Getting Started Guy Warner NeSC Training Team

1
Getting Started Guy WarnerNeSC Training Team
Induction to Grid Computing and the National Grid
Service 10th-11th March 2005
2
Acknowledgements
Some of the slides in this presentation are based
on / motivated by

• The presentation given by Carl Kesselman at the
  GGF Summer School 2004. This presentation may be
  found at
• http//www.dma.unina.it/murli/GridSummerSchool200
  4/curriculum.htm
• Lectures given by Richard Sinott and John Watt at
  the University of Glasgow. These lectures may be
  found at
• http//csperkins.org/teaching/2004-2005/gc5/
• The presentation given by Simone Campana of CERN
  at First Latinamerican Grid Workshop, Merida,
  Venezuela. This presentation may be found at
• http//agenda.cern.ch/fullAgenda.php?idaa044965

3
The Problem

• QuestionHow does a user securely access the
  Resource without having an account on the
  machines in between or even on the Resource?
• QuestionHow does the Resource know who a user
  is and that they are allowed access?

4
Overview
Security
Authentication
Grid SecurityInfrastructure
Encryption Data Integrity
Authorization
5
Approaches to Security 1
The Poor Security House
6
Approaches to Security 2
The Paranoid Security House
7
Approaches to Security 3
The Realistic Security House
8
Approaches to Grid Security

• The Poor Security Approach
• Use unencrypted communications.
• No or poor (easily guessed) identification means.
• Private identification (key) left in publicly
  available location.
• The Paranoid Security Approach
• Dont use any communications (no network at all).
• Dont leave computer unattended.
• The Realistic Security Approach
• Encrypt all sensitive communications
• Use difficult to break identification means.
• Keep identification secure at all times (e.g.
  encrypted on a memory stick).
• Only allow access to trusted users.

9
The Risks of Poor User Security

• Launch attacks to other sites
• Large distributed farms of machines, perfect for
  launching a Distributed Denial of Service attack.
• Illegal or inappropriate data distribution and
  access sensitive information
• Massive distributed storage capacity ideal for
  example, for swapping movies.
• Damage caused by viruses, worms etc.
• Highly connected infrastructure means worms
  spread faster than on the internet in general.

10
Authentication and Authorization
Mongolian Yak Inspector

• Authentication
• Are you who you claim to be?
• Authorisation
• Do you have access to the resource you are
  connecting to?

11
The Trust Model
slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
12
Public Private Key
Alice
Bob
Life Savings
Life Savings
Life Savings
13
Public Key Infrastructure (PKI)

• PKI allows you to know that a given key belongs
  to a given user.
• PKI builds off of asymmetric encryption
• Each entity has two keys public and private.
• Data encrypted with one key can only be decrypted
  with other.
• The public key is public.
• The private key is known only to the entity.
• The public key is given to the world encapsulated
  in a X.509 certificate.

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
14
Certificates

• Similar to passport or drivers license Identity
  signed by a trusted party

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
15
Certificate Authorities

• A small set of trusted entities known as
  Certificate Authorities (CAs) are established to
  sign certificates
• A Certificate Authority is an entity that exists
  only to sign user certificates
• Users authenticate themselves to CA, for example
  by use of their Passport or Identity Card.
• The CA signs its own certificate which is
  distributed in a secure manner.

slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
16
Delegation and Certificates

• Delegation The act of giving an organization,
  person or service the right to act on your
  behalf.
• For example A user delegates their
  authentication to a service to allow programs to
  run on remote sites.

17
User Authorisation to Access Resource
slide based on presentation given by Carl
Kesselman at GGF Summer School 2004
18
User Responsibilities

• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your
  certificate has been compromised.
• Do not launch a delegation service for longer
  than your current task needs.

If your certificate or delegated service is used
by someone other than you, it cannot be proven
that it was not you.
19
Summary
20
The Practical

• In your information pack is a sheet containing
  the details for logging on to your workstation
  and the passwords needed for logging on to your
  account on lab-07 the server to be used in this
  tutorial.
• Login to your workstation
• Use the putty program (on your desktop) to
  connect to lab-07
• Open a browser window to http//homepages.nesc.ac.
  uk/gcw/NGS/GSI.html
• Follow the instructions from there.