Lecture 2: Security
Rachana Ananthakrishnan
Argonne National Lab
Typical Grid Scenario (diagram: Users on one side, Resources on the other)

Identity

Authentication

Identity & Authentication
- Each entity should have an identity
- Authenticate: establish identity. Is the entity who it claims to be?
- Examples: driving license, username/password
- Stops masquerading impostors
Privacy (diagram: Medical Record, Patient no: 3456)

Integrity (diagram: a request "Run myHome/whoami" and a tampered version "Run myHome/rm -f *")

Message Protection
- Sending a message securely
- Integrity: detect whether the message has been tampered with
- Privacy: no one other than the sender and receiver should be able to read the message
(diagram: Authentication and Integrity)
Authorization

- Authorization establishes rights to perform actions: what can a particular identity do?
- Examples: Are you allowed to be on this flight? Unix read/write/execute permissions
- Must authenticate first

Varied Credentials

Authenticate Once

Delegation

- Single Sign-On is important for complex applications that need to use Grid resources
- Enables easy coordination of varied resources
- Enables automation of processes
- Allows remote processes and resources to act on the user's behalf
(diagram: Authentication and Delegation)
Solutions

Secure Message Solution: Encryption and Signature (Cryptography)

- Cryptographic keys, the building block of cryptography, are collections of bits
- The more bits you have, the stronger the key
(diagram: two keys shown as bit strings, 0101001110 and 1011110111)
- Encryption takes data and a key, feeds them into a function and gets encrypted data out
- Encrypted data is, in principle, unreadable unless decrypted
(diagram: <data> + key -> Encryption Function -> encrypted data)

- Decryption feeds encrypted data and a key into a function and gets the original data back
- Encryption and decryption functions are linked
(diagram: encrypted data + key -> Decryption Function -> <data>)

- In Symmetric Encryption, the encryption and decryption functions use the same key
(diagram: <data> -> Encrypt -> Decrypt -> <data>, with one shared key)
- In Asymmetric Encryption, encryption and decryption use a key pair
- Keys are mathematically linked

- When data is encrypted with one key, the other key must be used to decrypt the data, and vice versa
(diagram: <data> encrypted with one key of the pair is decrypted with the other, in both directions)

- With asymmetric encryption each user can be assigned a pair of private and public keys
- The private key is known only to the owner
- The public key is given away to the world

- Anything encrypted with the public key can only be decrypted with the private key, and vice versa
- Since the private key is known only to the owner, this is very powerful
- Message Privacy!
(diagram: Encrypt with the public key, Decrypt with the private key)
Digital Signatures let you verify aspects of the data:
- Who created a hunk of data
- That the data has not been tampered with

Digital Signatures are encrypted hashes of the data
- Digital signatures are generated by creating a hash of the data and encrypting the hash with my private key
- This signature can be decrypted only with my public key
(diagram: data -> Hash -> Encrypt with private key -> signature)

Recipients use the Digital Signature to verify the integrity of the data. The recipient of the data and signature:
- Computes a hash of the data
- Decrypts the signature to get the sender's hash
- Compares the two hashes to see if they match
(diagram: Compute Hash =? Decrypt)

(diagram: Digital Signature: the Sender sends the Message and its signature; the Recipient computes the hash of the received Message, decrypts the signature and compares; a mismatch (!=) means the message was altered)

- Since I'm the only one with the private key, you know I signed the hash and the data
- But how do you know that you have my correct public key? (diagram: ?)
Entity Identity Solution: Public Key Infrastructure

Public Key Infrastructure (PKI) shows that a given public key belongs to a given user
- PKI builds off of asymmetric encryption: each entity has two keys, public and private
- The private key is known only to the entity
- The public key is given to the world, encapsulated in an X.509 certificate

An X.509 certificate binds a public key to a name. It includes:
- name
- public key
- other things
bundled together and signed by a trusted party (Issuer)
(diagram: certificate fields Name, Issuer, Public Key, Validity, Signature)
Certificates are similar to passports or driver's licenses
(diagram: a State of Illinois driver's license with seal for John Doe, 755 E. Woodlawn, Urbana IL 61801, BD 08-06-65, Male, 6'0", 200 lbs, GRN eyes; beside it a certificate with Name, Issuer, Public Key, Validity (Valid Till: 01-02-2008), Signature)

By checking the signature, you can see if a public key belongs to a given user
(diagram: hash the certificate's Name, Issuer, Public Key and Validity; decrypt its Signature with the Public Key from the Issuer; compare =?)
Certification Authorities (CAs) sign certificates
- CAs are a small set of trusted entities
(diagram: a certificate with Name, Validity, Public Key; Issuer?)

Certification Authorities exist only to sign user certificates
- The CA signs its own certificate, which is distributed in a trusted manner
(diagram: CA certificate with Name: CA, Issuer: CA, CA's Public Key, Validity, CA's Signature)

The public key from the CA certificate can then be used to verify issued certificates
(diagram: hash the issued certificate's Name, Issuer, Validity and Public Key; decrypt its Signature with the CA's Public Key taken from the CA certificate; compare =?)

Each CA has a Certificate Policy (CP). The Certificate Policy states:
- To whom the CA will issue certificates
- How the CA identifies people to whom it will issue certificates
- Lenient CAs don't pose a security threat because resources determine the CAs they trust
To request a certificate, a user starts by generating a key pair

The user signs their own public key to form what is called a Certificate Request
- Sent by email or web upload
(diagram: Public Key -> Sign -> Certificate Request)

The user takes the certificate request to a Registration Authority (RA)
- Vetting of the user's identity
- Often the RA coexists with the CA and is not apparent to the user
(diagram: Certificate Request (Public Key) and ID)

The CA takes the identity from the RA and the public key from the certificate request
- It creates, signs and issues a certificate for the user
(diagram: Certificate Request (Public Key) + Name -> certificate with Name, Issuer, Validity, Public Key, Signature)
Authentication Solution: Secure Socket Layer

Secure Socket Layer (SSL)
- Protocol above a standard TCP/IP socket to provide security in the forms of:
  - Authentication
  - Message protection: privacy and integrity

SSL Authentication
- Both sides have a certificate and private key
- Start by exchanging X.509 certificates
- Each side then sends over a challenge
- The challenge is signed with the private key and sent back over
(diagram: Sign on each side)
- Each side then verifies the certificate using PKI
- Validates the challenge signature using the certificate
- If everything checks out, then the identity from the certificate can be trusted
(diagram: CA, Check Certificate, Check Signature)
SSL Handshake
Creating a session key:
- Both sides agree on some algorithm to generate keys
- One side sends over some random data encrypted with the other side's public key
- The other side decrypts it with its private key
(diagram: Encrypt, Decrypt)

SSL Handshake (2)
- Both sides use the agreed algorithm to generate the session key from the random data
- Now all messages between the two sides are protected using the session key
(diagram: Agreed Algorithm on each side)

SSL Message Protection
- Session key: symmetric signature and encryption, short-lived
- Examples: web servers, Globus Toolkit services
(diagram: Message -> Encrypt, Sign)
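As an added example, not from the lecture or from Globus, here is the symmetric half of the handshake and message protection just described: both sides derive the same session keys from the shared random data with an agreed algorithm, every message is then encrypted and MAC-"signed" under those keys, and any alteration is caught before decryption. The asymmetric delivery of the random data is omitted; the SHA-256 counter-mode cipher, the key-derivation labels and the record layout are toy assumptions standing in for SSL's real cipher suites and PRF.

```python
import hashlib
import hmac
import os

def derive_session_keys(random_data, label=b"SSL session"):
    """Slide 49: both sides run the agreed algorithm over the shared random data.
    This toy KDF (constructed, not SSL's PRF) yields separate encryption and MAC keys."""
    enc_key = hashlib.sha256(label + b"|enc|" + random_data).digest()
    mac_key = hashlib.sha256(label + b"|mac|" + random_data).digest()
    return enc_key, mac_key

def keystream(enc_key, nonce, length):
    # Toy counter-mode keystream from SHA-256; real SSL/TLS uses a vetted cipher
    out = b""
    for offset in range(0, length, 32):
        out += hashlib.sha256(enc_key + nonce + offset.to_bytes(4, "big")).digest()
    return out[:length]

def protect(keys, seq, message):
    """Slide 50: encrypt with the session key, then 'sign' with a MAC under the session
    MAC key. Record layout: nonce || ciphertext || tag; seq is bound into the tag."""
    enc_key, mac_key = keys
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(message, keystream(enc_key, nonce, len(message))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unprotect(keys, seq, record):
    """Check integrity first, then decrypt for privacy. Returns None if the tag fails."""
    enc_key, mac_key = keys
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

# Constructed shared secret standing in for the random data of slide 48; in SSL it
# travels encrypted under the other side's public key, a step omitted here.
RANDOM_DATA = bytes.fromhex("00112233445566778899aabbccddeeff")
client_keys = derive_session_keys(RANDOM_DATA)
server_keys = derive_session_keys(RANDOM_DATA)

def altered_record_rejected(keys, seq, record):
    """Flip one ciphertext byte, as a fault in transit would, and confirm the receiver drops it."""
    damaged = bytearray(record)
    damaged[8] ^= 0x01
    return unprotect(keys, seq, bytes(damaged)) is None
```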
Solution: Single Sign-on
Grid Security Infrastructure
(diagram: Delegation, Varied Resources, Authenticate Once)

Grid Security Infrastructure (GSI) allows users & apps to securely access resources
- A set of tools, libraries and protocols used in Globus
- Based on PKI
- Uses SSL for authentication and message protection
- Adds features needed for Single Sign-on: proxy credentials, delegation

In GSI, each user has a set of credentials they use to prove their identity on the grid
- Consists of an X.509 certificate and private key
- The long-term private key is kept encrypted with a pass phrase
- Good for security, inconvenient for repeated usage

GSI: Single Sign-on
- To support single sign-on, GSI adds the following functionality to SSL: proxy credentials, credential delegation
- Support for long-running processes:
  - Allow easy repeated access to credentials
  - Limit the risk of misuse on theft
  - Allow a process to perform jobs for the user

GSI Proxy credentials are short-lived credentials created by the user
- Short-term binding of the user's identity to an alternate private key
- Same effective identity as the certificate
- Stored unencrypted for easy repeated access
- Short lifetime in case of theft

GSI delegation allows another entity to run using your credentials
- You must authenticate before using delegation
- Attempts to ensure that the entity can run as you only for a limited time and for a specific purpose
Example of GSI Delegation
User "Green" wants to delegate to User "Orange":
1. Orange generates a public/private key pair
2. Orange keeps the private key and never sends it on the wire
3. A certificate request with the public key is generated and sent to Green
4. Green signs that as a certificate and returns it. Orange now has a delegated proxy from Green.
Signature chain: Orange's delegated proxy is signed by Green's proxy, which is signed by Green's certificate, which is signed by the CA
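The following added example is not from the lecture or from Globus; it walks through the hash, encrypt and compare signature of slides 26 to 28, the certificate verification of slides 34 to 37 and the delegation chain of slide 57 using a toy textbook RSA (small primes, no padding, hash reduced modulo n), which is insecure and only serves to make each step visible. The certificate field layout, the fixed clock and the lifetimes are this example's assumptions.

```python
import hashlib

# Toy textbook RSA, constructed for illustration only: small primes, no padding,
# hash reduced mod n. Real X.509/GSI uses full-size RSA keys with proper padding.
def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

PRIMES = [p for p in range(100000, 100400) if is_prime(p)]  # plenty for 4 key pairs

def make_keypair(i, e=65537):
    p, q = PRIMES[2 * i], PRIMES[2 * i + 1]
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):
    # Slide 26: hash the data, then "encrypt" the hash with the private key
    return pow(digest(data) % priv["n"], priv["d"], priv["n"])

def verify(data, sig, pub):
    # Slide 27: recompute the hash, "decrypt" the signature with the public key, compare
    return pow(sig, pub["e"], pub["n"]) == digest(data) % pub["n"]

def tbs(cert):
    # The fields the issuer signs: Name, Issuer, Public Key, Validity (slide 32)
    return "|".join(str(cert[k]) for k in ("name", "issuer", "pub", "not_after")).encode()

def issue(name, pub, issuer_cert, issuer_priv, lifetime_s, now):
    # Slide 42: bind name and public key, add validity, sign. A self-signed CA
    # certificate (slide 36) is issued with issuer_cert=None.
    cert = {"name": name, "issuer": issuer_cert["name"] if issuer_cert else name,
            "pub": pub, "not_after": now + lifetime_s}
    cert["sig"] = sign(tbs(cert), issuer_priv)
    return cert

def verify_chain(chain, trusted_roots, now):
    """chain[0] is the end entity, chain[-1] the CA. Each certificate must be unexpired
    and validly signed by the next one; the last must be a trusted self-signed root."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if cert["issuer"] != issuer["name"] or not verify(tbs(cert), cert["sig"], issuer["pub"]):
            return False, "bad signature on " + cert["name"]
        if now > cert["not_after"]:
            return False, cert["name"] + " expired"
    if not any(tbs(chain[-1]) == tbs(r) for r in trusted_roots):
        return False, "untrusted root"
    return True, chain[0]["name"]

# Slide 57 scenario, with a fixed clock so the example is deterministic
NOW, HOUR, DAY = 1_700_000_000, 3600, 86400
ca_pub, ca_priv = make_keypair(0)
green_pub, green_priv = make_keypair(1)
gproxy_pub, gproxy_priv = make_keypair(2)
orange_pub, orange_priv = make_keypair(3)  # step 1: Orange generates its own key pair
ca_cert = issue("CA", ca_pub, None, ca_priv, 3650 * DAY, NOW)
green_cert = issue("Green", green_pub, ca_cert, ca_priv, 365 * DAY, NOW)
green_proxy = issue("Green's proxy", gproxy_pub, green_cert, green_priv, 12 * HOUR, NOW)
# Steps 2-4: Orange's private key never leaves Orange; only orange_pub travels in the
# request, which Green signs with its proxy key into a short-lived delegated proxy.
orange_proxy = issue("Orange's delegated proxy", orange_pub, green_proxy, gproxy_priv, 4 * HOUR, NOW)
CHAIN = [orange_proxy, green_proxy, green_cert, ca_cert]
```

`verify_chain(CHAIN, [ca_cert], NOW)` accepts the delegated proxy, while a chain with a link missing, a proxy whose 4-hour lifetime has passed, or a proxy signed with a key other than its claimed issuer's is rejected with the reason.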
Authorization Solution: GSI Authorization

Authorization
- Types: server-side authorization, client-side authorization
- Examples: self authorization, identity authorization
- Chaining authorization schemes: the client must be User Green and have a candlestick and be in the library!

Gridmap is a list of mappings from allowed DNs to user names:
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Mike Wilde" wilde
- Commonly used in Globus for server-side ACL + some attribute
- Controlled by the administrator
- Open read access
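An added example, not from the lecture or from Globus: a parser for the gridmap format above plus the chained authorization of slide 59. The two DN entries are the slide's; the comment line, the comma-separated local names (which Globus gridmap files also accept) and the stripping of trailing /CN=proxy components to recover a proxy holder's effective identity (slide 55, legacy GSI proxy naming) are this example's assumptions.

```python
import re
import shlex

# Constructed sample gridmap: the two entries from the slide, a comment line, and a
# multi-name entry (comma-separated local names, which Globus gridmaps also accept).
GRIDMAP = '''
# DN -> local account(s); the first local name is the default mapping
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Mike Wilde" wilde
"/C=US/O=Globus/O=ANL/OU=MCS/CN=User Green" green,grid
'''

def parse_gridmap(text):
    """Return {DN: [local names]}; a malformed line raises ValueError rather than being skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # the DN is quoted because it contains spaces
        except ValueError as exc:
            raise ValueError(f"gridmap line {lineno}: {exc}") from None
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f'gridmap line {lineno}: expected "/DN" user[,user...]')
        mapping[fields[0]] = [u for u in fields[1].split(",") if u]
    return mapping

def is_malformed(text):
    """True if parse_gridmap rejects the text (e.g. an unterminated quoted DN)."""
    try:
        parse_gridmap(text)
    except ValueError:
        return True
    return False

# Assumption (legacy GSI naming): a proxy's subject is the user's DN with one or more
# trailing /CN=proxy, /CN=limited proxy or numeric /CN=... components appended.
PROXY_CN = re.compile(r"(/CN=(proxy|limited proxy|\d+))+$")

def effective_identity(dn):
    """Slide 55: a proxy has the same effective identity as the user's certificate."""
    return PROXY_CN.sub("", dn)

def map_identity(gridmap, dn):
    """Identity authorization (slide 59): the presented DN, or the user DN behind a
    proxy, must be in the gridmap. Returns the default local account or None."""
    users = gridmap.get(effective_identity(dn))
    return users[0] if users else None

def chain_all(*checks):
    """Chaining authorization schemes (slide 59): every check must accept the request."""
    return lambda request: all(check(request) for check in checks)

# "Client must be User Green and have a candlestick and be in the library"
def is_user_green(request):
    return map_identity(request["gridmap"], request["dn"]) == "green"

def has_candlestick(request):
    return "candlestick" in request.get("attributes", ())

def in_library(request):
    return request.get("location") == "library"

library_policy = chain_all(is_user_green, has_candlestick, in_library)
```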
Summary
- Identity
- Authentication
- Message integrity
- Message privacy
- Single Sign On: proxy certificates, delegation
- Authorization

MyProxy
- Developed at NCSA
- Credential repository with a different access mechanism (e.g. username/pass phrase)
- Can act as a credential translator from username/pass phrase to GSI
- Online CA
- Supports various authentication schemes: passphrase, certificate, Kerberos

MyProxy: Use Cases
- The credential need not be stored on every machine
- Used by services that can only handle usernames and pass phrases to authenticate to the Grid, e.g. web portals
- Handles credential renewal for long-running tasks
- Can delegate to other services

Lab Session
- Focus on tools: certificates, proxies, gridmap, authorization, delegation, MyProxy