Upload
brie
View
63
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Grid Security: PKI Based Authentication Infrastructure. Source: The Globus Project Argonne National Laboratory USC Information Sciences Institute http://www.globus.org/ Updated/Localised: Rajkumar Buyya. Security. - PowerPoint PPT Presentation
Citation preview
Source: The Globus ProjectArgonne National Laboratory
USC Information Sciences Institutehttp://www.globus.org/
Updated/Localised: Rajkumar Buyya
Grid Security: PKI Based Authentication Infrastructure
2
Security
As Grid Resources and Users are Distributed and Owned by different organizations, only authorized users should be allowed to access them.
A simple authentication infrastructure is needed. Also, both users and owners should be protected
from each other. The Users need be assured about security of their:
Data Code Message
3
ExampleSecure Remote Startup
key
cert
gatekeeperclient
1. Exchange certificates, authenticate, delegate
2. Check gridmap file3. Lookup service4. Run service program
(e.g. jobmanager)
jobmanager
key
cert
1.
2.
map
4.
services3.
GSPGSC
4
Grid Security Infrastructure (GSI) based on PKI – as realized in Globus
GSI is:
PKI(CAs and
Certificates)
SSL/TLS
Proxies and Delegation
PKI forcredentials
SSL forAuthenticationAnd message protection
Proxies and delegation (GSIExtensions) for secure singleSign-on
PKI: Public Key Infrastructure, SSL: Secure Socket LayerTLS: Transport Level Security
5
Public Key Infrastructure (PKI) PKI allows you to know that
a given public key belongs to a given user
PKI builds on asymmetric encryption:
Each entity has two keys: public and private
Data encrypted with one key can only be decrypted with other.
The private key is known only to the entity
The public key is given to the world encapsulated in a X.509 certificate
Owner
6
Public Key Infrastructure (PKI) Overview
X.509 Certificates Certificate Authorities (CAs) Certificate Policies
Namespaces Requesting a certificate
Certificate Request Registration Authority
Owner
7
X.509
A widely used standard for defining digital certificates. X.509 is actually an ITU (International Telecommunication Union) Recommendation, which means that it has not yet been officially defined or approved for standardized usage. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.
8
Certificates
A X.509 certificate binds a public key to a name
It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)
NameIssuerPublic KeySignature
9
Rajkumar Buyya111, Barry St.Carlton, 3053
BD 01-06-1970Male 165cms, 65KgB&W Eyes
State ofVictoria
Seal
Certificates
Similar to passport or driver’s license
NameIssuerPublic KeySignature
10
Certificates
By checking the signature, one can determine that a public key belongs to a given user.
NameIssuerPublic KeySignature
Hash
=?Decrypt
Public Key fromIssuerIss
uer
11
Certificate Authorities (CAs)
A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs it’s own certificate which is distributed in a trusted manner
Name: CAIssuer: CACA’s Public KeyCA’s Signature
12
Certificate Authorities (CAs)
The public key from the CA certificate can then be used to verify other certificates
NameIssuerPublic KeySignature
Hash
=?Decrypt
Name: CAIssuer: CACA’s Public KeyCA’s Signature
13
Requesting a Certificate
To request a certificate a user starts by generating a key pair
The private key is stored encrypted with a pass phrase the user gives
The public key is put into a certificate request
CertificateRequest
Public Key
EncryptedOn local
disk
14
Certificate Issuance
The user then takes the certificate to the CA
The CA usually includes a Registration Authority (RA) which verifies the request:
The name is unique with respect to the CA
It is the real name of the user
Etc.
CertificateRequest
Public KeyID
15
Certificate Issuance
The CA then signs the certificate request and issues a certificate for the user
CertificateRequest
Public Key
NameIssuerPublic KeySignature
Sign
16
Secure Socket Layer (SSL)
Also known as TLS (Transport Layer Security) Uses certificates and TCP sockets to provide
a secured connection Authentication of one or both parties using the
certificates Message protection
Confidentiality (encryption) Integrity
Certificates TCP Sockets
SSL/TLS
17
Mutual Authentication
A and B are two parties: Both need to trust each others’ CA.
A B (A establishes connection to B and gives his certificate (name,pub. Key) to B).
B makes sure that it can trust CA of A. B generates random message A and asks it
encrypt it. A encrypts it and send to B B decrypts using A’s public key. If the msg. is
same as what B has sent, then A is who it is claiming to be.
18
Globus Security: Review
GSI extends existing standard protocols & APIs
Based on standards: SSL/TLS, X.509, GSS-API Extensions for single sign-on and delegation
The Globus Toolkit provides: Generic Security Services API (GSS-API) on GSI
protocols The GSS-API is the IETF standard for adding
authentication, delegation, message integrity, and message confidentiality to applications.
Various tools for credential management, login/logout, etc.
19
Obtaining a Certificate
The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/:
usercert_request.pem: Unsigned certificate file userkey.pem: Encrypted private key file
Must be readable only by the owner
Mail usercert_request.pem to [email protected] Receive a Globus-signed certificate
Place in ~/.globus/usercert.pem Other organizations use different approaches
NCSA, NPACI, NASA, etc. have their own CA
20
My Certificate (certified by CA)
Certificate: Data: Version: 3 (0x2) Serial Number: 26 (0x1a) Signature Algorithm: md5WithRSAEncryption Issuer: O=Australian Grid Forum, OU=AusGrid Testbed, CN=ausgrid.org Validity Not Before: Feb 8 03:40:20 2004 GMT Not After : Feb 7 03:40:20 2005 GMT Subject: O=Australian Grid Forum, OU=AusGrid Testbed, OU=cs.mu.oz.au, CN=RajkumarBuyya Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bb:c7:92:a8:14:75:81:2c:38:b6:45:e9:db:12: a3:6b:e2:66:41:62:44:ef:1a:56:5c:42:71:ec:8b: 04:1e:01:53:43:84:1a:cb:8e:a9:d1:99:67:1f:ef:.. 07:5f:92:04:6e:ca:29:77:ec:9d:f3:36:c2:49:40: 8f:51:8e:63:4e:82:2b:c7:c9:0c:bc:55:ce:01:d1: 8a:f4:dc:19:c4:01:37:f9:9f Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, SSL Server, S/MIME, Object Signing Signature Algorithm: md5WithRSAEncryption b2:f0:a2:79:bc:2d:0f:02:15:f2:4d:8a:e8:5f:7c:79:1e:43: 09:d9:6e:59:7b:7c:71:87:8c:4a:10:9c:0e:74:ea:26:48:8c: .. 4e:fb:d7:f9:81:eb:d8:74:59:17:fa:c9:64:8d:88:0e:98:1e:
Validity Start/End
21
-----BEGIN CERTIFICATE-----MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
<snip>u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4-----END CERTIFICATE-----
Sample usercert.pem: (public key)
-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
<snip>et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=-----END RSA PRIVATE KEY-----
Sample userkey.pem (private key):
Certificate and Key Data
22
Certificate Information
To get cert information run grid-cert-info% grid-cert-info –subject/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya
Options for printing cert information-all -startdate-subject -enddate-issuer -help
[raj@belle .globus]$ grid-proxy-info subject : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya/CN=proxy issuer : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya identity : /O=Australian Grid Forum/OU=AusGrid
Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya type : full legacy globus proxy strength : 512 bits path : /tmp/x509up_u501 timeleft : 0:59:25
23
“Logging on” to the Grid
To run programs, authenticate to Globus:% grid-proxy-initEnter PEM pass phrase: ******
Creates a temporary, local, short-lived proxy credential for use by our computations
Options for grid-proxy-init:-hours <lifetime of credential>-bits <length of key>-help
24
grid-proxy-init Details
grid-proxy-init creates the local proxy file. User enters pass phrase, which is used to
decrypt private key. Private key is used to sign a proxy certificate
with its own, new public/private key pair. User’s private key not exposed after proxy has
been signed Proxy placed in /tmp, read-only by user NOTE: No network traffic! grid-proxy-info displays proxy details
25
Grid Sign-On With grid-proxy-init
User certificate file
Private Key(Encrypted)
PassPhrase
User Proxycertificate file
26
Destroying Your Proxy (logout)
To destroy your local proxy that was created by grid-proxy-init:% grid-proxy-destroy
This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes
27
Proxy Information
To get proxy information run grid-proxy-info% grid-proxy-info -subject/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya
Options for printing proxy information-subject -issuer-type -timeleft-strength -help
Options for scripting proxy queries-exists -hours <lifetime of credential>-exists -bits <length of key>
Returns 0 status for true, 1 for false:
28
Important Files
/etc/grid-security hostcert.pem: certificate used by the server in mutual
authentication hostkey.pem: private key corresponding to the
server’s certificate (read-only by root) grid-mapfile: maps grid subject names to local user
accounts (really part of gatekeeper) /etc/grid-security/certificates
CA certificates: certs that are trusted when validating certs, and thus needn’t be verified
ca-signing-policy.conf: defines the subject names that can be signed by each CA
29
Important Files
$HOME/.globus usercert.pem: User’s certificate (subject name,
public key, CA signature) userkey.pem: User’s private key (encrypted
using the user’s pass phrase) /tmp
Proxy file(s): Temporary file(s) containing unencrypted proxy private key and certificate (readable only by user’s account)
Same approach Kerberos uses for protecting tickets
30
Secure Services
On most Unix machines, inetd listens for incoming service connections and passes connections to daemons for processing.
On Grid servers, the gatekeeper securely performs the same function for many services It handles mutual authentication using files
in /etc/grid-security It maps to local users via the gridmap file
31
Sample Gridmap File
# Distinguished name Local# username"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya" bellegrid
"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Srikumar Venugopal" bellegrid"/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Jia Yu" jiayu"/C=JP/O=AIST GTRC/CN=Peerapon Vateekul/[email protected]" mikegrid
Gridmap file maintained by Globus administrator
Entry maps Grid-id into local user name(s)
32
ExampleSecure Remote Startup
key
cert
gatekeeperclient
1. Exchange certificates, authenticate, delegate
2. Check gridmap file3. Lookup service4. Run service program
(e.g. jobmanager)
jobmanager
key
cert
1.
2.
map
4.
services3.
33
Simple job submission
globus-job-run provides a simple RSH compatible interface % grid-proxy-init Enter PEM pass phrase: *****
% globus-job-run host program [args] Authentication Test
% globusrun –a –r hostname
34
Delegation
Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Proxy cert and public key sent to client Clients signs proxy cert and returns it Server (usually) puts proxy in /tmp
Allows remote process to authenticate on behalf of the user Remote process “impersonates” the user
35
Limited Proxy
During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy GRAM (job submission) client does this
Each service decides whether it will allow authentication with a limited proxy Job manager service requires a full proxy GridFTP server allows either full or limited
proxy to be used
36
Restricted Proxies
A generalization of the simple limited proxies Desirable to have fine-grained restrictions Reduces exposure from compromised proxies
Embed restriction policy in proxy cert Policy is evaluated by resource upon proxy use Reduces rights available to the proxy to a subset of
those held by the user A proxy no longer grants full impersonation rights
Extensible to support any policy language
37
ExerciseSign-On & Remote Process
Creation Use grid-cert-info to examine your cert:
% grid-cert-info -all
Use grid-proxy-init to create a proxy certificate:% grid-proxy-initEnter PEM pass phrase:......................................+++++.....+++++
Use grid-proxy-info to query proxy:% grid-proxy-info -subject
Use globus-job-run to start remote programs:% globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
38
Generic Security Service API
The GSS-API is the IETF draft standard for adding authentication, delegation, message integrity, and message confidentiality to apps For secure communication between two parties over a
reliable channel (e.g. TCP) GSS-API separates security from communication,
which allows security to be easily added to existing communication code. Filters on each end of the communications link
GSS-API Extensions defined in GGF draft Globus Toolkit components all use GSS-API
39
gss_inquire_cred()
Extract information (e.g. the subject name) from a credential
gss_inquire_cred_by_oid()
Extract information associated with a OID (owner ID) from a credential (e.g. information in certificate extensions)Will be in future version > GT 2.0
40
Authorization
GSI handles authentication, but authorization is a separate issue
Authorization issues: Management of authorization on a multi-organization grid
is still an interesting problem. The grid-mapfile doesn’t scale well, and works only at the
resource level, not the collective level. Large communities that share resources exacerbates
authorization issues, which has led us to CAS (Community Authorization Service)…
Why not use Grid Bank Services ? All those GSPs providing services through the Grid
Marketplace can allow any consumer to access their services as long as GridBank guarantees the payment,
41
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”
…………
Clients
ResourcesResource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” alex
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya” rajkumar
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald” chris
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”
…………
X509v3 Digital Certificate
…………
Subject:
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”
…………
Access Scalability Problem
42
Resource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank
GridBank
Template (local) accounts
gbaccount1
gbaccount2
gbaccount3
Resource access authorization file (grid-mapfile)
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” gbaccount1
Template (local) accounts
gbaccount2
gbaccount3
Request to access resource
Passing client’s Certificate Subject
Execute job
GridBank Accounts“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”
“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”
“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”
GridBank’s Solution to Access Scalability Problem: Modified gatekeeper
43
Security Summary
Programs for credential management grid-cert-info, grid-proxy-init, grid-proxy-
destroy, grid-proxy-info GSS-API: The Globus Toolkit Grid
Security Infrastructure (GSI) uses this API, which allows programs to easily add security
globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use