• No results found

Cloud Computing. Lecture 5 Grid Security

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cloud Computing. Lecture 5 Grid Security"

Copied!
29
0
0

Loading.... (view fulltext now)

Download now ( 29 Page )

Full text

(1)

Cloud Computing

Lecture 5

Grid Security

2014-2015

(2)

Up until now…

• Introduction.

• Definition of Cloud Computing.

• Grid Computing:

• Schedulers

(3)

Summary

• Grid Security

• TLS

• WS-Security

• Proxy certificates

• MyProxy

(4)
(5)

Grid Security: Problems

• Valuable resources solving sensitive problems.

• Federation of organizations.

• Multiple security domains.

• Need for transparency.

• Both client-server and server-server

interactions.

• Service composition.

• Variety of policies.

(6)

Ideal Solution!

• Single sign-on.

• Even if you’re running a task that:

• Requires secure communication.

• Uses several services:

• Multiple authentication?

• On different organizations:

(7)

Segurança

Execução

Monit.

Base

Dados

GT4 Tools

GridWay

GridFTP

Reliable

File

Transfer

GRAM

MDS4

CAS

Data

Rep

Delegation

Location

Replica

Java

Runtime

C

Runtime

Python

Runtime

GSI-OpenSSH

MyProxy

Globus

Toolkit

Security

Execution

Monitoring

(8)

Let’s recap some security concepts!

• Identity/Certification:

• Who is this person?

• Who is assuring that this identity matches a real person?

• Authentication:

• Is this person who she says she is?

• Authorization:

• Is this person allowed to do what she is requesting?

• Integrity:

• Has the message I’m receiving been tampered with?

• Confidentiality:

(9)

GSI: Globus Security Infrastructure

• It doesn’t solve the trust issue but gets everyone

using the same protocols and understanding each

others certificates:

(10)

Secure Web Services

<S:Envelope>

<S:Header>

...

<Security

S:actor="...“ S:mustUnderstand="...">

...

</Security>

...

</S:Header>

<S:Body>…

</S:Body>

</S:Envelope>

(11)

TLS: Transport Layer Security

• Transport level encryption protocol.

• Steps:

1. Algorithm negotiation.

2. Key exchange.

3. Symmetric encryption.

• Supported Algorithms:

• Key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK.

• Authentication: RSA, DSA, ECDSA.

• Symmetric key: RC4, Triple DES, AES, IDEA, DES.

• Hashing: HMAC-MD5, HMAC-SHA.

(12)
(13)

Identity: X.509 Certificates

Certificate: Data:

Version: 1 (0x0)

Serial Number: 7829 (0x1e95)

Signature Algorithm: md5WithRSAEncryption

Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division,

CN=Thawte Server CA/[email protected] Validity

Not Before: Jul 9 16:04:02 1998 GMT Not After : Jul 9 16:04:02 1999 GMT

Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,

OU=FreeSoft, CN=www.freesoft.org/[email protected] Subject Public Key Info:

Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit)

Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66: 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17: 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b: c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77: 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3: d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption

93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92: ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67: d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72: 0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1: 5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7: 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22: 68:9f

• Most common

certificate format:

• Contains:

• Person’s

identification.

• Identification of a

certification

authority (CA).

• Person’s public key.

• CA digital signature.

• Requires trusting the

CA and knowledge of

it’s public key.

• Dominant mechanism

in the grid community.

(14)

WS-Security

• Ensures integrity, authentication and

confidentiality.

• Digital signature and encryption key

specification using WS.

• Works at application level.

• Specifies the SOAP message headers and the

variants of the different fields.

(15)

UsernameToken Example

<wsse:Security>

<wsse:UsernameToken>

<wsse:Username>Zoe

</wsse:Username>

<wsse:Password>ILoveDogs

</wsse:Password>

</wsse:UsernameToken>

</wsse:Security>

(16)

BinarySecurityToken Example

<wsse:BinarySecurityToken

xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/

04/secext"

Id="myToken" ValueType="wsse:X509v3"

EncodingType="wsse:Base64Binary">

MIIEZzCCA9CgAwIBAgIQEmtJZc0...

</wsse:BinarySecurityToken>

(17)

Delegation

• What if a service needs to call another one?

We need Delegation!!

• Solves the multiple login problem.

• User signed proxies.

• Private key not encrypted in the local file system.

• Time-limited (12h).

• When you log out, the stored proxies are not

eliminated.

(18)

Single Sign-on and Delegation

• To authenticate with your certificate directly you

would have to type a passphrase every time.

• Also you need a way to send your credentials across.

• In the Grid Security Infrastructure today, this is solved

by ‘proxy certificates’:

• a temporary key pair.

• in a temporary certificate signed by your ‘long term’

private key.

• valid for a limited time (default: 12 hours).

• and itself not protected by a passphrase.

(19)

Proxy Certificate Generation

• B needs A's credentials to make a request to C. B, therefore, needs

a proxy certificate signed by A:

• B generates a public/private key pair for the proxy certificate.

• B uses the key pair to generate a certificate request, which will

be sent to A using a secure channel. This certificate request

includes the proxy's public key, but not the private key.

• Organization A will use its private key to digitally sign the

certificate request.

• A sends the signed certificate back to B using a secure channel.

• B can now use the proxy certificate to act on A's behalf.

• Note: proxy's private key and A’s private key are never

transmitted between A and B.

(20)

Proxy Initiation in Globus

• User enters pass phrase, which is used to decrypt private key.

• Private key is used to sign a proxy certificate with its own, new

public/private key pair:

• User’s private key not exposed after proxy has been signed.

User

certificate file

Private Key

(Encrypted)

Pass

Phrase

User Proxy

certificate file

• Proxy placed in /tmp

• the private key of the Proxy is not encrypted:

• stored in local file: must be readable only by the owner;

(21)

MyProxy

• What if I’m executing a long-running task?

• What if my grid (not very well integrated) requires

several certificates.

• MyProxy:

• Stores long-lasting certificates (private keys are

encrypted).

• Generates short term certificates from the login

(unencrypted private keys).

• Interacts with certification authorities to acquire

certificates.

(22)

Client

MyProxy

Server

keypair

MyProxy Put

certificate

private key

certificate request

proxy certificate chain

username

password policy

private key

cert chain

(23)

Client

MyProxy

Server

Grid

Service

private key

MyProxy Get

certificate request

proxy certificate chain

username

password

private key

cert chain

TLS handshake

X.509

cert chain

(24)

Password-based Renewal

MyProxy

Condor-G

GRAM Gatekeeper

Client

proxy

job

password

password

proxy

job

Job

proxy

password

proxy

proxy

proxy

proxy

proxy

proxy

proxy

proxy

proxy

(25)

Authorization and Trust in VOs:

Community Authorization Service

• WS require authorization.

• There are several interface mechanisms

between X.509 and policy repositories.

• What if we want to integrate the repository in

the grid’s virtual organizations?

• CAS is a centralized repository that relates

agents, resources and actions.

(26)

CAS Administration Services

• Enrolling and Unenrolling Objects

• Enrolling and Unenrolling Service Type

• Maintaining Service Types

• Maintaining User Groups

• Maintaining Object Groups

• Maintaining Permissions

(27)

A Typical CAS Request

CAS Server

What rights does

the community

grant to this user?

Client

Resource Server

Do the proxy restrictions

authorize this request?

CAS-maintained

community policy

database

User proxy

Community proxy

Community proxy

Local policy

information

Proxy restrictions

Proxy restrictions

Is this request authorized

for the community?

(28)

Signed Authorization Assertions

Subject: /O=Grid/CN=Laura

Valid: 3/25/03 11:00 – 3/26/03 11:00

AuthorizationAssertion (non-critical

extension):

Target Subject:

/O=Grid/CN=Laura

Valid:

3/25/03 13:00 –15:00

These actions are allowed:

Read gridftp://myhost/mydir/*

Signature (of assertion, by the

VO

CAS server

)

Signature (of all above, by the user)

It is only valid

when used along

with the target

user’s

authentication

credentials.

The authorization

assertion is signed

by the VO’s CAS

server. It

delegates a subset

of the

VO

’s rights

to a

user

, during a

(29)

Next time…

References

Download now ( PDF - 29 Page - 231.76 KB )

Related documents

The Archons. Hidden Rulers Through the Ages

P.R. - They sometimes feed on people's life forces to the point where it is difficult for the abductee to walk because the feeding process leaves the abductee in a weakened

Economic growth and human development in South Asia: Experiences of selected countries

The high degree of education deprivation among the poor and vulnerable strata of population in the South Asian countries is mainly attributed to two factors: extreme income

Comprehensive study on machinability of sustainable and conventional fibre reinforced polymer composites

Hence, this paper presents a comprehensive investigation on the machinability effects of drilling parameters (feed rate, cutting speed and thrust force), drill diameters and

Concurrent Parasitism Alters Thermoregulation in Honey Bee (Hymenoptera: Apidae) Winter Clusters

The small hive beetle, Aethina tumida Murray (Coleoptera: Nitidulidae), and the ectoparasitic mite Varroa destructor Anderson &amp; Trueman are honey bee parasites and both

Efficacy of subpleural continuous infusion of local anesthetics after thoracoscopic pulmonary resection for primary lung cancer compared to intravenous patient-controlled analgesia

Background: This study compared the efficacy and side effects of intravenous patient-controlled analgesia (IV-PCA) with those of a subpleural continuous infusion of local

Ericsson Important Optimization Parameters

usedFreqThresh2dRscp: Threshold for event 2d (the estimated quality of the currently used WCDMA RAN frequency is below a certain threshold) based on RSCP

Competence versus mastery: The time course for developing proficiency in video-assisted thoracoscopic lobectomy

Learning curves were evaluated for operative time, blood loss, and postoperative length of stay by assessing elements of proficiency: efficiency (defined as decreasing values for