Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid Computing
Prof. Vinod Rebello, Instituto de Computação, Universidade Federal Fluminense, Brazil – [email protected]
The Americas Grid Policy Management Authority
Page 1: Vinod Rebello

Who do you Trust?

The roles of certificates, certification authorities and the IGTF in Grid Computing

Prof. Vinod Rebello
Instituto de Computação
Universidade Federal Fluminense
Brazil
[email protected]

The Americas Grid Policy Management Authority

Page 2: Vinod Rebello

UNLP Grid Open Day 5th November 2008 Vinod Rebello – [email protected] 2

A talk about PKI - Why me?

• User, resource provider and grid operator
• Manager of the IGTF approved Brazilian and the Latin American and Caribbean Catch-all Grid Certificate Authorities
• EELA-2 Task leader for Grid CAs and Security
• Current Chair of the TAGPMA
• Former Chair of the IGTF

There are worlds outside of Grid Computing…
• Chair of the Brazilian Educational PMA (ICPEDU)
• Brazilian Federal PKI Service

And these worlds are colliding!

Page 3: Vinod Rebello


The Grid Computing Model

Grid/Cloud offering services

In this generic model, institutions and businesses own fewer of their own resources. Third parties provide facilities; users get access to services. Businesses themselves can also offer services over the Grid.

Page 4: Vinod Rebello

What is Grid Security?

• The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.”
  From The Anatomy of the Grid
• So Grid Security is security to enable VOs.
• Security is about risk assessment, not building a perfect system

Page 5: Vinod Rebello

Essentials for Grid Security

• Access to shared services
  – cross-domain authentication, authorization, accounting, billing
  – common generic protocols for collective services
• Support multi-user collaboration
  – may contain individuals acting alone – their home organization administration need not necessarily know about all activities
  – organized in ‘Virtual Organizations’
• Enable ‘easy’ single sign-on for the user
  – the best security is hidden from the user as much as possible
• And leave the resource owner always in control

Page 6: Vinod Rebello

Characteristics of Grid Security

• Current grid security is largely user centric
  – different roles for the same person in the home institution and in the Virtual Organization (VO)
• There is no a priori trust relationship between members or member organizations
  – VO lifetime can vary from hours to decades
  – VO not necessarily persistent (both long- and short-lived)
  – people and resources are members of many VOs
• … but a relationship is required
  – as a basis for authorising access
  – for traceability and liability, incident handling, and accounting

Page 7: Vinod Rebello

Role of Computer Security

• Identification & Authentication (I&A)
  – Provide a way of identifying entities, and controlling this identity
• Confidentiality: protection against data disclosure to unauthorized persons
• Integrity: protection against data modification
• Availability: protection against loss of access to data
• Non-repudiability
  – Bind an entity to its actions
• Authorisation
  – Identity combined with an access policy to grant rights to perform some action

Page 8: Vinod Rebello

Security Building Blocks

• Encryption provides
  – confidentiality, can provide authentication and integrity protection
• Checksums/hash algorithms provide
  – integrity protection, can provide authentication
• Digital signatures provide
  – authentication, integrity protection, and non-repudiation

Page 9: Vinod Rebello

Asymmetric Cryptography

• Use non-reversible functions and a key pair
  – What one key encrypts, the other decrypts
• Keep one key private
  – Only you can decrypt
• Let the other be public
  – Everyone can encrypt
• Security relies on
  – F⁻¹ (the inverse of F) not being found

[Diagram: “Hello” → F(x) with priv → “$w!4&”; “$w!4&” → F(x) with pub → “Hello”]

Page 10: Vinod Rebello

Asymmetric Key Pairs

• Every user splits a key pair into a private and a public key.
  – The public key is known by everybody.
  – The private key should not be known by anyone else. It may be protected by hardware.

[Diagram: key pair – priv / pub]

Page 11: Vinod Rebello

Authentication: Challenge - Response

[Diagram: Client → Server: “I’m Fred”. Server: ch=rand() → 1423, sent as the challenge. Client: encrypt(1423) with priv → AxW8, sent as the response. Server: decrypt(AxW8) with pub of Fred; “Same as ch?” → “Hi Fred”. The server needs to keep track of Fred’s public key.]

Page 12: Vinod Rebello

Creating a Digital Signature

• The digital signature locks the document to the signer
• Easily verifiable for everyone in possession of the public key (next slide)

[Diagram: Original Document → Digest function (hash: SHA-1, MD5) → hash → encrypted with priv → Original Document + signature]

Page 13: Vinod Rebello

Verifying a Digital Signature

• A verified signature proves that
  – The corresponding private key was used to sign the document
  – The document has not been altered

[Diagram: Original Document → Digest function → hash; signature decrypted with pub → hash; compare: hash = ? hash]
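The challenge-response exchange of slide 11 and the sign-then-verify steps of slides 12 and 13, as an added Go example that is not part of the original talk. It assumes the Go standard library only; ECDSA sign/verify stands in for the slide's “encrypt with priv / decrypt with pub”, SHA-256 for its SHA-1/MD5 digest, and “Fred”, “Mallory” and the 16-byte nonce are constructed values. The server registers public keys out of band, as slide 11 requires, before certificates are introduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewKeyPair gives a user (Fred) a P-256 key pair; the private half never leaves his side.
func NewKeyPair() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignDigest is the slide's signing step: hash the bytes, then sign the hash with the
// private key. SHA-256 stands in for the slide's SHA-1/MD5, which are no longer acceptable.
func SignDigest(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyDigest recomputes the hash and checks the signature with the public key;
// success proves the matching private key signed exactly these bytes.
func VerifyDigest(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Server keeps each user's public key (as the slide says) and the one challenge outstanding for that user.
type Server struct {
	knownKeys map[string]*ecdsa.PublicKey
	pending   map[string][]byte
}

func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// Register stores a user's public key, obtained out of band (slide 21 replaces this with certificates).
func (s *Server) Register(name string, pub *ecdsa.PublicKey) { s.knownKeys[name] = pub }

// Hello handles "I'm Fred": unknown names are refused; known ones get ch=rand(), a fresh nonce.
func (s *Server) Hello(name string) ([]byte, bool) {
	if _, ok := s.knownKeys[name]; !ok {
		return nil, false
	}
	ch := make([]byte, 16)
	rand.Read(ch) // crypto/rand never fails in practice; the client must sign exactly these bytes
	s.pending[name] = ch
	return ch, true
}

// Finish is the server's "same as ch?": verify the response against the challenge
// outstanding for this user, then discard it so the same response cannot be replayed.
func (s *Server) Finish(name string, response []byte) bool {
	ch, ok := s.pending[name]
	delete(s.pending, name)
	return ok && VerifyDigest(s.knownKeys[name], ch, response)
}
```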

Page 14: Vinod Rebello

Distributing the Public Key

• Correct mapping (public key -> identity) is crucial
• Ensure the integrity of the mapping by applying a digital signature to it: a certificate

[Diagram: certificate fields – Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields]

Page 15: Vinod Rebello

X.509 Public Key Certificate

• A standardised way to associate a public key with an entity
• A digitally signed identity document
  – Can identify people, computers, services, …

[Diagram: certificate fields – Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields (extension data, by analogy: what type of vehicles the person is authorized to drive)]

Page 16: Vinod Rebello

Signing a certificate

• Normal digital signature procedure
• Non-sensitive information
  – Contains public data – is verified with public data

[Diagram: certificate fields (Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields) → Digest function → hash → encrypted with the issuer’s private key (priv) → signed certificate]

Page 17: Vinod Rebello

Verifying a certificate

• Signature
• Time
• Revocation

[Diagram: certificate fields → Digest function → hash; signature decrypted with the issuer’s public key (pub) → hash; compare: hash = ?]

But who should sign the certificate?

Page 18: Vinod Rebello

Certification Authority

• The role of the CA is to manage the certificate life cycle: create, store, renew, revoke

[Diagram: User data + Public key → CA (Trusted Third Party) → User certificate: User data, Public key, CA signature]

Page 19: Vinod Rebello

Certification Process

1. Subscriber requests Certificate
2. RM posts signing request notice
3. The RA for the Subscriber retrieves request
4. The RA agent reviews request with Grid project
5. The agent updates/approves/rejects request
6. Approved Certificate Request is sent to CM
7. CM issues certificate
8. RM sends Email notice to Subscriber
9. Subscriber picks up new certificate

[Diagram: Subscriber, Registration Authority (RA) Agent, Sponsor, Project DBMS, Registration Manager (RM), Certificate Manager (CM) (Certificate Signing Engine) and CA, with numbered arrows 1–9 following the steps above]

Page 20: Vinod Rebello

Certificates

• CA is the only entity able to create/modify the certificate
  – the CA has to be trusted
• Certificates enable:
  – Clients to authenticate servers
  – Servers to authenticate clients
  – Public key exchange without Public Key Server
• No disclosure of private/secret keys.
• Special features:
  – chains of CAs, to distribute the task of issuing certificates
  – Certificate Revocation List, to disable certificates

Page 21: Vinod Rebello

Authentication

• … the server now only needs to keep track of its trust anchors (CA certificates)

[Diagram: Client → Server: Hello, presenting Fred’s certificate. Server: cert.validate()? against its CA repository; cert.getName(); ch=rand() → 1423. Client: encrypt(1423) with priv → AxW8. Server: cert.getPubKey(); decrypt(AxW8); Same as ch? → “Hi Fred”]
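The three certificate checks of slide 17 (signature, time, revocation) and the CRL of slide 20, run by a server that holds only a trust anchor as on slide 21: an added Go example that is not part of the original talk or of any IGTF software. It assumes the Go standard library (crypto/x509 with x509.ParseRevocationList, i.e. Go 1.19 or later) and constructs a toy “Toy Grid CA”, a certificate for “Fred” with serial 42 and a CA-signed CRL as test material; Ed25519 is used for the signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildPKI constructs the test material: a self-signed CA (the relying party's trust anchor), Fred's
// certificate signed with the CA's private key, and a CA-signed CRL listing Fred's serial when revoked is set.
func BuildPKI(now time.Time, revoked bool) (ca *x509.Certificate, fredDER, crlDER []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored only because every input is fixed
	fredPub, _, _ := ed25519.GenerateKey(rand.Reader)    // Fred keeps the private half himself
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Grid CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	ca, _ = x509.ParseCertificate(caDER)
	fredTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Fred"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	fredDER, _ = x509.CreateCertificate(rand.Reader, fredTmpl, ca, fredPub, caPriv)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	if revoked {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caPriv)
	return ca, fredDER, crlDER
}

// VerifyCert runs the slide's three checks at time `at`: signature chain to the trust anchor and validity
// period (both inside cert.Verify), then revocation. It returns the verified name or a non-empty rejection reason.
func VerifyCert(anchor *x509.Certificate, certDER, crlDER []byte, at time.Time) (name, reason string) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", "unparsable certificate"
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return "", "signature/time check failed: " + err.Error()
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(anchor) != nil {
		return "", "CRL missing or not signed by the CA"
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", "certificate revoked"
		}
	}
	return cert.Subject.CommonName, ""
}
```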

Page 22: Vinod Rebello

Trusting the CA

• Nothing hinders you from setting up your own CA and issuing certificates
  – Getting others to trust you is the hard problem!
• Trust anchors
  – the CAs that we more or less trust unconditionally

Page 23: Vinod Rebello

Establishing Trust

• The dynamic cross-organizational resource sharing gives us a problem
  – No initial trust, different policies, different mechanisms
  – no central point of control in Grids
• We have to provide tools to make this as painless as possible

Page 24: Vinod Rebello

Solving the Trust Problem

• Trusted Third Parties
  – Independent identity assessment providers
  – The most commonly used today
• Federations
  – Organizations trust each other to identify their own users
  – Finite “membership” constellations
• Web of Trust
  – Users trust each other to identify others
  – Less control, scalability arguable

Page 25: Vinod Rebello

International Grid Trust Federation (IGTF)

• Commissioned: Mar 2003 (Tokyo) - Chartered: October 5th, 2005 at GGF 16 (Chicago)
• Federation of European, Asian, and Western Hemisphere Policy Management Authorities
  – Focused on Identity management and authentication for Grids
• Establishment of top level CA registries and related services
  – Root CA certificates, CA repositories and CRL publishing points.
  – Uses TERENA TACAR (TERENA Academic CA Repository)
• Standards
  – Certificate policies, Certification profiles, Accreditation
  – Open Grid Forum publishes standards and community best practices.

Page 26: Vinod Rebello

Building the Federation

• Providers and Relying Parties together shape the common minimum requirements
  – Several profiles for different identity management models
    • different technologies
  – Authorities testify to compliance with profile guidelines
  – Peer-review process within the federation to (re)evaluate members on entry & periodically
  – Reduce effort on the relying parties
    • single document to review and assess for all Authorities
    • collective acceptance of all accredited authorities
  – Reduce cost on the authorities
    • but participation in the federation comes with a price
• … the ultimate decision always remains with the RP

Page 27: Vinod Rebello

Model for Grid Authentication

• A Federation of many independent CAs
  – Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
  – Acceptable for major relying parties in Grid Infrastructures
• No strict hierarchy with a single top
  – spread liability and enable failure containment (better resilience)
  – maximum leverage of national efforts

[Diagram: CA 1, CA 2, CA 3 … CA n and relying party 1 … relying party m, connected through the federation’s charter, guidelines and acceptance process]

Page 28: Vinod Rebello


The Regional PMAs

The Americas Grid PMA

Asia Pacific Grid PMA

European Grid PMA

Page 29: Vinod Rebello

EUGridPMA

• www.eugridpma.org
• Member organizations/countries:
  – Canonical list: http://www.eugridpma.org/members/index.php
  – Membership includes many European national and regional (e.g. Nordunet, Baltic Grid) Grid projects; Canarie (Canada); DOEGrids and FNAL (US); significant relying parties such as LHC, OSG
• Features:
  – ~50 members: most from EU, some from closely affiliated countries, Middle East and Africa
  – Chaired by David Groep (NIKHEF)
  – Completed 14th Face-to-face meeting
  – The senior partner – “Classic” X.509 Grid Authentication Profile

Page 30: Vinod Rebello

APGridPMA

• www.apgridpma.org
• Member organizations/countries:
  – Canonical list: https://www.apgrid.org/CA/CertificateAuthorities.html
• Features:
  – 18 members from the Asia-Pacific Region, chaired by Yoshio Tanaka (AIST) and Jenny Chin (ASGC)
  – 10 Production CAs are in operation

Page 31: Vinod Rebello

TAGPMA

• www.tagpma.org
• The newest PMA, first Face-to-Face meeting in Rio de Janeiro, March 2006.
• Member organizations/countries:
  – Canonical list: http://www.tagpma.org/members
• Features:
  – 21 members: CA, US, Mexico and Latin America
  – Chaired previously by Darcy Quesnel (CANARIE) and currently by Vinod Rebello (UFF) and Jim Marstellar (PSC)

Page 32: Vinod Rebello

TAGPMA Membership

• CANARIE – Canada
• DOEGrids (ESNet) – USA
• EELA – International
• Fermi National Accelerator Laboratory – USA
• HEBCA/USHER/Dartmouth College – USA
• IBDS (ANSP) – Brazil
• LCG – International
• NCSA – USA
• NERSC – USA
• Open Science Grid – International
• Purdue University – USA
• REUNA – Chile
• San Diego Supercomputer Center – USA
• TACC – USA
• TeraGrid – USA
• Texas High Energy Grid – USA
• University of Virginia – USA
• UFF – Brazil
• ULA – Venezuela
• UNAM – Mexico
• UNLP – Argentina

Legend: IGTF Accredited CA Operators; CA Accreditation in progress; Interested in accreditation; Relying Party

Page 33: Vinod Rebello

IGTF Common Policy

[Diagram: EUGridPMA (CA E1, CA E2, …), APGridPMA (CA A1, …) and TAGPMA (CA T1, …) under the IGTF Federation Document; Common Authentication Profiles: Classic (EUGridPMA) and SLCS (TAGPMA); trust relations, Subject Namespace Assignment, Distribution, Naming Conventions]

worldwide relying parties see a uniform IGTF “mesh”

Page 34: Vinod Rebello

Policies and Practices

• Certificate Policy and Certification Practice Statement (CP/CPS)
• RFC 3647 formatted document that describes policies and procedures followed by the PKI and responsibilities of the parties involved
• Rules for how a CA operates and how users are vetted when registering for certificates
  – Certificate Policy (CP): requirements for granting and managing PKI credentials
  – Certification Practices Statement (CPS): actual steps an institution takes to implement CP
• Information not only for Relying Parties but also users!

Page 35: Vinod Rebello

TAGPMA CA Accreditation

• Initial Consultation & Review with Mentor
• Submit CP/CPS for review
• Present proposal at Face-to-Face meeting
• Once CP/CPS approved then subject to an Operational Review/Audit
• Include CA root certificate in the IGTF distribution and repository

Page 36: Vinod Rebello

What Are Grid PKIs For?

• Exist to serve the grid community in terms of authentication
  – X.509 certificates are an essential component of Grid security mechanisms
  – Authentication supports diverse authorization methods (including ongoing research)
  – X.509 Certification Authorities provide a focal point for policy and key lifecycle management
  – IGTF and regional PMAs provide coordination and interoperability standards for Grid PKIs

Page 37: Vinod Rebello

Fostering NGIs in LA?

• Fostering National Grid Initiatives to meet the demands of Latin America
  – Not just computer science, nor is it just e-science, it’s e-verything!
  – Learn from but not necessarily copy other NGIs
• Sustainability
  – Maintenance support for large scale, production class infrastructures
  – Tools to improve accessibility
  – More users
  – Integrate Grid PKI with other broader scoped PKIs
• UFF BrGrid CA will be an integral part of the Brazilian Educational and Research PKI (ICPEDU).

Page 38: Vinod Rebello

Acknowledgements

Various slides from
• Michael Helm, ESnet/LBL
• David Groep, NIKHEF
• Darcy Quesnel, CANARIE
• Mehran Ahsant, KTH

• Argentinean National Grid CA – UNLP Grid CA http://www.pkigrid.unlp.edu.ar

• Questions?
• Contact information – [email protected]