Security Services
Authentication, Authorisation and Security

Security Overview
• Security
• Authentication
• Grid Security Infrastructure
• Encryption & Data Integrity
• Authorization
Basis of security & authentication
(Diagram: plain text is turned into encrypted text and back into plain text using the public key and the private key.)
• Asymmetric encryption:
  • The private key and the public key come as a pair.
  • It is computationally infeasible to derive one key from the other.
  • A message encrypted with one key can be decrypted only with the other key of the pair.
• Examples of public key algorithms:
  • Diffie-Hellman (1977)
  • RSA (1978)

An Example of Public Key Algorithms
(Diagram: Paul encrypts "ciao" with John's public key into "3$r"; John decrypts "3$r" back to "ciao" with his private key.)
• Public keys are exchanged: Paul gets John's public key.
• Paul encrypts using John's public key.
• John decrypts using his private key.
• This ensures data confidentiality.

Data Integrity - Digital Signature
(Diagram: Paul's message, hash A and the digital signature; John's recomputed hash B; Paul's public and private keys.)
• Paul calculates the hash of the message.
• Paul encrypts the hash using his private key: the encrypted hash is the digital signature.
• Paul sends the signed message to John.
• John calculates the hash of the message (hash B).
• John decrypts the signature using Paul's public key to get hash A.
• If the hashes are equal:
  1. the message wasn't modified;
  2. hash A was produced with Paul's private key (Paul encrypted it).
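The Paul/John exchange and the hash-then-sign procedure above, carried out in Python with a textbook RSA implementation. This is an added example, not code from the slides; the Mersenne primes, the names and the messages are constructed toy values, and the scheme omits the padding that real RSA needs, so it serves only to follow the two slides step by step.

```python
"""Added example (not the slides' own code): textbook RSA with toy keys to walk
through public-key encryption (Paul -> John) and the digital signature
(hash, then encrypt the hash with the sender's private key). No padding,
toy-sized primes: for teaching only."""
import hashlib

# Constructed toy primes (Mersenne primes) so the code runs instantly.
# A real key uses random primes of at least 1024 bits each.
JOHN_PRIMES = (2**127 - 1, 2**89 - 1)
PAUL_PRIMES = (2**107 - 1, 2**61 - 1)


def generate_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public and private halves of one key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)


def encrypt(plaintext: bytes, public_key) -> int:
    """Paul's step: cipher with the receiver's public key."""
    e, n = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """John's step: only the matching private key recovers the plaintext.
    (Leading zero bytes of the plaintext would be lost; real RSA pads.)"""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_as_int(message: bytes, n: int) -> int:
    # SHA-256 of the message, truncated so it is smaller than the toy modulus.
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[: (n.bit_length() - 1) // 8], "big")


def sign(message: bytes, private_key) -> int:
    """Hash the message, then 'encrypt' the hash with the sender's private key."""
    d, n = private_key
    return pow(_hash_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover hash A from the signature with the public key; compare with hash B."""
    e, n = public_key
    hash_a = pow(signature, e, n)
    hash_b = _hash_as_int(message, n)
    return hash_a == hash_b


def demo():
    """Run both slides end to end; returns the outcomes for inspection."""
    john_pub, john_priv = generate_keypair(*JOHN_PRIMES)
    paul_pub, paul_priv = generate_keypair(*PAUL_PRIMES)
    # Confidentiality: Paul encrypts "ciao" to John; only John's private key reads it.
    ciphertext = encrypt(b"ciao", john_pub)
    # Integrity and origin: Paul signs; John verifies with Paul's public key.
    message = b"meet at 10"
    signature = sign(message, paul_priv)
    return {
        "decrypted": decrypt(ciphertext, john_priv),
        "genuine": verify(message, signature, paul_pub),
        "tampered": verify(b"meet at 11", signature, paul_pub),
        "wrong_signer": verify(message, signature, john_pub),
    }


if __name__ == "__main__":
    print(demo())
```

The two failure cases in `demo` are the point of the signature slide: a changed message gives a different hash B, and a signature checked against the wrong public key yields a hash A that matches nothing, so only the matching private key could have produced it.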
Digital Signature (cont.)
• With a digital signature, it is easy to know that:
  • I received the message that you intended to send me;
  • you are really the person who sent this message.

Certificate
• It is based on the digital signature mechanism.
• The Grid authenticates users or resources by verifying their certificate.
• A certificate is issued by one of the national Certification Authorities.
(Diagram: the user's public key and the user's information are signed with the CA's key; the result is the user's digital certificate (or certificate), carrying the CA's digital signature.)

X.509 Certificates
• An X.509 certificate contains:
  • owner's public key;
  • identity of the owner;
  • info on the CA;
  • time of validity;
  • serial number;
  • optional extensions;
  • digital signature of the CA.
Example certificate:
  Public key
  Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
  Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
  Expiration date: Aug 26 08:08:14 2005 GMT
  Serial number: 625 (0x271)
  Optional Extensions
  CA Digital signature
Proxy certificate (my agent)
(Diagram: the user certificate, holding the user's information and the CA's signature, is used with the user key to sign a proxy certificate; the proxy certificate carries the user's signature and has its own proxy key.)

Proxy delegation (my agent's agent)
(Diagram: proxy1 cert, signed by the user, and proxy1 key sign proxy2 cert; proxy2 cert carries proxy1's signature and has its own proxy2 key.)

Proxy delegation chain
(Diagram: user cert, proxy1 cert, proxy2 cert, proxy3 cert, ..., proxyN cert; each certificate is signed with the key of the previous one, from the user's key through proxy N-1's key, and each proxy has its own key.)
• Every proxy can represent the user.
• Proxy certificates extend X.509 certificates.
• Short-lived certificates signed by the user's certificate or by a proxy.
• Reduces security risk, enables delegation.
• "Single sign-on" can be attained.

Evolution of VO management
• VOMS
  • VO administration:
    • check which VO the user belongs to;
    • add VO information to the user's proxy certificate.
• voms-proxy-init
  • a gLite command to:
    • contact the VOMS with the user's proxy certificate;
    • retrieve the certificate that contains the VO information.
(Diagram: a proxy certificate containing the information, the user's digital signature and the attribute "VO: TWGrid".)

Summary of AA - 1
• Authentication based on X.509 PKI infrastructure
  • Trust between Certificate Authorities (CA) and sites, and between CAs and users, is established (offline)
  • CAs issue (long-lived) certificates identifying sites and individuals (much like a passport)
    • Commonly used in web browsers to authenticate to sites
  • In order to reduce vulnerability, on the Grid user identification is done using (short-lived) proxies of their certificates
  • Proxies can
    • be delegated to a service such that it can act on the user's behalf
    • include additional attributes (like VO information via the VO Membership Service, VOMS)
    • be stored in an external proxy store (MyProxy)
    • be renewed (in case they are about to expire)

Summary of AA - 2
• Authentication
  • User obtains a certificate from a Certificate Authority (annually)
  • Connects to the UI by ssh (the UI is the user's interface to the Grid)
  • Uploads the certificate to the UI
  • Single logon, to the UI, creates a proxy
• Authorisation
  • User joins a Virtual Organisation
  • VO negotiates access to Grid nodes and resources
  • Authorisation is tested by the resource: credentials in the proxy determine the user's rights
(Diagram: CA issues to the user; the VO manager maintains the VO service and VO database, which feed a daily update of the mapping from credentials to access rights in the Grid Security Infrastructure (GSI).)
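The delegation chain, the VOMS attribute on the proxy and the resource-side authorisation check above, as one added Python model; it is not code from the slides, gLite or VOMS. It reuses the textbook-RSA signature of the earlier example; certificates are plain dictionaries, the proxy naming convention is assumed, and the CA name, user name, VO name, rights table and timestamps are all constructed.

```python
"""Added example (not the slides' or gLite's own code): a model of the proxy
delegation chain and of the checks a resource makes before mapping the end
proxy to access rights: each link is signed by the key of the certificate
before it, the first link is signed by a trusted CA, every certificate is
within its validity period, and the VO attribute on the proxy selects the
rights. Toy RSA over SHA-256; all names, times and mappings are constructed."""
import hashlib

E = 65537  # public exponent for every toy key


def toy_keypair(p, q):
    """Key pair from two constructed toy (Mersenne) primes; returns ((e, n), (d, n))."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


def _hash_as_int(data: bytes, n: int) -> int:
    # SHA-256 of the data, truncated to fit below the toy modulus.
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[: (n.bit_length() - 1) // 8], "big")


def sign(data: bytes, private_key) -> int:
    d, n = private_key
    return pow(_hash_as_int(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _hash_as_int(data, n)


def _to_be_signed(cert: dict) -> bytes:
    # Canonical bytes of every field except the signature itself.
    return repr(sorted((k, v) for k, v in cert.items() if k != "signature")).encode()


def issue(subject, issuer, public_key, not_before, not_after, issuer_key, vo=None):
    """The issuer signs the subject's information and public key: the CA signs the
    user cert, the user key signs proxy1, proxy1's key signs proxy2, and so on."""
    cert = {"subject": subject, "issuer": issuer, "public_key": public_key,
            "not_before": not_before, "not_after": not_after, "vo": vo}
    cert["signature"] = sign(_to_be_signed(cert), issuer_key)
    return cert


def validate_chain(chain, trusted_cas, now):
    """chain[0] is the CA-issued user cert; chain[i] must be signed by chain[i-1].
    Returns (True, identity the end proxy represents) or (False, reason)."""
    for i, cert in enumerate(chain):
        if i == 0:
            signer_key = trusted_cas.get(cert["issuer"])
            if signer_key is None:
                return False, "issuer is not a trusted CA: " + cert["issuer"]
        else:
            if cert["issuer"] != chain[i - 1]["subject"]:
                return False, "broken link before " + cert["subject"]
            signer_key = chain[i - 1]["public_key"]
        if not verify(_to_be_signed(cert), cert["signature"], signer_key):
            return False, "bad signature on " + cert["subject"]
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, cert["subject"] + " is outside its validity period"
    return True, chain[0]["subject"]


def authorize(chain, trusted_cas, rights_by_vo, now):
    """Resource side: a valid chain plus the VO attribute on the end proxy give the rights."""
    ok, _detail = validate_chain(chain, trusted_cas, now)
    if not ok:
        return set()
    return set(rights_by_vo.get(chain[-1]["vo"], ()))


def build_demo(now=1_700_000_000):
    """Constructed CA, user, two delegated proxies and a rights table; returns outcomes."""
    day, hour = 86400, 3600
    ca_pub, ca_priv = toy_keypair(2**127 - 1, 2**89 - 1)
    user_pub, user_priv = toy_keypair(2**107 - 1, 2**61 - 1)
    proxy1_pub, proxy1_priv = toy_keypair(2**521 - 1, 2**31 - 1)
    proxy2_pub, _proxy2_priv = toy_keypair(2**607 - 1, 2**19 - 1)
    ca_name, user_name = "CN=Example CA", "CN=Example User"  # constructed names
    # Long-lived user certificate (a year), short-lived proxies (12 hours).
    user_cert = issue(user_name, ca_name, user_pub, now - 30 * day, now + 335 * day, ca_priv)
    proxy1 = issue(user_name + "/CN=proxy", user_name, proxy1_pub,   # assumed naming
                   now - 60, now + 12 * hour, user_priv, vo="TWGrid")  # VOMS attribute
    proxy2 = issue(proxy1["subject"] + "/CN=proxy", proxy1["subject"], proxy2_pub,
                   now - 60, now + 12 * hour, proxy1_priv, vo=proxy1["vo"])
    chain = [user_cert, proxy1, proxy2]
    trusted = {ca_name: ca_pub}
    rights = {"TWGrid": {"submit_job", "read_storage"}}  # constructed mapping
    forged = dict(proxy2, vo="Admins")  # attribute edited after signing
    return {
        "identity": validate_chain(chain, trusted, now),
        "rights": authorize(chain, trusted, rights, now),
        "expired_proxy": authorize(chain, trusted, rights, now + 13 * hour),
        "edited_attribute": authorize([user_cert, proxy1, forged], trusted, rights, now),
        "untrusted_ca": authorize(chain, {}, rights, now),
    }


if __name__ == "__main__":
    for name, outcome in build_demo().items():
        print(name, outcome)
```

The three rejected cases show why the short proxy lifetime and the signature over the VO attribute matter: thirteen hours later the same chain yields no rights although the user certificate is still valid, an attribute edited after signing breaks proxy1's signature over proxy2, and a chain rooted in a CA the resource does not trust is rejected before any attribute is read.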
User Responsibilities
• Keep your private key secure, on a USB drive only.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.