Скачать презентацию Authentication and Authorization in g Lite Daniel García

a09db35993d68efde27cf1a7a0e17583.ppt

• Количество слайдов: 31

Authentication and Authorization in g. Lite Daniel García Franco IRIS-CERT/Red. IRIS 13 th EELA Tutorial, Barcelona 14 -18 de April 2008

Overview • Glossary • Encryption § Symmetric algorithms § Asymmetric algorithms: PKI • Certificates § Digital Signatures § X 509 certificates • Grid Security § Proxy certificates § Command line interfaces • Virtual Organization § Concept of VO and authorization 2

Glossary • Principal § • Credentials § • Encrypt the message so that only the recipient can understand it Integrity § • Map an entity to some set of privileges Confidentiality § • Verify the identity of a principal Authorization § • Some data providing a proof of identity Authentication § • An entity: a user, a program, or a machine Ensure that the message has not been altered in the transmission Non-repudiation § Impossibility of denying the authenticity of a digital signature 3

Cryptography Is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. K 2 K 1 Pablo M Encryption C Decryption M Juan Symbology Plaintext: M Cyphertext: C Encryption with key K 1 : E K 1(M) = C Decryption with key K 2 : D K 2(C) = M Algorithms Symmetric: K 1 = K 2 Symmetric Asymmetric: K 1 ≠ K 2 Asymmetric 4

Symmetric Algorithms The same key is used for encryption and decryption Advantages: Fast Disadvantages: how to distribute the keys? Examples: DES 3 DES Rijndael (AES) Blowfish Kerberos María ciao Pedro 3\$r María ciao 3\$r ciao Pedro 3\$r ciao 5

Public key Algorithms Every user has two keys: one private and one public: it is “impossible” to derive the private key from the public one; a message encrypted by one key can be decrypted only by the other one. No exchange of secrets is necessary the sender cyphers using the public key of the receiver; the receiver decrypts using his private key; Examples: Diffie-Helmann (1977) RSA (1978) Pablo ciao Juan 3\$r Pablo ciao 3\$r ciao Juan cy 7 Pablo keys Juan keys public private ciao public private 6

Digital Signature Pablo calculates the hash of the message Pablo encrypts the hash using his private key: the encrypted hash is the digital signature Pablo sends the signed message to Juan calculates the hash of the message and verifies it with A, decyphered with Pablo’s public key. If hashes equal: message wasn’t modified; Pablo cannot repudiate it. Pablo This is some Hash(A) message Digital Signature This is some message Digital Signature Juan Pablo keys Hash(B) =? public private Hash(A) This is some message Digital Signature 7

Digital Certificates • Pablo’s digital signature is safe if: Pablo’s private key is not compromised 2. Juan knows Pablo’s public key • How can Juan be sure that Pablo’s public key is really Pablo’s public key and not someone else’s? § A third party guarantees the correspondence between public key and owner’s identity. § Both Pablo and Juan must trust this third party 1. 8

Certification Authority The “third party” is called Certification Authority (CA). • Issue Digital Certificates (containing ( public key and owner’s identity) for users, programs and machines (signed by the CA) • Check identity and the personal data of the requestor § Registration Authorities (RAs) do the actual validation 9

Classic profile of a CA • How to obtain a certificate: A certificate request is performed The certificate is issued by the CA The user identify is confirmed by the RA The certificate is used as a key to access the grid 10

X. 509 Certificates An X. 509 Certificate contains: owner’s public key; identity of the owner; info on the CA; time of validity; Structure of a X. 509 certificate Public key Subject: C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Serial number; Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA digital signature of the CA Expiration date: Aug 26 08: 14 2005 GMT Serial number: 625 (0 x 271) CA Digital signature 11

Renewal • The certificates maximum lifetime is 1 year + 1 month • The idea is that at the end of the year (12 th month) a new certificate is issued • Users should be warned about the coming expiration and the need to renew • Don’t revoke a certificate to issue a new one unless the certificate has been compromised or the user has ceased his activity which entitles him to have a certificate 12

Renewal • During a renewal it is not required to make the user to pass through the identification procedure: § § This is a big advantage for both the users and the RA However a maximum renewal number without identification is advisable (for instance: every two years the EE must pass through the identification again) • In order not to pass through the identification the renewal request must be signed with the user certificate, examples: § § Email signed with user certificate CA/RA Web interface that would identify the user certificate • If the user certificate expires before renewal the procedure for a new certificate must be followed 13

Request a Personal Certificate • If you are Italian go to: § https: //security. fi. infn. it/CA/en/RA/ • If you are Portuguese go to: § http: //ca. lip. pt/ • If you are Spanish go to: § http: //www. irisgrid. es/pki/ • If you are not any of the above go to: § http: //igc. services. cnrs. fr/GRIDFR/? lang=en&cmd=certificates&type=usercert • Status to be updated since there are now 4 Certification Authorities in the Latin America 14

Request a Certificate to the GRID-FR CA (http: //igc. services. cnrs. fr/GRIDFR/? lang=en&cmd=certificates&type=usercert) Working RA’s are: 1. ICN-UNAM 2. REUNA 3. UFF 4. UFRJ 5. ULA If you DO NOT belong to any of the EELA partners mentioned above, a new RA must be created in your site. This operation starts sending an email to Jorge Gomes ([email protected] pt) and asking him to create a new RA. 15

X. 509 Proxy Certificate • It would be dangerous to transfer your certificate through the Grid • Proxy Certificates § § signed by the normal end entity cert (or by another proxy). Support some important features Ø § Delegation Have a limited lifetime (minimized risk of “compromised credentials”) • Proxy certificates are created by the gridproxy-init command: % grid-proxy-init Enter PEM pass phrase: ****** § Options for grid-proxy-init: Ø Ø Ø -hours -bits -help 17

Grid-proxy-init User enters pass phrase, which is used to decrypt private key. Private key is used to sign a proxy certificate with its own, new public/private key pair. User’s private key not exposed after proxy has been signed User certificate file Pass Phrase Private Key (Encrypted) User Proxy certificate file Proxy stored in local file: must be readable only by the owner lifetime is short (typically 12 h) to minimize security risks. 18

Proxy again … • grid-proxy-init ≡ “login to the Grid” • To “logout” you have to destroy your proxy: § grid-proxy-destroy • To gather information about your proxy: § § grid-proxy-info Options for printing proxy information -subject -type -strength -issuer -timeleft -help 19

Delegation = remote creation of a (second level) proxy credential New key pair generated remotely on server Client signs proxy cert and returns it Allows remote process to authenticate on behalf of the user Remote process “impersonates” the user 20

Long Term Proxy • Proxy has limited lifetime (default is 12 h) § • However, a grid task might need to use a proxy for a much longer time § • Grid jobs in HEP Data Challenges on LCG last up to 2 days My. Proxy server: § § § • Bad idea to have longer proxy Allows to create and store a long term proxy certificate: myproxy-init -s Ø -s: specifies the hostname of the myproxy server myproxy-info Ø Get information about stored long living proxy myproxy-get-delegation Ø Get a new proxy from the My. Proxy server myproxy-destroy File transfer services in g. Lite validates user request and eventually renew proxies § contacting myproxy server 21

VOs and authorization • Grid users MUST belong to virtual organizations § § Sets of users belonging to a collaboration User must sign the usage guidelines for the VO • VOs maintain a list of their members on a LDAP Server § The list is downloaded by grid machines to map user certificate subjects to local “pool” accounts. . . "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461". dteam "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968". cms "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE". alice. . . 22

EELA VO Usage Rules (http: //roc. eu-eela. org/eela_aup. php) 23

EELA VOMS (https: //voms. lip. pt: 8443/voms/EELA/) 24

EELA Registration (1/6) (https: //voms. lip. pt: 8443/voms/eela/webui/request/user/create) 25

EELA Registration (2/6) 26