
Overview of Security Standards in the Grid
CSE 225 High Performance and Computational Grids
Spring 2000
Prepared By
[email protected]
Objectives:
• Gain familiarity with computer and network security
standards.
• Gain understanding of security requirements in Grid
environments.
• Gain understanding of some standards-based
security technologies present in Grid environments.
• Learn about various Grid security models and system
approaches to security.
• Learn about some test bed implementations of
security enabled Grid projects.
Technology Standards: SSH, PGP, SSL, X.509, PKI, Kerberos, DCE, IPSec, VPN
Security Requirements: Authentication, Authorization, Assurance, Accounting, Audit, Integrity, Confidentiality
From Grid U's policy perspective, what are the security
requirements of Condor, Legion, Globus, and the commodity
Internet?
[Figure: network diagram of Grid U. Labels: Condor Flock U, Legion U, Virtual U, Globus U, Grid U; networks: vBns, Calren, 198.32.248.0, Abilene, Commodity Internet; hosts: Sun SPARCclassic, SPARCcluster 1, Sun E10K.]
Security Domains
• Intradomain - internal to a given location or single
organization. Contained security boundary.
• Interdomain - encompasses two or more locations or
organizations. Agreed on security boundaries and
protocols between organizations.
Security - The Protection of Assets
• Prevention: take measures that protect your assets
from damage.
• Detection: take measures that allow you to detect
when an asset has been damaged, and who caused
the damage.
• Reaction: take measures that allow you to recover
your assets or recover from damage to your assets.
Computer Security
• Confidentiality: prevention of unauthorized
disclosure of information.
• Integrity: prevention of unauthorized withholding of
information.
• Availability: prevention of unauthorized withholding
of information or resources.
Network Security (1)
• Trusted Networks
• Identification and Authentication
• Discretionary Access Control
• Labels and Mandatory Access Control
• Audit
Technology - Cryptography
• DES (Data Encryption Standard)
• DSA (Digital Signature Algorithm)
• RSA (Rivest, Shamir, and Adleman)
• Blowfish
• IDEA (International Data Encryption Algorithm)
• AES (Advanced Encryption Standard)
Technology - SSH (1)
• SSH is a packet-based binary protocol that
implements a transport layer security mechanism.
• Encompasses authentication, key exchange,
encryption, and integrity.
• TCP/IP is usually used as the transport.
• Basically an end-to-end encrypted tunnel.
• SSH logins are the most prevalent between domains.
Technology - SSH (2)
Technology - PGP
• Pretty Good Privacy
• Public Domain
• Popular for email and email of files
• PGP user builds key ring of all public keys he has
been given.
• When message or file received from contact, can
decrypt if key is on key ring
Shortcomings of PGP in
distributed systems
• Reasonable basis for key management among friends, but once it
passes the bounds of direct friends, the credibility becomes strained.
• Example
– Carol’s key is P1 signed with P2
– Alice’s key is P2 signed with P4
– Carol’s key is P1 signed with P5
• What if the last certificate said Carol’s key is P3 signed with P5?
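Added example (not part of the original slides): a key-ring audit over the certificates above that flags a name bound to two different keys and counts how many signatures separate each key from one the user verified directly. Treating P4 as the directly verified key is an assumption, as are the function names.

```python
from collections import defaultdict

# (subject, subject's key, key that signed the certificate): the slide's example
KEY_RING = [("Carol", "P1", "P2"), ("Alice", "P2", "P4"), ("Carol", "P1", "P5")]
# The slide's "what if": the last certificate binds Carol to P3 instead of P1
WHAT_IF = KEY_RING[:2] + [("Carol", "P3", "P5")]

def chain_length(key, ring, trusted, seen=()):
    """Fewest signatures linking `key` to a directly verified key, or None if no chain."""
    if key in trusted:
        return 0
    best = None
    for _, certified, signer in ring:
        if certified == key and signer not in seen:   # `seen` guards against signing loops
            d = chain_length(signer, ring, trusted, seen + (key,))
            if d is not None and (best is None or d + 1 < best):
                best = d + 1
    return best

def audit(ring, trusted):
    """Per name: every key claimed for it and its distance from a verified key."""
    claims = defaultdict(set)
    for name, key, _ in ring:
        claims[name].add(key)
    return {name: {k: chain_length(k, ring, trusted) for k in sorted(keys)}
            for name, keys in claims.items()}

def conflicts(ring):
    """Names that the key ring binds to more than one public key."""
    return sorted(n for n, keys in audit(ring, set()).items() if len(keys) > 1)

if __name__ == "__main__":
    trusted = {"P4"}   # assumption: the only key the user checked in person
    print(audit(KEY_RING, trusted))   # Carol's P1 is two signatures away from P4
    print(audit(WHAT_IF, trusted))    # P3 has no chain at all: P5 is unvouched
    print(conflicts(WHAT_IF))
```

In the "what if" case the ring itself cannot say which of P1 and P3 is Carol's; only the chain back to a key the user verified separates them, and that chain is already two signatures long.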
Kerberos (1)
• Supports authentication in distributed systems.
• Used for authentication between intelligent
processes, client to server tasks or workstation to
other hosts.
• Basis of Kerberos is central server that provides
authenticated tokens, called tickets.
Kerberos (2)
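Initiating Kerberos Session
[Figure: (1) User U sends U's identity to the Kerberos server. (2) The Kerberos server returns session key Sg and ticket Tg to the user, encrypted under the password, and sends session key Sg to the ticket granting server, encrypted under the KS-TGS key.]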
Kerberos (3)
Obtaining a ticket to access file
[Figure: (1) User U sends a request to access file F to the ticket granting server. (2) The ticket granting server returns a ticket to the file server to access file F, encrypted under the TGS-F key, plus session key Sf.]
Kerberos (4)
Strengths
• No password communicated on the network.
• Cryptographic protection against spoofing.
• Limited period of validity
• Time stamps to prevent replay attacks
• Mutual authentication
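Added example (not part of the original slides): the two exchanges from Kerberos (2) and (3) in Python, showing that the password never crosses the network and that ticket validity and timestamps reject late or replayed requests. The cipher is a stand-in built from SHA-256 and HMAC, Sg reaches the TGS inside ticket Tg, and all names, the password and the lifetimes (300 s ticket, 60 s skew) are assumptions.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Stand-in authenticated cipher (SHA-256 keystream + HMAC); not Kerberos's own."""
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj).encode())
    return (hmac.new(key, body, hashlib.sha256).digest() + body).hex()

def unseal(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    if not hmac.compare_digest(blob[:32], hmac.new(key, blob[32:], hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, blob[32:48], blob[48:]))

def pw_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 1000)

KS_TGS = os.urandom(32)                    # key shared by Kerberos server and TGS
TGS_F = os.urandom(32)                     # key shared by TGS and file server F
USERS = {"U": pw_key("constructed-pw")}    # Kerberos server's user table (constructed)

def kerberos_server(user, now):
    """Kerberos (2): Sg and ticket Tg go back encrypted under U's password key."""
    sg = os.urandom(32).hex()
    tg = seal(KS_TGS, {"user": user, "sg": sg, "expires": now + 300})
    return seal(USERS[user], {"sg": sg, "tg": tg})

def ticket_granting_server(tg, request, now):
    """Kerberos (3): check Tg and the timestamped request, issue ticket for F plus Sf."""
    t = unseal(KS_TGS, tg)
    sg = bytes.fromhex(t["sg"])
    req = unseal(sg, request)              # only a holder of Sg can build this
    if now > t["expires"] or abs(now - req["ts"]) > 60:
        raise PermissionError("expired ticket or stale (replayed) request")
    sf = os.urandom(32).hex()
    ticket_f = seal(TGS_F, {"user": t["user"], "file": req["file"], "sf": sf})
    return seal(sg, {"sf": sf, "ticket_f": ticket_f})

def user_session(password, file, now):
    """User U's side: the password is used only locally, to open the first reply."""
    reply = unseal(pw_key(password), kerberos_server("U", now))   # wrong password fails here
    sg = bytes.fromhex(reply["sg"])
    out = unseal(sg, ticket_granting_server(reply["tg"], seal(sg, {"file": file, "ts": now}), now))
    return reply, unseal(TGS_F, out["ticket_f"])                  # ticket as file server F reads it
```

Calling `user_session("constructed-pw", "F", 1000)` returns the opened first reply and the ticket contents as file server F would decrypt them; a wrong password raises `ValueError` without anything password-derived having been sent.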
Kerberos (5)
Shortcomings in distributed systems
• Requires continuous availability of a trusted ticket
granting service.
• Authenticity of servers requires a trusted relationship
between the ticket granting server and every server.
• Requires timely transactions.
• Subverted workstation can save and later replay user
passwords.
• Does not scale well.
Public Key Infrastructure (1)
• PKI: consists of software and procedures put in place
by an organization
• Supports the use of Public Keys for authentication
and identifying users, services, and confirming digital
signatures.
• Public keys usually conform to the X.509 standard for
certificates, and usually are based on the RSA
public/private key encryption algorithm
Public Key Infrastructure (2)
Goals
• Application enabler
• Secure Sign-On
– Secure “Single” Sign Security
• End-User Transparency
• Comprehensive Security
Public Key Infrastructure (3)
Components and Services
• Certification Authority
• Certificate repository
• Certificate Revocation
• Key backup and recovery
• Automatic key update
• Key history management
• Cross-certification
• Support for non-repudiation
• Time stamping
• Client software
Public Key Infrastructure (4)
Current Standards Activities
• X.509
• PKIX
• X.500
• LDAP
• S/MIME
• IPsec
• TLS
Section Break
• Security in Legion and Globus
Security in Legion (1)
Design Principles
• 1- As in the Hippocratic Oath, do no harm!
• 2- Caveat emptor - let the buyer beware.
• 3- Small is beautiful.
Security in Legion
Standards
• X.509 ?
• Kerberos ?
Security in Legion
Legion Security Model
Security in Legion (2)
Basic Concepts
• Every object provides certain known member
functions - MayI, CanI, Iam, and Delegate. (Can be
defaulted to NIL.)
• Two objects associated with each operation: a
responsible agent (RA) and a calling agent (CA)
• Every invocation of member function is performed in
the context of a certificate which contains the Legion
Object ID. Certificate digitally signed by maker
Security in Legion
Security in Legion
• Legion users responsible for own security.
• Object might trust that the CA is correct.
• Policies defined by objects themselves.
• Every class defines a special member function, MayI.
• MayI defines the security objects for a class.
• Every member function invocation permitted only if
MayI sanctions it.
Security in Legion
Automatic invocation of outgoing calls
Security in Legion
• Authentication aided by use of Legion certificates
based on public-key cryptography by default. Must
know private key to authenticate.
• MayI functions can code their own authentication
protocols
• Every Legion object required to supply special
member function Iam for authentication purposes.
Security in Legion
• Login establishes user identity and creates
responsibility agent for user.
• Login is building block for authentication and
delegation.
• Object can delegate new certificate to delegate
rights.
• Delegation policy defined by object.
Security in Legion
Future Work
• Legion does not specify any particular encryption.
Future standardization?
• Legion eschews distinguished trusted objects -
centralized key management server
• Composition of a security policy
Security in Globus (1)
Standards
• Standards subscribed to:
– Generic Security Services (GSS) RFC 2078
– Secure Socket Layer (SSL)
• [SSLeay]
– Public Key Cryptography based on X.509
certificates
– Kerberos
Security in Globus (2)
Security in Globus (3)
Security Requirements
• Single sign-on
• Protection of credentials
• Interoperability with local security solutions
• Exportability
• Uniform credentials/certification infrastructure
• Support for secure group communication
• Support for multiple implementations
Layered Architecture
[Figure: Globus layered architecture. Layers: Applications; High-level Services and Tools; Core Services; Local Services. Components shown: GlobusView, DUROC, Nexus, Gloperf, MPI, MPI-IO, CC++, Testbed Status, Nimrod/G, globusrun, Metacomputing Directory Service, Globus Security Interface, GRAM, Heartbeat Monitor, GASS, Condor, MPI, LSF, Easy, NQE, AIX, Irix, Solaris, TCP, UDP.]
Security in Globus (4)
• assumes grid consists of multiple trust domains
• assumes resource pool and user population are large
and dynamic
• interoperate with local security solutions - local
security policies differ
• authentication exportable - cannot directly or
indirectly require use of bulk privacy
Security in Globus (5)
• uniform credentials/certification - a user will be
associated differently with each site it has access to
• single logon - number of processes used in a
computation will be dynamic access control
Security in Globus (8)
Security in Globus (6)
Grid Security Infrastructure
• GSI provides authentication and data integrity (data
signing, not encryption) services for Unix and
Windows client/server programs
• Can utilize an X.509 PKI
• GSI library is layered on top of the SSLeay
• Performs the X.509 certificate handling and SSL
protocol.
[Figure: GSI architecture. Labels: User; assignment of credentials to “user proxies”; User Proxy; Globus Credential; single sign-on via “grid-id”; mutual user-resource authentication; GRAM and GSI at Site 1 and Site 2; mapping to local ids (Kerberos ticket, public key certificate); authenticated interprocess communication between processes; GSSAPI: multiple low-level mechanisms.]
Security in Globus (7)
[Table: matrix marking with an x which security requirements (Authentication, Authorization, Assurance, Accounting, Audit, Integrity, Confidentiality) each technology standard (SSH, PGP, SSL, X.509, PKI, Kerberos, DCE, IPSec, VPN) addresses.]
Summary
• Computer security is machine access centric
• Network security is network access centric
• Grid security is application centric
• Inter-domain communications based upon common
security standards such as PKI.
• Metacomputing approaches that embrace security
standards will be more widely adopted.