Grid Security
Heinz Stockinger, Swiss Institute of Bioinformatics, Lausanne, Switzerland
EMBRACE Grid Tutorial, Helsinki, 16 June 2006
Grid Security - n° [email protected]
I guess you all know that … [picture]
How about that one? [picture]
What does this have to do with computing?
Well, it’s all about codes and access to information
In Grid computing:
- Limit access to resources
- Use standard computer security
Motivation: Security in the Grid
In industry, several security standards exist:
- Public Key Infrastructure (PKI): PKI keys, SPKI keys (focus on authorisation rather than certificates), RSA
- Secure Socket Layer (SSL), SSH keys
- Kerberos
Need for a common security standard for Grid services: the above standards do not meet all Grid requirements (e.g. delegation, single sign-on etc.)
The Grid community mainly uses X.509 PKI for the Internet: well established and widely used (also for www, e-mail, etc.)
Security Overview
Introduction
Public Key Infrastructure
Grid Certificates (X.509)
Grid Security Infrastructure (GSI)
Securing Services
GSI in Practice
Introduction
Distribution of resources: secure access is a basic requirement
- secure communication, secure data, secure resources etc.
- security across organisational boundaries
- single sign-on for users of the Grid
Three basic concepts:
- Secure communication: data encryption
- Authentication: Who am I? “Equivalent” to a passport, ID card etc.
- Authorisation: What can I do? Certain permissions, duties etc.
Data Encryption
Symmetric encryption: same key (“secret”) used for encryption and decryption
Kerberos, DES / 3DES, IDEA
Asymmetric encryption: different keys used for encryption and decryption
RSA, DSA
[Figure: symmetric encryption: clear text message → encryption with the shared key → encrypted text → decryption with the same shared key → clear text message. Asymmetric encryption: clear text message → encryption with Key A → encrypted text → decryption with Key B → clear text message.]
Authentication
Do we want authorised users or anonymous access to our service?
How can I prove who I am?
- In private life: people have passports and identity cards, issued by a certain authority
- In office life: we use ids and passwords to access computers
Certificate = “Grid Passport”
Public Key Infrastructure: use a public and a private key
Grid Certificate:
- Name
- Issuer (Certificate Authority)
- Validity
A passport has several important items; the Grid certificate carries the corresponding ones.
Public Key Infrastructure (PKI)
Asymmetric encryption
Digital signatures: a hash derived from the message and encrypted with the signer’s private key; the signature is checked by decrypting it with the signer’s public key
Allows key exchange in an insecure medium using a trust model: keys are trusted only if signed by a trusted third party (Certification Authority); a CA certifies that a key belongs to a given principal
Certificate: public key + information about the principal + CA signature; X.509 is the most used format
PKI is used by SSL, PGP, GSI, WS security, S/MIME, etc.
[Figure: clear text message → encrypted text → clear text message, one key of the pair (public key, private key) used for each direction.]
PKI – Example
Entity A (Alice) has a public key e and a private key d, which define an encryption transformation Ee and a decryption transformation Dd.
Entity B (Bob), wishing to send a message m to A:
- obtains A’s public key e and computes the ciphertext c = Ee(m), which is sent to A
- A applies the decryption transformation Dd and recovers m = Dd(c).
X.509 certificates and authentication
[Figure: A sends A’s certificate to B. B verifies the CA signature and sends a random phrase; A encrypts it with A’s private key and returns the encrypted phrase; B decrypts it with A’s public key and compares the result with the original phrase.]
Structure of an X.509 certificate (example):
- Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
- Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
- Expiration date: Aug 26 08:08:14 2005 GMT
- Serial number: 625 (0x271)
- Public key
- CA digital signature
Performance!
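The PKI example (Ee, Dd) and the challenge-response of the diagram above, carried through in Python with toy RSA numbers. This is an added example, not code from the tutorial or from Globus: the tiny primes, the CA and subject names, and SHA-256 reduced modulo n as the certificate digest are constructed assumptions, and "encrypt with the private key" is textbook RSA without padding; real GSI runs this handshake inside SSL/TLS with 1024-bit keys.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy RSA with tiny constructed parameters so that the E_e / D_d arithmetic
# of the PKI example stays visible. Real GSI credentials use 1024-bit keys.
def make_keypair(p, q, e):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # public key e, private key d

def transform(key, x):
    # E_e(m) = m^e mod n and D_d(c) = c^d mod n are one operation with
    # different exponents; "encrypt with A's private key" is this with d.
    n, exponent = key
    return pow(x, exponent, n)

@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_key: tuple   # (n, e) of the subject
    ca_signature: int   # digest of the fields above, signed with the CA's d

def digest(subject, issuer, public_key, modulus):
    data = f"{subject}|{issuer}|{public_key}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(ca_name, ca_private, subject, public_key):
    h = digest(subject, ca_name, public_key, ca_private[0])
    return Certificate(subject, ca_name, public_key, transform(ca_private, h))

def verify_ca_signature(cert, ca_public):
    # "Verify CA signature": undo the CA's transform and compare digests.
    expected = digest(cert.subject, cert.issuer, cert.public_key, ca_public[0])
    return transform(ca_public, cert.ca_signature) == expected

def respond(private_key, phrase):
    # Prover side: "Encrypt with A's private key".
    return transform(private_key, phrase)

def verify_response(cert, phrase, response):
    # Verifier side: "Decrypt with A's public key", "Compare with original phrase".
    return transform(cert.public_key, response) == phrase

def authenticate(cert, ca_public, prover_private):
    """One direction of the handshake: B authenticates A."""
    if not verify_ca_signature(cert, ca_public):
        return False
    phrase = secrets.randbelow(cert.public_key[0] - 2) + 2   # "Random phrase"
    return verify_response(cert, phrase, respond(prover_private, phrase))

def mutual_authenticate(cert_a, priv_a, cert_b, priv_b, ca_public):
    """GSI mutual authentication: the same exchange runs in both directions."""
    return authenticate(cert_a, ca_public, priv_a) and authenticate(cert_b, ca_public, priv_b)

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(61, 53, 17)
    alice_pub, alice_priv = make_keypair(101, 113, 17)
    bob_pub, bob_priv = make_keypair(127, 131, 17)
    ca = "/C=CH/O=CERN/CN=CERN CA"                     # constructed CA name
    alice = issue_certificate(ca, ca_priv, "/C=CH/O=CERN/OU=GRID/CN=Alice", alice_pub)
    bob = issue_certificate(ca, ca_priv, "/C=CH/O=CERN/OU=GRID/CN=Bob", bob_pub)
    print("mutual authentication:", mutual_authenticate(alice, alice_priv, bob, bob_priv, ca_pub))
    print("Bob's key answering for Alice:", authenticate(alice, ca_pub, bob_priv))
```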
X.509 alias ISO/IEC/ITU 9594-9
X.509 is an ITU standard: ITU-T Recommendation X.509 (1997 E), Information technology - Open Systems Interconnection - The Directory: Authentication Framework
Defines a certificate format (originally based on the X.500 Directory Access Protocol)
Latest standard: X.509 version 3 certificate format
An X.509 certificate includes:
- User identification (someone’s subject name)
- Public key
- A “signature” from a Certificate Authority (CA) that proves that the certificate came from the CA, vouches for the subject name, and vouches for the binding of the public key to the subject
Involved entities
- User (holds a public key, a private key and a certificate)
- Certificate Authority (CA)
- Resource (site offering services)
Certification Authorities
- Issue certificates for users, programs and machines
- Check the identity and the personal data of the requestor; Registration Authorities (RAs) do the actual validation
- Manage Certificate Revocation Lists (CRLs), which contain all the revoked certificates yet to expire
- CA certificates are self-signed
- In Grid projects only certain CAs are mutually recognised
Certificate classification
- User certificate: issued to a physical person; DN = C=CH, O=CERN, OU=GRID, CN=John Smith; the only kind of certificate good for a client, i.e. to send Grid jobs etc.
- Host certificate: issued to a machine (e.g. a secure web server); request signed with a user certificate; DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
- Grid host certificate: issued to a Grid service (e.g. a Resource Broker, a Computing Element); request signed with a user certificate; DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
- Service certificate: issued to a program running on a machine; request signed with a user certificate; DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch
Grid Certificate
A certificate needs to be requested from a Certificate Authority
When using the Grid Security Infrastructure (GSI), the credential consists of two files:
- usercert.pem (the certificate, containing the public key)
- userkey.pem (the private key, protected by a pass phrase)
X.509 Certificate Example (1)
openssl x509 -in ~/.globus/usercert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)                                   <- X509 v3, with extensions
        Serial Number: 199 (0xc7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA          <- issuer CA
        Validity
            Not Before: Sep 25 10:33:05 2005 GMT           <- long term certificate
            Not After : Sep 24 10:33:05 2006 GMT
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User   <- user identification
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption            <- public key
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:
                    [...]
X.509 Certificate Example (2)
        X509v3 extensions:                                 <- certificate extensions
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53
            X509v3 CRL Distribution Points:                <- Certificate Revocation List
                URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
            X509v3 Issuer Alternative Name:
                email:[email protected]
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.96.10.1.2.1
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing         <- client/user certificate
            Netscape Base Url:
                http://service-grid-ca.web.cern.ch/service-grid-ca/
    Signature Algorithm: md5WithRSAEncryption              <- signature on the information
        54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13: [...]
Private Key Example
openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]                                     <- private parameters
prime1: [...]
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----                            <- PEM encoded private key
-----END RSA PRIVATE KEY-----
Globus Grid Security Infrastructure (GSI)
- de facto standard for Grid middleware
- Based on PKI
- Implements some important features:
  - Single sign-on: no need to give one’s password every time
  - Delegation: a service can act on behalf of a person
  - Mutual authentication: both sides must authenticate to the other
- Introduces proxy certificates: short-lived certificates including their private key and signed with the user’s certificate
GSI General Overview
[Figure, based on a slide from the Globus tutorial: three layers]
- PKI (CAs and certificates) for credentials
- SSL/TLS for authentication and message protection
- Proxies and delegation (GSI extensions) for secure single sign-on
Virtual Organizations and authorization
- Grid users must belong to a Virtual Organization: a set of users belonging to a collaboration; each VO user has the same access privileges to Grid resources
- VOs maintain a list of their members; the list is downloaded by Grid machines to map user certificate subjects to local “pool” accounts: only mapped users are authorized in LCG
- Sites decide which VOs to accept
grid-mapfile (excerpt):
...
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
...
Globus command line interface: certificate and proxy management
Get information on a user certificate: grid-cert-info [-help] [-file certfile] [OPTION]...
    -all              whole certificate
    -subject | -s     subject string
    -issuer | -i      issuer
    -startdate | -sd  start of validity
    -enddate | -ed    end of validity
Create a proxy certificate: grid-proxy-init
Destroy a proxy certificate: grid-proxy-destroy
Get information on a proxy certificate: grid-proxy-info
Secure your services - but how?
[Figure: a client program with a user certificate talks to a server with a host certificate; each side uses a security library, and authorisation is performed on the server side.]
Different kinds of services
- “Simple” services with standard socket communication: any service written in C/C++, Java, Python, Perl, etc. Use GSI libraries, e.g. those provided by Globus Toolkit 2 (http://www.globus.org/security/); the libraries handle certificate based authentication. Often considered 1st generation “Grid services”
- Web services: based on SOAP; 2nd generation “Grid services”
- Web sites
API: GSS-API and GSS Assist
- GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, RFC 2744)
  - Traditionally it interfaces to Kerberos; the Globus project interfaced it to GSI
  - Communication is kept separate: it just creates data buffers, it does not move them
  - Rather complicated to use… Documentation at http://docs.sun.com/app/docs/doc/816-1331 and http://www.gnu.org/software/gss/manual/html_node/index.html
- GSS-API as user interface to GSI: C API, Java API (http://www-unix.globus.org/cog/java/)
- The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it
Globus extensions
- Credential import and export: to pass credentials from one process to another or to store them in a file. Export to 1) an opaque buffer, or 2) a file in GSI native format: gss_import_cred(), gss_export_cred()
- Delegation at any time, a lot more flexible than standard GSS-API delegation:
  - Delegation at times other than context establishment
  - Possible to delegate credentials different from those used for context establishment, even for different mechanisms! Ex.: delegate a Kerberos credential over a context established with GSI
  - gss_init_delegation(), gss_accept_delegation()
- Credential extension handling: support for credential information other than just the identity
- Set context options at the server side
- Documentation: http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf and ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h
Web Service Security
- Transport level security: SOAP messages are transmitted encrypted; used by some gSOAP GSI plugins; based on SSL/TLS
- Message level security: WS-Security, a set of SOAP extensions to implement integrity and confidentiality in Web Services; the <Security> header contains the security-related information (http://www-128.ibm.com/developerworks/library/ws-secure/)
  - WS-SecureConversation defines how to establish secure contexts and exchange keys
  - Performance issue
  - Used in Globus Toolkit 4
Performance - Mutual Authentication
Having secure connections creates a performance overhead. Let’s have a look at the detailed steps between Bob and Alice:
- Bob uses his proxy to create a request (incl. public key, about 2000 bytes)
- Alice uses her private key to sign the request and sends the signed certificate back (in addition, the CAs have to match)
- Alice generates a random message and sends it to Bob, asking Bob to encrypt it
- Bob encrypts the message using his private key and sends it back to Alice
- Alice decrypts the message using Bob’s public key. If this results in the original random message, then Alice knows that Bob is who he says he is
- Now that Alice trusts Bob’s identity, the same operation must happen in reverse
By default, all further message exchange is not encrypted!
Some performance numbers
[Figure: performance numbers; source: http://webservices.sys-con.com/read/204424.htm]
Cryptography is CPU intensive
WS-SecureConversation: symmetric cryptography only, once the keys have been exchanged
Securing Web sites (Portals)
- An HTML web site is not a web service: a Web service provides a programmable interface via SOAP, whereas a Web page is purely HTML (potentially generated by tools such as JSP, etc.)
- One can still use Grid security for that purpose:
  - Need to load the certificate into the web browser
  - Server side (Web server) needs to use Grid security technologies
  - Example: http://www.gridsite.org provides modules for the Apache server
Certificate Request / Obtaining a certificate
[Figure: entities CA, VO, user, service. The user runs grid-cert-request, producing a cert-request that is sent to the CA; this is done once every year.]
Certificate Signing
[Figure: the CA checks and signs the request (cert signing) and returns the certificate to the user.]
Preparation for Registration in VO
[Figure: the user converts the certificate into cert.pkcs12 (convert).]
Goal: the user needs to register with a certain VO
Registration
[Figure: the user registers with the VO (registration) using cert.pkcs12; the VO provides usage guidelines and account registration.]
Account registration is done once for the lifetime of the VO (only the DN is registered, not the keys, so they may change)
Starting a Session with Globus
[Figure: the user runs grid-proxy-init to obtain a proxy-cert; this is done every 12/24 hours.]
Usage
You must have a valid certificate from a trusted CA!
“login”: grid-proxy-init (short lifetime certificate: 24 hours)
    Enter PEM pass phrase:
    ...........................+++++
    ....................................+++++
checking the proxy: grid-proxy-info -subject
    /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy
-> use the Grid services
“logout”: grid-proxy-destroy
Certificate Request for a Host
[Figure: on the service side, grid-cert-request produces a host-request that is sent to the CA; this is done once every year.]
Signing the Certificate
[Figure: the CA signs the host request (cert signing) and returns the host-cert to the service.]
Configuration on the Server
[Figure: the service installs the CA certificate (ca-certificate) and the CRL (crl) and keeps them current (cert/crl update). In EDG they are automatically updated every night/week.]
Service
You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
- Registering a trusted CA: /etc/grid-security/certificates holds the hashed cert, crl and url
- Generating a gridmap file: mkgridmap writes /etc/grid-security/gridmap, the DN -> userid/gid mapping (see Authorisation)
- Generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)
Service: CA Certificates (example)
ls /etc/grid-security/certificates
0ed6468a.0               c35c1972.0               d64ccb53.0
0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
0ed6468a.r0              c35c1972.r0              d64ccb53.r0
0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
16da7552.0               cf4ba8c8.0               df312a4e.0
16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
16da7552.r0              cf4ba8c8.r0              df312a4e.r0
16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy
In general:
*.0 … CA certificate (the file name is the hash of the CA subject)
*.r0 … Certificate Revocation List (CRL)
*.crl_url … URL from which the CRL is downloaded
*.signing_policy … subject namespaces the CA is allowed to sign
Service: a CA certificate (example)
cat c35c1972.signing_policy
# EACL CERN CA
access_id_CA X509 '/C=CH/O=CERN/CN=CERN CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

openssl x509 -in c35c1972.0 -text
    Issuer: C=CH, O=CERN, CN=CERN CA                <- the issuer and the subject are the same:
    Subject: C=CH, O=CERN, CN=CERN CA               <- self-signed certificate
    [...]
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE                                 <- it may be used to sign other certificates
        Netscape Cert Type:
            SSL CA, S/MIME CA, Object Signing CA    <- it is a CA certificate
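The check a site performs with the signing_policy above, as an added example that is not code from the slides or from Globus: parse the EACL file and accept a subject DN only if the issuing CA is listed with the CA:sign right and the subject falls inside a namespace that CA may sign. The policy text is a constructed copy of the one shown, and matching with fnmatch globs is an approximation of the Globus matcher.

```python
import fnmatch
import shlex

# Constructed copy of the signing_policy file shown above (EACL format).
SIGNING_POLICY = """\
# EACL CERN CA
access_id_CA X509 '/C=CH/O=CERN/CN=CERN CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'
"""

def parse_signing_policy(text):
    """Return {issuer DN: {"rights": set, "subjects": [globs]}}.

    A file may hold several access_id_CA blocks; pos_rights and cond_subjects
    lines apply to the most recent access_id_CA."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours the single quotes
        if tokens[0] == "access_id_CA" and len(tokens) == 3:
            current = policy.setdefault(tokens[2], {"rights": set(), "subjects": []})
        elif current is None:
            raise ValueError(f"{tokens[0]} before any access_id_CA line")
        elif tokens[0] == "pos_rights" and len(tokens) == 3:
            current["rights"].add(tokens[2])
        elif tokens[0] == "cond_subjects" and len(tokens) == 3:
            # The quoted value is itself a list of double-quoted globs.
            current["subjects"].extend(shlex.split(tokens[2]))
    return policy

def subject_allowed(policy, issuer_dn, subject_dn):
    """A certificate is acceptable only if its issuer is a listed CA with the
    CA:sign right AND its subject falls inside a namespace that CA may sign.
    Globs are matched case-sensitively (an approximation of the Globus
    matcher); anything not explicitly allowed is denied."""
    entry = policy.get(issuer_dn)
    if entry is None or "CA:sign" not in entry["rights"]:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, g) for g in entry["subjects"])
```

A certificate whose CA signature verifies is still rejected here when the subject lies outside the CA's namespace, which is what stops one trusted CA from issuing names that belong to another.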
Certificate Revocation List (CRL) (example)
openssl crl -in c35c1972.r0 -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA             <- the issuer is the CA itself
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT       <- next update: shall be checked
Revoked Certificates:
    Serial Number: 5A                               <- the revoked certificate’s serial number
        Revocation Date: May 24 16:45:52 2002 GMT
    Signature Algorithm: md5WithRSAEncryption       <- signature, as usual
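An added example (not from the slides or from OpenSSL) that parses the `openssl crl -text` output above and makes the two decisions the annotations call for: whether the CRL is still current (Next Update) and whether a certificate's serial number is revoked. The CRL text is a constructed copy of the one shown and the status strings are my own.

```python
from datetime import datetime, timezone

# Constructed copy of the `openssl crl -text` output shown above.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT
Revoked Certificates:
    Serial Number: 5A
        Revocation Date: May 24 16:45:52 2002 GMT
    Signature Algorithm: md5WithRSAEncryption
"""

def parse_openssl_time(text):
    # OpenSSL prints "Jul  1 17:53:17 2002 GMT"; strptime's whitespace handling
    # absorbs the double space before a single-digit day.
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    """Extract issuer, validity window and {serial: revocation date}."""
    crl = {"issuer": None, "last_update": None, "next_update": None, "revoked": {}}
    serial = None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if key == "Issuer":
            crl["issuer"] = value.strip()
        elif key == "Last Update":
            crl["last_update"] = parse_openssl_time(value)
        elif key == "Next Update":
            crl["next_update"] = parse_openssl_time(value)
        elif key == "Serial Number":
            serial = int(value, 16)             # serials are printed in hex
            crl["revoked"][serial] = None
        elif key == "Revocation Date" and serial is not None:
            crl["revoked"][serial] = parse_openssl_time(value)
    return crl

def certificate_status(crl, issuer_dn, serial, now):
    """What a site should conclude about certificate (issuer, serial) at `now`
    from the CRL it holds. A stale CRL is reported rather than silently trusted:
    the revocations it lists are still known, but newer ones may be missing."""
    if crl["issuer"] != issuer_dn:
        return "wrong-crl"      # this CRL says nothing about that CA
    if serial in crl["revoked"]:
        return "revoked"
    if now > crl["next_update"]:
        return "crl-stale"      # Next Update has passed: refresh before trusting
    return "ok"
```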
Grid-mapfile (example)
cat /etc/grid-security/gridmap
"/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
"/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
"/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/[email protected]" aliprod
"/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/[email protected]" aliprod
"/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
"/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
"/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
"/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/[email protected]" yannick
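The grid-mapfile lookup described under “Virtual Organizations and authorization” and illustrated above, as an added example that is not code from the slides or from Globus: parse the file, strip the /CN=proxy component that grid-proxy-init appends, and map the subject to a fixed local account or to an LCG pool account. The mapfile content is constructed from entries shown on the slides (the account names are my own), and the handling of /CN=limited proxy is my assumption about legacy GSI proxies.

```python
import shlex

# Constructed grid-mapfile combining the two forms shown on the slides: fixed
# local accounts ("odor", "juser") and LCG pool accounts (".dteam", leading dot).
GRIDMAP = """\
"/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe User" juser
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"""

def parse_gridmap(text):
    """Return {subject DN: local account or pool name} from a grid-mapfile."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # the DN is double-quoted and contains spaces
        if len(tokens) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, account = tokens
        mapping[dn] = account
    return mapping

def strip_proxy(subject):
    """Reduce a proxy subject to the user DN it was derived from: grid-proxy-init
    appends /CN=proxy (legacy GSI also uses /CN=limited proxy), and the mapfile is
    keyed on the user's own DN. Several levels of delegation stack several CNs."""
    parts = subject.split("/")
    while parts and parts[-1] in ("CN=proxy", "CN=limited proxy"):
        parts.pop()
    return "/".join(parts)

def map_subject(mapping, subject):
    """Authorization decision: ("user", account) for a fixed mapping, ("pool", vo)
    for an LCG pool account, or None when the subject is not in the file, in
    which case the site must refuse the request."""
    account = mapping.get(strip_proxy(subject))
    if account is None:
        return None
    if account.startswith("."):
        return ("pool", account[1:])
    return ("user", account)
```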
Abbreviations
CA – Certificate Authority
CP – Certificate Policy
CPS – Certificate Practice Statement
CRL – Certificate Revocation List
GSI – Grid Security Infrastructure
GSS – Generic Security Service
PKI – Public Key Infrastructure
SSL – Secure Socket Layer
TLS – Transport Layer Security
VO – Virtual Organization
VOMS – Virtual Organization Membership Service
Conclusion
Security is important for Grid middleware:
- In particular in commercial use
- Security solutions need to be integrated from the very beginning
Grid security relies on PKI; it requires authentication & authorisation
Basic entities: Users – CAs (Certificate Authorities) – Resource Providers
“We had a security concept from the very beginning but decided to deal with security later”
The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic area "Life sciences, genomics and biotechnology for health," contract number LHSG-CT-2004-512092.
Thanks to Andrea Sciabà (CERN) for reusing some of his slides