Source: The Globus ProjectArgonne National Laboratory

USC Information Sciences Institutehttp://www.globus.org/

Updated/Localised: Rajkumar Buyya

Grid Security: PKI Based Authentication Infrastructure

2

Security

As Grid Resources and Users are Distributed and Owned by different organizations, only authorized users should be allowed to access them.

A simple authentication infrastructure is needed. Also, both users and owners should be protected

from each other. The Users need be assured about security of their:

Data Code Message

3

ExampleSecure Remote Startup

key

cert

gatekeeperclient

1. Exchange certificates, authenticate, delegate

2. Check gridmap file3. Lookup service4. Run service program

(e.g. jobmanager)

jobmanager

key

cert

1.

2.

map

4.

services3.

GSPGSC

4

Grid Security Infrastructure (GSI) based on PKI – as realized in Globus

GSI is:

PKI(CAs and

Certificates)

SSL/TLS

Proxies and Delegation

PKI forcredentials

SSL forAuthenticationAnd message protection

Proxies and delegation (GSIExtensions) for secure singleSign-on

PKI: Public Key Infrastructure, SSL: Secure Socket LayerTLS: Transport Level Security

5

Public Key Infrastructure (PKI) PKI allows you to know that

a given public key belongs to a given user

PKI builds on asymmetric encryption:

Each entity has two keys: public and private

Data encrypted with one key can only be decrypted with other.

The private key is known only to the entity

The public key is given to the world encapsulated in a X.509 certificate

Owner

6

Public Key Infrastructure (PKI) Overview

X.509 Certificates Certificate Authorities (CAs) Certificate Policies

Namespaces Requesting a certificate

Certificate Request Registration Authority

Owner

7

X.509

A widely used standard for defining digital certificates. X.509 is actually an ITU (International Telecommunication Union) Recommendation, which means that it has not yet been officially defined or approved for standardized usage. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.

8

Certificates

A X.509 certificate binds a public key to a name

It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)

NameIssuerPublic KeySignature

9

Rajkumar Buyya111, Barry St.Carlton, 3053

BD 01-06-1970Male 165cms, 65KgB&W Eyes

State ofVictoria

Seal

Certificates

Similar to passport or driver’s license

NameIssuerPublic KeySignature

10

Certificates

By checking the signature, one can determine that a public key belongs to a given user.

NameIssuerPublic KeySignature

Hash

=?Decrypt

Public Key fromIssuerIss

uer

11

Certificate Authorities (CAs)

A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates

A Certificate Authority is an entity that exists only to sign user certificates

The CA signs it’s own certificate which is distributed in a trusted manner

Name: CAIssuer: CACA’s Public KeyCA’s Signature

12

Certificate Authorities (CAs)

The public key from the CA certificate can then be used to verify other certificates

NameIssuerPublic KeySignature

Hash

=?Decrypt

Name: CAIssuer: CACA’s Public KeyCA’s Signature

13

Requesting a Certificate

To request a certificate a user starts by generating a key pair

The private key is stored encrypted with a pass phrase the user gives

The public key is put into a certificate request

CertificateRequest

Public Key

EncryptedOn local

disk

14

Certificate Issuance

The user then takes the certificate to the CA

The CA usually includes a Registration Authority (RA) which verifies the request:

The name is unique with respect to the CA

It is the real name of the user

Etc.

CertificateRequest

Public KeyID

15

Certificate Issuance

The CA then signs the certificate request and issues a certificate for the user

CertificateRequest

Public Key

NameIssuerPublic KeySignature

Sign

16

Secure Socket Layer (SSL)

Also known as TLS (Transport Layer Security) Uses certificates and TCP sockets to provide

a secured connection Authentication of one or both parties using the

certificates Message protection

Confidentiality (encryption) Integrity

Certificates TCP Sockets

SSL/TLS

17

Mutual Authentication

A and B are two parties: Both need to trust each others’ CA.

A B (A establishes connection to B and gives his certificate (name,pub. Key) to B).

B makes sure that it can trust CA of A. B generates random message A and asks it

encrypt it. A encrypts it and send to B B decrypts using A’s public key. If the msg. is

same as what B has sent, then A is who it is claiming to be.

18

Globus Security: Review

GSI extends existing standard protocols & APIs

Based on standards: SSL/TLS, X.509, GSS-API Extensions for single sign-on and delegation

The Globus Toolkit provides: Generic Security Services API (GSS-API) on GSI

protocols The GSS-API is the IETF standard for adding

authentication, delegation, message integrity, and message confidentiality to applications.

Various tools for credential management, login/logout, etc.

19

Obtaining a Certificate

The program grid-cert-request is used to create a public/private key pair and unsigned certificate in ~/.globus/:

usercert_request.pem: Unsigned certificate file userkey.pem: Encrypted private key file

Must be readable only by the owner

Mail usercert_request.pem to ca@ausgrid.org Receive a Globus-signed certificate

Place in ~/.globus/usercert.pem Other organizations use different approaches

NCSA, NPACI, NASA, etc. have their own CA

20

My Certificate (certified by CA)

Certificate: Data: Version: 3 (0x2) Serial Number: 26 (0x1a) Signature Algorithm: md5WithRSAEncryption Issuer: O=Australian Grid Forum, OU=AusGrid Testbed, CN=ausgrid.org Validity Not Before: Feb 8 03:40:20 2004 GMT Not After : Feb 7 03:40:20 2005 GMT Subject: O=Australian Grid Forum, OU=AusGrid Testbed, OU=cs.mu.oz.au, CN=RajkumarBuyya Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bb:c7:92:a8:14:75:81:2c:38:b6:45:e9:db:12: a3:6b:e2:66:41:62:44:ef:1a:56:5c:42:71:ec:8b: 04:1e:01:53:43:84:1a:cb:8e:a9:d1:99:67:1f:ef:.. 07:5f:92:04:6e:ca:29:77:ec:9d:f3:36:c2:49:40: 8f:51:8e:63:4e:82:2b:c7:c9:0c:bc:55:ce:01:d1: 8a:f4:dc:19:c4:01:37:f9:9f Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, SSL Server, S/MIME, Object Signing Signature Algorithm: md5WithRSAEncryption b2:f0:a2:79:bc:2d:0f:02:15:f2:4d:8a:e8:5f:7c:79:1e:43: 09:d9:6e:59:7b:7c:71:87:8c:4a:10:9c:0e:74:ea:26:48:8c: .. 4e:fb:d7:f9:81:eb:d8:74:59:17:fa:c9:64:8d:88:0e:98:1e:

Validity Start/End

21

-----BEGIN CERTIFICATE-----MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY

<snip>u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4-----END CERTIFICATE-----

Sample usercert.pem: (public key)

-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl

<snip>et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=-----END RSA PRIVATE KEY-----

Sample userkey.pem (private key):

Certificate and Key Data

22

Certificate Information

To get cert information run grid-cert-info% grid-cert-info –subject/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya

Options for printing cert information-all -startdate-subject -enddate-issuer -help

[raj@belle .globus]$ grid-proxy-info subject : /O=Australian Grid Forum/OU=AusGrid

Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya/CN=proxy issuer : /O=Australian Grid Forum/OU=AusGrid

Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya identity : /O=Australian Grid Forum/OU=AusGrid

Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya type : full legacy globus proxy strength : 512 bits path : /tmp/x509up_u501 timeleft : 0:59:25

23

“Logging on” to the Grid

To run programs, authenticate to Globus:% grid-proxy-initEnter PEM pass phrase: ******

Creates a temporary, local, short-lived proxy credential for use by our computations

Options for grid-proxy-init:-hours <lifetime of credential>-bits <length of key>-help

24

grid-proxy-init Details

grid-proxy-init creates the local proxy file. User enters pass phrase, which is used to

decrypt private key. Private key is used to sign a proxy certificate

with its own, new public/private key pair. User’s private key not exposed after proxy has

been signed Proxy placed in /tmp, read-only by user NOTE: No network traffic! grid-proxy-info displays proxy details

25

Grid Sign-On With grid-proxy-init

User certificate file

Private Key(Encrypted)

PassPhrase

User Proxycertificate file

26

Destroying Your Proxy (logout)

To destroy your local proxy that was created by grid-proxy-init:% grid-proxy-destroy

This does NOT destroy any proxies that were delegated from this proxy. You cannot revoke a remote proxy Usually create proxies with short lifetimes

27

Proxy Information

To get proxy information run grid-proxy-info% grid-proxy-info -subject/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya

Options for printing proxy information-subject -issuer-type -timeleft-strength -help

Options for scripting proxy queries-exists -hours <lifetime of credential>-exists -bits <length of key>

Returns 0 status for true, 1 for false:

28

Important Files

/etc/grid-security hostcert.pem: certificate used by the server in mutual

authentication hostkey.pem: private key corresponding to the

server’s certificate (read-only by root) grid-mapfile: maps grid subject names to local user

accounts (really part of gatekeeper) /etc/grid-security/certificates

CA certificates: certs that are trusted when validating certs, and thus needn’t be verified

ca-signing-policy.conf: defines the subject names that can be signed by each CA

29

Important Files

$HOME/.globus usercert.pem: User’s certificate (subject name,

public key, CA signature) userkey.pem: User’s private key (encrypted

using the user’s pass phrase) /tmp

Proxy file(s): Temporary file(s) containing unencrypted proxy private key and certificate (readable only by user’s account)

Same approach Kerberos uses for protecting tickets

30

Secure Services

On most Unix machines, inetd listens for incoming service connections and passes connections to daemons for processing.

On Grid servers, the gatekeeper securely performs the same function for many services It handles mutual authentication using files

in /etc/grid-security It maps to local users via the gridmap file

31

Sample Gridmap File

# Distinguished name Local# username"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Rajkumar Buyya" bellegrid

"/O=Australian Grid Forum/OU=AusGrid Testbed/OU=cs.mu.oz.au/CN=Srikumar Venugopal" bellegrid"/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Jia Yu" jiayu"/C=JP/O=AIST GTRC/CN=Peerapon Vateekul/Email=griddemo@mike-33-98.cpe.ku.ac.th" mikegrid

Gridmap file maintained by Globus administrator

Entry maps Grid-id into local user name(s)

32

ExampleSecure Remote Startup

key

cert

gatekeeperclient

1. Exchange certificates, authenticate, delegate

2. Check gridmap file3. Lookup service4. Run service program

(e.g. jobmanager)

jobmanager

key

cert

1.

2.

map

4.

services3.

33

Simple job submission

globus-job-run provides a simple RSH compatible interface % grid-proxy-init Enter PEM pass phrase: *****

% globus-job-run host program [args] Authentication Test

% globusrun –a –r hostname

34

Delegation

Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Proxy cert and public key sent to client Clients signs proxy cert and returns it Server (usually) puts proxy in /tmp

Allows remote process to authenticate on behalf of the user Remote process “impersonates” the user

35

Limited Proxy

During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy GRAM (job submission) client does this

Each service decides whether it will allow authentication with a limited proxy Job manager service requires a full proxy GridFTP server allows either full or limited

proxy to be used

36

Restricted Proxies

A generalization of the simple limited proxies Desirable to have fine-grained restrictions Reduces exposure from compromised proxies

Embed restriction policy in proxy cert Policy is evaluated by resource upon proxy use Reduces rights available to the proxy to a subset of

those held by the user A proxy no longer grants full impersonation rights

Extensible to support any policy language

37

ExerciseSign-On & Remote Process

Creation Use grid-cert-info to examine your cert:

% grid-cert-info -all

Use grid-proxy-init to create a proxy certificate:% grid-proxy-initEnter PEM pass phrase:......................................+++++.....+++++

Use grid-proxy-info to query proxy:% grid-proxy-info -subject

Use globus-job-run to start remote programs:% globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp

38

Generic Security Service API

The GSS-API is the IETF draft standard for adding authentication, delegation, message integrity, and message confidentiality to apps For secure communication between two parties over a

reliable channel (e.g. TCP) GSS-API separates security from communication,

which allows security to be easily added to existing communication code. Filters on each end of the communications link

GSS-API Extensions defined in GGF draft Globus Toolkit components all use GSS-API

39

gss_inquire_cred()

Extract information (e.g. the subject name) from a credential

gss_inquire_cred_by_oid()

Extract information associated with a OID (owner ID) from a credential (e.g. information in certificate extensions)Will be in future version > GT 2.0

40

Authorization

GSI handles authentication, but authorization is a separate issue

Authorization issues: Management of authorization on a multi-organization grid

is still an interesting problem. The grid-mapfile doesn’t scale well, and works only at the

resource level, not the collective level. Large communities that share resources exacerbates

authorization issues, which has led us to CAS (Community Authorization Service)…

Why not use Grid Bank Services ? All those GSPs providing services through the Grid

Marketplace can allow any consumer to access their services as long as GridBank guarantees the payment,

41

X509v3 Digital Certificate

…………

Subject:

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”

…………

Clients

ResourcesResource access authorization file (grid-mapfile)

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” alex

“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya” rajkumar

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald” chris

X509v3 Digital Certificate

…………

Subject:

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”

…………

X509v3 Digital Certificate

…………

Subject:

“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”

…………

Access Scalability Problem

42

Resource access authorization file (grid-mapfile)

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank

GridBank

Template (local) accounts

gbaccount1

gbaccount2

gbaccount3

Resource access authorization file (grid-mapfile)

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=GridBank” gridbank

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta” gbaccount1

Template (local) accounts

gbaccount2

gbaccount3

Request to access resource

Passing client’s Certificate Subject

Execute job

GridBank Accounts“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Alexander Barmouta”

“/O=Grid/O=Globus/OU=cs.mu.oz.au/CN=Rajkumar Buyya”

“/O=Grid/O=Globus/OU=cs.uwa.edu.au/CN=Chris McDonald”

GridBank’s Solution to Access Scalability Problem: Modified gatekeeper

43

Security Summary

Programs for credential management grid-cert-info, grid-proxy-init, grid-proxy-

destroy, grid-proxy-info GSS-API: The Globus Toolkit Grid

Security Infrastructure (GSI) uses this API, which allows programs to easily add security

globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use