1 / 22

What can you do with a Grid Certificate?

What can you do with a Grid Certificate?. Andrew McNab High Energy Physics University of Manchester. Overview. Public Key Cryptography Encrypting and Signing with a public key Proving its MY public key - CAs Connecting with a key - ssh Connecting with a certificate - https

justicea
Download Presentation

What can you do with a Grid Certificate?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What can you do with a Grid Certificate? Andrew McNab High Energy Physics University of Manchester Grid Certs, Manchester HEP, 8 Nov 2002

  2. Overview • Public Key Cryptography • Encrypting and Signing with a public key • Proving its MY public key - CAs • Connecting with a key - ssh • Connecting with a certificate - https • Delegating - Globus proxies • Passports vs Visas • Access control lists - GGF • Putting the grid into the OS - SlashGrid • Extending HTTPS - G-HTTPS Grid Certs, Manchester HEP, 8 Nov 2002

  3. Public Key Cryptography • This is one of the most interesting and downright useful areas of applied maths • Invented twice thanks to Official Secrets Act • by people at GCHQ 1970-4 (published 1998) • again by Diffie and Hellman at Stanford, 1976 • Various algorithms exist • Most common is RSA, invented by Rivest, Shamir and Adelman in 1977 • Initially patented (expired in 2000) • Also subject to US export legislation, despite being simple enough to put on a T-Shirt! Grid Certs, Manchester HEP, 8 Nov 2002

  4. RSA algorithm (simplified a bit) • Say have public key n = pq, p and q are prime. • Private key d, 3d = 1 (mod [[p-1][q-1]]) • Encrypt message M (< n) as C = (M^3) mod n • Decrypt message M = (C^d) mod n • For example, n = 5 x 3 = 15, M=12 • d = 3 • C = 12^3 mod 15 = 3 • M’ = 3^3 mod 15 = 12 !! • However, if I don’t know p and q, I can’t get d. • If n=pq is very big, I can’t easily find prime numbers such that p q = n Grid Certs, Manchester HEP, 8 Nov 2002

  5. Encrypting with public key • I can generate public and private keys • I publish my public key • You can turn a message into a number and encrypt it • Only I, who also know the private key, can decrypt it • This solves one of the ancient problems of cryptography, going back to Greeks etc • how to first get the encryption “secret” from the recipient to the sender in a secure way Grid Certs, Manchester HEP, 8 Nov 2002

  6. Simple application: secret emails • Internet email is pretty insecure • Anyone who can listen on the network can see what’s in the emails as they go past • But using public and private keys, people can encrypt a message and include it in an email • Keys and messages are base64-encoded blobs of text like this: -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAOd5Zstqe+PGkfg4T8e3tDAr3ykv79ErTvERwFlO64/6IA5KkpMK FizFR3hZmnC8lrS+5DItxdGkUo7y03mMMUsCAwEAAQJBAKQv0qA62cHJGcTtfHl3 bpI0rEg0vnCpvYb1RnCSsDggo4Banb7/ak2a/QrvfWoyt4Y60PE/6ypGvgiy6eqM d+ECIQD8+88SCzXjDoNHxfjceTdeS2ZcA2xHdoL9179guWUM0wIhAOo78FEVh45/ DagJRqXWNo81Sp1fk5LaIkmVXx2akh6pAiEAj2PCeH22K14cdt/1MDHceivOdrTR +Kdpk6tno9ExP1UCIQChLwHeKjyP+CpDma596/y7a2afCOgaQ/UYQaukSXuHkQIg ZQFJimvH4ZZjErleQ+KsmyI2NuTk2/EDQxbnpyN35+g= -----END RSA PRIVATE KEY----- Grid Certs, Manchester HEP, 8 Nov 2002

  7. Signing emails • This technology doesn’t only allow us to encrypt messages • I can use my private key to generate a digital “signature” • Using my public key, you can verify that only I could have generated it • This gives both simple signing (you can verify the source) and non-repudiation (you can prove the same key signed a group of messages and I can’t deny it) • Signature is another block of text at the end of the original message in plaintext Grid Certs, Manchester HEP, 8 Nov 2002

  8. Proving it’s MY public key • However, other people still have to verify it really is MY public key they are using • What if I can’t physically give you the key? • Certificate Authorities (CAs) / Trusted 3rd Parties resolve this • They sign other people’s public keys, along with a unique name -> “a certificate” • You still have to get the CA public key somehow • So: I can get my public key signed, put it on my webpage and you can verify it’s really mine • it’s hasn’t been replaced by a hacker, say Grid Certs, Manchester HEP, 8 Nov 2002

  9. Certificate Authority namespaces • CA needs to have some unique naming for individuals • Could use Name + Postal Address, or Email Address. • In practice, use an X500 hierarchy: • /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab • We use the UK HEP CA and now also the general e-Science CA at RAL • We are now directly responsible for names under /C=UK/O=eScience/OU=Manchester/L=HEP/… • New CA requires us to check some photo ID Grid Certs, Manchester HEP, 8 Nov 2002

  10. Connecting with a key • ssh uses RSA and similar algorithms • Server generates a key pair to identify itself • Users can generate key pairs to use instead of passwords • At CERN, SLAC etc, put your public key in ~/.ssh/authorized_keys • When you connect, ssh checks if server key pair is the same as last time • but, the first time, it has to take it on trust • would be better to use a signed certificate, rather than just a public key Grid Certs, Manchester HEP, 8 Nov 2002

  11. Connecting with a certificate • You’re probably familiar with https websites • eg for credit card orders from Easyjet • These use RSA etc to secure the connection • Hosts have certificates rather than just public keys • in cert name have …/CN=www.easyjet.com • So web browser can verify you’re really giving your credit card number to Easyjet • Also, if you put a user certificate into the browser, webserver can verify who you are Grid Certs, Manchester HEP, 8 Nov 2002

  12. GridSite • GridSite system has user authentification • Written here and used for www.gridpp.ac.uk • Maintains lists of users in different groups • Each directory has a list of groups who can modify its webpages • Tools on website allow you to upload files, edit pages • Group admins can modify the membership of their group too • Devolves the work of maintaining the site down to each subgroup Grid Certs, Manchester HEP, 8 Nov 2002

  13. Other services using certificates • Globus’s grid services use the same idea: • GridFTP for bulk file transfers • GRAM for job submission • GSI-ssh: normal ssh modified to use server and user certificates rather than just key pairs • Since both Globus and https use the same, X509 format certificates, Grid/Web can be integrated • Only need to get 1 user certificate, both for purely Grid and https Web sites. Grid Certs, Manchester HEP, 8 Nov 2002

  14. Globus Delegation • In normal https, I can prove who I am to the website, but that’s it • Globus extended this idea with delegation • When I contact a remote host, it also makes a new, temporary key pair with my name • I agree to sign the public key, like a CA does • My programs on the host can then contact other hosts with the “proxy” = chain of certs • A 2nd remote host can check I authorised all this, by checking the chain of certs one by one • no need to take 1st host’s word for it! Grid Certs, Manchester HEP, 8 Nov 2002

  15. “Single sign-on” • Delegation allows you to just sign on once • Do grid-proxy-init command once each day • locally delegates proxy as /tmp/x509up_uXX • Each Globus program looks for this when connecting: • globus-job-run for job submission • globus-url-copy for file copying • gsi-ssh for getting a remote command line • EU DataGrid programs built with this do too: • dg-job-submit • dg-job-get-output Grid Certs, Manchester HEP, 8 Nov 2002

  16. Delegation in jobs • As the Grid becomes more complex, delegation becomes vital • User at Site A submits a job • Job goes to Resource Broker at Site B • RB sends job to Site C which has spare CPUs • Job running at C reads data catalog at Site D • Job at C reads closest data replica from Site E • Job finishes hours later and sends output to file server back at Site A • Delegation means not having to take other sites’ “word for it” - which wouldn’t scale up Grid Certs, Manchester HEP, 8 Nov 2002

  17. Passports vs Visas • Globus uses grid-mapfile - lists mapping of certificate name to local unix user ID • if you’re “on the list” then you are in • This is equivalent to a Passport + a Ban / Invitation List • New systems being built with a Visa model • when I make my initial proxy, I also include a signed statement from my organisation • this “attribute cert” proves my membership • since I can’t forge the Atlas signature, each site doesn’t need the list of “all Atlas Users” Grid Certs, Manchester HEP, 8 Nov 2002

  18. Grid Access Control Lists • Our GACL format provides a way of writing ACLs using Grid credentials • user certificate names, group certificates etc • GridSite uses this format already • Other projects (eg EDG Storage Element) taking it up • Now part of the authorisation work in Global Grid Forum (GGF) • GGF: world wide standards body for Grids • I co-chair the Authorisation Working Group Grid Certs, Manchester HEP, 8 Nov 2002

  19. SlashGrid: Grid filesystems • Almost all EDG sites use Manchester’s pool accounts system • get a temporary Unix UID when you run a job • SlashGrid adds to this by controlling disk access and file ownership • use GACL access control lists to say who owns each directory • enforced at kernel level so all programs see it • Unix ID doesn’t matter: Grid ID does • Also provides a remote filesystem using https • Like AFS, but Grid credentials and web servers Grid Certs, Manchester HEP, 8 Nov 2002

  20. Extending HTTPS - G-HTTPS • Normal HTTPS is already very Grid-like • Work now underway to add more Grid features • need to avoid breaking existing HTTPS • our G-HTTPS proposal designed to do this • Delegation from client to server • so get all the benefits discussed already • Servers can return the ACL along with the file • so if I cache a copy locally, I know who I can share the copy with • Relevant EDG groups involved; taking it to GGF Grid Certs, Manchester HEP, 8 Nov 2002

  21. fileGridSite • fileGridSite is a cut down version of GridSite • just does plain text/binary files • group/webpage management features removed • A testbed for new HTTPS extensions • Made possible by Mike Jones’ mod_ssl-GSI • this makes web servers understand Globus delegated proxies • G-HTTPS lets the server get a delegated proxy itself • fileGridSite aims to offer the same functions as a GridFTP server, but with HTTP/HTTPS Grid Certs, Manchester HEP, 8 Nov 2002

  22. Summary • Public key cryptography provides privacy and authentification • Certificate Authority infrastructure makes it scalable • Lots of Web and now Grid tools have been built to use it • Delegation makes Grids practical • New tools for group membership, and disk/web access control being developed • much of it here at Manchester • All this feeding into new Grid-wide standards Grid Certs, Manchester HEP, 8 Nov 2002

More Related