTETMBEGA1UECxMKTWFuY2hlc3RlcjELMAkGA1UE
BxMCTUMxFjAUBgNVBAMTDW1pY2hhZWwgam9uZXMwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMaW/Xrg+vHmQ53By3I44U5Ehtqniu2K/PNk2J69r858VTnNYXSo
HW1gbmWR3CzCZID2+Ro8/tTSHFL6xkfqpk6Stckdk91IYVRAtReEP1xHSCkrg4LH
1q3TYF1tXfcIJRfSFOKOrzc75Dtj9zEktGZ4jgaTxo22/lB5Okr4WVg9AgMBAAGj
ggJBMIICPTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMC
A+gwLAYJYIZIAYb4QgENBB8WHVVLIGUtU2NpZW5jZSBVc2VyIENlcnRpZmljYXRl
MB0GA1UdDgQWBBS/AAJLOkWmuOtm5PLuymCduNGyDTCBmgYDVR0jBIGSMIGPgBQC
OKsRo5aAiw3TFSsIpY4w2rLaqKF0pHIwcDELMAkGA1UEBhMCVUsxETAPBgNVBAoT
CGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMTAkNBMS0wKwYJ
KoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWuCAQAwKQYD
VR0SBCIwIIEeY2Etb3BlcmF0b3JAZ3JpZC1zdXBwb3J0LmFjLnVrMD0GCWCGSAGG
+EIBBAQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vaW1w
b3J0Q1JMMD0GCWCGSAGG+EIBAwQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFj
X509v3 Issuer Alternative Name:
email:ca-operator@grid-support.ac.uk
Netscape CA Revocation Url:
http://ca.grid-support.ac.uk/cgi-bin/importCRL
Netscape Revocation Url:
http://ca.grid-support.ac.uk/cgi-bin/importCRL
Netscape Renewal Url:
http://ca.grid-support.ac.uk/cgi-bin/renewURL
X509v3 CRL Distribution Points:
URI:http://ca.grid-support.ac.uk/cgi-bin/importCRL
x509 Certificates
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 127 (0x7f)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=UK, O=eScience, OU=Authority, CN=CA/Email=ca-operator@grid-support.ac.uk
Validity
Not Before: Oct 31 15:50:59 2002 GMT
Not After : Oct 31 15:50:59 2003 GMT
Subject: C=UK, O=eScience, OU=Manchester, L=MC, CN=michael jones
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c6:96:fd:7a:e0:fa:f1:e6:43:9d:c1:cb:72:38:
e1:4e:44:86:da:a7:8a:ed:8a:fc:f3:64:d8:9e:bd:
af:ce:7c:55:39:cd:61:74:a8:1d:6d:60:6e:65:91:
dc:2c:c2:64:80:f6:f9:1a:3c:fe:d4:d2:1c:52:fa:
c6:47:ea:a6:4e:92:b5:c9:1d:93:dd:48:61:54:40:
b5:17:84:3f:5c:47:48:29:2b:83:82:c7:d6:ad:d3:
60:5d:6d:5d:f7:08:25:17:d2:14:e2:8e:af:37:3b:
e4:3b:63:f7:31:24:b4:66:78:8e:06:93:c6:8d:b6:
fe:50:79:3a:4a:f8:59:58:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
Netscape Comment:
UK e-Science User Certificate
X509v3 Subject Key Identifier:
BF:00:02:4B:3A:45:A6:B8:EB:66:E4:F2:EE:CA:60:9D:B8:D1:B2:0D
X509v3 Authority Key Identifier:
keyid:02:38:AB:11:A3:96:80:8B:0D:D3:15:2B:08:A5:8E:30:DA:B2:DA:A8
DirName:/C=UK/O=eScience/OU=Authority/CN=CA/Email=ca-operator@grid-support.ac.uk
serial:00
CRL
Proxy Certificate
Issuer (Me! pretending to be a CA)
Short Lived
Contains Unencrypted RSA Key
Features:
Special Subject
GSI modifications
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 127 (0x7f)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=UK, O=eScience, OU=Manchester, L=MC, CN=michael jones
Validity
Not Before: Jan 5 16:43:48 2003 GMT
Not After : Jan 6 04:48:48 2003 GMT
Subject: C=UK, O=eScience, OU=Manchester, L=MC, CN=michael jones, CN=proxy
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:99:16:b5:ff:4b:f4:90:48:7b:8e:95:8c:e0:8a:
b8:ad:51:c3:74:9f:e2:e7:ba:61:ee:1c:d8:f7:bc:
96:66:57:3a:01:36:1a:e1:e1:55:7e:f8:64:2e:c7:
f5:d4:23:b1:42:3e:0b:61:1c:fb:fd:5f:06:f6:2f:
57:b7:81:1c:ff
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
a9:9a:e0:33:70:29:0a:9c:57:02:1a:80:c1:f1:c2:6e:6c:34:
3d:f3:3e:32:49:83:c8:b1:c6:21:d9:3c:84:d3:5d:17:ca:d6:
fa:96:b0:37:e2:4d:95:08:b7:3e:1f:6c:4a:79:7d:83:5e:21:
43:5d:42:60:2f:2c:5d:61:f9:e8:82:97:82:9b:89:cb:a4:ae:
97:0c:26:df:39:76:15:a6:38:53:8f:7a:f5:6f:ed:d6:76:ae:
a9:28:db:52:69:1c:e8:25:cf:7b:31:10:a1:49:2d:bb:91:eb:
af:d3:e7:d0:6d:28:21:3c:d8:16:3b:7c:4e:c9:94:d2:ff:23:
4e:2a
-----BEGIN CERTIFICATE----MIIB9DCCAV2gAwIBAgIBfzANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVSzER
MA8GA1UEChMIZVNjaWVuY2UxEzARBgNVBAsTCk1hbmNoZXN0ZXIxCzAJBgNVBAcT
Ak1DMRYwFAYDVQQDEw1taWNoYWVsIGpvbmVzMB4XDTAzMDEwNTE2NDM0OFoXDTAz
MDEwNjA0NDg0OFowajELMAkGA1UEBhMCVUsxETAPBgNVBAoTCGVTY2llbmNlMRMw
EQYDVQQLEwpNYW5jaGVzdGVyMQswCQYDVQQHEwJNQzEWMBQGA1UEAxMNbWljaGFl
bCBqb25lczEOMAwGA1UEAxMFcHJveHkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
mRa1/0v0kEh7jpWM4Iq4rVHDdJ/i57ph7hzY97yWZlc6ATYa4eFVfvhkLsf11COx
Qj4LYRz7/V8G9i9Xt4Ec/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAKma4DNwKQqc
VwIagMHxwm5sND3zPjJJg8ixxiHZPITTXRfK1vqWsDfiTZUItz4fbEp5fYNeIUNd
QmAvLF1h+eiCl4KbicukrpcMJt85dhWmOFOPevVv7dZ2rqko21JpHOglz3sxEKFJ
LbuR66/T59BtKCE82BY7fE7JlNL/I04q
-----END CERTIFICATE---------BEGIN RSA PRIVATE KEY----MIIBOQIBAAJBAJkWtf9L9JBIe46VjOCKuK1Rw3Sf4ue6Ye4c2Pe8lmZXOgE2GuHh
VX74ZC7H9dQjsUI+C2Ec+/1fBvYvV7eBHP8CAwEAAQJALQNWhDiLMpl9axFiGOvx
HVU7SWFx0H0nKmJlEYLsHi73PAypPdQ1pdzHUC84YK2kMl2yZqkAnFig+FaZQcuC
gQIhAMhBtmaTIjlZ2HkG7IQqogU2PzpprUjVrVc3uFI0agQfAiEAw7PPPLXfBvfK
eya1JkImVwzLO+6LGlxdk1rH4PkuyyECICE6FgOrAhC2AZ8DMRc047EtsQwGIMRm
/93q1uB85eJNAiBnXv3zKnnw20gXvr1mxQAtcPOU546QUQOYhxYXDmgaIQIgPmKJ
5LH+a0culVI0PnUvlEWawENIXZzHMuInQ0K0mMc=
-----END RSA PRIVATE KEY---------BEGIN CERTIFICATE----MIIFBDCCA+ygAwIBAgIBfzANBgkqhkiG9w0BAQQFADBwMQswCQYDVQQGEwJVSzER
MA8GA1UEChMIZVNjaWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMC
Q0ExLTArBgkqhkiG9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51
azAeFw0wMjEwMzExNTUwNTlaFw0wMzEwMzExNTUwNTlaMFoxCzAJBgNVBAYTAlVL
MREwDwYDVQQKEwhlU2NpZW5jZTETMBEGA1UECxMKTWFuY2hlc3RlcjELMAkGA1UE
BxMCTUMxFjAUBgNVBAMTDW1pY2hhZWwgam9uZXMwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMaW/Xrg+vHmQ53By3I44U5Ehtqniu2K/PNk2J69r858VTnNYXSo
HW1gbmWR3CzCZID2+Ro8/tTSHFL6xkfqpk6Stckdk91IYVRAtReEP1xHSCkrg4LH
1q3TYF1tXfcIJRfSFOKOrzc75Dtj9zEktGZ4jgaTxo22/lB5Okr4WVg9AgMBAAGj
ggJBMIICPTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMC
A+gwLAYJYIZIAYb4QgENBB8WHVVLIGUtU2NpZW5jZSBVc2VyIENlcnRpZmljYXRl
MB0GA1UdDgQWBBS/AAJLOkWmuOtm5PLuymCduNGyDTCBmgYDVR0jBIGSMIGPgBQC
OksRo5aAiw3TFSsIpY4w2rLaqKF0pHIwcDELMAkGA1UEBhMCVUsxETAPBgNVBAoT
CGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMTAkNBMS0wKwYJ
KoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWuCAQAwKQYD
VR0SBCIwIIEeY2Etb3BlcmF0b3JAZ3JpZC1zdXBwb3J0LmFjLnVrMD0GCWCGSAGG
+EIBBAQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vaW1w
b3J0Q1JMMD0GCWCGSAGG+EIBAwQwFi5odHRwOi8vY2EuZ3JpZC1zdXBwb3J0LmFj
LnVrL2NnaS1iaW4vaW1wb3J0Q1JMMDwGCWCGSAGG+EIBBwQvFi1odHRwOi8vY2Eu
Z3JpZC1zdXBwb3J0LmFjLnVrL2NnaS1iaW4vcmVuZXdVUkwwPwYDVR0fBDgwNjA0
oDKgMIYuaHR0cDovL2NhLmdyaWQtc3VwcG9ydC5hYy51ay9jZ2ktYmluL2ltcG9y
dENSTDANBgkqhkiG9w0BAQQFAAOCAQEAOh+BqBqD/ywPe7YeKocxE9nKnsGe5EK1
IlZ7AZgREymj2NI3gFisf0T3HroA9IvINAD/RCfCKlSLlemgAPg9YJLEmSty1Lfd
eL3JSgHXFB082W9geyOQjtY6LUU5Xrz9bXd7Hs9DjOQFTBuR5bvaPc2dBWu+IbDo
Q7JLTsRPa04jngPSA4YbRGhgQV1kri1S4n2bmWBxf0oAHl2dFFlPS9ea7uABPYc2
Fr8ks4T9YtHWIa479+HlUuzvaPRzTxtipvRHC2weKCNrJdOh9zf2VdaCfEmpHXFX
5rx0cZQN3/whYxZUyQ9RHHq/XO99KCNzZITr8rZSicpIeDHo3bmRPw==
-----END CERTIFICATE-----
Includes my certificate (the Issuer)
Breaks x509 Standard
Requires Subject-Issuer
constraint
grid-proxy-init [-cert cert.pem -key key.pem]
Contains certificate chain from but excluding CA
Contains unencrypted key
$X509_USER_PROXY = /tmp/x509up_u`id -u`
Has a short lifetime
Proxy Certificates
is read only to owner
Limited Proxies on remote resources ~/.globus/.gass_cache
grid-proxy-destroy
Third Party data transfer
Single Sign-on
Authentication using GSI extension to GSS
Delegation
Authorisation using grid-mapfile
Access to user level unix on remote machines
you get: terminal, a home directory, a group, a quota, access to basic IP (firewall allowing),
access to queues (depending on jobmanager and advertising), access to CPU-sets, etc.
systems are notoriously heterogeneous (outside HEP they are very hetrogeneous)
For stability could use Distributed Computing tools already available: http(s), afs?
Acounting still at Research Group Level
Currently records: Who, When and Which Job-manager
Globus Security
Need much more: for Cost and Legal (80-90% mallaous attacks come from within!)
AA steps on a grid
Host must identify itself to the grid (client or service)
Users must recognise the host
Users must identify themselves to the host
The host must recognise the user's identity
The host must allow the grid-user to become a local
user
/etc/grid-security/hostcert.pem
To Identify the host
openssl pkcs12 -in hostcert.p12 -nokey -clcerts -out hostcert.pem
/etc/grid-security/hostkey.pem
openssl pkcs12 -in hostcert.p12 -nodes -nocerts -out hostkey.pem
Host Security Setup
hostkey.pem must be readable to root only
To identify the incoming grid-user
/etc/grid-security/certificates/<hash>.0
/etc/grid-security/certificates/<hash>.r0
NB – We're actually not identifying the grid user. We're identifying that the
incoming request has access to the grid-user's private-key/proxy-private-key
/etc/grid-security/certificates/<hash>.signing_policy
Host Setup Cont.
/etc/grid-security/certificates/<hash>.crl_url (borrowed from EDG)
Example of how to manage CRLS
Download http://www.man.ac.uk/~zzcgumj/crls/crls.tgz
Unpack in /etc/grid-security/certificates
read *.crl_url
Download CRLs
crl.sh does this:
Check type (convert to pem) and Verify CRL
Makefile_crl does this:
CRL Practical
create symbolic link to <hash>.r0
Authorisation
Globus uses grid-mapfile
Akenti engine - Attribute certificate (+ ...) -> Capability Certificate
CAS – Assersion in proxy from CAS Server + Community Authz
VOM – Web portal for management + .....
VOMS – cf CAS, signed VOMS assersions added to proxy by client
PERMIS – Role Based Access Control via X509 Attribute certificates
Firewalls prevent attacks by blocking access:
on specified ports/port-ranges
Firewalls
from/to certain servers
$GLOBUS_TCP_PORT_RANGE
On port 2222 or 22
GSIssh Security
Can be configured with/without password authz on any port
Host certificate (uses /etc/host[cert|key].pem)
Server authenticates itself to client
Client can (must in L2G) authenticate itself with a Grid
certificate
Same configuration files as openssh except GSS is
Globus not Kerberos
Safer that ssh in that there is trust – proxy trade-off
(x)inetd listens port 2811
Data transfered not encrypted
Accepts Limited proxies
Based on wuftpd
GSI authentication to both servers
Notes on Third Party Transfer
One server told to listen on certain port for connection from other
GridFTP Security
Other server told to connect on that port
Can be setup with chroot
Globus Gatekeeper Security
(x)inetd listens on port 2119
GSI authentication
grid-map authorisation
Allows access to command shell
GASS
GASS server via gatekeeper
GSI Authentication using limited proxies
uses https for authentication and encryption however,
is not compatible with normal https clients.
Is run on demand under non-privileged account on
random port.
MyProxy
port 7512
Allows full proxies to be created on a trusted server
Proxies can be created by authentication with limited
proxies to MyProxy server.
Security of other services
GSIklog/GSSklog client and daemon
GSI to AFS server; AFS grid-mapfile; token via SSL; Accepts Limited Proxies
!
Kx509
Kerberos Security wrapper to CA service
!
GridCVS
Globus GSS gserver
!
Gridsite
x509 certificates in web browsers with GACL
!
Slashgrid (/grid)
DN based file system using coda
Best Practices
Use firewall but allow ports for traffic
"
Do not store them on network file systems (ACLs are often forgotten)
"
Do not send them over the net (sniffed traffic can be cracked)
"
Keep private keys private
Do not leave user certs in No DES format (buys time if private key is
stolen)
Always keep on top of advisories
Keep map-files, CRLS and accounts up-to-date
Useful GSI and Openssl Commands
grid-cert-info -file cert.pem
grid-proxy-info
!
openssl x509 -in cert.pem -noout XXXX
where XXXX = -text | -subject | -hash | -modulus | ...
!
openssl pkcs12 -in certkey.p12
P12 contains cert key and chain to CA
openssl crl -CApath /etc/grid-security/certificates
-inform PEM -verify -in crl.pem
openssl rsa -in key.pem -modulus
#
*%
$%
()& '
+
~oO FIN Oo~
Ž
„‰
†„
‚
‘
‰‚ ƒ
Š
‚
ƒ
†
3„ Š
Ž
‰
†‚
<‹Š
Œ ‚ Š
†„‰
ˆ
‡…†
<€
‚
P„ƒ
ª
š–¨
–
š›
™˜
<–—•
“ «
¬
»
´¼
³µ
º
¹º
±
¯´
°
Ä
À
¹Ã
¼
´¼
»
®
³µ
°
º
³
¹´µ
¶
µ
³¹ Ã
²
»´
¹À
Â3°¯ µ
¶
µ »¯ ¾ ½
¹´µ ±
³® ´
³¶º
¯
±° ´
®
°
¯
± µ·
¹Ç
º
3¹º¸
»
®
Á¯
°
¯
¼
¶
± µ·
¹
PÆ·
¹± Å
´
® µÀ
®¿
´
©ª˜
š
¦
3¨§
¤8£
¢
¥ Ÿ –
–—
ž 
o
™
š–œ
–
š›
™Ÿ “”’

–¡ <–—•
›  ¢ ™˜
|
x
|
x~
x
|}
{z
xy w
b
`a _
¼
³®
°± ´ µ
¹´µ
®
°
¯
± µ·
¹Ç
´¼
®
¯
³¶º
±
´
¾½
³µ
»¯
»
º
3¹º¸
?
.-,
3241
0/
QW
R
[UX
^
U SN
Q
\Q
O
TR
[
Q]
\S
Z
YWZ
XQ
;@ : ?
D7= 9)875 6
24
<;=:
E8? 8>6
2C5
4:
B
2A= B
24
N
QR
U
PWXV
QU N
<TS
M
OPN
³´
<¶µ
¯
°
¯
°±
<®¯­
·
²
q
kij
LIK
H
JIKH
GF
fe
3hig
m
l
8vu nom
ms
q
ip
rm
<ts
im
kp
.dc
CAS
CAS-maintained
community policy
database
Slide From globus
Ticket Granting Ticket
Ê
É
È
Kerberos (1)
[Session key, Time Stamp,
Lifetime & ID] encrypted
with password
Work Station
TGT
Session key for comms.
kinit
I am m
ike
Key Cache
TGT
Session Key
TGT
Kerberos Server
Password
S
AS essio
n k Database
ey
Key Cache
TGS
Service
Data
Service
Ticket Granting Ticket
Work Station
TGT
Î
Authenticator: encrypted
[ID, IP, Time Stamp and
(short) Time to Live]
Service Ticket: [Service
Key, ID, IP, Time Stamp
& Lifetime] encrypted with
service password
kinit
I am m
ike
Key Cache
TGT
Session Key
Service Ticket + Service Key
Service Request
Authenticator
TGT
ID, IP & Service
Au
the Re
nti que
ca st
tor
[Session key, Time
Stamp, Lifetime & ID]
encrypted with password
Service Request
Ï
Í
Ì
Ë
Kerberos (2)
Kerberos Server
Password
S
AS essio
n k Database
ey
Key Cache
TGS
ID, IP & Time
Service
Service Ticket
Service Key
Authenticator
ID, IP & Time
Service Ticket
Data
Service Ticket
Authenticator
Service
Key Cache
Kerberos steps 1 & 2 (AFS server is Kerberos Server)
Directory Structures everything in /afs/realm/...
Ó
Based on AFS ACL
Ô
Groups or users can be given rlidwka
Õ
These apply to DIRECTORIES
Ö
New directories inherit parent directories' ACLs
×
Access Control
File rights take unix owner's rights ie -rwxr-xr-x
Ø
Ò
Ñ
Ð
AFS
Watch out: $HOME/mail, $HOME/.globus, etc.
PKI and Kerberos
Ù
Ú
needs GSI Proxy certificate
except no password is required
lifetime dictated by minimum of proxy
lifetime, server default and client request
Ý
(client may have to supply)
User gets afs ticket
æ
å
ä
ã
â
Ü
á
gsiklog executable
used in same way as klog
dæmon on AFS server
as afs system:administrator
Server listens port 750
SSL connection using GSI
afsgrid-mapfile
Þ
needs AFS client software
Û
à
ß
gsiklog and/or gssklog
Client (user or user's grid job)
Server (AFS eg afs1.hep.man.ac.uk)
If sucess service key and
service ticket are sent through
socket
Reverse the process?
kx509
Need kerberos TGT
Work Station
TGT
Follow kinit route.
Remember this?
Service -> KCA
kinit
I am m
ike
Key Cache
TGT
Session Key
Service Ticket + Service Key
Service Request
Authenticator
TGT
ID, IP & Service
Au
the Re
nti que
ca st
tor
ì
ë
ê
é
è
ç
Kerberos and PKI
Kerberos Server
Password
S
AS essio
n k Database
ey
Key Cache
TGS
ID, IP & Time
Service
Service Ticket
Service Key
Authenticator
ID, IP & Time
Service Ticket
Data
Service Ticket
Authenticator
Service
Key Cache
Kerberos Server absorbes another service: KCA
Client uses TGT
Work Station
gets server Ticket
kinit
get it signed
like Proxy but not GSI
I am m
ike
TGT
Key Cache
TGT
Session Key
Service Ticket + Service Key
Cert Request
Authenticator
ID, IP & Service
Au
the Re
nti que
ca st
tor
ò
send public key
Recieve x509 Cert.
ô
ó
TGT
Use Server Ticket
ñ
ð
ï
î
í
Kerberos and PKI
Kerberos Server
Password
S
AS essio
n k Database
ey
Key Cache
TGS
ID, IP & Time
KCA
Service Ticket
Service Key
Authenticator
ID, IP & Time
Service Ticket
Service Ticket
Authenticator
x509 request
x509 key
Cert Store
t
r
e
c
9
0
5
x
CA
Key Cache