INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
Getting Started
Guy Warner, NeSC Training Team
Induction to Grid Computing and the National Grid Service
10th-11th March 2005
Acknowledgements
Some of the slides in this presentation are based on / motivated by:
• The presentation given by Carl Kesselman at the GGF Summer School 2004. This presentation may be found at: http://www.dma.unina.it/~murli/GridSummerSchool2004/curriculum.htm
• Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at: http://csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at: http://agenda.cern.ch/fullAgenda.php?ida=a044965
The Problem
• Question: How does a user securely access the Resource without having an account on the machines in between or even on the Resource?
• Question: How does the Resource know who a user is and that they are allowed access?
[Diagram: the User at one end, the Resource at the other, with the machines in between.]
Overview
[Diagram: Security, provided by the Grid Security Infrastructure, comprises Authentication, Encryption & Data Integrity, and Authorization.]
Approaches to Security: 1
The Poor Security House
Approaches to Security: 2
The Paranoid Security House
Approaches to Security: 3
The Realistic Security House
Approaches to Grid Security
• The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in a publicly available location.
• The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave the computer unattended.
• The Realistic Security Approach:
– Encrypt all sensitive communications.
– Use difficult-to-break identification means.
– Keep identification secure at all times (e.g. encrypted on a memory stick).
– Only allow access to trusted users.
The Risks of Poor User Security
• Launching attacks on other sites
– Large distributed farms of machines are perfect for launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution, and access to sensitive information
– Massive distributed storage capacity is ideal, for example, for swapping movies.
• Damage caused by viruses, worms etc.
– A highly connected infrastructure means worms spread faster than on the internet in general.
Authentication and Authorization
• Authentication – Are you who you claim to be?
• Authorisation – Do you have access to the resource you are connecting to?
[Image: an identity card for John Doe, 755 E. Woodlawn, Urbana IL 61801, number 0598234, used as an analogy; a second name, Jane, appears alongside.]
The Trust Model
[Diagram: Domain A (Server X, Server Y, Sub-Domain A1, with its own Policy Authority) and Domain B (Sub-Domain B1, with its own Policy Authority) have no cross-domain trust. A Task spanning both domains is supported by GSI through a Certification Authority and a Federation Service, which together form a Virtual Organization.]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Public/Private Key
[Diagram: Alice sends the message "Life Savings" to Bob. Sent in the clear, the message is INSECURE. Encrypted with one key of the pair (Private Key / Public Key) and decrypted with the other, the message is SECURE in both directions.]
Certificates
• Similar to a passport or driver’s license: an identity signed by a trusted party
[Diagram: the fields of a certificate: Name, Issuer, Public Key, Signature.]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
[Image: a State of Illinois driver’s license for John Doe, 755 E. Woodlawn, Urbana IL 61801 (BD 08-06-35, Male, 6’0”, 200 lbs, GRN eyes), bearing the state Seal.]
Certificate Authorities
• A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates.
• A Certificate Authority is an entity that exists only to sign user certificates.
• Users authenticate themselves to the CA, for example by use of their Passport or Identity Card.
• The CA signs its own certificate, which is distributed in a secure manner.
[Diagram: the CA’s self-signed certificate: Name: CA; Issuer: CA; CA’s Public Key; CA’s Signature.]
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Delegation and Certificates
Delegation: the act of giving an organization, person or service the right to act on your behalf.
• For example: a user delegates their authentication to a service to allow programs to run on remote sites.
[Diagram: Stage 1 (low frequency): the CA signs its own certificate. Stage 2 (medium frequency): the CA signs the User Certificate. Stage 3 (high frequency): the User Certificate signs a Proxy Certificate, which is handed to the Service.]
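The three stages above, together with the self-signed CA certificate and the public/private key pair from the earlier slides, worked through as an added Go example (not code from the slides, from GSI or from the EGEE project): a CA signs its own certificate, the CA signs a user certificate, and the user's own private key signs a short-lived proxy; VerifyDelegation then checks the chain the way a relying party would. The names ("Training CA", "Jane Doe"), the lifetimes and the use of P-256 keys are constructed for the example; real GSI proxy certificates also carry the proxyCertInfo extension and naming rules of RFC 3820, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a certificate for a fresh P-256 key, valid for hours, signed by parentKey (nil parent: self-signed CA).
func issue(cn string, hours int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(hours) * time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Chain builds the slide's three stages, leaf first; only the proxy lifetime (hours) varies. Names and lifetimes are constructed.
func Chain(proxyHours int) []*x509.Certificate {
	ca, caKey := issue("Training CA", 24*365*5, nil, nil)          // stage 1: CA signs its own certificate (low frequency)
	user, userKey := issue("Jane Doe", 24*365, ca, caKey)           // stage 2: CA signs the user certificate (medium frequency)
	proxy, _ := issue("Jane Doe proxy", proxyHours, user, userKey) // stage 3: user signs a short-lived proxy (high frequency)
	return []*x509.Certificate{proxy, user, ca}
}

// VerifyDelegation walks proxy -> user -> CA (last element = the CA certificate already trusted): each link must be signed by the next key, be valid at now, and not outlive its signer.
func VerifyDelegation(chain []*x509.Certificate, now time.Time) error {
	for i, c := range chain[:len(chain)-1] {
		if chain[i+1].CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil ||
			now.Before(c.NotBefore) || now.After(c.NotAfter) || c.NotAfter.After(chain[i+1].NotAfter) {
			return fmt.Errorf("%s: bad signature or outside its validity window", c.Subject.CommonName)
		}
	}
	return nil
}
```

x509.Verify is deliberately not used: it requires the CA bit on every issuer, whereas a user certificate is an end-entity certificate that nonetheless signs its proxy, so the proxy link is checked with CheckSignature directly.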
User Authorisation to Access Resource
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
User Responsibilities
• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.
Summary
[Diagram: User to Resource. Authentication via certificates and delegated services; authorisation delegated to the VO.]
The Practical
• In your information pack is a sheet containing the details for logging on to your workstation and the passwords needed for logging on to your account on lab-07, the server to be used in this tutorial.
• Login to your workstation.
• Use the putty program (on your desktop) to connect to lab-07.
• Open a browser window to http://homepages.nesc.ac.uk/~gcw/NGS/GSI.html
• Follow the instructions from there.