Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman

Security Issues in Grid Computing

Reading: Grid Book, Chapter 16:

“Security, Accounting and Assurance”

By Clifford Neuman

Security Issues
- Traditional systems: protect the system from its users; protect one user's data from compromise
- Grid systems:
  - Protect applications and data from the system on which the computation executes
  - Stronger authentication needed, for users and for code
  - Protect local execution from remote systems
  - Different administrative domains, each with its own security policy

Organization
- Authentication: password-based, Kerberos, SSL, certification authorities
- Authorization
- Integrity and confidentiality: symmetric and asymmetric cryptography, PGP (Pretty Good Privacy), SSL

Organization (cont.)
- More security issues: assurance, accounting, audit
- More security technologies: IPSec and IPv6, VPNs (Virtual Private Networks), firewalls, GSS-API

Authentication
- Process of verifying the identity of a participant in an operation or request
- Principal: the entity whose identity is verified (a local user, or a user logged into a remote system)
- Traditional systems: authenticate the client to protect the server
- Grid systems: mutual authentication required, so that resources and data are not in fact provided by an attacker

Authentication Methods: Password-based Authentication
- Sending a password in the clear is only acceptable when no untrusted process can read messages on the network; on a grid that assumption rarely holds
- Instead, prove knowledge of the password without sending it:
  - Use the password (or a key derived from it) as an encryption key
  - Encrypt a known but non-repeating value (a challenge or timestamp)
  - Send the encrypted value to the party verifying the authentication
- Both parties must know the password, or trust a third party to distribute it
- Caveat: a captured challenge/response pair still allows offline guessing against a weak password
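The challenge/response scheme described above, as an added example that is not part of the slides. It keys a MAC with a PBKDF2-derived key instead of literally encrypting the challenge, since that is what the Python standard library offers; the salt, iteration count and the sample password are assumptions for the demo, and a real verifier stores a per-user salt.

```python
# Added example (not from the slides): prove knowledge of a password without
# sending it. Both sides derive a key from the shared password (PBKDF2) and the
# verifier issues a fresh random challenge each time, accepted only once.
import hashlib
import hmac
import secrets

SALT = b"grid-demo-salt"   # assumed; a real verifier stores a per-user random salt


def derive_key(password: str) -> bytes:
    """Fixed-size key from the shared password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def respond(password: str, challenge: bytes) -> bytes:
    """Client side: key a MAC over the non-repeating challenge with the
    password-derived key (the slides' 'encrypt a known but non-repeating value')."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: holds the password-derived key and the outstanding challenges."""

    def __init__(self, password: str) -> None:
        self._key = derive_key(password)
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)        # fresh 128-bit value, never reused
        self._outstanding.add(c)
        return c

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is accepted once, so a replayed response fails.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo() -> tuple:
    """Returns (genuine login ok, replay accepted, wrong password accepted)."""
    password = "correct horse battery staple"   # constructed sample password
    v = Verifier(password)
    c = v.challenge()
    r = respond(password, c)
    ok = v.check(c, r)               # genuine client -> True
    replay = v.check(c, r)           # same (challenge, response) again -> False
    c2 = v.challenge()
    wrong = v.check(c2, respond("wrong password", c2))   # -> False
    return ok, replay, wrong
```

Note what the verifier learns: it holds a password-equivalent key, and anyone who captures `(c, r)` can test password guesses offline against the pair, which is why the password strength still matters.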

Authentication Systems: Kerberos
- Authentication and key distribution protocol
- Used with symmetric encryption (both sides must share the same key)
- Better performance than systems based on public-key (asymmetric) cryptography; well suited to frequent authentication
- Centrally administered
- Requires a trusted, on-line server, the Key Distribution Center (KDC), rather than an off-line certification authority

Using Kerberos to authenticate a client and a server
1. Each client and server registers its key in advance with the Kerberos authentication server (KDC)
2. When the client wants to talk to a service provider, it sends the client's and the service provider's names to the KDC
3. The KDC randomly generates a session key for symmetric encryption between client and server
4. The KDC returns two things: the session key encrypted under the client's key, and a ticket containing the client's name and the session key, encrypted under the server's key (the client cannot read the ticket; it only relays it)

Kerberos Authentication (cont.)
5. The client caches the session key and the ticket, which are valid for some period; this reduces the number of requests to the KDC
6. The client forwards the ticket to the service provider, together with an authenticator: a timestamp encrypted under the session key
7. The server decrypts the ticket with its own key and extracts the session key
8. The server uses the session key to decrypt the timestamp and checks that it is recent (and, in practice, that the same authenticator has not been seen before within the freshness window, to block replay)
9. If the client needs to authenticate the server, the server encrypts the timestamp with the session key and sends it back; only a holder of the server's key could have recovered the session key from the ticket
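The nine-step exchange above (and the identical key-distribution slides later in the deck), as an added example that is not from the slides or from any Kerberos implementation. All three parties run in one process; the symmetric "encryption" is a toy encrypt-then-MAC construction built from HMAC-SHA256 (keystream plus tag) so the example runs on the standard library, and the ticket lifetime, skew window and principal names are assumptions. Real Kerberos uses AES-based encryption types and ASN.1 messages.

```python
# Added example (not from the slides): Kerberos ticket exchange, simulated.
import hashlib
import hmac
import json
import secrets
import time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed)
CLOCK_SKEW = 300             # authenticator freshness window (Kerberos default 5 min)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag(nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Step 1: every principal registers a long-term key here."""

    def __init__(self) -> None:
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def request(self, client: str, server: str) -> tuple:
        """Steps 2-4: mint a session key; hand it to the client under the
        client's key and, inside a ticket, to the server under the server's key."""
        session, expires = secrets.token_bytes(32), time.time() + TICKET_LIFETIME
        for_client = encrypt(self.keys[client], {"server": server, "key": session.hex(), "expires": expires})
        ticket = encrypt(self.keys[server], {"client": client, "key": session.hex(), "expires": expires})
        return for_client, ticket


class Server:
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key, self.seen = name, key, set()   # seen: replay cache

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Steps 7-9: open the ticket, check the authenticator, prove ourselves back."""
        t = decrypt(self.key, ticket)                 # only the server holds self.key
        if t["expires"] < time.time():
            raise PermissionError("ticket expired")
        session = bytes.fromhex(t["key"])
        auth = decrypt(session, authenticator)        # client must know the session key
        if abs(time.time() - auth["ts"]) > CLOCK_SKEW:
            raise PermissionError("stale authenticator")
        if (t["client"], auth["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((t["client"], auth["ts"]))
        return encrypt(session, {"ts": auth["ts"]})   # step 9: mutual authentication


def client_login(kdc: KDC, client: str, client_key: bytes, server: Server) -> bool:
    """Steps 2, 5, 6 and the client half of step 9."""
    for_client, ticket = kdc.request(client, server.name)
    session = bytes.fromhex(decrypt(client_key, for_client)["key"])   # step 5: cache both
    ts = time.time()
    reply = server.accept(ticket, encrypt(session, {"ts": ts}))
    return decrypt(session, reply)["ts"] == ts        # server proved it knows the session key


def demo() -> tuple:
    """Returns (genuine login ok, forged ticket accepted)."""
    kdc = KDC()
    alice_key = kdc.register("alice")
    fs = Server("fileserver", kdc.register("fileserver"))
    ok = client_login(kdc, "alice", alice_key, fs)
    try:   # an impostor without the server's key cannot mint an acceptable ticket
        fs.accept(encrypt(secrets.token_bytes(32), {"client": "alice", "key": "00" * 32, "expires": 1e12}),
                  encrypt(bytes(32), {"ts": time.time()}))
        forged = True
    except ValueError:
        forged = False
    return ok, forged
```

The replay cache and the skew check in `Server.accept` are the two checks the slides' step 8 leaves implicit; without the cache, an eavesdropper who captures the ticket and authenticator can replay them for the whole skew window.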

Authentication Systems: Secure Sockets Layer (SSL)
- Widely deployed: every web browser (today in its successor form, TLS)
- Client authenticates the identity of the server
- Client sends a session key to the server to set up encrypted communication (RSA key transport, as described here; current TLS versions instead derive the session key from an ephemeral Diffie-Hellman exchange, so that a later compromise of the server's private key does not expose recorded traffic)
- Server has a certificate that contains its public key
- If the client also has a certificate, it can authenticate itself to the server

Using SSL to authenticate a server
1. Client web browser with SSL contacts a web server with SSL
2. Server sends its public-key certificate to the client
3. Client uses the public key of a trusted Certificate Authority (CA) to verify that the server's certificate is valid
4. Client verifies that the hostname embedded in the certificate is the hostname of the intended server (skipping this check lets any holder of a valid certificate impersonate any server)
5. Client extracts the server's public key from the certificate
6. Client uses the server's public key to encrypt a session key for a symmetric cryptosystem
7. Client sends the encrypted session key to the server
8. Server uses its private key to decrypt the session key
9. Client and server communicate using the symmetric cryptosystem with the session key

Certificates and Certification Authorities (CA)
- A certification mechanism provides a binding between an encryption key and an authenticated identity
- A certification authority (CA) is a third party that certifies, or validates, the binding
- The CA issues a certificate and signs it
- A certificate is a data object that contains:
  - The distinguished name of a principal
  - In asymmetric cryptosystems, the public key of the principal
  - Optional attributes: authorizations, group memberships, email addresses, alternate names

Certification (cont.)
- X.509 certificates are the most widely used format: web browsers, secure email services, public-key-based electronic payment systems
- Validating the binding:
  - The verifier must know the CA's public key
  - It uses the CA's public key to validate the CA's signature
- Hierarchy of CAs: each CA is certified by a higher-level CA, except for the root CA(s)
- Applications and servers must know the public keys of the trusted root CAs; since anything a root signs is trusted, that root set is the trust base of the whole system

Data Origin Authentication
- Provides assurance that a particular message, data item or executable originated with a particular principal
- Determines whether a program was modified, or sent by an attacker

Delegation of Identity
- Process that grants one principal the authority to act as another
- Assume another's identity to perform certain functions
- E.g., in Globus: the gridmap file on a resource maps an authenticated grid identity (the certificate subject) onto a local account, with that account's privileges
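The gridmap lookup described above, as an added example (not Globus code). It parses the grid-mapfile format Globus uses, one line per subject with the quoted distinguished name followed by one or more comma-separated local accounts, and maps an already-authenticated subject onto an account; the file contents and subject names are constructed for the example.

```python
# Added example (not Globus code): parse a grid-mapfile and map an
# authenticated certificate subject (DN) onto a local account.
import shlex
from typing import Optional

# Constructed sample grid-mapfile: "<subject DN>" <local user>[,<local user>...]
SAMPLE_GRIDMAP = """\
# grid-mapfile for the compute cluster (constructed sample)
"/C=US/O=Example Grid/OU=Physics/CN=Jane Doe" jdoe
"/C=US/O=Example Grid/OU=Physics/CN=Raj Patel" rpatel,physics
"/C=US/O=Example Grid/OU=Ops/CN=Batch Robot" batch
"""


def parse_gridmap(text: str) -> dict:
    """Return {subject DN: [local accounts]}; blank lines and # comments are skipped.
    shlex handles the quoted DN, which contains spaces."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected '\"DN\" user[,user...]'")
        dn, users = parts
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def map_identity(mapping: dict, dn: str, requested: Optional[str] = None) -> str:
    """Choose the local account for an authenticated DN.
    A DN absent from the file is rejected even though its certificate validated:
    authentication alone grants nothing here. A requested account must be one
    the file lists for that DN; otherwise the first listed account is used."""
    accounts = mapping.get(dn)
    if not accounts:
        raise PermissionError(f"no grid-mapfile entry for {dn}")
    if requested is None:
        return accounts[0]
    if requested not in accounts:
        raise PermissionError(f"{dn} is not allowed to run as {requested}")
    return requested


def demo() -> tuple:
    m = parse_gridmap(SAMPLE_GRIDMAP)
    a = map_identity(m, "/C=US/O=Example Grid/OU=Physics/CN=Jane Doe")
    b = map_identity(m, "/C=US/O=Example Grid/OU=Physics/CN=Raj Patel", "physics")
    try:
        map_identity(m, "/C=US/O=Example Grid/OU=Physics/CN=Mallory")
        rejected = False
    except PermissionError:
        rejected = True
    return a, b, rejected
```

The file is the resource owner's authorization policy for identity delegation, so it deserves the same protection as a sudoers file: writable only by root, and every mapping reviewed, since each line hands a remote identity a local account's full privileges.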

Reminder: Organization
- Authentication: password-based, Kerberos, SSL, certification authorities
- Authorization
- Integrity and confidentiality: symmetric and asymmetric cryptography, PGP (Pretty Good Privacy), SSL

Authorization
- Process that determines whether a particular operation is allowed
- Traditionally based on the authenticated identity of the requester and local information: Access Control Lists (ACLs)
- Grids: determine whether access to a resource is allowed
  - Access control lists may be associated with resources, principals or authorized programs
  - User-provided code must also be authenticated

Distributed Authorization
- E.g., the Distributed Computing Environment (DCE); systems still being developed
- Distributed maintenance of authorization information: group membership, access control lists
- Need to verify the authenticity of authorization (and assurance) information
- One approach: embed these attributes in certificates signed by a trusted third party ("privilege attribute certificates")

Distributed Authorization (cont.)
- Restricted proxy: an authorization certificate that grants authority to perform an operation on behalf of the grantor
  - Restricted to access to particular objects
  - Valid only when the specified restrictions are satisfied
- Alternative: a separate authorization server; the party providing a service asks the server whether a named principal is authorized

Delegation of Authority
- A user or process that is authorized to perform an operation can grant the authority to perform that operation to another process
- More restricted than identity delegation
- In Grids: used for tasks that run remotely and must read or write data stored across the network
- E.g., a resource manager allocates a node to a job and delegates to the job's initiator the authority to use that node

Integrity and Confidentiality
- Protect data during transmission on the network: anyone connected to an open network may observe, insert or possibly remove messages

Cryptography
- Encryption: scrambles data in a way that varies with a secret encryption key
- Decryption: unscrambles data using the corresponding decryption key
- Ciphertext: scrambled data; plaintext: original or unscrambled data
- Encryption provides confidentiality: data is encrypted before transmission and decrypted afterward, so eavesdroppers learn nothing
- Integrity needs a separate check:
  - Attach a checksum to the data before encryption; after decryption, the receiver verifies the checksum
  - Intended to detect modification by someone who does not know the encryption key
  - Caveat: an unkeyed checksum (such as a CRC) under a stream cipher does not achieve this; an attacker can flip plaintext bits and patch the checksum without the key. Use a keyed message authentication code (MAC) over the ciphertext, or an authenticated-encryption mode, instead
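The failure mode behind that caveat, as an added example that is not part of the slides. The cipher is a one-time pad (XOR with random pad bytes), the simplest stream cipher, and the checksum is CRC-32, which is affine over bit-flips: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0…0). The attacker knows the message layout but not the pad, and the same flip-and-fix works against any stream cipher (it is the attack that broke WEP). The sample message and field layout are constructed for the example.

```python
# Added example (not from the slides): "checksum, then encrypt" under a stream
# cipher is malleable; a keyed MAC over the ciphertext (encrypt-then-MAC) is not.
import hashlib
import hmac
import secrets
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_with_crc(pad: bytes, msg: bytes) -> bytes:
    """Slide scheme: append a 4-byte CRC-32 to the message, then encrypt."""
    return xor(msg + zlib.crc32(msg).to_bytes(4, "big"), pad)


def open_with_crc(pad: bytes, ct: bytes) -> bytes:
    pt = xor(ct, pad)
    body, crc = pt[:-4], int.from_bytes(pt[-4:], "big")
    if zlib.crc32(body) != crc:
        raise ValueError("checksum mismatch")
    return body


def flip_without_key(ct: bytes, delta: bytes) -> bytes:
    """Attacker: XOR delta into the plaintext and patch the encrypted CRC so it
    still verifies. Needs only the ciphertext and the change it wants to make."""
    crc_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ct, delta + crc_delta.to_bytes(4, "big"))


def seal_with_mac(pad: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag is keyed, so the attacker cannot recompute it."""
    ct = xor(msg, pad)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_with_mac(pad: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC mismatch")
    return xor(ct, pad)


def demo() -> tuple:
    """Returns (what the CRC receiver accepts, whether the MAC receiver caught it)."""
    msg = b"PAY 0010 EUR TO ALICE"           # constructed sample plaintext
    pad = secrets.token_bytes(len(msg) + 4)   # shared secret keystream
    mac_key = secrets.token_bytes(32)
    # Attacker knows the layout, not the key: turn "0010" into "9910" in place.
    delta = bytearray(len(msg))
    delta[4] = ord("0") ^ ord("9")
    delta[5] = ord("0") ^ ord("9")
    forged = open_with_crc(pad, flip_without_key(seal_with_crc(pad, msg), bytes(delta)))
    try:   # same bit-flips on the MAC-protected ciphertext (tag left untouched)
        open_with_mac(pad, mac_key, xor(seal_with_mac(pad, mac_key, msg), bytes(delta) + bytes(32)))
        caught = False
    except ValueError:
        caught = True
    return forged, caught
```

`open_with_crc` happily returns the altered amount because the CRC of the altered plaintext was computed by the attacker through the ciphertext; `open_with_mac` rejects the same change because HMAC is not linear and needs `mac_key`.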

Symmetric Cryptosystems
- Examples: DES (Data Encryption Standard), triple-DES, IDEA, Blowfish, RC4, RC5 (DES and RC4 are now considered broken; AES is the current standard)
- Uses the same key for encryption and decryption; both parties must share the key
- With static keys:
  - Each user needs a different key for every other user or service provider
  - Each service provider maintains a key for every user
- Or use a mutually trusted intermediary to generate and distribute a session key to both parties, e.g., the Kerberos Key Distribution Center

Symmetric Encryption Key Distribution Using Kerberos
(The same nine-step exchange as on the Kerberos authentication slides above.)
- Each client and server registers its key with the KDC in advance
- The KDC generates a random session key and returns it to the client, together with a ticket for the server that carries the client's name and the session key encrypted under the server's key
- The client caches the session key and ticket for their validity period, then presents the ticket plus a timestamp encrypted under the session key
- The server recovers the session key from the ticket, checks that the timestamp is recent, and, if the client needs to authenticate the server, returns the timestamp encrypted under the session key

Asymmetric Cryptography
- Also called public-key cryptography (a PKI, public-key infrastructure, is the system of CAs and certificates built around it, not the cryptography itself)
- E.g., RSA (encryption and signatures) or DSA (Digital Signature Algorithm, signatures only)
- Uses a pair of keys for encryption and decryption; knowledge of one key does not reveal the other
- Public key: published and available to anyone; private key: secret, known to only one party
- Advantage: the public key can be disseminated freely
- Disadvantage: significantly worse performance than symmetric encryption
- Because of the performance cost, rarely used in isolation; combined with symmetric encryption

Using Asymmetric Encryption to Exchange a Symmetric Key
1. Sender generates a symmetric session key and an associated checksum
2. Sender encrypts the key and checksum using the recipient's public key and sends them to the recipient
3. Recipient decrypts the key and checksum using its private key
4. Recipient verifies that the checksum is correct and extracts the session key
5. Communication proceeds using symmetric encryption with the session key

Using Asymmetric Encryption to Exchange a Symmetric Key (cont.)
- The asymmetric performance penalty is paid once at startup, not on every block transferred
- Relies on each party knowing the other's public key, or on a trusted third party (a CA) to vouch for it
- Otherwise an attacker could replace the public key with a different one whose private key the attacker knows, and then read every session key sent under it

Encryption with PGP (Pretty Good Privacy)
- Provides integrity, authentication and confidentiality for email and data files
- Sender:
  - Computes a message digest (a cryptographic hash, similar in role to a checksum)
  - Encrypts the original message using symmetric cryptography with a fresh message key
  - Signs the digest with asymmetric cryptography using the sender's private key; this digital signature provides integrity and origin authentication
  - Encrypts the message key with asymmetric cryptography using the recipient's public key

PGP (Pretty Good Privacy) (cont.)
- Recipient:
  - Recovers the digest from the signature using the sender's public key
  - Decrypts the message key using its own private key
  - Uses the message key to decrypt the original message
  - Recomputes the digest of the decrypted message and checks it against the signed digest

Digital Signatures
- Do not require encryption of the original message
- Message digest: computationally infeasible to find another message that produces the same digest
- The digest is signed (transformed with the signer's private key) and attached to the message
- Anyone holding the signer's public key can detect whether the message was altered in transit, and only the holder of the private key could have produced the signature

Reminder: Organization
- More security issues: assurance, accounting, audit
- More security technologies: IPSec and IPv6, VPNs (Virtual Private Networks), firewalls, GSS-API

More Security Issues: Assurance
- A service requester has requirements for performance, security and reliability; does a candidate service provider meet them?
- A form of authorization ("accreditation") used to validate the service provider
- Grid example: check assurance credentials when selecting nodes for a computation: do they meet the performance, reliability or security requirements?
- Assurance schemes: not widely deployed

More Security Issues: Accounting
- Means of tracking, limiting or charging for consumption of resources
- Critical for fair allocation of resources; tied in with authorization
- In the grid, accounting is critical:
  - Need a means of payment
  - Correctly charge the user at the time a resource is consumed
  - Need an incentive to make resources available
- Grids require a distributed mechanism to maintain quotas across systems, to prevent users from exceeding resource limits by spreading use across machines
- Grid accounting schemes: still being developed

More Security Issues: Audit
- Record the operations performed by a system and associate actions with principals
- Uses: find out what went wrong; detect security breaches (intrusion detection)
- In a grid, the audit mechanism must be distributed

Intrusion Detection
- Needs a log of events for later or concurrent analysis
- Protect the confidentiality of audit data
- The log itself is vulnerable to modification, deletion or denial of service, and is an intruder's first target; ship it off the host it records
- Grid applications will affect intrusion detection algorithms: normal grid activity (many hosts contacting many others, bulk data transfers) may look like certain network attacks

More Security Technologies: IPSec and IPv6
- Network-layer (IP) protection for confidentiality and integrity, below the transport layer and transparent to applications; developed alongside IPv6, where it was originally mandatory, and also available for IPv4
- When communication is established between two hosts, key distribution is used to exchange a key for symmetric encryption; key distribution may use Kerberos, a PKI, ...
- Keys are associated with hosts, not with applications or users

More Security Technologies: Virtual Private Networks (VPNs)
- Use network-layer confidentiality and integrity (e.g., IPSec tunnels) while sharing the physical infrastructure of the Internet
- Communication only between participating nodes; protected from disclosure to, or modification by, nodes that are not participants
- Used when it is impractical to integrate security at the application layer
- Because they operate below the application, they cannot:
  - Authenticate end users
  - Understand the application-level objects that need protection
  - Support security policies that distinguish users and application objects

More Security Technologies: Firewalls
- Provide a barrier at the boundary of an organization's network: only specifically authorized communication may pass through
- Prevent many attacks on hosts within the organization
- In grids: less useful, because grid applications will often require communication through the firewall
- Need to integrate IPSec and VPN technologies with firewalls at network boundaries: messages on the internal network remain unprotected and are encrypted/decrypted as they leave/enter the VPN at the firewall

More Security Technologies: GSS-API
- Generic Security Services Application Programming Interface (RFC 2743)
- Facilitates integration of security at the application layer
- Applications make calls to authentication, confidentiality and integrity services; the calls are independent of the underlying security mechanism (Kerberos is the usual one, and the Globus Grid Security Infrastructure provides an X.509-based mechanism behind the same interface)