Grid Security Heinz Stockinger Swiss Institute of Bioinformatics Lausanne, Switzerland EMBRACE Grid Tutorial, Helsinki, 16 June 2006
Page 1: Grid Security

Grid Security

Heinz Stockinger, Swiss Institute of Bioinformatics, Lausanne, Switzerland

EMBRACE Grid Tutorial, Helsinki, 16 June 2006

Page 2: Grid Security

Grid Security - n° [email protected]

I guess you all know that …


Page 3: Grid Security

How about that one?

Page 4: Grid Security

What does this have to do with computing?

Well, it's all about codes and access to information.

In Grid computing: limit access to resources, and do it with standard computer security techniques.

Page 5: Grid Security

Motivation: Security in the Grid

In industry, several security standards exist:
- Public Key Infrastructure (PKI): PKI keys, SPKI keys (focus on authorisation rather than identity certificates), RSA
- Secure Sockets Layer (SSL)
- SSH keys
- Kerberos

Need for a common security standard for Grid services: the standards above do not meet all Grid requirements on their own (e.g. delegation, single sign-on).

The Grid community mainly uses X.509 PKI for the Internet: well established and widely used (also for the web, e-mail, etc.).

Page 6: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 7: Grid Security

Introduction

Distribution of resources: secure access is a basic requirement
- secure communication, secure data, secure resources, etc.
- security across organisational boundaries
- single sign-on for users of the Grid

Three basic concepts:
- Secure communication: data encryption
- Authentication: who am I? "Equivalent" to a passport, ID card, etc.
- Authorisation: what can I do? Certain permissions, duties, etc.

Page 8: Grid Security

Data Encryption

Symmetric encryption: the same key ("secret") is used for encryption and decryption
- DES / 3DES, IDEA (Kerberos is a protocol built on symmetric keys rather than a cipher itself)
- diagram: clear text message -> Encryption -> encrypted text -> Decryption -> clear text message, with one shared key at both ends

Asymmetric encryption: different keys are used for encryption and decryption
- RSA, DSA
- diagram: clear text message -> Encryption with key A -> encrypted text -> Decryption with key B -> clear text message

Note that DES (56-bit key) and by now also 3DES are legacy ciphers; current deployments use AES.

Page 9: Grid Security

Authentication

Do we want authorised users or anonymous access to our service?

How can I prove who I am?
- In private life: people have passports and identity cards, issued by a certain authority
- In office life: we use ids and passwords to access computers

Page 10: Grid Security

Certificate = "Grid Passport"

Public Key Infrastructure: use a public and a private key

A passport has several important items; so does a Grid certificate:
- Name
- Issuer (Certificate Authority)
- Validity

Page 11: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 12: Grid Security

Public Key Infrastructure (PKI)

Asymmetric encryption (diagram: clear text message -> encrypt with the public key -> encrypted text -> decrypt with the private key -> clear text message)

Digital signatures
- a hash derived from the message is encrypted (signed) with the signer's private key
- the signature is checked by decrypting it with the signer's public key and comparing the result with a freshly computed hash of the message

Allows key exchange in an insecure medium using a trust model
- keys are trusted only if signed by a trusted third party (Certification Authority)
- a CA certifies that a key belongs to a given principal

Certificate: public key + information about the principal + CA signature; the X.509 format is the most used

PKI is used by SSL, PGP, GSI, WS-Security, S/MIME, etc.

Page 13: Grid Security

PKI – Example

Entity A (Alice) owns a key pair: public key e, private key d. The public key defines the encryption transformation Ee, the private key the decryption transformation Dd.

Entity B (Bob), wishing to send a message m to A:
- obtains A's public key e
- computes the ciphertext c = Ee(m) and sends c to A

A applies the decryption transformation: m = Dd(c).

Page 14: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 15: Grid Security

X.509 certificates and authentication

Exchange between A and B (diagram):
1. A sends A's certificate to B
2. B verifies the CA signature on the certificate
3. B sends a random phrase to A
4. A encrypts the phrase with A's private key and returns the encrypted phrase
5. B decrypts it with A's public key (taken from the certificate) and compares the result with the original phrase

Structure of an X.509 certificate (example):
- Public key
- Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
- Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
- Expiration date: Aug 26 08:08:14 2005 GMT
- Serial number: 625 (0x271)
- CA digital signature

Performance! The public-key operations in this exchange are the expensive part (see the performance slides later).
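The exchange above, together with the Ee/Dd notation of page 13 and the hash-and-sign signature of page 12, as an added example in Python; this is not code from the tutorial or from Globus. It uses textbook RSA with toy-sized primes (marked in the code) so that the arithmetic stays visible, and the "certificate" is a plain dictionary rather than X.509; the CA name and subject DN are the slide's example values. Run once in each direction, this is the mutual authentication that page 35 describes.

```python
# Added example (not from the tutorial): textbook RSA in the notation of
# page 13 (E_e, D_d), a hash-and-sign signature as on page 12, and the
# certificate-plus-challenge authentication of the page 15 diagram.
# The primes are Mersenne primes far too small for real use (modulus of
# ~150 bits) and the "certificate" is a dict, not X.509: both are
# assumptions of this example, chosen to make each step readable.
import hashlib
import secrets
from math import gcd

P = 2**61 - 1                      # toy primes (both known primes)
Q = 2**89 - 1


def keygen(p=P, q=Q, e=65537):
    """Return (public key (n, e), private key (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def E(pub, m):
    """Encryption transformation E_e: anyone holding e can apply it."""
    n, e = pub
    return pow(m, e, n)


def D(priv, c):
    """Decryption transformation D_d: only the holder of d can apply it."""
    n, d = priv
    return pow(c, d, n)


def _digest(data, n):
    # hash first, then operate on the short hash rather than the whole message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)         # "encrypt the hash with the private key"


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)  # "decrypt with the public key", compare


def tbs(subject, issuer, serial, pub):
    """To-be-signed bytes of a minimal certificate (page 15's fields)."""
    return f"{serial}|{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, ca_name, subject, serial, pub):
    """The CA binds a public key to a subject by signing the certificate body."""
    return {"subject": subject, "issuer": ca_name, "serial": serial, "pub": pub,
            "sig": sign(ca_priv, tbs(subject, ca_name, serial, pub))}


def verify_cert(cert, ca_pub):
    body = tbs(cert["subject"], cert["issuer"], cert["serial"], cert["pub"])
    return verify(ca_pub, body, cert["sig"])


def authenticate(a_cert, a_priv, ca_pub):
    """B's side of the page 15 exchange, with A's single response inlined."""
    if not verify_cert(a_cert, ca_pub):           # 2. verify the CA signature
        return False
    n, _ = a_cert["pub"]
    phrase = secrets.randbelow(n)                 # 3. random phrase
    response = D(a_priv, phrase)                  # 4. A "encrypts" with its private key
    return E(a_cert["pub"], response) == phrase   # 5. decrypt with A's public key, compare


if __name__ == "__main__":
    user_pub, user_priv = keygen()
    ca_pub, ca_priv = keygen(2**107 - 1, 2**127 - 1)
    cert = issue_cert(ca_priv, "/C=CH/O=CERN/OU=GRID/CN=CERN CA",
                      "/C=CH/O=CERN/OU=GRID/CN=John Smith 8968", 625, user_pub)
    print("A authenticated to B:", authenticate(cert, user_priv, ca_pub))
```

The example makes the two failure modes explicit: a certificate whose subject was altered after signing fails `verify_cert`, and a party who presents a valid certificate but does not hold the matching private key fails the challenge in `authenticate`.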

Page 16: Grid Security

X.509, alias ISO/IEC 9594-8

X.509 is an ITU standard: ITU-T Recommendation X.509 (1997 E), Information technology - Open Systems Interconnection - The Directory: Authentication Framework

Defines a certificate format (originally designed for the X.500 directory)

Latest standard: X.509 version 3 certificate format

An X.509 certificate includes:
- user identification (someone's subject name)
- public key
- a "signature" from a Certificate Authority (CA) that:
  - proves that the certificate came from the CA
  - vouches for the subject name
  - vouches for the binding of the public key to the subject

Page 17: Grid Security

Involved entities (diagram)
- User: holds a public key, a private key and a certificate
- Certificate Authority (CA)
- Resource (site offering services)

Page 18: Grid Security

Certification Authorities
- issue certificates for users, programs and machines
- check the identity and the personal data of the requestor; Registration Authorities (RAs) do the actual validation
- manage Certificate Revocation Lists (CRLs): they list the revoked certificates that have not yet expired
- CA (root) certificates are self-signed, so trust in a CA comes from deliberately installing its certificate, not from verifying it
- in Grid projects only certain CAs are mutually recognised

Page 19: Grid Security

Certificate classification

User certificate
- issued to a physical person
- DN = C=CH, O=CERN, OU=GRID, CN=John Smith
- the only kind of certificate good for a client, i.e. to send Grid jobs etc.

Host certificate
- issued to a machine (e.g. a secure web server)
- request signed with a user certificate
- DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch

Grid host certificate
- issued to a Grid service (e.g. a Resource Broker, a Computing Element)
- request signed with a user certificate
- DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch

Service certificate
- issued to a program running on a machine
- request signed with a user certificate
- DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

Page 20: Grid Security

Grid Certificate

A certificate needs to be requested from a Certificate Authority.

When using the Grid Security Infrastructure (GSI), the credential is kept in two files (by default under ~/.globus):
- usercert.pem: the certificate (public)
- userkey.pem: the private key, protected by a pass phrase

The private key file must be readable by its owner only; the Globus tools refuse to use a userkey.pem that other users can read.

Page 21: Grid Security

X.509 Certificate Example (1)

openssl x509 -in ~/.globus/usercert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)                                    <- X.509 v3, with extensions
        Serial Number: 199 (0xc7)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA           <- issuing CA
        Validity
            Not Before: Sep 25 10:33:05 2005 GMT            <- long-term certificate (one year)
            Not After : Sep 24 10:33:05 2006 GMT
        Subject: O=Grid, O=CERN, OU=cern.ch, CN=Joe User    <- user identification
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption             <- public key
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d6:6a:f3:ad:e3:b2:2e:98:32:7f:dd:44:89:38:
                    [...]

Two things in this 2006 example would be rejected today: md5WithRSAEncryption (MD5 collisions allow forged certificates) and a 1024-bit RSA key (2048 bits is the accepted minimum now); current CAs sign with sha256WithRSAEncryption.

Page 22: Grid Security

X.509 Certificate Example (2)

        X509v3 extensions:                                  <- certificate extensions
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                71:BC:FC:29:4E:E9:4E:7C:C9:E4:F9:A2:6C:77:4A:E4:55:82:86:53
            X509v3 CRL Distribution Points:                 <- where to fetch the Certificate Revocation List
                URI:http://service-grid-ca.web.cern.ch/service-grid-ca/cgi-bin/getCRL
            X509v3 Issuer Alternative Name:
                email:[email protected]
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.96.10.1.2.1
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing          <- client/user certificate
            Netscape Base Url:
                http://service-grid-ca.web.cern.ch/service-grid-ca/
    Signature Algorithm: md5WithRSAEncryption               <- CA signature over the information above
        54:8b:66:e8:dc:60:cd:e3:dc:43:a7:c9:3a:12:2c:73:05:13:
        [...]

Page 23: Grid Security

Private Key Example

openssl rsa -in ~/.globus/userkey.pem -text
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus: [...]
publicExponent: ..... (0x......)
privateExponent: [...]                  <- private parameters
prime1: [...]
prime2: [...]
exponent1: [...]
exponent2: [...]
coefficient: [...]
writing RSA key
-----BEGIN RSA PRIVATE KEY-----         <- PEM encoded private key
-----END RSA PRIVATE KEY-----

Without -noout this command also prints the private key unencrypted; add -noout when only the parameters are wanted, and never paste the output anywhere.

Page 24: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 25: Grid Security

Globus Grid Security Infrastructure (GSI)
- de facto standard for Grid middleware
- based on PKI
- implements some important features:
  - single sign-on: no need to give one's pass phrase every time
  - delegation: a service can act on behalf of a person
  - mutual authentication: both sides must authenticate to the other
- introduces proxy certificates: short-lived certificates, each with its own private key, signed with the user's long-term private key (so the chain is CA -> user certificate -> proxy)

Page 26: Grid Security

GSI General Overview (diagram, based on a slide from the Globus tutorial)
- PKI (CAs and certificates): PKI for credentials
- SSL/TLS: SSL for authentication and message protection
- Proxies and delegation (GSI extensions): for secure single sign-on

Page 27: Grid Security

Virtual Organizations and authorization

Grid users must belong to a Virtual Organization (VO)
- sets of users belonging to a collaboration
- each VO user has the same access privileges to Grid resources

VOs maintain a list of their members
- the list is downloaded by Grid machines to map user certificate subjects to local "pool" accounts: only mapped users are authorized in LCG
- sites decide which VOs to accept

grid-mapfile (excerpt):
...
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
...

Page 28: Grid Security

Globus command line interface: certificate and proxy management

Get information on a user certificate: grid-cert-info [-help] [-file certfile] [OPTION]...
  -all              whole certificate
  -subject | -s     subject string
  -issuer | -i      issuer
  -startdate | -sd  start of validity
  -enddate | -ed    end of validity

Create a proxy certificate: grid-proxy-init

Destroy a proxy certificate: grid-proxy-destroy

Get information on a proxy certificate: grid-proxy-info

Page 29: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 30: Grid Security

Secure your services - but how? (diagram)
- client program, holding a user certificate, talks through a security library
- Server, holding a host certificate, answers through its own security library and then applies authorisation

Page 31: Grid Security

Different kinds of services

"Simple" services with standard socket communication
- any service written in C/C++, Java, Python, Perl, etc.
- use GSI libraries, e.g. provided by Globus Toolkit 2 (http://www.globus.org/security/); the libraries handle certificate based authentication
- often considered 1st generation "Grid services"

Web services
- based on SOAP
- 2nd generation "Grid services"

Web sites

Page 32: Grid Security

API: GSS-API and GSS Assist

GSS-API (Generic Security Services Application Programming Interface) is a generic API for client-server authentication (RFC 2743, RFC 2744)
- traditionally it interfaces to Kerberos; the Globus project interfaced it to GSI
- communication is kept separate: the API only creates data buffers (tokens), it does not move them; the application carries them over its own transport
- rather complicated to use…
- documentation at http://docs.sun.com/app/docs/doc/816-1331 and http://www.gnu.org/software/gss/manual/html_node/index.html

GSS-API as user interface to GSI: C API, Java API (http://www-unix.globus.org/cog/java/)

The Globus GSS Assist routines are designed to simplify the use of the GSS-API: they are a thin layer over it

Page 33: Grid Security

Globus extensions

Credential import and export
- to pass credentials from one process to another, or to store them in a file
- export to 1) an opaque buffer, or 2) a file in GSI native format
- gss_import_cred(), gss_export_cred()

Delegation at any time: a lot more flexible than standard GSS-API delegation
- delegation at times other than context establishment
- possible to delegate credentials different from those used for context establishment, even for different mechanisms! Ex.: delegate a Kerberos credential over a context established with GSI
- gss_init_delegation(), gss_accept_delegation()

Credentials extension handling: support for credential information other than just the identity

Set context options at the server side

Documentation: http://www.ggf.org/documents/GWD-I-E/GFD-E.024.pdf and ${GLOBUS_LOCATION}/include/gcc32dbg/gssapi.h

Page 34: Grid Security

Web Service Security

Transport level security
- SOAP messages are transmitted over an encrypted channel
- based on SSL/TLS
- used by some gSOAP GSI plugins

Message level security: WS-Security
- set of SOAP extensions to implement integrity and confidentiality in Web Services
- the <Security> header contains the security-related information (http://www-128.ibm.com/developerworks/library/ws-secure/)
- WS-SecureConversation defines how to establish secure contexts and exchange keys
- performance issue: every message is protected individually
- used in Globus Toolkit 4

Page 35: Grid Security

Performance - Mutual Authentication

Having secure connections creates a performance overhead. Let's have a look at the detailed steps between Bob and Alice (the slide's simplified view; in GSI the steps are carried out inside the SSL/TLS handshake):
1. Bob uses his proxy to create a request (including a public key, about 2000 bytes)
2. Alice uses her private key to sign the request and sends the signed certificate back (in addition, the CAs have to match, i.e. each side must trust the other's CA)
3. Alice generates a random message and sends it to Bob, asking Bob to encrypt it
4. Bob encrypts the message using his private key and sends it back to Alice
5. Alice decrypts the message using Bob's public key; if this results in the original random message, then Alice knows that Bob is who he says he is
6. Now that Alice trusts Bob's identity, the same operation must happen in reverse

By default, all further message exchange is not encrypted!

Page 36: Grid Security

Some performance numbers

[chart not recoverable from the transcript; source: http://webservices.sys-con.com/read/204424.htm]

- cryptography is CPU intensive
- WS-SecureConversation: after the initial context establishment, symmetric cryptography only

Page 37: Grid Security

Securing Web sites (Portals)

An HTML web site is not a web service
- a Web service provides a programmable interface via SOAP
- a Web page is purely HTML (potentially generated by tools such as JSP, etc.)

One can still use Grid security for that purpose
- the user needs to load the certificate into the web browser (as a PKCS#12 file, see the registration slides)
- the server side (Web server) needs to use Grid security technologies
- example: http://www.gridsite.org provides modules for the Apache server

Page 38: Grid Security


Security Overview

Introduction

Public Key Infrastructure

Grid Certificates (X.509)

Grid Security Infrastructure (GSI)

Securing Services

GSI in Practice

Page 39: Grid Security

GSI Authentication using Globus (diagram)

Entities: CA, VO, user, service. The following slides build up the interactions between them step by step.

Page 40: Grid Security

Certificate Request / Obtaining a certificate (diagram)

user -> CA: cert-request, created with grid-cert-request (once every year)

Page 41: Grid Security

Certificate Signing (diagram)

CA -> user: certificate (cert signing), in reply to the cert-request sent with grid-cert-request

Page 42: Grid Security

Preparation for Registration in VO (diagram)

Goal: the user needs to register with a certain VO. The user converts the certificate and key into cert.pkcs12 (for the browser), in addition to the cert-request / cert signing steps above.

Page 43: Grid Security

Registration (diagram)

user -> VO: registration, using cert.pkcs12 loaded in the browser; the VO provides usage guidelines and account registration.

This happens once for the lifetime of the VO membership: only the DN is registered, not the keys, so the keys may change (e.g. at the yearly certificate renewal) without re-registering.

Page 44: Grid Security

Starting a Session with Globus (diagram)

user: grid-proxy-init creates a proxy-cert from the certificate, every 12/24 hours

Page 45: Grid Security

Usage

You must have a valid certificate from a trusted CA!

"login": grid-proxy-init
- creates a short-lifetime proxy certificate (the slide uses 24 hours; grid-proxy-init defaults to 12 and -hours sets it)
  Enter PEM pass phrase:
  ...........................+++++
  ....................................+++++

checking the proxy: grid-proxy-info -subject
  /O=Grid/O=CERN/OU=cern.ch/CN=Joe User/CN=proxy

-> use the Grid services

"logout": grid-proxy-destroy

Page 46: Grid Security

Certificate Request for a Host (diagram)

service -> CA: host-request, created with grid-cert-request (once every year), alongside the user-side steps above

Page 47: Grid Security

Signing the Certificate (diagram)

CA -> service: host-cert (cert signing), in reply to the host-request

Page 48: Grid Security

Configuration on the Server (diagram)

CA -> service: ca-certificate and crl (cert/crl update). In EDG this is updated automatically every night/week.

Page 49: Grid Security

Service

You must have the trusted CA certificates in files and the VO-LDAP server(s) URL configured.
- Registering a trusted CA: /etc/grid-security/certificates holds the hashed certificate, the CRL and the CRL URL for each CA
- Generating a gridmap file: mkgridmap writes /etc/grid-security/gridmap (the slide's name; the Globus default is /etc/grid-security/grid-mapfile), the DN -> userid/gid mapping (see Authorisation)
- Generating a host/service certificate: grid-cert-request -host (see user certificates for the whole process)

Page 50: Grid Security

Service: CA Certificates (example)

ls /etc/grid-security/certificates
0ed6468a.0               c35c1972.0               d64ccb53.0
0ed6468a.crl_url         c35c1972.crl_url         d64ccb53.crl_url
0ed6468a.r0              c35c1972.r0              d64ccb53.r0
0ed6468a.signing_policy  c35c1972.signing_policy  d64ccb53.signing_policy
16da7552.0               cf4ba8c8.0               df312a4e.0
16da7552.crl_url         cf4ba8c8.crl_url         df312a4e.crl_url
16da7552.r0              cf4ba8c8.r0              df312a4e.r0
16da7552.signing_policy  cf4ba8c8.signing_policy  df312a4e.signing_policy

In general (the eight hex digits are the hash of the CA's subject name):
*.0 … CA certificate
*.r0 … Certificate Revocation List (CRL)
*.signing_policy … which subject names this CA is allowed to sign (next slide)
*.crl_url … where to fetch the CRL from
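How the file names in this directory are derived, as an added Python example that is not part of the tutorial or of Globus. The OpenSSL 0.9.x releases that GSI used at the time name a CA by the first four bytes of the MD5 of the DER-encoded subject name, read little-endian and printed as eight hex digits (what `openssl x509 -subject_hash_old` prints in later releases). The DER encoder below assumes PrintableString for every attribute value, which real certificates need not use, so the authoritative hash for a given file is always the one OpenSSL prints. OpenSSL 1.0 and later hash a canonical form with SHA-1 instead, which is why IGTF-style distributions ship each CA under both names.

```python
# Added example (not from the tutorial): derive the <hash>.0 / <hash>.r0 /
# <hash>.signing_policy / <hash>.crl_url names of page 50 from a CA's DN.
# Assumption: every attribute value is a PrintableString (tag 0x13); a CA
# that encoded e.g. its CN as UTF8String would hash differently.
import hashlib

ATTR_OID = {                 # DER-encoded X.520 attribute type OIDs
    "C": b"\x55\x04\x06",    # 2.5.4.6  countryName
    "O": b"\x55\x04\x0a",    # 2.5.4.10 organizationName
    "OU": b"\x55\x04\x0b",   # 2.5.4.11 organizationalUnitName
    "CN": b"\x55\x04\x03",   # 2.5.4.3  commonName
    "L": b"\x55\x04\x07",    # 2.5.4.7  localityName
}


def der(tag, content):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def name_der(dn):
    """DER-encode '/C=..../O=..../CN=....' as an X.501 Name:
    SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    rdns = b""
    for rdn in dn.strip("/").split("/"):
        attr, _, value = rdn.partition("=")
        atv = der(0x30, der(0x06, ATTR_OID[attr]) + der(0x13, value.encode("ascii")))
        rdns += der(0x31, atv)            # one single-valued RDN per SET
    return der(0x30, rdns)


def subject_hash_old(dn):
    """OpenSSL's pre-1.0 X509_NAME_hash: MD5 of the DER name, first four
    bytes as a little-endian integer, eight lowercase hex digits."""
    digest = hashlib.md5(name_der(dn)).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"


def trust_files(dn):
    """The four files a site keeps per trusted CA, as on page 50."""
    h = subject_hash_old(dn)
    return [f"{h}.0", f"{h}.r0", f"{h}.signing_policy", f"{h}.crl_url"]


def missing_files(listing, dn):
    """Expected files for this CA that are absent from a directory listing."""
    present = set(listing)
    return [f for f in trust_files(dn) if f not in present]


if __name__ == "__main__":
    ca = "/C=CH/O=CERN/CN=CERN CA"
    print(subject_hash_old(ca), trust_files(ca))
```

The hash is only an index: after opening `<hash>.0`, OpenSSL still compares the full subject name, so an MD5 collision between two CA names would cost a lookup, not a trust decision.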

Page 51: Grid Security

Service: a CA certificate (example)

cat c35c1972.signing_policy
# EACL CERN CA
access_id_CA X509 '/C=CH/O=CERN/CN=CERN CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*" "/O=CERN/O=Grid/"'

openssl x509 -in c35c1972.0 -text
Issuer: C=CH, O=CERN, CN=CERN CA                <- the issuer and the subject are the same:
[...]
Subject: C=CH, O=CERN, CN=CERN CA               <- self-signed certificate
[...]
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE                                 <- it may be used to sign other certificates
    Netscape Cert Type:
        SSL CA, S/MIME CA, Object Signing CA    <- it is a CA certificate

Page 52: Grid Security

Certificate Revocation List (CRL) (example)

openssl crl -in c35c1972.r0 -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA         <- the issuer is the CA itself
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT   <- must be checked: past this date the CRL is stale and may miss revocations
Revoked Certificates:
    Serial Number: 5A                           <- the revoked certificate's serial number
        Revocation Date: May 24 16:45:52 2002 GMT
    Signature Algorithm: md5WithRSAEncryption   <- signature, as usual
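The two site-side checks behind the signing policy of page 51 and the CRL of page 52, as an added Python example that is neither tutorial nor Globus code. The inputs are the slides' own listings, reproduced as constructed text; the CRL gets one extra entry, serial C7, which is the serial of the user certificate shown on page 21, so that the example revokes something the reader has seen. The EACL parser handles only the three keywords on the slide (the real Globus parser handles more), and the CRL parser reads `openssl crl -text` output rather than DER.

```python
# Added example (not from the tutorial or Globus): is this CA allowed to
# have issued this subject (signing_policy), and is this serial revoked
# according to a CRL that is still within its Next Update (page 52)?
import fnmatch
import shlex
from datetime import datetime, timezone

# constructed from the page 51 listing
SIGNING_POLICY = """
# EACL CERN CA
access_id_CA X509 '/C=CH/O=CERN/CN=CERN CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=ch/O=CERN/*" "/C=CH/O=CERN/*" "/O=Grid/O=CERN/*"'
"""

# constructed from the page 52 listing, plus serial C7 (the page 21 user cert)
CRL_TEXT = """
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CH/O=CERN/CN=CERN CA
        Last Update: Jul  1 17:53:17 2002 GMT
        Next Update: Aug  5 17:53:17 2002 GMT
Revoked Certificates:
    Serial Number: 5A
        Revocation Date: May 24 16:45:52 2002 GMT
    Serial Number: C7
        Revocation Date: Jun 30 09:00:00 2002 GMT
"""


def parse_signing_policy(text):
    """{CA DN: {"rights": [...], "subjects": [glob, ...]}} from EACL text."""
    policy, ca = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _kind, value = shlex.split(line)       # e.g. access_id_CA X509 '<dn>'
        if key == "access_id_CA":
            ca = value
            policy[ca] = {"rights": [], "subjects": []}
        elif key == "pos_rights":
            policy[ca]["rights"].append(value)
        elif key == "cond_subjects":
            policy[ca]["subjects"].extend(shlex.split(value))  # inner quoted globs
    return policy


def ca_may_sign(policy, issuer, subject):
    """True only if the issuer is a listed CA holding CA:sign and the subject
    matches one of its cond_subjects globs; the match is case-sensitive,
    which is why the slide lists both /C=ch and /C=CH."""
    entry = policy.get(issuer)
    if entry is None or "CA:sign" not in entry["rights"]:
        return False
    return any(fnmatch.fnmatchcase(subject, pat) for pat in entry["subjects"])


def openssl_time(s):
    """Parse the 'Jul  1 17:53:17 2002 GMT' form openssl prints."""
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Issuer, update times and revoked serials from 'openssl crl -text'."""
    crl = {"revoked": {}}
    serial = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            crl["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Last Update:"):
            crl["last_update"] = openssl_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            crl["next_update"] = openssl_time(line.split(":", 1)[1])
        elif line.startswith("Serial Number:"):
            serial = int(line.split(":", 1)[1], 16)   # openssl prints serials in hex
        elif line.startswith("Revocation Date:"):
            crl["revoked"][serial] = openssl_time(line.split(":", 1)[1])
    return crl


def certificate_status(crl, issuer, serial, now):
    """'revoked', 'good', or 'unknown' when the CRL cannot answer (wrong
    issuer, or past Next Update): a stale CRL must never be read as 'good'."""
    if crl.get("issuer") != issuer or now > crl["next_update"]:
        return "unknown"
    return "revoked" if serial in crl["revoked"] else "good"
```

A service should treat "unknown" as a reason to refresh the CRL (the *.crl_url file says where from) before accepting the connection, not as a pass.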

Page 53: Grid Security

Grid-mapfile (example)

cat /etc/grid-security/gridmap
"/O=Grid/O=Globus/OU=cern.ch/CN=Geza Odor" odor
"/O=Grid/O=CERN/OU=cern.ch/CN=Pietro Paolo Martucci" pietro
"/C=IT/O=INFN/L=Bologna/CN=Franco Semeria/[email protected]" aliprod
"/C=IT/O=INFN/L=Bologna/CN=Marisa Luvisetto/[email protected]" aliprod
"/O=Grid/O=CERN/OU=cern.ch/CN=Bob Jones" jones
"/O=Grid/O=CERN/OU=cern.ch/CN=Brian Tierney" btierney
"/O=Grid/O=CERN/OU=cern.ch/CN=Tofigh Azemoon" azemoon
"/C=FR/O=CNRS/OU=LPC/CN=Yannick Legre/[email protected]" yannick
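What a site does with this file when a proxy arrives, following the grid-mapfile semantics of page 27 and the listing above, as an added Python example that is not tutorial or Globus code. The sample map is constructed from entries on pages 27 and 53. The proxy's subject is the user's DN with one or more components appended (`/CN=proxy` for the legacy Globus proxies shown on page 45, `/CN=<integer>` for RFC 3820 proxies), so the lookup first strips those. The pool-account allocator is a simplified in-memory stand-in for the gridmapdir mechanism LCG used; that it leases one account per DN and keeps it across sessions is an assumption of this example.

```python
# Added example (not from the tutorial or Globus): map the subject of an
# incoming GSI proxy to a local account via a grid-mapfile, with ".pool"
# entries served from a (simplified, in-memory) pool of accounts.
import shlex

# constructed sample, modelled on pages 27 and 53
GRIDMAP = '''
# DN -> local account; ".name" means a pool of accounts name001, name002, ...
"/O=Grid/O=CERN/OU=cern.ch/CN=Joe User" juser
"/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=IT/O=INFN/L=Bologna/CN=Franco Semeria" aliprod
'''

PROXY_CNS = ("proxy", "limited proxy")


def base_identity(subject):
    """Strip the components GSI appends when it creates a proxy.

    Legacy Globus proxies append /CN=proxy (or /CN=limited proxy); RFC 3820
    proxies append /CN=<integer>. Each delegation adds one more level, so
    strip from the right until a non-proxy component is found."""
    parts = subject.split("/")
    while len(parts) > 1:
        attr, _, value = parts[-1].partition("=")
        if attr == "CN" and (value in PROXY_CNS or value.isdigit()):
            parts.pop()
        else:
            break
    return "/".join(parts)


def parse_gridmap(text):
    """Return {DN: [accounts]} from grid-mapfile text (DNs are quoted)."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and account")
        dn, accounts = fields
        mapping[dn] = accounts.split(",")
    return mapping


class PoolAccounts:
    """Lease one account per DN from a named pool (gridmapdir-style, simplified)."""

    def __init__(self, size=2):
        self.size = size
        self.leases = {}                 # (pool, dn) -> account

    def lease(self, pool, dn):
        key = (pool, dn)
        if key in self.leases:
            return self.leases[key]      # a returning user keeps the same account
        used = set(self.leases.values())
        for i in range(1, self.size + 1):
            account = f"{pool}{i:03d}"
            if account not in used:
                self.leases[key] = account
                return account
        raise RuntimeError(f"pool {pool} exhausted")


def map_subject(mapping, pools, subject):
    """Local account for a proxy subject, or None if the site must reject it."""
    dn = base_identity(subject)
    if dn not in mapping:
        return None                      # not in the map: not authorised
    account = mapping[dn][0]             # the first entry is the default account
    if account.startswith("."):
        return pools.lease(account[1:], dn)
    return account


if __name__ == "__main__":
    pools = PoolAccounts()
    table = parse_gridmap(GRIDMAP)
    print(map_subject(table, pools, "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461/CN=proxy"))
```

Two properties matter for a site: a DN absent from the map is rejected rather than mapped to a default account, and a user's identity is the DN below the proxy components, never the proxy's own subject, so re-creating a proxy or delegating it further does not change who the site thinks is calling.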

Page 54: Grid Security

Abbreviations
- CA – Certificate Authority
- CP – Certificate Policy
- CPS – Certification Practice Statement
- CRL – Certificate Revocation List
- GSI – Grid Security Infrastructure
- GSS – Generic Security Service
- PKI – Public Key Infrastructure
- SSL – Secure Sockets Layer
- TLS – Transport Layer Security
- VO – Virtual Organization
- VOMS – Virtual Organization Membership Service

Page 55: Grid Security

Conclusion

Security is important for Grid middleware:
- in particular in commercial use
- security solutions need to be integrated from the very beginning

Grid security relies on PKI
- requires: authentication & authorisation
- basic entities: Users, CAs (Certificate Authorities), Resource Providers

"We had a security concept from the very beginning but decided to deal with security later"

The EMBRACE project is funded by the European Commission within its FP6 Programme, under the thematic area "Life sciences, genomics and biotechnology for health," contract number LHSG-CT-2004-512092.

Thanks to Andrea Sciabà (CERN) for reusing some of his slides