Grid Security Tutorial 2006

INFSO-RI-508833

Enabling Grids for E-sciencE

www.eu-egee.org

Grid Security Tutorial 2006David Groep

NIKHEF

Grid Security, Groningen Tutorial 2006 2


INFSO-RI-508833

Grid Security Tutorial

• You and the Grid– organising collaborations in virtual organisations– trust and your identity– cryptography and signing

• Getting access to resources– attribute-based authorization and VOMS– proxies, delegation, forwarding and renewal

• How it works in practice: grid security commands– getting your certificate– the GSI protocol– getting a voms-enabled proxy– what happens on the server side



INFSO-RI-508833

Virtual Organisations

What is a Virtual Organisation?

A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.

graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke



INFSO-RI-508833

VOs

Typical VO examples• Each of the VL-e application sub programmes• Collaborations like the LHC experiments, or LOFAR, or …• testing/deployment groups like “pvier”• …

• Users (you) are usually a member of more than one VO• Any “large” VO will have an internal structure,

with groups, subgroups, and various roles



INFSO-RI-508833

VOs and the infrastructure

• The word “VO” is used in many different ways• The EGEE infrastructure and the VL-e PoC

provide a “bus-like” interface for VOs, where VOs are essentially user communities



INFSO-RI-508833

VOs



INFSO-RI-508833

Trust relationships

• For the VO model to work, parties need to (minimally) trust each other in their VO interactions– the alternative would be that every user would have to register at

and every resource provider…

Org. Certification

Domain A

Server X Server Y

PolicyAuthority

PolicyAuthority

TaskDomain B

Sub-Domain A1

GSI

Org. CertificationAuthority

Sub-Domain B1

Authority

AuthZFederationService

VirtualOrganization

Domain

FederatedCertificationAuthorities

graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance



INFSO-RI-508833

VO federation needs

• Trust establishment within the VO is separated in:– user identity (the user’s passport)– group and roles within the VO (visa)

as these are different from a persons organisational role

graphic: OGSA Architecture 1.0, OGF GFD-I.030



INFSO-RI-508833

User Identity

• Users and resources are typically part of more than one VO, • but don’t want many passwords

• Users and resource get a single authentication token(identity certificate)– that works across virtual organisations– issued by a party trusted by all (“CA”), – recognised by many resource providers, users, and VOs– satisfy traceability and persistency requirement– in itself does not grant any access, but provides

a unique binding between an identifier and the subject

• This is called your (identity) certificate• It is a cryptographically protected statement by the CA• that you can use to prove your identity

in combination with a private key and its passphrase



INFSO-RI-508833

• Paul calculates the hashhash of the message

• Paul encrypts the hash using his privateprivate key: the encrypted hash is the digital signaturedigital signature.

• Paul sends the signed message to John.

• John calculates the hash of the message and verifiesverifies it with A, decyphered with Paul’s publicpublic key.

• If hashes equal: message wasn’t modified; Paul cannot repudiate it.

John

This is some

message

Digital Signature

Paul

This is some

message

Digital Signature

This is some

message

Digital Signature

Hash(A)

Paul keys

public private

Hash(B)

Hash(A)

= ?

Digital signatures at work

slide from EGEE NA3 Tutorial repository



INFSO-RI-508833

• Paul’s digital signature is safe if:1. Paul’s private key is not compromised

2. John knows Paul’s public key

• How can John be sure that Paul’s public key is really Paul’s public key and not someone else’s?– A third party guarantees the correspondence between public key

and owner’s identity.– Both A and B must trust this third party

Trusting the signature




INFSO-RI-508833

X.509 Certificates

• An X.509 Certificate contains:– owner’s public key;

– identity of the owner;

– info on the CA;

– time of validity;

– Serial number;

– digital signature of the CA

Public keyPublic key

Subject:Subject:C=CH, O=CERN, C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba OU=GRID, CN=Andrea Sciaba 89688968

Issuer: C=CH, O=CERN, Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CAOU=GRID, CN=CERN CA

Expiration date: Expiration date: Aug 26 08:08:14 Aug 26 08:08:14 2005 GMT2005 GMT

Serial number: 625 (0x271)Serial number: 625 (0x271)

CA Digital signatureCA Digital signature

• Authentication (proving your identity to another party) works the same way

• in that case the CA as signed a message that contains identifiers

• which is done in a specific standard format: X.509




INFSO-RI-508833

Public Key Infrastructures

• every user/host/service has an X.509 certificate;• certificates are signed by trusted (by the local sites) CA’s;• every Grid transaction is mutually authenticated:

1. John sends his certificate;2. Paul verifies signature in John’s certificate;3. Paul sends to John a challenge string;4. John encrypts the challenge string with his private key;5. John sends encrypted challenge to Paul6. Paul uses John’s public key to decrypt the challenge.7. Paul compares the decrypted string with the original

challenge8. If they match, Paul verified John’s identity and John can

not repudiate it.

JohnJohn PaulPaulJohn’s certificateJohn’s certificate

Verify CA signatureVerify CA signature

Random phraseRandom phrase

Encrypt with J.’ s private keyEncrypt with J.’ s private key

Encrypted phraseEncrypted phrase

Decrypt with J.’ s public keyDecrypt with J.’ s public key

Compare with original phraseCompare with original phrase

Based on X.509 PKI:

VERY IMPORTANTVERY IMPORTANT

Private keysPrivate keys must be stored only:

in protectedprotected places

ANDAND

in encryptedencrypted form




INFSO-RI-508833

Trusted third parties

• All research grid infrastructures share the same base set of trusted third parties (‘CAs’)

• There is typically one in each country• The credentials they issue are comparable in quality



INFSO-RI-508833

Requirements for (inter)national trust

• Identity vetting procedures– Based on (national) photo ID’s– Face-to-face verification of applicants

via a network of Registration Authorities– possible to trace the user in case of unlawful misconduct– Secure binding between the request and the identity vetting– Periodic renewal (once every year)

• Secure operation– off-line signing key or HSM-backed on-line secured systems

• Response to incidents– Timely revocation of compromised certificates

new models and guidelines are being agreed on right now, but are not yet available.



INFSO-RI-508833

VO affiliation

• Per-VO Authorisations (“visa”)– granted to a person or service by a virtual organisation– based on the ‘passport’ name– acknowledged by the resource owners – providers can still ban individual users,

and decide which privileges are granted to which VO attributes

• In your case, these ‘visa’ are called VOMS credentials• It is a cryptographically protected statement by the VO• which is bound (by the VO) to your subject name

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

Pinco’sVO

attributes



INFSO-RI-508833

Single sign-on and delegation

• To authenticate with your certificate directly you would have to type a passphrase every time

• Also you need a way to send you VOMS credentials across

• In the Grid Security Infrastructure today, this is solved by ‘proxy certificates’– a temporary key pair– in a temporary certificate signed by your ‘long term’ private key– valid for a limited time (default: 12 hours)– and itself not protected by a passphrase



INFSO-RI-508833

grid-proxy-init

• User enters pass phrase, which is used to decrypt private key.

• Private key is used to sign a proxy certificate with its own, new public/private key pair.– User’s private key not exposed after proxy has been signed

User certificate file

Private Key(Encrypted)Pass

Phrase

User Proxycertificate file

• Proxy placed in /tmp– the private key of the Proxy is not encrypted:– stored in local file: must be readable only by the owner;– proxy lifetime is short (typically 12 h) to minimize security risks.

• NOTE: No network traffic!slide from EGEE NA3 Tutorial repository



INFSO-RI-508833

Delegation and limited proxy

• Delegation = remote creation of a (second level) proxy credential– New key pair generated remotely on server– Client signs proxy cert and returns it– for GT2 services it is built into the protocol,

for GT4 WS use the delegation service (gLite: it’s implicit in the service)• Allows remote process to authenticate on behalf of the user

– Remote process “impersonates” the user• The client can elect to delegate a “limited proxy”

– Each service decides whether it will allow authentication with a limited proxy

– Job manager service requires a full proxy– GridFTP server allows either full or limited proxy to be used




INFSO-RI-508833

Proxy again …

• grid-proxy-init ≡ “login to the Grid”• To “logout” you have to destroy your proxy:

– grid-proxy-destroy

– This does NOT destroy any proxies that were delegated from this proxy.

– You cannot revoke a remote proxy– Usually create proxies with short lifetimes

• To gather information about your proxy: – grid-proxy-info

– Options for printing proxy information-subject -issuer-type -timeleft-strength -help




INFSO-RI-508833

Embedding your VOMS credentials

• The proxy can also be used as a container for other stuff– the standard SSL protocol has no other way of adding stuff to

the secure session– but a ‘plain’ grid proxy does not indicate which VO you belong to– the VOMS credential is embedded as an extension in the proxy

Query

Authentication

Request

AuthDB

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

VOMSpseudo-cert

VOMSpseudo-cert

[davidg@tbn01 davidg]$ voms-proxy-info -all…Type : proxyBits : 512Valid From : Jun 2 06:22:02 2004 GMTValidity left : Jun 2 18:27:02 2004 GMTVO : wpsixHolder Subject: /O=dutchgrid…/O=nikhef/CN=David Groep…Issuer Subject:/C=FR/O=CNRS/OU=UREC/ CN=vo-iteam.datagrid.cnrs.fr…Valid from : Jun 2 06:26:09 2004 GMTValid to : Jun 2 18:26:09 2004 GMTAttribute : /wpsix/Role=NULL/Capability=NULL



INFSO-RI-508833

Getting a VOMS proxy

• VOMS credential consists of a list of attributes• short for Fully Qualified Attribute Name, is what VOMS uses to express

membership and other authorization info• Groups membership, roles and capabilities may be expressed in a

format that bounds them together<group>/Role=[<role>][/Capability=<capability>]

[glite-tutor] /home/giorgio > voms-proxy-init --voms gilda

Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/[email protected] GRID pass phrase: ******

Your proxy is valid until Mon Jan 30 23:35:51 2006Creating temporary proxy.................................Done

Contacting voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/[email protected]] "gilda"

Creating proxy ...................................... DoneYour proxy is valid until Mon Jan 30 23:35:51 2006




INFSO-RI-508833

Long term proxies

• Proxy has limited lifetime (default is 12 h)– Bad idea to have longer proxy

• However, a grid task might need to use a proxy for a much longer time – Grid jobs in HEP Data Challenges on LCG last up to 2 days

• myproxy server:– Allows to create and store a long term proxy certificate:– myproxy-init -s <host_name>

-s: <host_name> specifies the hostname of the myproxy server

– myproxy-info Get information about stored long living proxy

– myproxy-get-delegation Get a new proxy from the MyProxy server

– myproxy-destroy– Chech out the myproxy-xxx - - help option

• A dedicated service on the RB can renew automatically the proxy• File transfer services in gLite validates user request and eventually renew

proxies– contacting myproxy server




INFSO-RI-508833

Grid authentication with MyProxy

UI

LocalWS

MyProxyServer

Web Portal(UI)

myproxy-init

any grid service

myproxy-get-delegation

outputthe Grid

execution

WEB Browser


INFSO-RI-508833


www.eu-egee.org

But what do I have to do?

A Grid Security walk-through



INFSO-RI-508833

A walk-through

CA

VO

user service



INFSO-RI-508833

Certificate request

CA

VO

user service

cert-request

grid-cert-request

once every year



INFSO-RI-508833

Contacting the CA

• Each CA has different policies and practices

• Generate a cryptographic key pair– using a script like grid-cert-request– with your web browser– using a Java Applet

• Appear in-person to the Registration Authority (RA)• RA approves your request• CA signs the approved request and sends you the cert

– via mail: copy to your home directory– via the web: download into your browser and export to disk

• All use a network of RAs close to you



INFSO-RI-508833

DutchGrid CA

http://ca.dutchgrid.nl/http://ca.dutchgrid.nl/



INFSO-RI-508833

Making the request (DutchGrid CA)

triode:davidg:1004$ sh makerequest.shGenerating user request and private key in /tmpDo NOT delete the private key in this directoryNOTICE: you are about to create the cryptographic key pair you need in your certificate. The private key is highly confidential information! Do not share it with anyone and do not send it by mail to the Certification Authority Your private key is stored in a file named ‘userkey.pem'

Using configuration from /tmp/certreq15061.cnfGenerating a 1024 bit RSA private key.....++++++..................++++++writing new private key to '/tmp/userkey.pem'-----Mailing [CA:medium] certificate request to the DutchGrid CA…In the authentication process by the CA, you may be asked toprovide a proof-of-possession of the keypair you submitted. Thismay involve you providing part of your public keydata displayedbelow:

BA806384C5FDBA0CB079049AF252BF8532014E9A13DB6E9FF9259ED67D10E07B3B76376723D3FB17D25770629EFA3CE6F27533E468CFD9D2CBBD861ADBDF6677EE203B8133B77EC6F7FC74904A055D54BCD613BB753A9BCF81AF3B400CB43C917C29E41C4354AE452166B19D84B03C132971D7A951140D077BB0D0022F7AE065

*** Fill in the registration form now, and go to your RA.

Proof of Possession Challenge

run request script



INFSO-RI-508833

Your request

• openssl req –in ~/.globus/user_request.pem –text Data:

Version: 0 (0x0)

Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner User information

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit): Public key

00:ba:ae:e2:9a:98:be:94:f5:f5:9e:e7:f7:06:58: [...]

Exponent: 65537 (0x10001)

Signature Algorithm: md5WithRSAEncryption Signature on the public

29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:0c:27:71:0e: [...] key and user information

-----BEGIN CERTIFICATE REQUEST----- PEM encoded request

MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC [...]

-----END CERTIFICATE REQUEST-----



INFSO-RI-508833

Private Key Details

• openssl rsa -in ~/.globus/userkey.pem –textEnter PEM pass phrase: ***************

Private-Key: (1024 bit)

modulus: [...]

publicExponent: ..... (0x......)

privateExponent: [...]

prime1: [...] private parameters

prime2: [...]

exponent1: [...]

exponent2: [...]

coefficient: [...]

writing RSA key

-----BEGIN RSA PRIVATE KEY----- PEM encoded private key

-----END RSA PRIVATE KEY-----



INFSO-RI-508833

Certificate signing

CA

VO

user service

cert-request

grid-cert-request

certificate

cert signing



INFSO-RI-508833

Importing your certificate in the browser

CA

VO

user service

cert.pkcs12convert

cert-request

grid-cert-request

certificate

cert signing



INFSO-RI-508833

Browser certificates

• Your our certificate must be in PKCS#12 formatopenssl pkcs12 –export \

–in ~/.globus/usercert.pem \–inkey ~/.globus/userkey.pem \–out user.p12 \–name ’Joe Smith’

• Use the “certificate store” of your browser– Windows: double-click on the “.p12” file– Explorer: Internet Options – tab: Content– Netscape 6: Preferences –

Privacy&Sec – Certificates, then use “Restore”

• And SET THE MASTER PASSWORD



INFSO-RI-508833

Usage Guidelines

CA

VO

user service

registrationcert.pkcs12

convert

cert-request

grid-cert-request

certificate

cert signing

Usage guidelines

Account Registration

once for the lifetime of the VO

(based on your DN)



INFSO-RI-508833

Registering with your VO

for LCG use:http://lcg-registrar.cern.ch/ Agree to VO AUP!Agree to VO AUP!

for ‘national’ VOs use:https://register.matrix.sara.nl/or https://mu4.matrix.sara.nl:8443/vomses



INFSO-RI-508833

Starting a session

CA

VO

user service

proxy-certvoms-proxy-init


convert

cert-request

grid-cert-request

certificate

cert signing

every 12/24 hours



INFSO-RI-508833

Configuration on the Server

CA

VOMS

user service



convert

cert-request

grid-cert-request

certificate

cert signing

host-cert

cert signing

host-request

grid-cert-request

ca-certificate

crl

cert/crl update

automatically updated every

night/week



INFSO-RI-508833

Using a Service

CA

VOMS

user service



convert

cert-request

grid-cert-request

certificate

cert signing

host-cert

cert signing

gridmapoptional:

mkgridmap

host/proxy certs and VOMS attributes exchanged

host-request

grid-cert-request

ca-certificate

crl

cert/crl update



INFSO-RI-508833

Summary

CA: authenticationVO: AUP, authorization and access

• new certificate: follow the web page instructions• send to the appropriate CA (e.g. [email protected])• save the answer

– ~/.globus/usercert.pem

• import in web browser (.p12) and register with VO

• new proxy certificate: voms-proxy-init –vo foobar– /tmp/x509up_u<uid>

• use the Grid



INFSO-RI-508833

Extra: certificate renewal

• Your certificate has a validity of 12 months, then you will have to renew– you get an email warning 4 weeks in advance (and at ~ 2 weeks)– download the script from the web site– run it on a unix system with OpenSSL installed (no macs!)

• The script generates a signed email message– send the signed message to [email protected] – do not modify the message in any way, preferably use

sendmail –t < newrequest.txtas the script tells you at the end

– your Registration Authority will be contacted for confirmation– after response from the RA, a new certificate is mailed to you

• When you get the new certificate, remember to also put the newkey.pem file in the proper place!



INFSO-RI-508833

Extra: managing a VOMS VO



INFSO-RI-508833

VOMS management through the web

• VOMS groups and roles can be managed by the VO-admin through the VOMS-Admin web interface

• Connect to https://mu4.matrix.sara.nl:8443/voms/voname



INFSO-RI-508833

extra: on the USB key

1. go to the CA web site at http://ca.dutchgrid.nl/

2. complete all web forms, and print out the paper

3. download the Unix shell script

4. run the makerequest.sh script, specifying where the keys should be created:

mkdir /mnt/flash/.globussh makerequest.sh /mnt/flash/.globus/

5. write down the proof-of-possession challenge on the paper

Back home

1. receive the mail from the CA

2. insert your USB flash drive again, and copy the mail to/mnt/flash/.globus/usercert.pem

3. make a symlink in your home directory on the UI:ln –s /mnt/flash/.globus $HOME/.globus

4. login to the grid with grid-proxy-init

Grid Security Tutorial 2006

Documents

Transcript of Grid Security Tutorial 2006