Title: Getting Started Guy Warner NeSC Training Team
1 Getting Started
Guy Warner, NeSC Training Team
Induction to Grid Computing and the National Grid
Service 10th-11th March 2005
2 Acknowledgements
Some of the slides in this presentation are based on / motivated by:
- The presentation given by Carl Kesselman at the GGF Summer School 2004. This presentation may be found at http://www.dma.unina.it/murli/GridSummerSchool2004/curriculum.htm
- Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at http://csperkins.org/teaching/2004-2005/gc5/
- The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at http://agenda.cern.ch/fullAgenda.php?ida=a044965
3 The Problem
- Question: How does a user securely access the Resource without having an account on the machines in between, or even on the Resource?
- Question: How does the Resource know who a user is and that they are allowed access?
4 Overview
Security: Authentication, Authorization, Encryption, Data Integrity
Grid Security Infrastructure
5 Approaches to Security 1
The Poor Security House
6 Approaches to Security 2
The Paranoid Security House
7 Approaches to Security 3
The Realistic Security House
8 Approaches to Grid Security
- The Poor Security Approach
  - Use unencrypted communications.
  - No or poor (easily guessed) identification means.
  - Private identification (key) left in a publicly available location.
- The Paranoid Security Approach
  - Don't use any communications (no network at all).
  - Don't leave the computer unattended.
- The Realistic Security Approach
  - Encrypt all sensitive communications.
  - Use difficult-to-break identification means.
  - Keep identification secure at all times (e.g. encrypted on a memory stick).
  - Only allow access to trusted users.
9 The Risks of Poor User Security
- Launching attacks on other sites
  - Large distributed farms of machines are perfect for launching a Distributed Denial of Service attack.
- Illegal or inappropriate data distribution, and access to sensitive information
  - Massive distributed storage capacity is ideal, for example, for swapping movies.
- Damage caused by viruses, worms etc.
  - A highly connected infrastructure means worms spread faster than on the internet in general.
10 Authentication and Authorization
Mongolian Yak Inspector
- Authentication
  - Are you who you claim to be?
- Authorisation
  - Do you have access to the resource you are connecting to?
11 The Trust Model
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
12 Public Private Key
(diagram: Alice, Bob and their life savings)
13 Public Key Infrastructure (PKI)
- PKI allows you to know that a given key belongs to a given user.
- PKI builds on asymmetric encryption:
  - Each entity has two keys: public and private.
  - Data encrypted with one key can only be decrypted with the other.
  - The public key is public.
  - The private key is known only to the entity.
- The public key is given to the world encapsulated in an X.509 certificate.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
14 Certificates
- Similar to a passport or driver's license: an identity signed by a trusted party.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
15 Certificate Authorities
- A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates.
- A Certificate Authority is an entity that exists only to sign user certificates.
- Users authenticate themselves to the CA, for example by use of their Passport or Identity Card.
- The CA signs its own certificate, which is distributed in a secure manner.
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
16 Delegation and Certificates
- Delegation: the act of giving an organization, person or service the right to act on your behalf.
- For example: a user delegates their authentication to a service to allow programs to run on remote sites.
17 User Authorisation to Access Resource
slide based on presentation given by Carl Kesselman at GGF Summer School 2004
18 User Responsibilities
- Keep your private key secure.
- Do not loan your certificate to anyone.
- Report to your local/regional contact if your certificate has been compromised.
- Do not launch a delegation service for longer than your current task needs.
If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.
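The chain of trust described on the PKI, Certificate Authority, Delegation and User Responsibilities slides (the CA signs the user's certificate, the user signs a short-lived delegated credential, and a delegation that outlives its task is a liability), worked through as an added Python example that is not part of this presentation. The toy RSA keys, certificate fields, names and lifetimes are constructed for illustration only.

```python
import hashlib

# Toy RSA on fixed, well-known primes (constructed example, far too small for real
# use): enough to show that a private-key signature checks only with the matching public key.
def make_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def tbs_digest(cert):
    # "To-be-signed" part: every certificate field except the signature.
    body = "|".join(str(cert[k]) for k in ("subject", "pubkey", "issuer", "not_after"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest()[:7], "big")  # 56 bits < n

def sign(priv, cert):
    n, d = priv
    return pow(tbs_digest(cert), d, n)

def signature_ok(pub, cert):
    n, e = pub
    return pow(cert["sig"], e, n) == tbs_digest(cert)

def issue(subject, subject_pub, issuer_name, issuer_priv, not_after):
    """Issuer vouches for (subject, public key) by signing them: a CA does this for a
    user, and a user does it for a short-lived delegated (proxy) credential."""
    cert = {"subject": subject, "pubkey": subject_pub, "issuer": issuer_name, "not_after": not_after}
    cert["sig"] = sign(issuer_priv, cert)
    return cert

def verify_chain(chain, trusted_ca, now):
    """chain is leaf-first (proxy, user cert, ...); trusted_ca is the locally installed
    trust anchor. True only if each link is signed by the key in the next certificate,
    nothing has expired, and no delegated credential outlives the one that issued it."""
    certs = list(chain) + [trusted_ca]
    for cert, issuer in zip(certs, certs[1:]):
        if cert["issuer"] != issuer["subject"] or not signature_ok(issuer["pubkey"], cert):
            return False
        if now > cert["not_after"] or cert["not_after"] > issuer["not_after"]:
            return False
    return signature_ok(trusted_ca["pubkey"], trusted_ca) and now <= trusted_ca["not_after"]

def build_demo(now, proxy_hours=12):
    """Constructed CA -> user -> proxy chain (made-up names); also returns the proxy's private key."""
    ca_pub, ca_priv = make_keypair(1000000007, 1000000009)
    user_pub, user_priv = make_keypair(998244353, 999999937)
    proxy_pub, proxy_priv = make_keypair(2147483647, 4294967291)
    ca = issue("Example CA", ca_pub, "Example CA", ca_priv, now + 365 * 86400)
    user = issue("Alice", user_pub, "Example CA", ca_priv, now + 30 * 86400)
    proxy = issue("Alice/proxy", proxy_pub, "Alice", user_priv, now + proxy_hours * 3600)
    return ca, user, proxy, proxy_priv
```

A resource only needs the CA certificate installed locally to accept the whole chain, which is why the user never needs an account on the machines in between; a proxy that has expired, outlives the user certificate, or was signed by the wrong key is rejected.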
19 Summary
20 The Practical
- In your information pack is a sheet containing the details for logging on to your workstation and the passwords needed for logging on to your account on lab-07, the server to be used in this tutorial.
- Log in to your workstation.
- Use the PuTTY program (on your desktop) to connect to lab-07.
- Open a browser window to http://homepages.nesc.ac.uk/gcw/NGS/GSI.html
- Follow the instructions from there.