\documentclass[english,serif,mathserif,xcolor=pdftex,dvipsnames,table]{beamer}
\usepackage[utf8]{inputenc}
%\usepackage[T1]{fontenc}
\usepackage{babel}
\usepackage{fixltx2e}
\usepackage{graphicx}
\usepackage{colortbl}%
  %\newcommand{\cellcolor}[2]{\multicolumn{1}{>{\columncolor{#1}}c}{#2}}
\usepackage{listings}%
  % listings setup for the shell snippets: code is set in \ttfamily and
  % text between two "@" signs inside a listing is rendered as ordinary
  % TeX (escapechar).  \lstMakeShortInline{@} at the end additionally
  % turns @...@ in running text into an inline listing, so a literal "@"
  % in body text (e.g. in an address) would then need to be escaped.
  \lstloadlanguages{sh}%
  \lstset{
    language=sh,%
    % --- basic appearance ---
    basicstyle=\ttfamily,%
    %columns=fullflexible,% best results for proportional fonts
    commentstyle=\small,%
    keywordstyle=\bfseries,% or \normalfont
    %identifierstyle=\itshape,%
    %procnamestyle=\bfseries\slshape, %\scshape,%
    %procnamekeys={def},%
    % --- escaping and special displays ---
    escapechar=@,% text between "@" will be rendered as normal TeX
    %moredelim=[il][\small\itshape]{\#},% ditto for text between "#" and end-of-line
    texcl,%
    mathescape=false,%
    %literate={*{=}{{$\gets$ }}1 {==}{{$=$ }}1 {<=}{{$\leq$ }}1 {>=}{{$\geq$ }}1 {!=}{{$\neq$ }}1},%
    % --- display ---
    %showspaces=false,%
    %showstringspaces=false,%
    %xleftmargin=2em,%
    % --- line numbers ---
    %numbers=left,%
    %numberstyle=\tiny,%
    %stepnumber=1,%
    %firstnumber=1%
  }%
  \lstMakeShortInline{@}%
\usepackage{longtable}
\usepackage{multirow}
\usepackage{float}
\usepackage{wrapfig}
\usepackage{soul}
\usepackage{textcomp}
\usepackage{tikz}%
  \usetikzlibrary{arrows,shapes}%
  % For every picture that defines or uses external nodes, you'll have to
  % apply the 'remember picture' style. To avoid some typing, we'll apply
  % the style to all pictures.
  \tikzstyle{every picture}+=[remember picture]%
\usepackage{marvosym}
\usepackage{wasysym}
\usepackage{latexsym}
\usepackage{amssymb}
\usepackage{hyperref}
\usepackage{url}
% Loosen TeX's line-breaking tolerance so that slightly worse line breaks
% are accepted instead of overfull boxes (the LaTeX default is 200).
\tolerance=1000
% Fallback definition of \alert.  beamer defines \alert itself, so under
% beamer this \providecommand is expected to be a no-op; it only takes
% effect if the command is undefined.
\providecommand{\alert}[1]{\textbf{#1}}

\usetheme{uzhneu-en-informal}


\title{Grid Security Infrastructure}
\author[R. Murri]{%
  \textbf{Riccardo Murri} \\
  Grid Computing Competence Center, \\
  Organisch-Chemisches Institut, \\
  University of Zurich
}
\date{Oct.~12,~2011}
\subject{Large Scale Computing Infrastructure (UZH MINF4526)}

%% Use `\largeskip` to get a larger vertical white space between two
%% lines/paragraphs:
\newcommand{\largeskip}{\vspace{1em}}
%% `\+` is a short alias for \largeskip, used at the start of many
%% paragraphs in the frames below.
%% NOTE(review): `\def` overwrites silently; the LaTeX kernel already
%% defines `\+` (a tabbing command), so this replaces it document-wide --
%% harmless as long as no tabbing environment is used.
\def\+{\largeskip}
%% Extra vertical space between paragraphs inside list environments
%% (list environments normally reset \parsep themselves, so the effect of
%% setting it in the preamble may be limited -- verify in the output).
\setlength{\parsep}{1.0em}


\begin{document}

% title page
\maketitle

%\begin{frame}\frametitle{Outline}
%  \tableofcontents
%  % You might wish to add the option [pausesections]
%\end{frame}


\section{Security in general}

\begin{frame}\frametitle{Facets of security}
  \begin{description}[Non-repudiation]
  \item [Authentication] prove the identity of an entity 
    {\footnotesize (user, host, service, etc.)}
  \item [Authorization] an entity can do only what it is allowed to
  \item [Confidentiality] a third party cannot understand the
    communication
  \item [Integrity] data is not modified during communication
  \item [Non-repudiation] a party cannot later deny having sent (or
    received) a message: it can be verified that the sender and
    receiver were, in fact, the parties who claimed to send or receive
    the message
  \end{description}

  Most network security is built
  on \hyperref[sec:public-key]{Public-key cryptography.}
\end{frame}

\begin{frame}\frametitle{Security in the Grid}
  \begin{itemize}
  \item \textbf{Authentication}

    Users/hosts/services need to \emph{identify} themselves to build
    trust relations
    \begin{itemize}
    \item Users do not know where their jobs will be executed
    \item Resource providers do not know the users that will be using
      them
    \end{itemize}

  \item \textbf{Authorization}

    Restrictions may be imposed on the actions allowed to an entity
    \begin{itemize}
    \item a normal user may only run software
    \item an administrator may also install new software
    \end{itemize}

  \item \textbf{Confidentiality, Integrity, Non-repudiation}

    Requisites of secure computer network communication
  \end{itemize}
\end{frame}


\section{Public-key cryptography}
\label{sec:public-key}

\begin{frame}\frametitle{Public-key cryptography}
  \begin{quote}\parindent=0pt\noindent
    Public key cryptography is a form of cryptography which
    generally allows users to communicate securely without having
    prior access to a shared secret key, by using a pair of
    cryptographic keys, designated as public key and private key
    --- \href{http://en.wikipedia.org/wiki/Public-key_cryptography}{Wikipedia}
  \end{quote}
  
  Public and private keys are a pair of transformations $(P, P^{-1})$,
  one inverse to the other ($P$ is published, $P^{-1}$ is kept
  secret), such that:
  \begin{itemize}
  \item it is computationally \emph{hard} to find $P^{-1}$, given $P$;
  \item it is computationally \emph{easy} to generate the pair $(P,
    P^{-1})$.
  \end{itemize}

  Public-key cryptography can be used to ensure
  \emph{Confidentiality}, \emph{Integrity} and
  \emph{Non-repudiation}.
\end{frame}

\begin{frame}\frametitle{Confidentiality}
  Alice wants to send message $M$ to Bob
  \begin{enumerate}
  \item Alice encodes $M$ with Bob's \emph{public} key $B$, forming $B(M)$
  \item Alice sends the encrypted message $B(M)$ over the net
  \item Bob decodes the received message with his \emph{private} key
    $B^{-1}$: $B^{-1}(B(M)) = M$
  \end{enumerate}
  No one can decode the encrypted message $B(M)$ without knowing Bob's
  private key $B^{-1}$.

  \begin{table}
    \centering
    \begin{tabular}{lcc}
            & Public key & Private key \\
      \hline
      Alice & $A$        & $A^{-1}$ \\
      Bob   & $B$        & $B^{-1}$ 
    \end{tabular}
  \end{table}
\end{frame}

\begin{frame}\frametitle{Verification of origin}
  Bob wants to be sure that a message has really been sent by Alice
  \begin{enumerate}
  \item Alice encodes $M$ with her \emph{private} key $A^{-1}$.
  \item Alice sends the enciphered message $A^{-1}(M)$ to Bob
  \item Bob decodes $A^{-1}(M)$ with Alice's \emph{public} key:
    $A(A^{-1}(M)) = M$
  \end{enumerate}
  
  This scheme ensures \emph{non-repudiation}: Alice cannot claim that
  $A^{-1}(M)$ does not come from her, since only Alice knows $A^{-1}$.

  \begin{table}
    \centering
    \begin{tabular}{lcc}
            & Public key & Private key \\
      \hline
      Alice & $A$        & $A^{-1}$ \\
      Bob   & $B$        & $B^{-1}$ 
    \end{tabular}
  \end{table}
\end{frame}

\begin{frame}[fragile]
  \frametitle{Cryptographic hash functions}
  A \emph{cryptographic hash function} is a map $H$ into a fixed
  finite set (e.g., $\{0, \ldots, 2^N\}$) which is:
  \begin{enumerate}
  \item \emph{Preimage resistant}: given $h$ it should be hard to find any
    $m$ such that $h = H(m)$.
  \item \emph{Second preimage resistant}: given an input $m_1$, it should be
    hard to find another input, $m_2$ (not equal to $m_1$) such that
    $H(m_1) = H(m_2)$.
  \item \emph{Collision-resistant}: it should be hard to find two different
    messages $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$.
  \item \emph{Efficiently computable}
  \end{enumerate}

  \+
  {\footnotesize
    For more information, see: \url{http://valerieaurora.org/hash.html}}
\end{frame}

\begin{frame}\frametitle{Digital signature}
  \begin{enumerate}
  \item Alice calculates the hash $h = H(m)$ of message $m$
  \item Alice sends $(m, A^{-1}(h))$ to Bob
  \item Bob verifies that the signed hash $A^{-1}(h)$ is authentic by
    deciphering it with Alice's public key $A$, recovering $h$
  \item Bob verifies the message integrity by comparing the recovered
    $h$ with the hash $H(m)$ he computes locally from the received
    message $m$
  \end{enumerate}

  This scheme ensures
  \begin{itemize}
  \item \emph{integrity}: if a cryptographically secure hash is used,
    an attacker who alters the message cannot produce a matching
    signed hash --- finding another message with the same hash is hard
    (second preimage resistance), and signing a new hash would require
    Alice's private key $A^{-1}$.
  \item \emph{non-repudiation}: origin can be verified
  \end{itemize}
\end{frame}

\begin{frame}\frametitle{What is still to be solved?}
  \begin{itemize}
  \item Who guarantees that Alice's public key is really Alice's
    public key and not someone else's? \emph{(Authentication)}
  \item Who guarantees that Alice's private key is known to Alice
    \emph{only}?
  \end{itemize}
\end{frame}


\section{X.509 Public Key Infrastructure}
\label{sec:pki}

\begin{frame}\frametitle{X.509 certificates and Certification Authorities}
  A \emph{digital certificate} associates a user's identity with a
  public key.

  A third party (\emph{Certification Authority}) guarantees that the
  contents of a digital certificate are correct.
  \begin{itemize}
  \item CAs \emph{sign} digital certificates, to guarantee they are
    valid;
  \item all parties that know the CA public key can verify the
    signature. 
  \end{itemize}

  To be useful for digital signature and all other cryptographic
  purposes, certificates are generated together with a \emph{private} key.
  \begin{itemize}
  \item but the CA will \emph{not} sign nor \emph{know} the private key
  \item private key is \emph{protected} with a passphrase
  \end{itemize}

  Also hosts, services, etc.\ can be certified.
\end{frame}

\begin{frame}\frametitle{Certificate chains}
  A CA has its own certificate, signed by another CA
  \begin{itemize}
  \item verifying a user certificate requires verifying every
    signature along the chain, up to a CA that is trusted
  \item tree of CAs, end-entities (users, hosts, etc.) are leaves
  \end{itemize}

 A CA can self-sign its certificate
 \begin{itemize}
 \item this is called a ``root CA''
 \item Root CA certificates are usually distributed with software (web
   browsers, MUAs, etc.)
 \item nothing prevents anyone from creating a self-signed ``root''
   certificate: what distinguishes a genuine root CA is currently only
   its widespread adoption in the trust stores distributed with software
 \item The collection of ``Grid'' root CAs is maintained by
   \href{http://www.igtf.net/}{the International Grid Trust Federation
     (IGTF)}
 \end{itemize}
\end{frame}


\begin{frame}[fragile]
\frametitle{What's in an X.509 certificate?}
% \gobblespaces discards the next four tokens.  It is applied to the
% highlighted text in the calls below, where the braced text starts
% with four indentation spaces (presumably active, hence not skipped,
% inside semiverbatim) that would otherwise indent the block contents;
% if a call's text is re-indented, this count must follow.
\def\gobblespaces#1#2#3#4{}%
% \highlight[<style>]{<slide>}{<text>}{<title>}: on overlay <slide> of
% this frame, replaces <text> with a beamer block titled <title> that
% shows <text> at \normalsize (after applying the optional <style>,
% default \relax); on all other overlays <text> is printed unchanged.
% Defined with \newcommand inside the frame environment, so the
% definition should stay local to this frame (a variant with the same
% name is defined again in the VOMS proxy frame below).
\newcommand{\highlight}[4][\relax]{\alt<#2>{%
    \vspace{-6ex}%
    \begin{block}{#4}%
      \normalsize#1\gobblespaces#3%
    \end{block}%
    \vspace{-3ex}%
  }%
  {#3}}
\begin{semiverbatim}\tiny
\highlight{1}{bash\$ \emph{openssl x509 -text -in ~/.globus/usercert.pem}}{Type this to display info on your Grid certificate}
Certificate:
  Data:
    Version: 3 (0x2)
\highlight[\bfseries]{2}{    Serial Number: 73:5f:b8:49:00:00:00:00:10:62}{A serial number, unique within certificates signed from the same CA}
    Signature Algorithm: sha1WithRSAEncryption
\highlight[\tiny\bfseries]{3}{    C=CH, O=Switch - Teleinformatikdienste fuer Lehre und Forschung, CN=SWITCHslcs CA}{Issuer DN: identity of the signing CA}
\highlight[\bfseries]{4}{    Validity
      Not Before: Oct  6 17:31:47 2011 GMT
      Not After : Oct 18 07:28:26 2011 GMT}{Time validity interval}
\highlight[\tiny\bfseries]{5}{    Subject: DC=ch, DC=switch, DC=slcs, O=Universitaet Zuerich, CN=Riccardo Murri 94ADB37F}{Subject DN}
\highlight[\scriptsize\bfseries]{6}{    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (2048 bit)
          Modulus (2048 bit):
              00:bd:18:e6:93:9a:b1:4f:41:f7:ef:8c:60:fc:be:
              \ldots}{Owner's public key (binary data)}
  \ldots
\highlight[\scriptsize\bfseries]{7}{        X509v3 extensions:
      X509v3 Certificate Policies: 
          Policy: 2.16.756.1.2.6.4.1.1
      X509v3 Key Usage: critical
          Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
          TLS Web Client Authentication
      \ldots}{Additional information on key usage}
\highlight[\scriptsize\bfseries]{8}{    Signature Algorithm: sha1WithRSAEncryption
      8c:bd:d2:8f:b9:60:96:19:3b:4c:9d:18:91:55:74:ee:98:69:
      \ldots}{Digital signature from the CA (binary data)}
\end{semiverbatim}
\end{frame}


\begin{frame}[label=slcs]
  \frametitle{Short-Lived Credential Service}
  Web service to create an X.509 user certificate,
  valid for 11 days.
  \begin{itemize}
  \item A \emph{new} certificate at each successful invocation
  \item \emph{Same} subject DN every time
  \item Command-line client (Java-based) available in gLite 3.x
  \end{itemize}

  \+ \emph{Uses AAI/Shibboleth authentication.}

  \+ SWITCH SLCS CA is already in the IGTF bundle
  \begin{itemize}
  \item SLCS certificates can be used for normal Grid operations
  \end{itemize}

  \+
  \emph{Already in use in SMSCG, the Swiss national Grid infrastructure.}
\end{frame}


\begin{frame}\frametitle{Certificate revocation}
  CAs publish \emph{Certificate Revocation Lists} (CRL).
  \begin{itemize}
  \item List certificates that should no longer be considered valid,
    even though their validity period has not yet expired
    \begin{itemize}
    \item Private key compromised
    \item User/host lost requisites for certification
    \item etc.
    \end{itemize}
  \item new versions published at \emph{fixed} intervals
  \item relying parties must download the CRL from the web and refresh
    it regularly: a certificate revoked after the last download is
    still accepted until the next update
  \end{itemize}

  OCSP: \emph{Online Certificate Status Protocol}
  \begin{itemize}
  \item not all CAs and relying parties support it
  \end{itemize}
\end{frame}


\section{Authentication}

\begin{frame}\frametitle{Grid Security Infrastructure}
  \begin{itemize}
  \item GSI is based on an \hyperref[sec:pki]{X.509 PKI}
  \item Every user and service involved in the Grid has an X.509 certificate
  \item Each site chooses which CAs to trust
  \item Each Grid transaction is mutually authenticated: each party
    must trust the other parties' CA
  \end{itemize}
\end{frame}


\subsection{User authentication with GSI}
 
\begin{frame}
  \frametitle{User Authentication with GSI}
  Requisites:
  \begin{itemize}
  \item Single Sign-on: no need to type private key passphrase again
    and again
  \item Delegation: jobs and other agents need to act on behalf of the
    user (with optional restrictions in functionalities)
  \end{itemize}

  Problems:
  \begin{itemize}
  \item private key is password-protected
  \item should not send private key or password over the net
  \end{itemize}
\end{frame}

\begin{frame}\frametitle{Proxy certificates}
  Extensions of X.509 digital certificates, defined in RFC~3820.
  \begin{itemize}
  \item the user's private key is used to sign a new (proxy)
    certificate, whose public key belongs to a freshly generated
    public/private key pair
  \item the private key in the proxy is \emph{not} passphrase-protected:
    whoever can read the proxy file can use it
  \item proxy lifetime limited (usually 12 hours) --- minimizes risk
    of ``compromised credentials''
  \end{itemize}

  The proxy certificate may be sent over the net with no risk of
  compromising the user's \emph{long-term} credentials: a stolen proxy
  can only be misused until it expires.
\end{frame}


\section{Authorization}

\begin{frame}
  \frametitle{What about authorization?}
  \begin{description}[Data Management]
  \item [Job execution]
    \begin{itemize}
    \item Access policy is implemented through job queues
    \item Basic grid usage: \emph{submit} and \emph{cancel} jobs in a queue
    \item \emph{Binary} policy: you either \emph{can} access a queue or you
      \emph{cannot}
    \end{itemize}

  \item [Data management]
    \begin{itemize}
    \item Hierarchical structure of filesystem
    \item Mixture of operations: read, write, delete, rename, \ldots
    \end{itemize}

%  \item [Two solutions]
%    \begin{itemize}
%    \item Globus/GridFTP user mapping model
%    \item DPM/LFC user mapping model
%    \end{itemize}
  \end{description}
\end{frame}

\begin{frame} \frametitle{No single authorization framework}
  General principle: the \emph{local site admin decides} who can do what!

  \+
  Usual authorization mechanism:
  \begin{enumerate}
  \item Grid user is mapped to local Linux user based on:
    \begin{itemize}
    \item Identity (i.e., the certificate subject DN)
    \item Additional attributes (VOMS FQANs, see next slide)
    \end{itemize}
  \item Grid user can perform on local Linux host all operations that
    the local Linux user s/he is mapped to can perform.
  \end{enumerate}

  \+
  \small
  Alternate authorization scheme: 
  \begin{itemize}
  \item use \emph{virtual} instead of \emph{real} local users
  \item server must implement authorization mechanisms on its own
  \item still, authorization decision is based on DN and FQANs.
  \end{itemize}
  \hyperref[sec:auth]{\beamergotobutton{More on authorization schemes}}
\end{frame}

\subsection{VOMS}

\begin{frame}
  \frametitle{What is VOMS?}
  VOMS embeds additional information on group membership and
  capabilities (FQANs) in a proxy certificate.

  \begin{itemize}
  \item VOMS attributes are embedded in an \emph{extension} section of
    the proxy: a VOMS-enabled proxy is a standard proxy to non-VOMS
    software
  \item User mapping done on group, role or capability --- not on
    identity alone
  \item Attributes are digitally signed by the VOMS server granting
    them, so a relying site must know that server's certificate to
    verify them
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{VOMS Attributes}
  A VOMS proxy lists a sequence of attributes.

  Each attribute \emph{(FQAN)} consists of a quadruple:
  \begin{description}[Capability]
  \item[VO] \emph{Virtual Organization} name
  \item[Group] groups are organized in a tree-like
    hierarchical structure
  \item[Role] the set of roles has no hierarchical structure
  \item[Capability] VO-specific information (free text)
  \end{description}

  For instance:
  \begin{center}
    $\underbrace{%
      \overbrace{%
        \texttt{/smscg}}%
      \sp{\textsf{VO}}%
      \texttt{/test}%
      }\sb{\textsf{group}}%
    \underbrace{\texttt{/Role=sw-manager}}%
    \sb{\textsf{role}}%
    \underbrace{\texttt{/Capability=NULL}}%
    \sb{\textsf{capability}}$%
  \end{center}
\end{frame}

% \begin{frame}
%   \frametitle{The VOMS server}
%   A server managing the Grid user to VOMS attributes mapping.
%   \begin{itemize}
%   \item one server per VO
%   \item server returns list of attributes a Grid user has access to
%   \item will digitally sign each attribute to ensure validity
%   \item client must know server identity beforehand to be able to
%     verify signature
%   \end{itemize}
% \end{frame}

\begin{frame}[fragile]
\frametitle{What's in a VOMS proxy?}
% \highlight[<size>]{<slide>}{<text>}{<title>}: on overlay <slide> of
% this frame, replaces <text> with a beamer block titled <title> that
% shows <text> in \normalsize\bfseries (after the optional <size>,
% default \relax); on all other overlays <text> is printed in
% \scriptsize.  Unlike the variant in the X.509 frame, the leading
% spaces of <text> are kept.  Defined with \newcommand inside the frame
% environment, so the definition should stay local to this frame.
\newcommand{\highlight}[4][\relax]{\alt<#2>{%
    \vspace{-6ex}%
    \begin{block}{#4}%
      \normalsize \bfseries #1#3%
    \end{block}%
    \vspace{-3ex}%
  }%
  {\scriptsize #3}}
\begin{semiverbatim}\tiny
\highlight{1}{bash\$ \emph{voms-proxy-info --all}}{Type this to display information on your VOMS proxy}
\highlight[\tiny]{2}{subject   : /DC=ch/DC=switch/DC=slcs/O=Universitaet Zuerich/CN=Riccardo Murri 94ADB37F/CN=609768500}{The \emph{proxy} certificate subject DN}
\highlight[\scriptsize]{3}{issuer    : /DC=ch/DC=switch/DC=slcs/O=Universitaet Zuerich/CN=Riccardo Murri 94ADB37F}{\emph{Issuing} certificate subject DN}
\highlight[\scriptsize]{4}{identity  : /DC=ch/DC=switch/DC=slcs/O=Universitaet Zuerich/CN=Riccardo Murri 94ADB37F}{\emph{Your} certificate subject DN}
type      : RFC compliant proxy
strength  : 1024 bits
\highlight{5}{path      : /tmp/x509up_u1001}{The Linux file where the proxy is stored}
\highlight{6}{timeleft  :  6::22:03}{Time remaining until proxy expires}
\highlight{7}{=== VO smscg extension information ===}{Additional VOMS information}
VO        : smscg
subject   : /DC=ch/DC=switch/DC=slcs/O=Universitaet Zuerich/CN=Riccardo Murri 94ADB37F
issuer    : /DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Zuerich/L=Zuerich/O=SWITCH/CN=voms.smscg.ch
\highlight{8}{attribute: /smscg/Role=NULL/Capability=NULL}{FQAN \#1}
\highlight{9}{attribute : /smscg/test/Role=NULL/Capability=NULL}{FQAN \#2}
\highlight{10}{timeleft  :  6:22:04}{Attribute lifetime. \emph{(Note: can be different from proxy lifetime!)}}
\end{semiverbatim}
\end{frame}



\section{References}
\begin{frame}
  \frametitle{References: Public-Key Cryptography}
  \begin{itemize}
  \item Introduction to Public-Key Cryptography:
    \url{https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography}
  \item A lecture on public-key cryptography, network communication
    and the RSA algorithm (by Th.~Jonasson):
    \url{www.eit.lth.se/fileadmin/eit/courses/edi051//lecture13-14_slides.pdf}
    \item An overview of the RSA algorithm, its applications
      and giving example with pencil-and-paper and sample
      implementations:
      \url{http://www.di-mgt.com.au/rsa_alg.html}
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{References: Public Key Infrastructure}
  \begin{itemize}
  \item IETF Public Key Infrastructure Charter:
    \url{http://www.ietf.org/html.charters/pkix-charter.html} 
    
    Complete index to PKI-related internet standards and draft
    standards. 

  \item International Grid Trust Federation:
    \url{http://www.gridpma.org/}

    Manages and publishes profiles for Grid CAs, and links to public CA
    registries.

  \item Overview of GSI:
    \url{http://www.globus.org/security/overview.html}

  \item Proxy certificates / RFC 3820:
    \url{http://www.faqs.org/rfcs/rfc3820.html} 
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{References: Software}
  \begin{itemize}
  \item MyProxy: \url{http://myproxy.ncsa.uiuc.edu/}

  \item VOMS: \url{http://infnforge.cnaf.infn.it/docman/?group_id=7}

  \item DPM and LFC: \url{https://twiki.cern.ch/twiki/bin/view/LCG/DataManagementDocumentation}

  \item Other LCG-2 software: \url{https://twiki.cern.ch/twiki/bin/view/LCG/LCGSoftware}

  \item The LHC Computing Grid, \url{http://lcg.web.cern.ch/LCG/}
  \end{itemize}
\end{frame}


\section{Authorization schemes}
\label{sec:auth}

\begin{frame}\frametitle{\texttt{grid-mapfile}}
  Map a Grid identity (the subject of a user certificate) to a local
  Linux user.

  \+
  Then the Grid user has the same access rights as the local account
  he is mapped to (file access, disk quotas, CPU limits, etc.)

  \+
  The mapping is done via a \texttt{grid-mapfile}, which contains a
  sequence of lines of type:
    \begin{quote}
      \texttt{"}$\langle$certificate subject DN$\rangle$\texttt{"} $\langle$local user$\rangle$
    \end{quote}

  \begin{center}
    \emph{Problem: is a local account needed for every Grid user?}
  \end{center}
\end{frame}

\begin{frame}\frametitle{Pool accounts, I}
  Pool accounts are a sort of ``anonymous'' local account for Grid
  users.
  \begin{itemize}
  \item a set of accounts all belonging to one and the same local UNIX
    group (e.g., \texttt{egrid01}, \texttt{egrid02}, \ldots)
  \item a Grid user is mapped to the first ``free'' account in the
    pool
  \item after some time, the account is ``recycled'' and ready for
    assignment to another Grid user
  \item so a site might refuse you if there are no more free pool
    accounts
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Pool accounts, II}

  Only the pool matters: the same Grid user is possibly mapped to a
  different account in the pool each time they access a local machine.

  \+
  Security implications:
  \begin{itemize}
  \item flattening of a hierarchy of access rights --- all users in a
    VO acquire the same rights on the local machine
  \item cannot protect files per-user, only per-group: pool accounts
    can access each other's files
  \item account recycling must be done carefully: files left behind by
    the previous user become accessible to the next Grid user assigned
    to the same account
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{GridFTP authorization scheme}

  GridFTP is the most common GSI-enabled server.
  \begin{itemize}
  \item exposes the local filesystem to the Grid
  \item maps Grid users to local users
  \item authorization is based on \emph{local user} access rights on
    the filesystem
    \begin{itemize}
    \item that is, it behaves just like the plain old FTP daemon
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{DPM/LFC authorization scheme}

  \begin{itemize}
  \item map user Grid identity (subject DN) to \emph{unique} virtual
    ``User ID'' (VUID)
    \begin{itemize}
    \item VUID bears no relation with the UNIX host UID
    \end{itemize}
  \item map each VOMS attribute to a \emph{unique} virtual
    ``Group ID'' (VGID)
    \begin{itemize}
    \item VGID bears no relation with the UNIX host GID
    \end{itemize}
  \item authorization is based on \href{https://uimon.cern.ch/twiki/bin/view/LCG/DataManagementDocumentation}{DPM/LFC} internal ACLs on data
    \begin{itemize}
    \item ACLs have POSIX-like semantics, but are not enforced on the
      filesystem
    \end{itemize}
  \item authorization info is private to \href{https://uimon.cern.ch/twiki/bin/view/LCG/DataManagementDocumentation}{DPM/LFC}
    \begin{itemize}
    \item so you need special versions of the GridFTP, RFIO, etc.\
      daemons 
    \end{itemize}
  \end{itemize}

  Drawbacks:
  \begin{itemize}
  \item how to share authorization data among different servers?
  \end{itemize}
\end{frame}




\end{document}
%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% x-symbol-mode: nil
%%% End: 

