Grid Computing Fall 2006: Grid Security Infrastructure (GSI) by Paul A. Farrell - Prof. Pa, Study notes of Computer Science

An overview of the Grid Security Infrastructure (GSI) used in grid computing. It covers the basics of public-key cryptography, digital signatures, certificates, mutual authentication, and confidential communication. The document also discusses the need for secure communication in the grid, the use of virtual organizations (VOs), and the process of acquiring user and host certificates. It further explains the concepts of mutual authentication, delegation, and single sign-on.

Typology: Study notes

Pre 2010

Uploaded on 08/01/2009

Grid Computing Fall 2006
Security - GSI
Paul A. Farrell
Dept of Computer Science, Kent State University
10/16/2006

Grid Security Infrastructure (GSI)

• Set of tools, libraries, and protocols used in Globus and other grid middleware to allow users and applications to access resources securely
• Based on PKI, with certificate authorities and X.509 certificates
• GSI provides:
  - A public-key system
  - Mutual authentication through digital certificates
  - Credential delegation and single sign-on
• Motivated by:
  - Need for secure, authenticated communication in the Grid
  - Need to support security across organizations, but without central management
  - Need to support single sign-on, including delegation of credentials for computations that involve multiple resources and/or sites

Grid Security Infrastructure (GSI)

• PKI (CAs and certificates) for credentials
• SSL/TLS: Secure Sockets Layer (SSL) for authentication and message protection
• Proxies and delegation (GSI extensions) for secure single sign-on

Basics

• Public-key cryptography
  - Two keys, private and public, one to encrypt, one to decrypt
• Digital signature
  - A hash of the message, encrypted with my private key
• Certificate
  - My public key, digitally signed by the Certificate Authority
  - IF you trust the CA, AND believe that you have the public key of the CA, THEN you can believe that the public key in the message is mine
• Mutual authentication
  - If two parties have certificates, and both parties trust the CA that signed the other's certificate, then the two parties can prove to each other that they are who they say they are
• Confidential communication
  - Encrypted communication is NOT the default in GSI. However, the public keys can be used to exchange a shared secret key for encrypted messages if desired

Grid security technologies & requirements

• Technologies
  - Security is NOT based on interorganizational trust relationships
    • It is based on the use of a virtual organization (VO) as a bridge among entities in a particular community or function
• Requirements
  - Must support scalable, dynamic, distributed VOs
  - Key attributes of VOs are that
    • Participants and resources are governed by classical organizations of which they are members
    • Some VOs are long-lived, others short-lived, so the overhead of security must be small
  - VO access must be established and coordinated
    • Between the local user and the organization
    • Between the VO and the user
  - CANNOT assume trust relationships between the classical organization and the VO or its external members

Acquiring certificates

• All users and services need to have a certificate issued from a trusted certificate authority (CA).
• It is highly recommended that the builders of production grids either establish their own trusted CA or use an established commercial CA.
• The SimpleCA package can be used to run your own CA.

Acquiring user and host certificates

• To request a user certificate, the user simply runs "grid-cert-request" on a system that has GT4 installed.
• grid-cert-request will ask for a password to protect your key, and give you a set of instructions for how to mail your request to the CA.
• To request a host certificate, the administrator (root) runs "grid-cert-request".

grid-cert-request

• When you run the grid-cert-request command, it will generate three files:
  - usercert_request.pem: the request that you need to send to the CA
  - userkey.pem: contains the private key
  - usercert.pem: a 0-byte file
• This is not your certificate! It is merely a placeholder that helps to remind you where to put your certificate when the CA responds to your request.

Mutual Authentication

[Figure: User A and User B with Certificate A and Certificate B, exchanging Cert A and Cert B]

1) Connection established
2) A sends B its certificate
3) B sends A a plaintext file
4) A encrypts B's plaintext file with Cert A and sends it to B
   a) Check the validity of Cert Authority based on digital signature of Cert Authority
   b) Extract the public key of A
5) B decrypts the encrypted message; if this matches the original message, B can trust A now.

B sends its certificate and A then authenticates it similarly.

Delegation and single sign-on

• If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's passphrase can be avoided by creating a proxy.

Proxy certificate

• A proxy consists of:
  - A new certificate (with a new public key in it) and a new private key.
  - The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy.
  - The new certificate is signed by the owner, rather than a CA.
  - The certificate also includes a time notation after which the proxy should no longer be accepted by others.
  - The proxy certificate is stored in /tmp on Linux, usually as /tmp/x509up_u<userID> or /tmp/x509up_u_<username>.

Use of proxy certificate

• The proxy's private key must be kept secure, but not for very long.
• Usually the proxy's private key is kept in a local storage system without being encrypted.
  - File permissions prevent anyone else from looking at them easily.
• Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password.
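
Because the proxy's private key sits unencrypted in /tmp, the file itself can be audited before it is relied on. The following is an added example, not part of the original notes or of Globus; the function names and the specific checks are assumptions, and only the /tmp/x509up_u<userID> path comes from the slide.

```python
import os
import stat

def default_proxy_path(uid=None):
    """Path named in the notes: /tmp/x509up_u<userID>."""
    return "/tmp/x509up_u%d" % (os.getuid() if uid is None else uid)

def audit_proxy_file(path, expected_uid=None):
    """Return a list of findings; an empty list means the file passes."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)  # lstat: never follow a link placed in shared /tmp
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d" % st.st_uid)
    # The key is unencrypted, so any group/other permission bit exposes it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_size == 0:
        findings.append("empty file")
    return findings

if __name__ == "__main__":
    path = default_proxy_path()
    print(path, audit_proxy_file(path) or "ok")
```
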

Proxy certificate chain of trust

• The remote party receives the proxy's certificate (signed by the owner), and also the owner's certificate.
• During mutual authentication, the owner's public key (obtained from the certificate) is used to validate the signature on the proxy certificate.
• The CA's public key is then used to validate the signature on the owner's certificate.
• This establishes a chain of trust from the CA to the proxy through the owner.

Creating a proxy certificate

• To create a proxy with the default expiration (12 hours), run the grid-proxy-init program. For example:

    % grid-proxy-init

• The subject of a proxy certificate is the same as the subject of the certificate that signed it, with /CN=proxy added to the name.
• A host gatekeeper will accept job requests submitted by the user, as well as any proxies he has created.
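
The checks from the mutual authentication and chain-of-trust slides, as an added example that is not part of the original notes: a toy model in which certificates are Python dicts and signatures are textbook RSA over Mersenne primes (illustrative only, no padding). The function names, subject names, key sizes and timestamps are all assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy RSA key (n, d) from the Mersenne primes 2**a-1 and 2**b-1; not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):       # "a hash of the message, encrypted with my private key"
    n, d = key
    return pow(digest(data, n), d, n)

def verify(data, sig, n):  # recover the hash with the signer's public key
    return pow(sig, E, n) == digest(data, n)

def body(cert):
    return repr([cert[k] for k in ("subject", "n", "issuer", "not_after")]).encode()

def issue(subject, pub_n, issuer, issuer_key, not_after):
    cert = {"subject": subject, "n": pub_n, "issuer": issuer, "not_after": not_after}
    cert["sig"] = sign(body(cert), issuer_key)
    return cert

def validate_chain(proxy, owner, ca_n, now):
    """The CA's key checks the owner certificate; the owner's key checks the proxy."""
    if not verify(body(owner), owner["sig"], ca_n):
        return "owner certificate not signed by trusted CA"
    if not verify(body(proxy), proxy["sig"], owner["n"]):
        return "proxy not signed by owner"
    if proxy["subject"] != owner["subject"] + "/CN=proxy":
        return "proxy subject must be owner subject + /CN=proxy"
    if now > min(proxy["not_after"], owner["not_after"]):
        return "expired"
    return "ok"

def answer_challenge(plaintext, key):
    """The prover transforms the verifier's plaintext with its private key."""
    return sign(plaintext, key)

# Constructed sample data: names, key sizes and times (in seconds) are made up.
CA_KEY, OWNER_KEY, PROXY_KEY = keypair(521, 607), keypair(107, 127), keypair(61, 89)
ALICE = "/O=Grid/OU=Example/CN=Alice"
OWNER = issue(ALICE, OWNER_KEY[0], "/O=Grid/CN=Example CA", CA_KEY, 365 * 86400)
PROXY = issue(ALICE + "/CN=proxy", PROXY_KEY[0], ALICE, OWNER_KEY, 12 * 3600)
```

A verifier would call `validate_chain` first and only then send a fresh plaintext, checking the reply with `verify` against the public key in the proxy certificate.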

GSI system configuration

• GSI directories
  - Trusted CA directory: contains the CA certificates and associated files trusted by the Globus installation
    • If they are generated using SimpleCA by user globus, they are in ~globus/.globus/SimpleCA
  - Grid Security directory: contains symbolic links to the certificate request configuration files