Security, Authentication and Authorization

Security, Authentication and Authorization Virginia Martín-Rubio Pascual virginia.martinrubio@rediris.es RedIRIS/Red.es Curso Grid y e-Ciencia 2010, Valencia 6- 9 Julio 2010

Agenda • Introduction • Grid Security Infrastructures • Security at network level • Encryption or Cryptography • Symmetric algorithms • Asymmetric algorithms: PKI (Public Key Infrastructure) • Digital signature • Certificates • X509 Certificates • Security at VO level • Proxy certificates • Command Line Instructions • Virtual Organizations • VO concept and authorization

Agenda • Principal • An entity: a user, a program, or a machine • Credentials • Some data providing a proof of identity • Authentication • Verify the identity of a principal • Authorization • Map an entity to some set of privileges • Confidentiality • Encrypt the message so that only the recipient can understand it • Integrity • Ensure that the message has not been altered in the transmission • Non-repudiation • Impossibility of denying the authenticity of a digital signature

Introduction • What is Grid Security? • The Grid problem is to enable • “coordinated resource sharing and problem solving in dynamic, multiinstitutional • virtual organizations” From ”The Anatomy of the Grid” by Ian Foster et al. • So Grid Security is security to enable VOs • What is needed in terms of security for a VO?

Introduction • Virtual Organization Concept(VO) • VO for each application, workload or community • Carve out and configure resources for a particular use and set of users • The more dynamic the better…

Introduction • Security issues • How can communication endpoints be identified? • Authentication • How can a secure channel established between two partners? • Encryption • Non-repudiation • Integrity • Authorisation • Who is allowed to access a Virtual Organisation's resources? • What are VO members allowed to do? User Grid Service

K1 K2 Encryption Decryption M C M Grid Security Infraestructure Security at network level • Cryptography • A cryptographic algorithm is a mathematical function that combines simple text or other intelligible information with a digital character string, called key, for producing unintelligible encrypted text. The used key and algorithm are crucial for encrypting. • Simbology: • Simple Text: M • Encrypted Text: C • Encrypted with key K1: E K1(M) = C • Decrypted with keyK2: D K2(C) = M • Algorithms: • symmetric: K1 = K2 • asymmetric: K1 ≠ K2

Grid Security Infraestructure Security at network level • Cryptography • Symmetric algorithms: • Same key for encrypting and decrypting (K1 = K2) • Advantages: • Speed • Disadvantages: • How to distribute the keys? • Examples: • DES • 3DES • Rijndael (AES) • Blowfish • Kerberos María Pedro ciao 3$r 3$r ciao María Pedro ciao 3$r 3$r ciao

Pablo Juan ciao 3$r 3$r ciao Pablo Juan public ciao cy7 cy7 ciao Pablo keys Juan keys public private private Grid Security Infraestructure Security at network level • Cryptography • Asymmetric algorithms: • Also named Public Key Algorithms. • Same conditions: • Every user has two keys: • 1 private and 1 public • To get private key using public one • is impossible. • A encrypted message with one of these keys • can only be decrypted with the other one. • Exchanging the private keys is not necessary. • The transmitter encrypts the message using • the receiver’s public key. • The receiver decrypts the message with his • private key. • Examples: • Diffie-Helmann (1977) • RSA (1978) • DSA • ElGamal

message digital signature message = ? digital signature Claves de Pablo public private Grid Security Infraestructure Security at network level • Cryptography • Digital signature: • Cryptographic method that allows us to associate a person or machine identity with a message or document. • Assure document or file integrity. • How does it work? • Pablo calculates a hash of the message. • Pablo encrypts that hash using his private key: this encrypted hash is the digital signature. • Pablo sends the signed message to Juan. • Juan calculates the hash(B) of the message and verifies that it’s the same as hash(A), decrypted with Pablos’ public key. • If both hashes are the same: • Message wasn’t modifiedIntegriity. • Pablo can’t repudiate it. Pablo message Hash(A) digital signature Juan Hash(B) Hash(A)

Grid Security Infraestructure Security at network level • Digital certificates • The pablo’s digital signature is considered secure if: • Pablos private key hasn’t been compromised. • Juan knows the Pablo public key. • How Juan is able to make sure that Pablo’s public key is in fact his public key and not other person’s public key? • There is a third part that certifies that correspondence between public key and owner identity. • Both parts must trust in that third part. • There are two models to establish that: • X.509  Hierarchical organization (used on Grid). • PGP  Peer to peer.

Grid Security Infraestructure Security at network level • Digital certificates • Certification Authority • The “third part” is named Certification Authority (CA). • CA Responsabilities: • To issue the digital certificates (contains the public key and the user identity) for users, programs and machines. • Verify the user identity and personal information. • Registration Authorities (RAs). • Revoke the certificate if it has been compromised. • Certificate renew when it is going to expire. • Periodically publishes a certificate revocation list in its web page: • Certificate Revocation Lists (CRL): contains all the revoked certificates.

Grid Security Infraestructure Security at network level • Digital certificates • Certification Authority • How to obtain a certificate: Request A certificate request is performed The user identify is confirmed by the RA The certificate is used as a key to access the grid The certificate is issued by the CA

Grid Security Infraestructure Security at network level • Digital certificates • X.509 certificates X.509 certificate structure • An X.509 Certificate contains: • Private key is stored in encrypted file – protected by a passphrase • Private key is created by the grid • user • owner’s public key; • identity of the owner; • info on the CA; • time of validity; • Serial number; • digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature

Grid Security Infraestructure Security at network level • Digital certificates • Secure Socket Layer (SSL) • Certificates are signed by the CA’s. • Each transaction in the Grid is mutually authentificated: • Pedro sends his certificate. • Service verifies the signature in Pedro’s certificate. • Service sends to Pedro a random number. • Pedro encrypts it using his private key. • Pedro sends the encrypted number to Service. • Service uses Pedro’s public key to decrypt the number. • Service compares the decrypted number with the original. • If they are equal, Service verifies Pedro’s identity. Pedro Service Pedro’s certificate Verifies CA signature Random number Encrypts with his private key Encrypted number Decrypt with public key of Pedro Compares the number with the original

Grid Security Infraestructure Security at network level • Digital certificates • Solicitud de Digital certificate • Depending on which is your country you must use one CA or another. • Spanish users must access to: • http://www.irisgrid.es/pki/ • Other CAs are: • http://ca.lip.pt/ (Portugal) • http://security.fi.infn.it/CA/en/RA/ (Italy) • … • There are some users who are in a county without CA, ‘catch-all CAs’ exist for them. For example: • EGEE catch-all CA: http://igc.services.cnrs.fr/GRID2-FR/?lang=en • LCG catch-all CA: http://www.doegrids.org/

Grid Security Infraestructure Security at network level • Digital certificates • Solicitud de Digital certificate a IRISGridCA (1/2) • You have to access to http://www.irisgrid.es/pki/ and select your correspondent Registration Authority (RA), in the example is RedIRIS. • Then you have to select the certificate type: • Solicitud de certificate (CSR): • CSR de Usuario • CSR de Servidor/Servicio • Complete the user information.

Grid Security Infraestructure Security at network level • Digital certificates • Digital certificate request to IRISGridCA (2/2) • The CA sends an email to the user notifying him that his certificate is prepared and gives him the URL for downloading it. • The user must access to that URL and indicate his identifier for downloading the certificate to his browser (this browser must be the same which user used when request the certificate). • After that, the user has to export the certificate from the browser to a pkcs12 file and copies this file to the UI where he is going to submit jobs into the Grid. • When the certificate is a PKCS12 file the user has to convert it to .pem files. We can use the openssl command for the conversion (openssl is available in the UI) : • openssl pkcs12 –nocerts –in my_cert.p12 –out userkey.pem • openssl pkcs12 –clcerts –nokeys –in my_cert.p12 –out usercert.pem

Grid Security Infraestructure Security at network level • Digital certificates • Certificate renew (1/2) • The certificates maximum lifetime is 1 year + 1 month • The idea is that at the end of the year (12th month) a new certificate is issued • Users should be warned about the coming expiration and the need to renew • Don’t revoke a certificate to issue a new one unless the certificate has been compromised or the user has ceased his activity which entitles him to have a certificate

Grid Security Infraestructure Security at network level • Digital certificates • Certificate renew (2/2) • During a renewal it is not required to make the user to pass through the identification procedure: • This is a big advantage for both the users and the RA • However a maximum renewal number without identification is advisable (for instance: every two years the EE must pass through the identification again) • In order not to pass through the identification the renewal request must be signed with the user certificate, examples: • Email signed with user certificate • CA/RA Web interface that would identify the user certificate • If the user certificate expires before renewal the procedure for a new certificate must be followed

Grid Security Infraestructure Security at VO level • Proxy certificate X.509 • It would be dangerous to transfer your certificate through the Grid. • Proxy Certificates: • Signed by the normal end entity cert (or by another proxy). • Support some important features • Delegation • Have a limited lifetime (minimized risk of “compromised credentials”) • Proxy certificates are created by the grid-proxy-init command: • grid-proxy-init • Enter PEM pass phrase: ****** • Options for grid-proxy-init: • -hours <lifetime of credential> • -bits <length of key> • -help

User Certificate File User Proxy certificate file Private Key (Encrypted) Pass Phrase Grid Security Infraestructure Security at VO level • Proxy certificate X.509 • grid-proxy-init • User enters pass phrase, which is used to decrypt private key. • Private key is used to sign a proxy certificate with its own, new public/private key pair. • User’s private key not exposed after proxy has been signed • Proxy certificate: • the private key of the Proxy is not encrypted • stored in local file: must be readable only by the owner • lifetime is short (typically 12 h) to minimize security risks.

Grid Security Infraestructure Security at VO level proxy certificate X.509 grid-proxy-init • grid-proxy-init ≡ “login to the Grid” • To “logout” you have to destroy your proxy: grid-proxy-destroy • To gather information about your proxy: grid-proxy-info Options for printing proxy information: -subject -issuer-type -timeleft-strength -help

Grid Security Infraestructure Security at VO level • Proxy certificate X.509 • Delegation • Delegation = remote creation of a (second level) proxy credential. • New key pair generated remotely on server. • Client signs proxy cert and returns it. • Allows remote process to authenticate on behalf of the user. • Remote process “impersonates” the user.

Grid Security Infraestructure Security at VO level • Proxy X.509 certificate • Long Term Proxy  Myproxy • Proxy has limited lifetime (default is 12 h) • Bad idea to have longer proxy • However, a grid task might need to use a proxy for a much longer time • Grid jobs in HEP Data Challenges on LCG last up to 2 days • MyProxy server: • Allows to create and store a long term proxy certificate: • myproxy-init -s <host_name> • -s: <host_name> specifies the hostname of the myproxy server • myproxy-info • Get information about stored long living proxy • myproxy-get-delegation • Get a new proxy from the MyProxy server • myproxy-destroy • File transfer services in gLite validates user request and eventually renew proxies • contacting myproxy server

Grid Security Infraestructure Security at VO level • Proxy X.509 certificate • VOs y authorization • Grid users MUST belong to virtual organizations • Sets of users belonging to a collaboration • User must sign the usage guidelines for the VO • VOs maintain a list of their members on a LDAP Server • The list is downloaded by grid machines to map user certificate subjects to local “pool” accounts ... "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice ...

Grid Security Infraestructure Security at VO level • Proxy X.509 certificate • Servidor VOMS (Virtual Organization Members Service) • Extend information in the proxies members of the VO, groups, roles. • Absolutely compatible with Globus Toolkit. • Every VO has a database which contains information about the members of the group, roles and capacities of each user. • Users contact with voms server requesting their information of authorization • Server sends the information of authorization to the client, who includes it in a proxy certificate. • $voms-proxy-init –-voms gilda • Creates a certificate and extends it with the voms server information. • $voms-proxy-info –all • Shows information of the certificate together with voms extension. 27

Short for Fully Qualified Attribute Name, is what VOMS uses to express membership and other authorization info. Groups membership, roles and capabilities may be expressed in a format that bounds them together: <group>/Role=[<role>][/Capability=<capability>] [tut25@cg02 ~]$ voms-proxy-info -fqan /vo.formacion.es-ngi.eu/Role=NULL/Capability=NULL FQAN are included in an Attribute Certificate. Attribute Certificates are used to bind a set of attributes (like membership, roles, authorization info etc) with an identity. ACs are digitally signed. VOMS uses AC to include the attributes of a user in a proxy certificate • Grid Security Infraestructure Security at VO level • Proxy X.509 certificate • FQAN y AC (Atribute Certificate)

Server creates and signs an AC containing the FQAN requested by the user, if applicable AC is included by the client in a well-defined, non critical, extension assuring compatibility with GT-based mechanism [ui-SL5] /home/virginia > voms-proxy-info -all subject : /DC=es/DC=irisgrid/O=rediris/CN=virginia.martinrubio/CN=proxy issuer : /DC=es/DC=irisgrid/O=rediris/CN=virginia.martinrubio identity : /DC=es/DC=irisgrid/O=rediris/CN=virginia.martinrubio type : proxy strength : 1024 bits path : /tmp/x509up_u500 timeleft : 11:59:55 === VO vo.general.es-ngi.eu extension information === VO : vo.general.es-ngi.eu subject : /DC=es/DC=irisgrid/O=rediris/CN=virginia.martinrubio issuer : /DC=es/DC=irisgrid/O=ifca/CN=host/voms01.ifca.es attribute : /vo.general.es-ngi.eu/Role=NULL/Capability=NULL timeleft : 11:59:55 uri : voms01.ifca.es:15003 • Grid Security Infraestructure Security at VO level • Proxy X.509 certificate • VOMS y AC (Atribute Certificate)

At resources level, authorization info is extracted from the proxy and processed by LCAS and LCMAPS Local Centre Authorization Service (LCAS) Checks if the user is authorized (currently using the grid-mapfile) Checks if the user is banned at the site Checks if at that time the site accepts jobs Local Credential Mapping Service (LCMAPS) Maps grid credentials to local credentials (eg. UNIX uid/gid, AFS tokens, etc.) Map also VOMS group and roles (full support of FQAN) • Grid Security Infraestructure Security at VO level • proxy certificate X.509 • LCAS & LCMAPS "/VO=dteam/GROUP=/dteam" dteam "/VO=eumed/GROUP=/eumed/ROLE=SoftwareManager" eumed "/VO=eumed/GROUP=/eumed" eumed

You need a digital certificate and be member of a VO. ¡¡Keep your private key safe!! Proxy commands voms-* To manage proxies Myproxy commands myproxy-* To delegate proxies REMEMBER… 31

References • Grid • LCG Security: http://proj-lcg-security.web.cern.ch/proj-lcg-security/ • Globus Security Infrastructure: http://www.globus.org/security/ • VOMS: http://infnforge.cnaf.infn.it/projects/voms • CA: http://www.tagpma.org/ • Background • GGF Security: http://www.gridforum.org/security/ • IETF PKIX charter: http://www.ietf.org/html.charters/pkix-charter.html • PKCS: http://www.rsasecurity.com/rsalabs/pkcs/index.html

Thanks for your attention! Questions?

Security, Authentication and Authorization

Security, Authentication and Authorization

Presentation Transcript

Authentication, Authorization, and Accounting

Authentication and Authorization Infrastructure

Authentication and authorization

Authorization and Authentication Infrastructure

API Authentication and Authorization Protocols

Grid Authentication and Authorization

Authentication and Authorization in gLite

Authentication and Authorization

Authorization and Authentication in gLite

Authentication and Authorization

gLite authentication and authorization

Authentication and Authorization

Authentication / Authorization

UAG Authentication and Authorization- part1

Authentication and Authorization in gLite

Authentication/Authorization

Authentication and Authorization

Authentication and Authorization Infrastructure

Authentication, Authorization and Accounting

Authorization and Authentication Infrastructure

Authorization and Authentication in gLite