Authentication, Authorisation and Security
Transcript of Authentication, Authorisation and Security
EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
Authentication, Authorisation and Security 2
Security Services
Authentication, Authorisation and Security 3
Security Overview
[Diagram: the Grid Security Infrastructure comprises Authentication, Encryption & Data Integrity and Authorization, which together provide Security]
Authentication, Authorisation and Security 4
• Asymmetric encryption
– The private key and the public key form a pair; it is not feasible to derive one key from the other.
– A message encrypted with one key can be decrypted only with the other.
• Examples of public key algorithms:
– Diffie-Hellman (1977)
– RSA (1978)
Basis of security & authentication
[Diagram: plain text encrypted with the private key is decrypted with the public key, and plain text encrypted with the public key is decrypted with the private key]
Authentication, Authorisation and Security 5
An Example of Public Key Algorithms
• Public keys are exchanged
– Paul gets John's public key.
• Paul encrypts using John's public key.
• John decrypts using his private key.
• This ensures data confidentiality.
[Diagram: Paul encrypts "ciao" with John's public key into "3$r"; John decrypts "3$r" with his private key back to "ciao"]
Authentication, Authorisation and Security 6
Data Integrity - Digital Signature
• Paul calculates the hash of the message.
• Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
• Paul sends the signed message to John.
• John calculates the hash of the message (Hash B).
• John decrypts the signature using Paul's public key to obtain Hash A.
• If the hashes are equal: 1. the message was not modified; 2. Hash A was made with Paul's private key (Paul encrypted it).
[Diagram: Paul sends the message together with its digital signature to John; John computes Hash B from the message, recovers Hash A from the signature with Paul's public key, and checks whether Hash A = Hash B]
Authentication, Authorisation and Security 7
Digital Signature (cont.)
• With a digital signature, it is easy to know that:
– I received the message that you intended to send me
– You are really the person who sent this message
Authentication, Authorisation and Security 8
Digital Certificate ( or Certificate)
• Certificate
– It is based on the digital signature mechanism.
– The Grid authenticates users or resources by verifying their certificate.
– A certificate is issued by one of the national Certification Authorities.
[Diagram: the CA signs the user's information and public key; the result is the user's certificate, carrying the CA's digital signature, while the user key stays with the user]
Authentication, Authorisation and Security 9
X.509 Certificates
• An X.509 Certificate contains:
– owner's public key;
– identity of the owner;
– info on the CA;
– time of validity;
– serial number;
– optional extensions;
– digital signature of the CA.
Public key
Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
Expiration date: Aug 26 08:08:14 2005 GMT
Serial number: 625 (0x271)
Optional Extensions
CA Digital signature
Authentication, Authorisation and Security 10
Proxy certificate (my agent)
[Diagram: the user key signs the proxy's information and the proxy key, producing a proxy certificate that carries the user's signature, just as the user cert carries the CA's signature]
Authentication, Authorisation and Security 11
Proxy delegation (my agent’s agent)
[Diagram: the proxy1 key signs proxy2's information and the proxy2 key, producing a proxy2 cert that carries proxy1's signature]
Authentication, Authorisation and Security 12
Proxy delegation chain
• Every proxy can represent the user
• Proxy certificates extend X.509 certificates
– Short-lived certificates signed by the user's certificate or by a proxy
– Reduces security risk, enables delegation
• "Single sign on" can be attained.
[Diagram: delegation chain: proxy1 cert carries the user's signature, proxy2 cert carries proxy1's signature, proxy3 cert carries proxy2's signature, ..., proxy N cert carries proxy N-1's signature]
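The sign-and-verify steps of slide 6 and the delegation chain of slides 10 to 12, as an added Python model that is not gLite or Globus code: textbook RSA on a SHA-256 digest stands in for the real signature algorithm, the certificate fields follow slide 9, and the proxy naming rule it checks (issuer's name plus one extra CN) is an assumption taken from RFC 3820. Keys, names and the hour-based clock are constructed values.

```python
import hashlib
from collections import namedtuple

def toy_rsa_key(p, q, e=65537):
    """Toy key from two fixed small primes, returns (n, e, d); constructed, not a real key generator."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)
def digest(data, n):  # SHA-256 of the message, reduced into the key's modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):  # slide 6: hash the message, encrypt the hash with the private key
    n, _, d = priv
    return pow(digest(data, n), d, n)
def verify(pub, data, sig):  # decrypt the signature with the public key, compare with a fresh hash
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# Slide 9's fields minus extensions: subject, issuer, public key (n, e), expiry (constructed hours), issuer's signature
Cert = namedtuple("Cert", "subject issuer pub not_after sig")
def tbs(subject, issuer, pub, not_after):  # the to-be-signed bytes the signature covers
    return f"{subject}|{issuer}|{pub}|{not_after}".encode()

def issue(issuer_cert, issuer_priv, subject, pub, not_after):
    """The issuer signs a new cert; for a proxy the issuer is the user cert or the previous proxy."""
    body = tbs(subject, issuer_cert.subject, pub, not_after)
    return Cert(subject, issuer_cert.subject, pub, not_after, sign(issuer_priv, body))

def verify_chain(chain, ca_cert, now):
    """chain is leaf-first: [proxy_N, ..., proxy1, user]. Walk it back to the trusted CA."""
    issuer = ca_cert
    for cert in reversed(chain):
        body = tbs(cert.subject, cert.issuer, cert.pub, cert.not_after)
        if cert.issuer != issuer.subject or not verify(issuer.pub, body, cert.sig):
            return False, f"signature on {cert.subject} was not made by {issuer.subject}"
        if not now < cert.not_after <= issuer.not_after:
            return False, f"{cert.subject} has expired or outlives its issuer"
        # assumed naming rule for proxies (as in RFC 3820): the issuer's name plus one extra CN
        if issuer is not ca_cert and not cert.subject.startswith(issuer.subject + "/CN="):
            return False, f"{cert.subject} is not named as a proxy of {issuer.subject}"
        issuer = cert
    return True, "chain verified back to " + ca_cert.subject

# Constructed chain: CA (trust anchor, not itself verified) -> user cert (1 year) -> proxy1 (12 h) -> proxy2 (6 h)
CA_PRIV, USER_PRIV = toy_rsa_key(1009, 1013), toy_rsa_key(1019, 1021)
P1_PRIV, P2_PRIV = toy_rsa_key(1031, 1033), toy_rsa_key(1039, 1049)
CA_DN = "/C=CH/O=CERN/OU=GRID/CN=CERN CA"
CA = Cert(CA_DN, CA_DN, CA_PRIV[:2], 100_000, 0)
USER = issue(CA, CA_PRIV, "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba", USER_PRIV[:2], 8_760)
PROXY1 = issue(USER, USER_PRIV, USER.subject + "/CN=proxy", P1_PRIV[:2], 12)
PROXY2 = issue(PROXY1, P1_PRIV, PROXY1.subject + "/CN=proxy", P2_PRIV[:2], 6)
CHAIN = [PROXY2, PROXY1, USER]
```

A resource that receives CHAIN runs verify_chain against its CA trust store; a proxy that has expired, that was signed by the wrong key, or that claims a longer life than its issuer is rejected before any VO attribute is consulted.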
Authentication, Authorisation and Security 13
Evolution of VO management
• VOMS
– VO Administration: checks which VO the user belongs to and adds the VO information to the user's proxy certificate.
• voms-proxy-init – a gLite command to
– contact the VOMS with the user's proxy certificate, and
– retrieve the certificate that contains the VO information.
[Diagram: a proxy certificate whose information carries the user's digital signature and the attribute "VO: TWGrid"]
Authentication, Authorisation and Security 14
Summary of AA - 1
• Authentication based on X.509 PKI infrastructure
– Trust between Certificate Authorities (CAs) and sites, and between CAs and users, is established (offline)
– CAs issue (long-lived) certificates identifying sites and individuals (much like a passport); commonly used in web browsers to authenticate to sites
– To reduce vulnerability, on the Grid users are identified using (short-lived) proxies of their certificates
• Proxies can
– Be delegated to a service so that it can act on the user's behalf
– Include additional attributes (like VO information via the VO Membership Service, VOMS)
– Be stored in an external proxy store (MyProxy)
– Be renewed (in case they are about to expire)
Authentication, Authorisation and Security 15
Summary of AA - 2
• Authentication
– User obtains a certificate from a Certificate Authority
– Connects to the UI by ssh (the UI is the user's interface to the Grid)
– Uploads the certificate to the UI
– Single logon to the UI – creates a proxy
– Grid Security Infrastructure
• Authorisation
– User joins a Virtual Organisation
– VO negotiates access to Grid nodes and resources
– Authorisation is tested by the resource: credentials in the proxy determine the user's rights
[Diagram of the flow between its labelled parts: UI, CA (annually), VO mgr, VO database, mapping to access rights, GSI, VO service (daily update)]
Authentication, Authorisation and Security 16
User Responsibilities
• Keep your private key secure – on USB drive only
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.