Brief Introduction to Certificates for Accessing the NWGRID - PowerPoint PPT Presentation
1
Brief Introduction to Certificates for Accessing
the NW-GRID
  • John Kewley
  • Grid Technology Group
  • E-Science Centre
  • CCLRC Daresbury Laboratory
  • j.kewley_at_dl.ac.uk

2
Talk outline
  • Security Basics
  • Certificates
  • Requirements for accessing the NW-GRID
  • Registering for NW-GRID

3
Security Issues
  • How does the expensive Grid resource "account"
    for its use? Are these users who they claim to
    be?
  • How does a user utilise a resource on a remote
    machine when he may not have an account on any
    intervening ones?
  • How can you trust the remote machine to "behave"
    with your data?

4
Security Basics
  • Authentication
      • Who you are: Identity
      • Non-repudiation
  • Authorisation
      • What you are allowed to do: Capability
      • Which resources you can use
  • Confidentiality (encryption)
  • Integrity (untampered, lossless)

5
Tools of the trade
  • Encryption
      • Secret (symmetric) key: both parties need to share the key
          • DES, RC4
          • Comparatively efficient
      • Public/private (asymmetric) key: 2 keys, mathematically related
          • RSA, DSA
          • Slower
  • One-way hash / message digest
      • MD5, SHA-1
      • Fast
  (The named algorithms date the talk: DES, RC4, MD5 and SHA-1 are all broken or deprecated today, replaced by AES and the SHA-2/SHA-3 families.)

6
Gbbyf bs gur genqr
  (Slide 5 passed through ROT13, a Caesar shift of 13 places: the presenter's toy demonstration of "encryption". Nothing is hidden, since the "key" is fixed and public, which is the point.)
  • Rapelcgvba
      • Frpergt flzzrgevp xrl obgu cnegvrf arrq gb funer gur xrl
          • QRF, EP4
          • Pbzcnengviryl rssvpvrag
      • Choyvp/cevingr xrl nflzzrgevp - 2 xrlf zngurzngvpnyyl eryngrq
          • EFN, QFN
          • Fybjre
  • Barjnl unfu / zrffntr qvtrfg
      • ZQ5, FUN-1
      • Snfg

7
Tools of the trade
  (Slide 5 shown again, decoded: ROT13 is its own inverse, so applying the same shift to the previous slide recovers the original text.)

8
Public/Private keys
  • Asymmetric encryption comprises a key pair: one private and one public
  • it is computationally infeasible to derive the private key from the public one
  • a message encrypted by one key can be decrypted only by its partner
  • Public keys can be freely exchanged / distributed
  • For a digital signature the sender encrypts (a hash of) the message using his private key, and the receiver decrypts using the sender's public key: anyone can check it, but only the holder of the private key could have produced it
  • For confidentiality the roles swap: the sender encrypts with the receiver's public key, and only the receiver's private key can decrypt

9
Certificates
  • A statement from a trusted third party (the Certification Authority) that your public key (and hence your private key) is associated with your identity
  • A certificate can only be verified if you have the public key of the party who signed it, i.e. the CA's own root certificate, which therefore has to reach you by some trusted route

10
X.509 Certificates
  • An X.509 Certificate contains
      • owner's public key
      • identity of the owner
      • info on the CA
      • validity
      • serial number
      • digital signature from the CA
  Example (a CERN-issued certificate):
    Subject:          C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968
    Issuer:           C=CH, O=CERN, OU=GRID, CN=CERN CA
    Expiration date:  Aug 26 08:08:14 2005 GMT
    Serial number:    625 (0x271)
    CA Digital signature
11
Certificate Request
  (Diagram, reconstructed from its labels.)
  • User generates a public/private key pair in the browser; the private key is stored encrypted on local disk.
  • User sends the public key to the CA as a CertRequest and shows the RA (Registration Authority) proof of identity.
  • The CA's signature links identity and public key in the certificate (Cert); the CA informs the user.
  • The CA root certificate carries the CA's public key, which is what anyone checking that signature needs.
12
Certificate installation
  • Download certificate into your browser
  • Export certificate as .p12 (on Linux) or .pfx (on
    Windows) format and move to the Grid client
    machine (Linux for now)
  • Convert certificate to correct format using
    openssl, change file permissions and install into
    correct directory (or by using the Growl script
    mk-cert)

13
Use of mk-cert
  By hand (prompts shown indented; <Pass1> is the password chosen when the .p12 was
  exported from the browser, <Pass2> is a new passphrase for the private key file):

    openssl pkcs12 -in mykey.p12 -clcerts -nokeys -out usercert.pem
        Enter Import Password:              <Pass1>
    openssl pkcs12 -in mykey.p12 -nocerts -out userkey.pem
        Enter Import Password:              <Pass1>
        Enter PEM pass phrase:              <Pass2>
        Verifying - Enter PEM pass phrase:  <Pass2>
    chmod 444 usercert.pem
    chmod 400 userkey.pem
    mkdir -p ~/.globus
    mv userkey.pem ~/.globus
    mv usercert.pem ~/.globus
    chmod 700 ~/.globus

  Or let the GROWL script do the same:

    mk-cert mykey.p12
        <Pass1>
        <Pass2>
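Added example, not the GROWL mk-cert script (whose source is not on this page): slide 13's manual steps as one shell function, followed by the checks worth running before trusting the result. It assumes only the openssl command line (1.1.1 or 3.x). The .p12 it unpacks is constructed in the script from a throwaway self-signed certificate, so no real credential is touched; passwords are passed through the environment rather than on the command line, which makes this form suitable for scripts, while interactive users can simply answer the prompts as on the slide.

```shell
#!/usr/bin/env bash
# Added example (not the GROWL mk-cert script): slide 13's steps as a function, plus checks.
# Needs only the openssl command line (1.1.1 or 3.x). The .p12 is constructed test input.
set -eu

# install_grid_credential <file.p12> <target dir> <.p12 password> <new key passphrase>
# Passwords travel in the environment (-passin env:), not as arguments: "ps" would show
# "pass:..." arguments to every other user on the machine.
install_grid_credential() {
    local p12="$1" dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"                                  # slide 13: nobody else may list it
    P12_PASS="$3" openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$dir/usercert.pem" 2>/dev/null          # certificate only: public data
    P12_PASS="$3" KEY_PASS="$4" openssl pkcs12 -in "$p12" -nocerts \
        -passin env:P12_PASS -passout env:KEY_PASS \
        -out "$dir/userkey.pem" 2>/dev/null           # key only, re-encrypted under <Pass2>
    chmod 444 "$dir/usercert.pem"
    chmod 400 "$dir/userkey.pem"
}

# credential_checks <dir> <key passphrase>: prints "ok", or the first failing check.
credential_checks() {
    local dir="$1" from_cert from_key
    # 1. The key file must be owner-read-only and must still be encrypted on disk.
    [ -n "$(find "$dir/userkey.pem" -maxdepth 0 -perm 400)" ] || { echo "key perms"; return 1; }
    grep -q ENCRYPTED "$dir/userkey.pem" || { echo "key not encrypted"; return 1; }
    # 2. The key must be the one the certificate certifies: both yield the same public key.
    #    A wrong passphrase fails here as well, because the key cannot be decrypted at all.
    from_cert=$(openssl x509 -in "$dir/usercert.pem" -noout -pubkey)
    from_key=$(KEY_PASS="$2" openssl pkey -in "$dir/userkey.pem" -passin env:KEY_PASS \
        -pubout 2>/dev/null) || from_key=""
    [ "$from_cert" = "$from_key" ] || { echo "key/cert mismatch"; return 1; }
    echo ok
}

# make_sample_p12 <out.p12> <password>: constructed input, a self-signed cert and its key
# packed the way a browser export packs them. A real user exports their CA-issued cert.
make_sample_p12() {
    local tmp; tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=UK/O=eScience/CN=test user" -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>/dev/null
    P12_PASS="$2" openssl pkcs12 -export -in "$tmp/c.pem" -inkey "$tmp/k.pem" \
        -passout env:P12_PASS -out "$1" 2>/dev/null
    rm -rf "$tmp"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_sample_p12 "$WORK/mykey.p12" Pass1
install_grid_credential "$WORK/mykey.p12" "$WORK/globus" Pass1 Pass2
echo "checks with the right passphrase: $(credential_checks "$WORK/globus" Pass2)"
echo "checks with a wrong passphrase:   $(credential_checks "$WORK/globus" nope || true)"
```

The permission bits on the slide protect the key from other local users; the public-key comparison is the extra check that catches the common mistake of pairing an old key with a renewed certificate, which produces confusing failures far away at the Grid resource rather than on the client.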

14
Proxy Certificates
  • To support delegation: A delegates to B the right to act on behalf of A
  • proxy certificates extend X.509 certificates (RFC 3820)
  • Short-lived certificates signed by the user's certificate (that is, with the user's private key) or by another proxy
  • Reduces security risk: the long-lived private key never leaves the user's machine, and a stolen proxy is only usable until it expires; enables delegation
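The steps of slides 9 to 11 and 14 end to end, as an added example that is not part of the original talk or of GROWL: a toy CA issues a user certificate from a request, the fields listed on slide 10 are read back, verification is shown to succeed only against the signer's root, and a proxy certificate is minted with the user's own key and verified as a chain. It assumes only the openssl command line (1.1.1 or 3.x); the CA, DNs, serial number and lifetimes are invented, and in practice the NGS CA root replaces the toy one. The `dn_of` helper prints the DN in the slash form that Grid middleware and the NW-GRID registration form use.

```shell
#!/usr/bin/env bash
# Added example, not from the slides or GROWL: a Grid certificate's life with the openssl CLI
# (1.1.1 or 3.x). CA, names, serials and lifetimes are invented for the demonstration.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# --- Toy Certification Authority: key pair plus a self-signed root marked as a CA ----------
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=UK/O=eScience/CN=Toy CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 3650 -sha256 \
    -extfile ca.ext -out ca.crt 2>/dev/null

# --- Slide 11: the user makes the key pair; only the request (public key + name) leaves ---
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley" -keyout user.key -out user.csr 2>/dev/null
# The CA signs it once the RA has checked identity. Serial 625 = 0x271, as on slide 10.
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > user.ext
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -set_serial 625 -days 365 -sha256 \
    -extfile user.ext -out user.crt 2>/dev/null

# --- Slide 10 fields. "-nameopt compat" gives the slash form Grid software uses for a DN.
dn_of()     { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }
issuer_of() { openssl x509 -in "$1" -noout -issuer  -nameopt compat | sed 's/^issuer= *//'; }
serial_of() { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }   # hexadecimal
expiry_of() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# --- Slide 9: verification needs the signer's public key, i.e. the right root certificate.
# verify_cert <trusted root> <cert> [extra "openssl verify" options]: prints ok or fail
verify_cert() {
    vc_root=$1; vc_cert=$2; shift 2
    if openssl verify -CAfile "$vc_root" "$@" "$vc_cert" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# An unrelated self-signed root, to show that "some CA" is not good enough.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Some Other CA" -keyout other.key -out other.csr 2>/dev/null
openssl x509 -req -in other.csr -signkey other.key -set_serial 1 -days 1 -extfile ca.ext -out other.crt 2>/dev/null

# --- Slide 14: a proxy is a short-lived certificate signed by the USER's key, not the CA's.
# RFC 3820 marks it with proxyCertInfo (policy language id-ppl-inheritAll, given by OID) and
# requires subject = issuer's DN plus exactly one extra CN. "-days 1" is the floor in 1.1.1;
# the 12 h proxies of slide 15 come from grid-proxy-init / myproxy-logon, not from x509.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley/CN=proxy" -keyout proxy.key -out proxy.csr 2>/dev/null
printf 'proxyCertInfo=critical,language:1.3.6.1.5.5.7.21.1\n' > proxy.ext
openssl x509 -req -in proxy.csr -CA user.crt -CAkey user.key -set_serial 1 -days 1 -sha256 \
    -extfile proxy.ext -out proxy.crt 2>/dev/null

echo "DN to register:  $(dn_of user.crt)"
echo "Issuer:          $(issuer_of user.crt)"
echo "Serial (hex):    $(serial_of user.crt)    Expires: $(expiry_of user.crt)"
echo "user cert vs right CA:   $(verify_cert ca.crt user.crt)"
echo "user cert vs wrong CA:   $(verify_cert other.crt user.crt)"
echo "proxy, verifier that accepts proxies: $(verify_cert ca.crt proxy.crt -untrusted user.crt -allow_proxy_certs)"
echo "proxy, plain X.509 verifier:          $(verify_cert ca.crt proxy.crt -untrusted user.crt)"
```

The last two lines are the practical content of "proxy certificates extend X.509": a verifier has to opt in (here with -allow_proxy_certs, in Globus by design), because the issuer of a proxy is an ordinary end-entity certificate, which a plain X.509 verifier rightly refuses to treat as a CA.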

15
Use of MyProxy Server
  (Diagram, reconstructed from the labels that survived: three parties holding JK's credentials with different lifetimes, and two commands on the arrows between them.)
  • Client: JK's own certificate, 365d
  • MyProxy Server: a JK proxy, 7d
  • Growl Server: a JK proxy, 12h
  • Commands: growl-login (client side), myproxy-logon (fetching a proxy from the MyProxy Server)
16
Registering to use NW-GRID
  • There is a web registration form for NW-GRID. Once approved, this will
      • assign you a common username (e.g. nwdljk)
      • register the Distinguished Name (DN) from your certificate with the NW-GRID machines, e.g.
        /C=UK/O=eScience/OU=CLRC/L=DL/CN=john kewley
      • open NW-GRID firewalls so your client machine(s) can access the Grid resources.
  • http://www.nw-grid.ac.uk/?q=nwguser/regForm

17
Requirements for accessing the Grid
  • To access the Grid, you will need
  • An e-science certificate, from a trusted
    certification authority, in an appropriate format
  • The Distinguished Name (DN) from your certificate
    registered with the Grid resource you intend to
    use
  • Client-side middleware on the accessing computer
    (unless you intend using only browser/portal
    technology)
  • No firewalls "in the way" between your client and
    the grid resource

18
Some useful links
  • NW-GRID
      • http://www.nw-grid.ac.uk/
  • GROWL
      • http://www.growl.org.uk/
  • NGS CA Web site
      • https://ca.grid-support.ac.uk/
  • STFC e-Science Centre
      • http://www.e-science.stfc.ac.uk/