Volkert 1 Parallel Systems Special Chapter: Foundations of Grid Computing Grid Computing Part 2:...
-
date post
18-Dec-2015 -
Category
Documents
-
view
217 -
download
0
Transcript of Volkert 1 Parallel Systems Special Chapter: Foundations of Grid Computing Grid Computing Part 2:...
VolkertVolkert 11
Parallel Systems Special ChapterParallel Systems Special Chapter Foundations of Grid ComputingFoundations of Grid Computing
Grid ComputingGrid ComputingPart 2 SecurityPart 2 Security
Jens VolkertJens VolkertDieter KranzlmuumlllerDieter Kranzlmuumlller
22 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
33 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
44 VolkertVolkert
GlossaryGlossary
Principal PartnerPrincipal Partner An entity Human program or machineAn entity Human program or machine
CredentialsCredentials Some data which prove identity (Some data which prove identity (Particular features certificatesParticular features certificates))
AuthenticationAuthentication Verification of a principals identityVerification of a principals identity
AuthorizationAuthorization Assignment of a set of privileges to a principalAssignment of a set of privileges to a principal
ConfidentialityConfidentiality Messages are encrypted such that only the receiver can understand Messages are encrypted such that only the receiver can understand
themthemIntegrityIntegrity
The message is not modified on the wayThe message is not modified on the wayNon-repudiationNon-repudiation
Impossibility to deny the authenticity of a digital signatureImpossibility to deny the authenticity of a digital signature
55 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
22 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
33 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
44 VolkertVolkert
GlossaryGlossary
Principal PartnerPrincipal Partner An entity Human program or machineAn entity Human program or machine
CredentialsCredentials Some data which prove identity (Some data which prove identity (Particular features certificatesParticular features certificates))
AuthenticationAuthentication Verification of a principals identityVerification of a principals identity
AuthorizationAuthorization Assignment of a set of privileges to a principalAssignment of a set of privileges to a principal
ConfidentialityConfidentiality Messages are encrypted such that only the receiver can understand Messages are encrypted such that only the receiver can understand
themthemIntegrityIntegrity
The message is not modified on the wayThe message is not modified on the wayNon-repudiationNon-repudiation
Impossibility to deny the authenticity of a digital signatureImpossibility to deny the authenticity of a digital signature
55 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
33 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
44 VolkertVolkert
GlossaryGlossary
Principal PartnerPrincipal Partner An entity Human program or machineAn entity Human program or machine
CredentialsCredentials Some data which prove identity (Some data which prove identity (Particular features certificatesParticular features certificates))
AuthenticationAuthentication Verification of a principals identityVerification of a principals identity
AuthorizationAuthorization Assignment of a set of privileges to a principalAssignment of a set of privileges to a principal
ConfidentialityConfidentiality Messages are encrypted such that only the receiver can understand Messages are encrypted such that only the receiver can understand
themthemIntegrityIntegrity
The message is not modified on the wayThe message is not modified on the wayNon-repudiationNon-repudiation
Impossibility to deny the authenticity of a digital signatureImpossibility to deny the authenticity of a digital signature
55 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
44 VolkertVolkert
GlossaryGlossary
Principal PartnerPrincipal Partner An entity Human program or machineAn entity Human program or machine
CredentialsCredentials Some data which prove identity (Some data which prove identity (Particular features certificatesParticular features certificates))
AuthenticationAuthentication Verification of a principals identityVerification of a principals identity
AuthorizationAuthorization Assignment of a set of privileges to a principalAssignment of a set of privileges to a principal
ConfidentialityConfidentiality Messages are encrypted such that only the receiver can understand Messages are encrypted such that only the receiver can understand
themthemIntegrityIntegrity
The message is not modified on the wayThe message is not modified on the wayNon-repudiationNon-repudiation
Impossibility to deny the authenticity of a digital signatureImpossibility to deny the authenticity of a digital signature
55 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
55 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
66 VolkertVolkert
Situation
View here Here Grid = connected LANs
Someone (principal) communicates with a partner somwhere in the Grid
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
77 VolkertVolkert
Requirements
No unauthorized person is allowed to read or modify the exchanged information
The partner at the other end should be the one which pretends to be
The partner should be trustworthy even when no contact existed until now
AuthenticationCertifying identity or trustworthiness
of the partner or of the provided particular features
FurthermoreThe partner has the same rightsA principal must do something for it
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
88 VolkertVolkert
Principle
Any resource sharing is voluntary
Each resource owner decides whether she wants to share the resource when and how it can be used
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
99 VolkertVolkert
Example Automated Teller Machine (ATM)
Authoritarian modelTrust is build up on interrogation of the pin code
Based on the code the machine makes sure that the partner is eligible
The partner must trust thereon that the machine is not manipulated
eg keep the card for later abuse
Remark In a Grid it would be naive to assume that no machine participating in the communication is manipulated
=gt In such a system partners have equal rights
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1010 VolkertVolkert
The Risks in Grid
Aimed attacks on intermediate locations Large-scale distributed farms
Illegal or improper data distribution and information depending on the access type
Huge distributed storage capacities
Break-in by exploting security leaks Complex heterogeneous and dynamic environments
Damages by viruses worms etc Problem of a highly connected novel infrastructure
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1111 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1212 VolkertVolkert
Cryptography
Mathematical algorithms E and D which play an important role in connection with insecure infrastructuresVariable symbolism (meaning)
Simple text M Encrypted text C Encryption with key K1 E K1
(M) = C Encryption with key K2 D K2 (C) = M
Algorithm Symmetric K2 = K1 Asymmetric K2 ne K1
K2K1
EncryptionEncryption DecryptionDecryptionM C M
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1313 VolkertVolkert
Symmetric AlgorithmsThe same key is used to code and decode
Examples 1048707 DES 1048707 3DES 1048707 Rijndael (AES) 1048707 Blowfish 1048707 Kerberos
Paul John
ciao
3$r ciao
Paul John
ciao
3$r ciao
3$r
3$r
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1414 VolkertVolkert
Simplest Method
Secret key is exchanged between the two communicating partners Not allowed to be crackable Should not produce something regular
Via a secure way Hand it personally (Mils Elektronik) Secure storage
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1515 VolkertVolkert
Key Generation via an Insecure Channel
Diffie-Hellman procedure about 1970 Information exchange using the channel Without information transport the key
reconstruction is allowed
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1616 VolkertVolkert
Common Secret Key Between Alice and Bob
The number α is known modulo arithmetic is usedAlice dices a random number a sends A = αa mod NBob dices random b sends B = αb mod NAlice computes C = Βa = αba = αab mod NBob computes C = Ab = αab = αba mod NC is the common secret key
RemarkEven when A B N and α are known C is practically not discoverableBecause of the modulo arithmetic with high modulo values
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1717 VolkertVolkert
Modulo Computation A = αa mod N is for big N practically irreversible so called one way function
The determination complexity for a typical N is proportional to
exp(C log N (log log N)2)13 with Cgt1 typically N = 10385 (a 1280-digit binary number) Even standard exponentiation would be at this order too much
for the most modern chips a computation would take more time than the time the universe exists
Computation exploiting the dual representation Example
a = 37 = 25 + 22 + 20
α 2i is computed by repeated squaringα37 = α32 x α4 x α0 gives the value
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1818 VolkertVolkert
Generally One Way FunctionsFunction H with H(M) = h1 For given h it is almost impossible to compute M = H-1(h)2 For given M it is difficult to find an M with H(Mrsquo) = H(M)
We also speak of one way hash functions when the one way function H creates a fixed length message out of a variable length message
h must be at least 128 Bits long to insure some security
Examples SNEFRU Hash length 128 oder 256 Bits MD4MD5 Hash length 128 Bits SHA (Standard FIPS) Hash length 160 Bits
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
1919 VolkertVolkert
Symmetric Keys
Advantage fast
Disadvantage How to distribute the key The number of keys is O(n2)
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2020 VolkertVolkert
Deceiving Partner
One of the partners sends himself messages pretending to be from others
Remedy asymmetric keys
Each used has a private key D and a public key E The personal key can not be derived from the public one A message encrypted with the public key can only be decrypted
with a personal key Often both keys function reversely
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2121 VolkertVolkert
Public Key MethodEach user has a private and a public keyNumber of keys is O(n)No exchange of secret information is needed
The sender encrypts with the receivers public key
The receiver decrypts with its personal key
Example Diffie-Helmann (1977) Lower sums (Ralph Merkle
Martin E Helman) RSA (1978)
John keys
public private
Paul keys
public private
Paul John
ciao
3$r ciao
Paul John
ciao
cy7 ciao
3$r
cy7
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2222 VolkertVolkert
Lower Sums Principle Given
Key E = (a1a2hellipan) Message N
Procedure Message is binary coded Decomposed in blocks of length n Blocks x = (x1x2hellipxn) are encrypted as a scalar product E x
Example E = (229210892111625128359975931525972463) E x = 6790 x =
With a suited choice of E hardly breakable All 2n possibilities should be tried Tipically today n = 1280 Even the receiver does not manage it otherwise
Solution X = (0011101110)
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2323 VolkertVolkert
Lower Sums Obtaining the Key
Significant part of the private key Choose random numbers such that with increasing n each
number is bigger than the sum of all previous onesD = (d1d2hellipdn)
Example D = (35112041831693406791358) Remark an x coded this way can be easily decrypted eg 1260
for the old x
Public key Choose random numbers w and m and compute ai = di w mod m
Remark w and m remain secret being therefore part of the private key
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2424 VolkertVolkert
Lower Sums Essential Statements
Due to modulo almost unbreakable Example w = 764 m = 2731 A = (229210892111625128359975931525972463) Our old message A x = 6790
Decryption is easy One uses w-1 with w-1 w = 1 modulo m (it exists when m and w have no common divizors
easy to compute) Example 764-1 = 1605 mod 2731
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2525 VolkertVolkert
Low Sums Decryption
Compute Crsquo = C w-1 mod m Crsquo = 6790 x 1605 mod 2731 = 1260
Further it is valid that because C = Σ ai xi
C w-1 = Σ ai xi w-1 = Σ ai w-1 xi = Σ di xi mod m
With the private key it is easy to decrypt
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2626 VolkertVolkert
RSA
Basic principle big prime factors are difficult to find Public key
Choose 2 bog prime numbers p and q n = pq and another random number E make the
public key Encryption
Each character of the text is decimally coded (0-99) with a fixed code
The code is decomposed in blocks Pi of same length such that the resulted numbers are lower than n
Encrypted text is Ci = PiE mod n
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2727 VolkertVolkert
RSA
One takes advantage of the fact that
aE mod n = aE mod φ(n) mod n
with φ(n) = (p-1)(q-1)
So when in addition to E an easily determined D and ED=1 is used we obtain
CiD = Pi
ED = Pi mod n
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2828 VolkertVolkert
OverviewOverviewGlossaryGlossaryNecessity of security in data networksNecessity of security in data networksEncryptionEncryption
Symmetric algorithmsSymmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital signaturesDigital signatures X509 certificatesX509 certificates
Grid SecurityGrid Security Basic conceptsBasic concepts Grid Security InfrastructureGrid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganizationVirtual Organization Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
2929 VolkertVolkert
Securer Partner
Third person Cleo is located inbetween Towards Alice she behaves as Bob
Generates the random number c Generates a common key with Alice
Crsquo = αac = αca
Towards Bob she behaves like Alice Generate a common key with Bob
Crsquorsquo = αbc = αcb
Can now read and manipulate each message between Alice and Bob
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3030 VolkertVolkert
Remedy
Introduction of a pass and the corresponding authority
The pass does not strictly speaking prove that to the given image the given name does belong but the emitting authority believes this
Here Certificate from an authorizer Signatures
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3131 VolkertVolkert
Digital SignaturesPaul computes the Hash of the message
Paul encrypts with his own privateprivate Key obtaining the digital signaturedigital signature
Paul sends the signed message to John
John computes himself the hash of the message and verifiesverifies by comparing with has decoded using the publicpublic key
If they are the same the message was not modified Paul cannot repudiate it
John
This is some
message
Digital Signature
Paul
This is some
message
Digital Signature
This is some
message
Digital Signature
Hash(A)
Hash(B)
Hash(A)
=
Paul keys
public private
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3232 VolkertVolkert
Digital CertificatesPaulrsquos digital signature is secure when
1 Paulrsquos private key was indeed used2 John knows Paulrsquos public key
How can John be sure that he knows Pauls public key and not of someone other
A third party (a kind of authority) guarantees the conformity of the public key with the owner
Both Paul and John must trust this third party
2 ModelsX509 hierarchical organizationPGP ldquoweb of trustrdquo
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3333 VolkertVolkert
PGP ldquoweb of trustrdquo
F knows D and E who knows A and C who knows A and BF is reasonably sure that the key from A is really from A
A
B
C
D
E
F
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3434 VolkertVolkert
X509
The third party is a Certification Authority (CA)
Emits digital certificates for principals (users programs and machines)Verifies the identity and the personal data of the requirer
Registration Authorities (RAs) execute the actual verification
CAs periodically publish lists of no more valid certificatesCertificate Revocation Lists (CRL) contain all the revoked and expired certificatesCA certificates are self signed
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3535 VolkertVolkert
X509 CertificatesAn X509 certificate contains
ownerrsquos public key
identity of the owner
info on the CA
time of validity
Serial number
digital signature of the CA1048707
Public keyPublic key
SubjectC=CH O=CERN SubjectC=CH O=CERN OU=GRID CN=Andrea Sciaba OU=GRID CN=Andrea Sciaba 89688968
Issuer C=CH O=CERN Issuer C=CH O=CERN OU=GRID CN=CERN CAOU=GRID CN=CERN CA
Expiration date Aug 26 080814 Expiration date Aug 26 080814 2005 GMT2005 GMT
Serial number 625 (0x271)Serial number 625 (0x271)
CA Digital signatureCA Digital signature
Structure of a X509 certificate
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3636 VolkertVolkert
GRID Security the playersGRID Security the players
bull Large and dynamic populationbullDifferent accounts at different sites bullPersonal and confidential databullHeterogeneous privileges (roles)bullDesire Single Sign-On
UsersUsers
bull ldquoGrouprdquo data bull Access Patterns bull Membership
ldquoldquoGroupsrdquoGroupsrdquo
SitesSitesbull Heterogeneous Resourcesbull Access Patterns bull Local policiesbull Membership
GridGrid
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3737 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3838 VolkertVolkert
The Grid Security Infrastructure (GSI)The Grid Security Infrastructure (GSI)
every userhostservice has an X509 every userhostservice has an X509 certificatecertificatecertificates are signed by trusted (by the certificates are signed by trusted (by the local sites) CArsquoslocal sites) CArsquosevery Grid transaction is every Grid transaction is mutually mutually authenticatedauthenticated
11 John sends his certificateJohn sends his certificate22 Paul verifies signature in Johnrsquos Paul verifies signature in Johnrsquos
certificatecertificate33 Paul sends to John a challenge stringPaul sends to John a challenge string44 John encrypts the challenge string with John encrypts the challenge string with
his private keyhis private key55 John sends encrypted challenge to PaulJohn sends encrypted challenge to Paul66 Paul uses Johnrsquos public key to decrypt Paul uses Johnrsquos public key to decrypt
the challengethe challenge77 Paul compares the decrypted string with Paul compares the decrypted string with
the original challengethe original challenge88 If they match Paul verified Johnrsquos identity If they match Paul verified Johnrsquos identity
and John can not repudiate it and John can not repudiate it
JohnJohn PaulPaulJohnrsquos certificateJohnrsquos certificate
Verify CA signatureVerify CA signature
Random phraseRandom phrase
Encrypy with Jrsquo s private keyEncrypy with Jrsquo s private key
Encrypted phraseEncrypted phrase
Decrypt with Jrsquo s public keyDecrypt with Jrsquo s public key
Compare with original phraseCompare with original phrase
Based on X509 PKI
VERY IMPORTANTVERY IMPORTANT
Private keysPrivate keys must be stored only
in protectedprotected places
ANDAND
in encryptedencrypted form
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
3939 VolkertVolkert
Certificate request hellip more Certificate request hellip more details details
EgeeLCG recognizes a given set of CAsEgeeLCG recognizes a given set of CAs httpslcg-registrarcernchpki_certificateshtmlhttpslcg-registrarcernchpki_certificateshtml
How do you request a certificate depends on How do you request a certificate depends on your CAyour CA
For GILDA have a look at the Demo VideoFor GILDA have a look at the Demo Video httpsgildactinfnitvideoCertificationAllproxyhtmlhttpsgildactinfnitvideoCertificationAllproxyhtml
(Flash) (Flash) httpsgildactinfnitvideoCertificationAllCertproxyrahttpsgildactinfnitvideoCertificationAllCertproxyra
mm (Real) (Real)
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4040 VolkertVolkert
Certificate RequestCertificate Request
Private Key encrypted on
local disk
CertRequest
Public Key
ID
Cert
User generatespublicprivate
key pair
User send public key to CA along with proof of
identity
CA confirms identity signs certificate and sends back to user
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4141 VolkertVolkert
Certificate InformationCertificate Information
To get cert information run To get cert information run grid-cert-infogrid-cert-info
[scampanagrid019~]$ grid-cert-info -subject [scampanagrid019~]$ grid-cert-info -subject
C=CHO=CERNOU=GRIDCN=Simone Campana C=CHO=CERNOU=GRIDCN=Simone Campana 74617461
Options for printing cert informationOptions for printing cert information-all-all -startdate-startdate-subject-subject -enddate-enddate-issuer-issuer -help-help
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4242 VolkertVolkert
X509 Proxy CertificateX509 Proxy CertificateGSI extension to X509 Identity CertificatesGSI extension to X509 Identity Certificates signed by the normal end entity cert (or by another proxy)signed by the normal end entity cert (or by another proxy)
Enables single sign-onEnables single sign-onSupport some important featuresSupport some important features DelegationDelegation Mutual authenticationMutual authentication
Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) Has a limited lifetime (minimized risk of ldquocompromised credentialsrdquo) It is created by the It is created by the grid-proxy-initgrid-proxy-init command command grid-proxy-initgrid-proxy-initEnter PEM pass phrase Enter PEM pass phrase
Options for grid-proxy-initOptions for grid-proxy-init-hours ltlifetime of credentialgt-hours ltlifetime of credentialgt-bits ltlength of keygt-bits ltlength of keygt-help-help
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4343 VolkertVolkert
grid-proxy-initgrid-proxy-initUser enters pass phrase which is used to decrypt private keyUser enters pass phrase which is used to decrypt private key
Private key is used to sign a proxy certificate with its own new publicprivate Private key is used to sign a proxy certificate with its own new publicprivate key pairkey pair
Userrsquos private key not exposed after proxy has been signedUserrsquos private key not exposed after proxy has been signed
User certificate file
Private Key(Encrypted)Pass
Phrase
User Proxycertificate file
Proxy placed in tmp the private key of the Proxy is not encrypted stored in local file must be readable only by the owner proxy lifetime is short (typically 12 h) to minimize security risks
NOTE No network traffic
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4444 VolkertVolkert
Proxy again hellip Proxy again hellip
grid-proxy-init grid-proxy-init equiv ldquologin to the Gridrdquoequiv ldquologin to the Gridrdquo
To ldquologoutrdquo you have to destroy your proxy To ldquologoutrdquo you have to destroy your proxy grid-proxy-destroygrid-proxy-destroy This does This does NOTNOT destroy any proxies that were delegated from this destroy any proxies that were delegated from this
proxyproxy You cannot revoke a remote proxyYou cannot revoke a remote proxy Usually create proxies with short lifetimesUsually create proxies with short lifetimes
To gather information about your proxy To gather information about your proxy grid-proxy-infogrid-proxy-info Options for printing proxy informationOptions for printing proxy information
-subject-subject -issuer-issuer-type-type -timeleft-timeleft-strength-strength -help-help
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4545 VolkertVolkert
Delegation and limited proxyDelegation and limited proxyDelegation = remote creation of a (second level) proxy credentialDelegation = remote creation of a (second level) proxy credential
New key pair generated remotely on serverNew key pair generated remotely on server Client signs proxy cert and returns itClient signs proxy cert and returns it
Allows remote process to authenticate on behalf of the userAllows remote process to authenticate on behalf of the user Remote process ldquoimpersonatesrdquo the userRemote process ldquoimpersonatesrdquo the user
The client can elect to delegate a ldquolimited proxyrdquoThe client can elect to delegate a ldquolimited proxyrdquo Each service decides whether it will allow authentication with a limited Each service decides whether it will allow authentication with a limited
proxyproxy Job manager service requires a full proxyJob manager service requires a full proxy GridFTP server allows either full or limited proxy to be usedGridFTP server allows either full or limited proxy to be used
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4646 VolkertVolkert
Long term proxyLong term proxyProxy has limited lifetime (default is 12 h)Proxy has limited lifetime (default is 12 h)
Bad idea to have longer proxyBad idea to have longer proxy
However a grid task might need to use a proxy for a much longer time However a grid task might need to use a proxy for a much longer time Grid jobs in HEP Data Challenges on LCG last up to 2 daysGrid jobs in HEP Data Challenges on LCG last up to 2 days
myproxy servermyproxy server Allows to create and store a long term proxy certificateAllows to create and store a long term proxy certificate myproxy-init -s lthost_namegt myproxy-init -s lthost_namegt
-s lthost_namegt specifies the hostname of the myproxy server-s lthost_namegt specifies the hostname of the myproxy server myproxy-info myproxy-info
Get information about stored long living proxy Get information about stored long living proxy myproxy-get-delegation myproxy-get-delegation
Get a new proxy from the MyProxy serverGet a new proxy from the MyProxy server myproxy-destroymyproxy-destroy Chech out the myproxy-xxx - - help option Chech out the myproxy-xxx - - help option
A dedicated service on the RB can renew automatically the proxyA dedicated service on the RB can renew automatically the proxy contacts the myproxy server contacts the myproxy server
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4747 VolkertVolkert
GSI environment variablesGSI environment variablesUser certificate filesUser certificate files
CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default $HOMEglobususercertpem$HOMEglobususercertpem))
Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default $HOMEglobususerkeypem$HOMEglobususerkeypem))
ProxyProxy X509_USER_PROXYX509_USER_PROXY (default (default tmpx509up_ultidgttmpx509up_ultidgt))
Host certificate filesHost certificate files CertificateCertificate X509_USER_CERTX509_USER_CERT (default (default etcgrid-etcgrid-
securityhostcertpemsecurityhostcertpem)) Private keyPrivate key X509_USER_KEYX509_USER_KEY (default (default etcgrid-etcgrid-
securityhostkeypemsecurityhostkeypem))
Trusted certification authority certificatesTrusted certification authority certificates X509_CERT_DIRX509_CERT_DIR (default (default
etcgrid-securitycertificatesetcgrid-securitycertificates))
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4848 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
4949 VolkertVolkert
Virtual Organizations and Virtual Organizations and authorizationauthorization
Grid users MUST belong to Virtual OrganizationsGrid users MUST belong to Virtual Organizations What we previously called ldquoGroupsrdquoWhat we previously called ldquoGroupsrdquo Sets of users belonging to a collaborationSets of users belonging to a collaboration List of supported VOsList of supported VOs
httpslcg-registrarcernchvirtual_organizationhtmlhttpslcg-registrarcernchvirtual_organizationhtml
VOs maintain a list of their membersVOs maintain a list of their members The list is downloaded by Grid machines to map user certificate subjects The list is downloaded by Grid machines to map user certificate subjects
to local ldquopoolrdquo accountsto local ldquopoolrdquo accounts
Sites decide which VOs to acceptSites decide which VOs to accept
C=CHO=CERNOU=GRIDCN=Simone Campana 7461 dteamC=CHO=CERNOU=GRIDCN=Andrea Sciaba 8968 cmsC=CHO=CERNOU=GRIDCN=Patricia Mendez Lorenzo-ALICE alice
etcgrid-securitygrid-mapfile
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5050 VolkertVolkert
On the side user Registration in a VOOn the side user Registration in a VO
Import your certificate in your browserImport your certificate in your browser If you received a pem certificate you need to convert it to PKCS12 If you received a pem certificate you need to convert it to PKCS12 Use Use opensslopenssl command line (available in each egeeLCG UI) command line (available in each egeeLCG UI)
openssl pkcs12 ndashexport ndashin usercertpem ndashinkey openssl pkcs12 ndashexport ndashin usercertpem ndashinkey userkeypem ndashout my_certp12 ndashname rsquoMy Namersquouserkeypem ndashout my_certp12 ndashname rsquoMy Namersquo
Sign the usage guidelines for the VO Sign the usage guidelines for the VO You will be registered in the VO-LDAP server (wait for notification)You will be registered in the VO-LDAP server (wait for notification)
Gilda (and other VO) Gilda (and other VO) You receive already a PKCS12 certificate (can import it directly into web You receive already a PKCS12 certificate (can import it directly into web
browser)browser) For future use you will need For future use you will need usercertpemusercertpem and and userkeypemuserkeypem in a directory in a directory
~globus on your UI~globus on your UI Export the PKCS12 cert to a local dir on UI and use again Export the PKCS12 cert to a local dir on UI and use again opensslopenssl
openssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -nocerts -in my_certp12 -out userkeypemopenssl pkcs12 -clcerts -nokeys -in my_certp12 -out openssl pkcs12 -clcerts -nokeys -in my_certp12 -out usercertpemusercertpem
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5151 VolkertVolkert
VOMS LCAS LCMAPSVOMS LCAS LCMAPSVirtual Organization Membership ServiceVirtual Organization Membership Service
Extends the proxy info with Extends the proxy info with VO membership group roleVO membership group role and and capabilitiescapabilities
Local Centre Authorization Service (LCAS)Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile)Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the siteChecks if the user is banned at the site Checks if at that time the site accepts jobsChecks if at that time the site accepts jobs
Local Credential Mapping Service (LCMAPS)Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens Maps grid credentials to local credentials (eg UNIX uidgid AFS tokens
etc)etc) Currently uses the grid-mapfile (based only on certificate subject)Currently uses the grid-mapfile (based only on certificate subject) In the near future will map also VOMS group and rolesIn the near future will map also VOMS group and roles
VO=cmsGROUP=cms cmsVO=cmsGROUP=cmsprod cmsprodVO=cmsGROUP=cmsprodROLE=manager cmsprodman
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5252 VolkertVolkert
OverviewOverview
GlossaryGlossaryEncryptionEncryption
Symmetric algorithms Symmetric algorithms Asymmetric algorithms PKIAsymmetric algorithms PKI
CertificatesCertificates Digital Signatures Digital Signatures X509 certificates X509 certificates
Grid SecurityGrid Security Basic concepts Basic concepts Grid Security Infrastructure Grid Security Infrastructure Proxy certificatesProxy certificates Command line interfacesCommand line interfaces
Virtual OrganisationVirtual Organisation Concept of VO and authorizationConcept of VO and authorization VOMS LCAS LCMAPSVOMS LCAS LCMAPS
CC++ interfaces (GSS-API GSS Assist)CC++ interfaces (GSS-API GSS Assist)
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5353 VolkertVolkert
Security APIs in egeeLCGSecurity APIs in egeeLCG
Currently there are no API developed specifically by Currently there are no API developed specifically by egeeLCGegeeLCG
The existing API come from other projectsThe existing API come from other projects AuthenticationAuthentication
Globus GSS-API GSS Assist COG KitsGlobus GSS-API GSS Assist COG Kits AuthorizationAuthorization
LCAS pluginsLCAS plugins
LCMAPS pluginsLCMAPS plugins
VOMS APIVOMS API
The documentation is generally poorThe documentation is generally poor
Some development is on the way Check CHEP 2004Some development is on the way Check CHEP 2004 httpindicocernchcontributionDisplaypyhttpindicocernchcontributionDisplaypy
contribId=78ampsessionId=23ampconfId=0contribId=78ampsessionId=23ampconfId=0
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5454 VolkertVolkert
API GSS-API and GSS AssistAPI GSS-API and GSS Assist
GSS-API (Generic Security Services Application Programming GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC-Interface) is a generic API for client-server authentication (RFC-2743 2744)2743 2744)
Traditionally interfaces to KerberosTraditionally interfaces to Kerberos Globus interfaced it to GSIGlobus interfaced it to GSI Unfortunately rather complicated to useUnfortunately rather complicated to use
GSS-API as user interface to GSIGSS-API as user interface to GSI C APIC API Java APIJava API
The Globus GSS Assist routines are designed to simplify the use of The Globus GSS Assist routines are designed to simplify the use of the GSSAPIthe GSSAPI
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5555 VolkertVolkert
GSS-APIGSS-API
1 The client initiates a context and prepares a token for the server
2 The token is sent to the server 3 The server interprets the token and
prepares a new one to be sent to the client 4 The token is sent to the client 5 Iterate process until authentication process
succeeds or fails
1 The client wraps a message for the server and sends it
2 The server receives the message and unwraps it
3 The server sends a confirmation message to the client (MIC)
4 The client verifies the MIC
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5656 VolkertVolkert
GSS-API data typesGSS-API data types
IntegersIntegers OM_uint32OM_uint32
StringsStrings typedef struct gss_buffer_struct typedef struct gss_buffer_struct
size_tsize_t lengthlength
voidvoid valuevalue
gss_buffer_desc gss_buffer_tgss_buffer_desc gss_buffer_t
NamesNames gss_name_tgss_name_t
OIDsOIDs typedef struct gss_OID_desc_struct typedef struct gss_OID_desc_struct
OM_uint32OM_uint32 lengthlength
voidvoid valuevalue
gss_OID_desc gss_OIDgss_OID_desc gss_OID
OID setsOID sets typedef struct gss_set_desc_struct typedef struct gss_set_desc_struct
size_tsize_t countcount
gsss_OIDgsss_OID elementselements
gss_OID_set_desc gss_OID_setgss_OID_set_desc gss_OID_set
CredentialsCredentials gss_cred_id_tgss_cred_id_t
ContextsContexts gss_ctx_id_tgss_ctx_id_t
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5757 VolkertVolkert
More on data typesMore on data types
Strings are used for character strings and tokensStrings are used for character strings and tokensNames are an opaque representation of a principalNames are an opaque representation of a principalObject Identifiers (OIDs) are used forObject Identifiers (OIDs) are used for
Security mechanismsSecurity mechanisms Quality of Protection (QOP) valuesQuality of Protection (QOP) values Name typesName types
GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_HOSTBASED_SERVICE (servicehost)GSS_C_NT_USER_NAME (username)GSS_C_NT_USER_NAME (username)EtcEtc
GSS_C_NO_OID for default or null valueGSS_C_NO_OID for default or null value
Status codesStatus codes OM_uint32 major-status generic GSS-API routine errorsOM_uint32 major-status generic GSS-API routine errors OM_uint32 minor-status mechanism-specific errorsOM_uint32 minor-status mechanism-specific errors
TokensTokens Context level tokens used for context establishmentContext level tokens used for context establishment Per-message tokens used for data protection (cryptographic tag encrypted Per-message tokens used for data protection (cryptographic tag encrypted
message)message)
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5858 VolkertVolkert
Name manipulationName manipulation
Convert a string to a name and vice versaConvert a string to a name and vice versa gss_import_name()gss_import_name() gss_display_name()gss_display_name()
Compare duplicate namesCompare duplicate names gss_compare_name()gss_compare_name() gss_duplicate_name()gss_duplicate_name()
Generate a Mechanism Name a mechanism-specific Generate a Mechanism Name a mechanism-specific representation of a namerepresentation of a name
gss_canonicalize_name()gss_canonicalize_name()
Export a MN in a format suitable for comparisonExport a MN in a format suitable for comparison gss_export_namegss_export_name
Destroy a nameDestroy a name gss_release_name()gss_release_name()
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
5959 VolkertVolkert
Credential managementCredential management
Acquire an existing credential by nameAcquire an existing credential by name gss_acquire_cred()gss_acquire_cred() If name is GSS_C_NO_NAME default credential is If name is GSS_C_NO_NAME default credential is
usedused
Obtain information about a credentialObtain information about a credential gss_inquire_cred()gss_inquire_cred() gss_inquire_cred_by_mech()gss_inquire_cred_by_mech() name lifetime usage (INITIATE ACCEPT BOTH) name lifetime usage (INITIATE ACCEPT BOTH)
mechanisms supportedmechanisms supported
Destroy a credential handleDestroy a credential handle gss_release_cred()gss_release_cred()
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
6060 VolkertVolkert
Context managementContext management
Establish a secure contextEstablish a secure context gss_init_sec_context()gss_init_sec_context() gss_accept_sec_context()gss_accept_sec_context()
Retrieve residual duration or other info about Retrieve residual duration or other info about contextcontext gss_context_time()gss_context_time() gss_inquire_context()gss_inquire_context()
Export a context from a process to another by Export a context from a process to another by means of an interprocess tokenmeans of an interprocess token gss_export_sec_context()gss_export_sec_context() gss_import_sec_context()gss_import_sec_context()
Destroy a secure contextDestroy a secure context gss_delete_sec_contextgss_delete_sec_context
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
6161 VolkertVolkert
Confidentiality and integrityConfidentiality and integrity
Generate a cryptographic message integrity code (MIC) Generate a cryptographic message integrity code (MIC) for a message to transfer to the peer applicationfor a message to transfer to the peer application
gss_get_mic()gss_get_mic()
Verify the received message against the received MICVerify the received message against the received MIC gss_verify_mic()gss_verify_mic()
Embed the MIC in the (possibly encrypted) messageEmbed the MIC in the (possibly encrypted) message gss_wrap()gss_wrap()
(possibly decrypt and) verify the embedded MIC(possibly decrypt and) verify the embedded MIC gss_unwrap()gss_unwrap()
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
6262 VolkertVolkert
Globus extensionsGlobus extensions
Credential import and exportCredential import and export To pass credentials from a process to another or storing themTo pass credentials from a process to another or storing them Export to 1) an opaque buffer or 2) a file in GSI native formatExport to 1) an opaque buffer or 2) a file in GSI native format gss_import_cred()gss_import_cred() gss_export_cred()gss_export_cred()
Delegation at any timeDelegation at any time A lot more flexible than standard GSS-API delegationA lot more flexible than standard GSS-API delegation
Delegation at times other than context establishmentDelegation at times other than context establishment
Possible to delegate credentials different than those used for Possible to delegate credentials different than those used for context establishment even for different mechanismscontext establishment even for different mechanisms
Ex delegate a Kerberos credential over a context established with GSIEx delegate a Kerberos credential over a context established with GSI
gss_init_delegation()gss_init_delegation() gss_accept_delegation()gss_accept_delegation()
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
6363 VolkertVolkert
GSS AssistGSS Assist
Simpler functions forSimpler functions for Credential handle creationCredential handle creation
major_status = globus_gss_assist_acquire_cred(ampminor_statusmajor_status = globus_gss_assist_acquire_cred(ampminor_status
GSS_C_INITIATE or GSS_C_ACCEPT GSS_C_INITIATE or GSS_C_ACCEPT
ampcredential_handle)ampcredential_handle)
Context establishmentContext establishmentmajor_status = globus_gss_assist_init_sec_context(ampminor_statusmajor_status = globus_gss_assist_init_sec_context(ampminor_status credential_handlecredential_handle ampcontext_handleampcontext_handle (char ) server_princ(char ) server_princ GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAGGSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG ampret_flagsampret_flags amptoken_statusamptoken_status globus_gss_assist_token_get_fdglobus_gss_assist_token_get_fd (void ) ampsocket_fd(void ) ampsocket_fd globus_gss_assist_token_send_fdglobus_gss_assist_token_send_fd (void ) ampsocket_fd)(void ) ampsocket_fd)
Little documentationLittle documentationhttpwwwglobusorgsecuritygss_assisthtmlhttpwwwglobusorgsecuritygss_assisthtml
Pointers to functions to send and receive tokens using sockets
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml
6464 VolkertVolkert
Further Information
GridGrid
bull LCG Security httpproj-lcg-securitywebcernchproj-lcg-security
bull LCG Registration httplcg-registrarcernch
bull Globus Security httpwwwglobusorgsecurity
BackgroundBackground
bull GGF Security httpwwwgridforumorgsecurity
bull GSS-API httpwwwfaqsorgfaqskerberos-faqgeneralsection-84html
bull GSS-API httpdocsuncitesuiucedusun_docsCsolaris_9SUNWdev
GSSAPIPGtochtml
bull IETF PKIX charter httpwwwietforghtmlcharterspkix-charterhtml
bull PKCS httpwwwrsasecuritycomrsalabspkcsindexhtml