5b.1 Security II – Grid Computing Security and Globus Security ITCS 4010 Grid Computing,...
-
date post
21-Dec-2015 -
Category
Documents
-
view
221 -
download
0
Transcript of 5b.1 Security II – Grid Computing Security and Globus Security ITCS 4010 Grid Computing,...
5b.1
Security
II – Grid Computing Security
and
Globus Security
ITCS 4010 Grid Computing, UNC-Charlotte B. Wilkinson, 2005
5b.2
Aspects
Grid computing involves setting up a virtual organization for the project:
– Setting up the resources that will be used.
– Identifying the users
– Creating a security policy across sites
5b.3
Virtual Organization SecurityIssues
Need to establish and enforce terms of sharing.
• VO-wide identification of users and services
• Authentication across administrative domains
• Authorization policy across administrative domains
• Trust across administrative domains
5b.4
• Dynamics– Changing community roles, members
• Scaling– Support for large numbers of resources and
users
• Policy– VO and stakeholder control of priorities
Modified form a slide by Ian Foster
5b.5
Grid security must define mechanisms for identity, policy, and trust across autonomous domains with minimal arrangements.
Modified form a slide by Ian Foster
5b.6
Dynamic Policy Overlay
Certification
Domain A
Server XServer X Server Y
PolicyAuthority
Server Y
PolicyAuthority
PolicyAuthority
PolicyAuthority
TaskDomain B
Sub-Domain A1
TaskDomain B
Sub-Domain A1
common mechanism
CertificationAuthority
Sub-Domain B1
CertificationAuthority
Sub-Domain B1
AuthorityAuthority
FederationService
VirtualOrganization
Domain
No Cross-Domain Trust
Slide by Ian Foster
5b.7
Globus Grid Security Infrastructure (GSI)
• A set of tools, libraries, and protocols to allow users and applications to access resources securely in a grid computing environment.
5b.8
Globus Grid Security Infrastructure (GSI)
• Based upon public key infrastructure with certificate authorities and X509 certificates.
• GT 2 components use SSL for authentication and message protection.
• GT 4 can use WS-Security protocols – extensions to SOAP messaging for security
Data Management
SecurityCommonRuntime
Execution Management
Information Services
Web Services
Components
Non-WS
Components
Pre-WSAuthenticationAuthorization
GridFTP
GridResource
Allocation Mgmt(Pre-WS GRAM)
Monitoring& Discovery
System(MDS2)
C CommonLibraries
GT2
WSAuthenticationAuthorization
ReliableFile
Transfer
OGSA-DAI[Tech Preview]
GridResource
Allocation Mgmt(WS GRAM)
Monitoring& Discovery
System(MDS4)
Java WS Core
CommunityAuthorization
ServiceGT3
ReplicaLocationService
XIO
GT3
CredentialManagement
GT4
Python WS Core[contribution]
C WS Core
CommunitySchedulerFramework
[contribution]
DelegationService
GT4
Security
5b.10
Three important factors in grid computing are:
• Authorization– Process of deciding whether a particular
identity can access a particular resource• Authentication
– Process of deciding whether a particular identity is who he says he is (applies to humans and systems)
• Delegation (somewhat specific to grid computing)
– Process of giving authority to another identity (usually a computer/process) to act on your behalf.
5b.12
Authentication
Process of deciding whether a particular identity is who he says he is (applies to humans and systems)
5b.13
GSI AuthenticationEach user has set of credentials they use to prove their identity on the grid. Consists of:– X509 certificate and – private key
• Long-term private key kept encrypted with a pass phrase– Good for security, inconvenient for
repeated usage
5b.14
Certificate Authorities
• Grid computing group (virtual organization) requires one or more CAs to control access to their grid.
• Generally set up CA’s specifically for grid computing virtual organization.
5b.15
Certificate Authorityfor Grid Computing
• Usually a certificate authority is created for the specific grid computing environment.
• Globus has “simple” implementation called simpleCA.
5b.16
Grid Users
• After Certificate Authority established for grid, users have to register with grid CA.
• Users joining a grid from geographically dispersed locations must communicate with the CA system administrator to verify their identity and to get a certificate.
• Communication often done by email!
5b.17
Setting up a CA• Globus SimpleCA
– For use with small projects with simple requirements.
• Globus Certificate Service– For testing only (example use in sticky note
assignment exercise 10).
• Design your own CA or use existing one.
5b.18
Single CA
• Some grids have established a single CA for the virtual organization.
Example• UK e-Science grid has a centralized
CA.
5b.19
Trans-European Research and Education Networking
Association
Provides a list of CAs with access to their certificates:
http://www.terena.nl/tech/task-forces/
tf-aace/tacar/certs.html
5b.22
Configuring GT4 to Trust a Particular Certificate Authority
GT 4 can be configured to accept certificates from multiple CAs.
• Needs to know the CA’s to accept.
• Consists of loading two files describing each CA:
– cert_hash.0 The trusted CA certificate
– cert_hash.signing_policy
A configuration file defining the distinguished names of certificates signed by the CA
5b.25
Multiple CA’sWith multiple CA’s, users in virtual
organization need:
• Account on each computer system
and
• Access control policy set– An entry in each grid-map file of each
system if grid-maps used, see later.
5b.27
Subject’s identity• X509 certificates use LDAP (Lightweight
Directory Access Protocol) Distinguished Name conventions
• Entries organized in a tree hierarchy, which could reflect the organizational structure:– Organization: O=Grid– Organization: O=UNC-C– Organizational unit: OU= Dept of Computer Science– Common name: CN=Barry Wilkinson
• Must to constructed for uniqueness – could be two Barry Wilkinson’s (There are.)
5b.29
Getting a certificate
3. Generate and sign
Request
Signed X509
Public key
Private Key
X509
CAUser
1. Create
2. Apply to CA
5b.30
Grid Security Infrastructure
From: “Introduction to Grid Computing with Globus,” IBM Redbooks,SG24-6895-012003, Fig. 3-3.
Globus Interaction with Certificate Authority
This step done by email or a more a secure way.
5b.31
grid-cert-request
• Globus command to run to get certificate.
• Requests a pass phrase.
• Can be used to get user certificates, host certificates and CA’s own certificate (chosen with grid-cert-request flags).
5b.32
Files held by user after using grid-cert-request
• Users usercert_request.pem – The certificate request, which you should send to
your CA. • Certificate: usercert.pem
– An empty file. When you receive your actual certificate from your CA, you should place it in this file.
• User’s private key: userkey.pem– Previously held (not transmitted), encrypted with
pass phrase used for grid-cert-request.
5b.33
Getting certificate from SimpleCA
Run:$GLOBUS_LOCATION/bin/grid-cert-request
Certificate request stored in:$HOME/.globus/usercert_request.pem
Email this request to certificate authority given in request. Save signed certificate that is returned.
SimpleCA uses the command grid-ca-sign to sign certificate.
5b.34
Grid Computers• Computers added to a grid (donors)
preferably need their identity verified in a similar fashion.
• Computers registered with certificate authority - only those machines will be allowed to participate in the grid activities.
• Computers might be used under a certain access rights.
5b.35
GSI Authentication
Originally based on SSL protocol where one passes an encrypted random number between parties
5b.36
B authenticating host A’s certificate
• Host A send its certificate to Host B.
• Host B gets Host A’s public key and name using CA’s public key.
• Host B creates a random number and sends it to Host A.
• Host A encrypts random number with its private key and sends it to host B.
• Host B decrypts number and checks number. If correct, Host B authenticates host A’s certificate.
5b.38
Mutual Authentication
Two parties proving to each other that they are who they say they are.
Mutual authentication involves the previous process done both ways.
Both parties need to trust CAs that signed each other's certificates.
5b.39
GSI Mutual Authentication
• Before mutual authentication can occur, parties involved must first trust CAs that signed each other's certificates.
– In practice, this means that they must have copies of the CAs' certificate, which contain the CAs' public keys, and that they trust that these certificates really belong to the CAs.
5b.40
Mutual Authentication cont.To start the authentication process,:• A gives B his certificate.
• B will first make sure that certificate valid by checking CA's digital signature to make sure that the CA actually signed the certificate and that the certificate hasn't been tampered with. (This is where B must trust the CA that signed A's certificate.) Once B has checked out A's certificate, B must make sure that A really is the person identified in the certificate.
5b.41
Mutual Authentication cont.
• B generates a random message and sends it to A, asking A to encrypt it.
• A encrypts the message using his private key, and sends it back to B.
• B decrypts the message using A's public key.
• If this results in the original random message, then B knows that A is who he says he is.
5b.42
Mutual Authentication cont.
• Now that B trusts A's identity, the same operation must happen in reverse.
• B sends A her certificate, A validates the certificate and sends a challenge message to be encrypted.
• B encrypts the message and sends it back to A, and A decrypts it and compares it with the original.
• If it matches, then A knows that B is who she says she is.
At this point, A and B have established a connection to each other and are certain that they know each others' identities.
5b.43
Confidential Communication after Mutual Authentication
By default, GSI does not establish confidential (encrypted) communication between parties.
Communication can occur without the overhead of constant encryption and decryption.
GSI can easily be used to establish a shared key for encryption if confidential communication is desired.
5b.44
Communication integrity
Means that an eavesdropper may be able to read communication between two parties but is not able to modify the communication in any way.
GSI provides communication integrity by default. (It can be turned off if desired).
Communication integrity introduces some overhead in communication, but not as large as encryption.
5b.45
Authorization
Process of deciding whether a particular identity can access a particular resource and what fashion.
5b.46
GSI Authorization
Classical way of doing authorization is an access control list, listing the identities of those allowed and the type of access allowed.
• A grid could use a similar approach, using a grid-map file
5b.47
grid-map file
Globus installations can maintain a so-called grid-map file that contains a list of user DNs authorized for access, and their local username mappings.
Example
"/O=Grid/OU=GlobusTest/OU=simpleCA-myuniversity.edu/OU=myuniversity.edu/
CN=student0" student0
5b.48
Other ways of doing authorization Grid-map file a very primitive way which does not
scale well.
Other ways• SAML – Security Assertions Markup Language, a
OASIS standard– Allows to communicate user authentication,
authorization and attribute information
• Communication Authorization Service (CAS)
5b.49
Community Authorization Service CAS
To handle the situation of many users and many resources.
If each resource were to maintain access policies for each user, will not scale.
Delegate authorization to CAS to handle authorization for resources.
5b.52
A Typical CAS Request
2. CAS reply
CAS Server
What rights does the community
grant to this user?
User
1. CAS request,authenticated with
Resource Server
Does the policy statement authorize the
request?
3. Resource request
4. Resource reply
CAS-maintainedcommunity policy
database
User credential
Is this requestauthorized
for the community?
Local policyinformation
Policy statementsigned by
CAS server
User credentialPolicy statement
signed by CAS server
What local policy appliesto this user?
Resource grant
to community
5b.53
Delegation
• Process of giving authority to another identity (usually a computer/process) to act on your behalf.
• Single sign-on -- to enable user and it’s agents to acquire additional resources without repeated authentication (passwords).
5b.54
GSI Delegation
• Uses additional certificates passed between intermediate parties.
• Certificates called proxies.
• An extension to the standard SSL/TLS protocol.
5b.55
Proxy• Consists of a new certificate with new public,
private keys, and owner’s identify (/CN=proxy added to name).
• Certificate signed by owner (not CA)
• Proxy given limited lifetimes
• Proxy’s private key does not need to be kept as secure as owner’s private key - setting file permissions usually sufficient
5b.56
Use of proxy certificates• Single sign-on
• Create local proxy with say 12 hours lifetime.– Use proxy instead of your certificate– Password typing only once.– No password down wire.
• Delegation– Allows a remote entity to perform tasks on your behalf,
and access to your resources
• Mutual trust domains– All entities with proxies from same issuer will trust each
other
5b.57
• Proxies used to authenticate users and run user programs on grid.
• Proxy created with grid-proxy-int command.
• We shall see a use of this in assignment 3.
5b.58
Proxy Certificate
• Commands:– Grid-proxy-init– Grid-proxy-info– Grid-proxy-destroy
• In GT:– User cert is password protected– Proxy cert is filesystem protected (/tmp)
5b.59
Delegation authority to another host
• Suppose host A wishes to delegate authority to host B to act on its behalf with host C.
• Rather a large number of internal steps.
5b.61
Chain of trust
Continuing this process can have host B delegate authority to host C, host C delegate to host D, etc.
5b.62
Chain of trust
User is acting as a CA, acting within limits of their credentials. Cannot extend credentials
X509
X509
X509
CA
User
Proxy1
Proxy2
5b.63
Additional Proxies
From “Overview of the Grid Security Infrastructure”http://www.globus.org/security/overview.htm
5b.64
Mutual Authentication with Proxies
• Remote party receives owner’s certificate and owner’s proxy certificate.
Chain of trust• Owner’s public key from owner’s certificate used to
validate proxy signature on proxy certificate.
• Certificate authority (CA) public key used to validate owner’s signature on owner’s certificate
5b.65
• On grid, each party identifies itself with credentials.
• Credentials vulnerable to theft.
• No easy way of canceling stolen credentials.
5b.66
MyProxy
• MyProxy is a Grid credential repository.
• Reduces risk of management of many copies of credentials.
5b.68
GT 4 Grid Security Components(from GT 4 documentation)
• Basic Security Mechanisms
• Components for Credential Generation
• Components for Credential Management
• Components for Access Control and Authorization
5b.69
Basic Security Mechanisms
• Pre-Web Services Authentication and Authorization - A non-Web services implementation of GSI, containing core libraries and tools needed to secure applications.
• Web Services Authentication and Authorization - A Web services implementation of GSI, containing core libraries and tools needed to secure applications.
5b.70
Components for Credential Generation
• Globus Certificate Service - An online service that issues low-quality GSI certificates to users who want to experiment with Grid software but don't have any other means to acquire certificates • Simple CA - A convenient method of issuing certificates for users and services that work with GSI and WS-Security
5b.71
Components for Credential Management
• MyProxy - A network service that stores user credentials so they can be accessed from other systems on the network
Also:
• KX.509 and KCA - A system for providing Kerberos users with Grid credentials without operating a conventional Certificate Authority
• PKINIT - A mechanism that allows a Kerberos ticket to be obtained using a Grid credential rather than a Kerberos passphrase.
5b.72
Components for Access Control and Authorization
• Community Authorization Service (CAS) - A service that allows resource providers to specify course-grained access control policies in terms of communities as a whole, delegating fine-grained access control policy management to the community itself.
5b.73
Components for Access Control and Authorization
Also:
•Shibboleth - A set of services that leverage existing user authentication and authorization systems at "home institutions" to give remote services the information they need to make authorization decisions.
• VOMS - A database-driven mechanism for central management of user role and capability data