An Authorization System for Grid Applications

Thesis Presentation, 5th Dec 2006

Author: Wang Xiao
Supervisor: Professor Heikki Hämmäinen
Instructor: MSc. Mikko Pitkänen
Place: 3 months at CERN, Geneva; the remaining time at HIP, Espoo
Agenda

- Background
- Objectives and Methodology
- Grid Introduction
- Grid Security
- VOMS
- Conclusion
- Future Study
Background

CERN - European Laboratory for Particle Physics

- Founded in 1954; its research covers a wide range of areas.
- The World Wide Web was developed at CERN.
- Large Hadron Collider (LHC) Project: a powerful particle accelerator that brings protons and ions into head-on collisions. The LHC will need a lot of computing power, as it can produce 40 million collisions per second, amounting to 10 petabytes of data per year.
- Requirement for computing power equivalent to 100,000 of today's fastest PC processors.
- LHC Computing Grid Project at CERN (LCG)
- HIP - Helsinki Institute of Physics
- EGEE project: the largest European Grid project, coordinated at CERN.
Objective and Methodology

Objective

- To study Grid security systems, focusing especially on the Grid authorization system VOMS (Virtual Organization Membership Service).

Methodology

- Literature survey of alternative solutions and architectures
- Study of the current design architecture
- Study of the current implementation by looking into the source code repositories
Grid Introduction

- Grid has emerged as a new field of distributed computing, which focuses on secure resource sharing among a dynamic number of people and organizations.
- A Grid can be a resource-sharing infrastructure, a computing infrastructure, or the next-generation Internet.
Grid Security

Grid security is a critical aspect of Grid services.

Security: Authentication and Authorization
- Authentication: the identity of the person
- Authorization: the user's ability to perform operations

Grid Security Techniques
- Grid Security Infrastructure (GSI)
- EDG Java Security
Security Basics (1)

Cryptography and Public Key Infrastructure (PKI)

- Symmetric-key encryption
- Asymmetric-key encryption
Security Basics (2) - Certificates

X.509v3 Certificate - the "driving license" of the Grid

- Most commonly used PKI standard.
- Certificate Authority (CA)
- A certificate contains the public key information, signed by the CA.
- An Attribute Certificate, like a visa, binds a set of attributes of the user, or other authorization information, to the user.
Grid Security Infrastructure (GSI)

Provides the fundamental services for Grid security.

Authentication: makes use of certificates
- User Certificate
- Server Certificate
- In mutual authentication, the client and the server exchange their certificates to authenticate each other.
An Example of User Certificate

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 150 (0x96)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
        Validity
            Not Before: Jul 16 08:51:21 2004 GMT
            Not After: Jul 23 08:51:21 2004 GMT
        Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c1:da:2e:5c:01:00:67:86:7c:b6:d0:69:43:f9:
                    0c:06:7b:83:85:35:19:6c:ea:ad:0c:ff:c5:4e:f3:
                    09:83:e4:39:08:63:df:4c:ab:43:4b:50:35:26:a4:
                    1b:42:f8:db:97:0c:4e:f1:55:93:10:d4:28:d7:eb:
                    86:58:3f:7c:6b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:1c:fc:ab:38:3c:bb:6c:06:02:e9:50:7a:00:35:c7:0f:
        25:3b:f8:b1:f9:fa:5b:4a:95:99:03:a5:56:19:c0:5e:b7:a0:
        fb:5f:df:e7:26:50:d2:b1:b1:c5:1a:c4:d9:be:05:68:71:24:
        0e:42:12:59:b6:c4:90:a0:ef:8d:8e:bc:46:31:8c:c1:f7:65:
        1b:d7:dc:cb:51:07:3d:bb:a2:39:5b:5f:82:7c:06:64:82:e1:
        14:2d:d9:75:bd:bf:ee:2d:38:3a:ac:11:fb:91:12:79:f5:d4:
        a8:dd:0a:15:7f:e2:04:45:9b:5f:c4:dc:dd:ef:2c:a9:ae:6b:
        23:8c
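The certificate above is a one-week test certificate from a test CA, and it shows several properties a practitioner would flag on a production Grid certificate: an MD5-based signature, a 512-bit RSA key, and X.509 version 1, which cannot carry extensions. The following is an added example (not part of the slides, and not code from GSI or VOMS) that parses the textual dump as printed by `openssl x509 -text` and runs those hygiene checks over it. The dump is copied from the slide with the key and signature bytes omitted; the thresholds (2048-bit minimum, MD2/MD5/SHA-1 treated as weak) are my own choices.

```python
import re
from datetime import datetime

# Text dump copied from the slide (openssl x509 -text output of a one-week
# test certificate issued by a test CA in 2004); key and signature bytes omitted.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 150 (0x96)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA
        Validity
            Not Before: Jul 16 08:51:21 2004 GMT
            Not After: Jul 23 08:51:21 2004 GMT
        Subject: C=CH, O=HIP, OU=TECH, CN=Xiao
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
    Signature Algorithm: md5WithRSAEncryption
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _grab(pattern, text):
    """Return the first capture group of `pattern` in `text`, or fail loudly."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1).strip()


def parse_cert_text(text):
    """Pull the fields a hygiene check needs out of the textual dump."""
    return {
        "version": int(_grab(r"Version:\s*(\d+)", text)),
        "sig_alg": _grab(r"Signature Algorithm:\s*(\S+)", text),
        "issuer": _grab(r"Issuer:\s*(.+)", text),
        "subject": _grab(r"Subject:\s*(.+)", text),
        "key_bits": int(_grab(r"Public Key:\s*\((\d+) bit\)", text)),
        "not_before": datetime.strptime(_grab(r"Not Before\s*:\s*(.+)", text), DATE_FMT),
        "not_after": datetime.strptime(_grab(r"Not After\s*:\s*(.+)", text), DATE_FMT),
    }


# Digests that are collision-prone and unacceptable for CA signatures (my threshold).
WEAK_DIGESTS = ("md2", "md5", "sha1")
MIN_RSA_BITS = 2048  # my threshold


def check_cert(fields, now=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if fields["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append(f"weak signature algorithm {fields['sig_alg']}")
    if fields["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key of only {fields['key_bits']} bits")
    if fields["version"] < 3:
        findings.append(f"X.509 v{fields['version']}: no extensions, so it cannot carry "
                        "key usage or basic constraints")
    if now is not None and not fields["not_before"] <= now <= fields["not_after"]:
        findings.append("certificate not valid at the reference time")
    return findings


def audit_slide_certificate():
    """Run the checks on the slide's certificate, as of the presentation date."""
    return check_cert(parse_cert_text(CERT_TEXT), now=datetime(2006, 12, 5))


if __name__ == "__main__":
    for finding in audit_slide_certificate():
        print("-", finding)
```

Run against the slide's certificate this reports four findings: the MD5 signature, the 512-bit key, the v1 format, and the fact that the certificate had expired long before the presentation date. The same `check_cert` returns an empty list for a v3 certificate with a SHA-256 signature and a 2048-bit key.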
Authorization in GSI

Makes use of the grid-mapfile, which maps the user to a local Unix account.
VOMS

- Short for Virtual Organization Membership Service
- A centralized service used to manage authorization within the scope of a Virtual Organization (VO).
- Developed by EGEE
- Problem with the current grid-mapfile: it does not scale as the number of users increases. Hence the strong requirement for VOMS.
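The scaling problem with the grid-mapfile is that every site must keep one line per user DN, so the file (and the work of keeping it current) grows with the VO. The following added example (my own code, not GSI's or VOMS's) contrasts the two ways a resource can map a Grid user to a local account: parsing a grid-mapfile keyed on the certificate DN, versus a map keyed on the VOMS attributes (FQANs of the form `/vo/group/Role=role`) that a VOMS proxy carries, which needs one line per group or role regardless of membership size. The file contents are constructed; the handling of `Role=NULL` / `Capability=NULL` follows how VOMS prints unset role and capability.

```python
import re

# Constructed grid-mapfile (GSI format: quoted DN, then one or more local
# accounts separated by commas). One line per user: it grows with the VO.
GRID_MAPFILE = """\
# constructed sample
"/C=CH/O=HIP/OU=TECH/CN=Xiao" xiao
"/C=CH/O=HIP/OU=TECH/CN=Alice Tester" hip001,hip002
"""

# Constructed VO-group map keyed on VOMS FQANs ('/vo/group/Role=role'): one
# line per group or role, independent of how many members the VO has.
GROUP_MAPFILE = """\
"/hip/Role=admin" hipadmin
"/hip" hipuser
"""

LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_mapfile(text):
    """Parse either file into {key: [accounts...]}; rejects malformed lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def normalize_fqan(fqan):
    """VOMS prints an unset role/capability as 'Role=NULL' / 'Capability=NULL';
    strip them so '/hip/Role=NULL/Capability=NULL' matches the '/hip' entry."""
    return re.sub(r"/(Role|Capability)=NULL", "", fqan)


def map_by_dn(gridmap, dn):
    """GSI authorization: the DN must be listed, otherwise the user is rejected."""
    accounts = gridmap.get(dn)
    return accounts[0] if accounts else None


def map_by_fqan(groupmap, fqans):
    """VOMS-style authorization: the first FQAN in the proxy (the primary one)
    that has a mapping wins, so a user presenting an admin role lands in the
    admin account and any other member of /hip lands in the shared account."""
    for fqan in fqans:
        key = normalize_fqan(fqan)
        if key in groupmap:
            return groupmap[key][0]
    return None


if __name__ == "__main__":
    gridmap = parse_mapfile(GRID_MAPFILE)
    groupmap = parse_mapfile(GROUP_MAPFILE)
    print(map_by_dn(gridmap, "/C=CH/O=HIP/OU=TECH/CN=Xiao"))
    print(map_by_fqan(groupmap, ["/hip/Role=admin/Capability=NULL"]))
```

Adding a thousandth member to the VO means a thousandth line in every site's grid-mapfile, but no change at all to the group map: the new member is authorized by the FQANs the VOMS server signs into their proxy.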
Overview of the gLite VOMS Environment

VOMS architecture
- User Server
- User Client
- Administration Client
- Administration Server
Use Case

1. The client (user) and the VOMS server authenticate each other using the normal Grid certificates.
2. The client sends the request to the VOMS server.
3. The server checks the user certificate and the request.
4. The server signs the information retrieved from the VOMS database based on the user request and sends the signed information back to the client. Here the VOMS server signature is used to verify that a trusted VOMS service has provided the authorization information that will be attached to the user's proxy.
5. The client then checks the information received from the server.
6. The client application creates a proxy certificate on behalf of the user, containing the information received from the VOMS server, added as an extension to the user's X.509 certificate.
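The six steps above, simulated end to end with both sides' messages, as an added example (my own code, not VOMS's implementation). Step 1, the mutual TLS authentication with Grid certificates, is assumed to have happened already and to yield the peer's DN; the server's signing key is a constructed toy (textbook RSA over a SHA-256 digest with two small fixed primes) standing in for the real host key; the VO database is an in-memory dict; and the "proxy certificate" is a dict with a `voms` extension rather than a real X.509 proxy with an attribute-certificate extension. What it shows is the security property of step 4 and 5: the client accepts attributes only if they verify under the trusted server's public key, were issued for its own DN and VO, and are within their validity window, so a tampered attribute set is rejected.

```python
import hashlib
import json
import time

# Toy RSA key for the VOMS server (constructed; a real server signs with the key
# of its host certificate). Textbook RSA over a SHA-256 digest: sig = h^d mod n.
P, Q, E = 1_000_000_007, 998_244_353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUBLIC_KEY = (E, N)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    return pow(_digest(data), d, N)


def verify(data: bytes, sig: int, pub=SERVER_PUBLIC_KEY) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data)


# Constructed VO membership database: DN -> FQANs the member holds.
VO_NAME = "hip"
VO_DB = {"/C=CH/O=HIP/OU=TECH/CN=Xiao": ["/hip/Role=admin", "/hip"]}


class VomsServer:
    def __init__(self, db, vo):
        self.db, self.vo = db, vo

    def handle(self, authenticated_dn, request, now=None, lifetime=12 * 3600):
        """Steps 3 and 4: check the request against the authenticated identity
        and the VO database, then return the signed attribute set."""
        if request["vo"] != self.vo:
            raise PermissionError("request is for a different VO")
        if request["dn"] != authenticated_dn:
            raise PermissionError("request DN does not match the authenticated certificate")
        fqans = self.db.get(authenticated_dn)
        if not fqans:
            raise PermissionError("not a member of this VO")
        now = int(time.time()) if now is None else now
        payload = {"holder": authenticated_dn, "vo": self.vo, "fqans": fqans,
                   "not_before": now, "not_after": now + lifetime}
        encoded = json.dumps(payload, sort_keys=True).encode()
        return {"payload": encoded, "signature": sign(encoded)}


def client_check(response, own_dn, vo, server_pub, now):
    """Step 5: accept the attributes only if a trusted VOMS server signed them,
    they were issued for this user and VO, and they are valid now."""
    if not verify(response["payload"], response["signature"], server_pub):
        raise ValueError("bad VOMS signature")
    payload = json.loads(response["payload"])
    if payload["holder"] != own_dn or payload["vo"] != vo:
        raise ValueError("attributes were issued for someone else")
    if not payload["not_before"] <= now <= payload["not_after"]:
        raise ValueError("attributes are not valid at this time")
    return payload


def make_proxy(user_dn, response):
    """Step 6: a proxy 'certificate' carrying the signed VOMS data as an
    extension (a dict here; the real thing is an X.509 proxy certificate)."""
    return {"subject": user_dn + "/CN=proxy", "issuer": user_dn,
            "extensions": {"voms": response}}


def run_exchange(user_dn, server, now=1_165_000_000):
    # Step 1 (mutual authentication over TLS with Grid certificates) is assumed;
    # the server sees `user_dn` as the authenticated peer identity.
    request = {"dn": user_dn, "vo": VO_NAME}                        # step 2
    response = server.handle(user_dn, request, now=now)             # steps 3-4
    attrs = client_check(response, user_dn, VO_NAME, SERVER_PUBLIC_KEY, now)  # step 5
    return make_proxy(user_dn, response), attrs                      # step 6


if __name__ == "__main__":
    proxy, attrs = run_exchange("/C=CH/O=HIP/OU=TECH/CN=Xiao", VomsServer(VO_DB, VO_NAME))
    print(proxy["subject"], attrs["fqans"])
```

The resource that later receives the proxy repeats the step-5 verification itself with the VOMS server's public key, which is why the signature, and not the client's word, is what makes the FQANs trustworthy.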
Conclusions

1. Java solution for VOMS
2. Shibboleth-based AAI combined with VOMS and Grid

Future Studies

1. Secure resource sharing techniques, scalability and reliability for the system
2. Usability of Grid

Thank You!