Grid Security Tutorial 2006 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Grid Security Tutorial 2006
  • David Groep
  • NIKHEF

2
Grid Security Tutorial
  • You and the Grid
    • organising collaborations in virtual organisations
    • trust and your identity
    • cryptography and signing
  • Getting access to resources
    • attribute-based authorization and VOMS
    • proxies, delegation, forwarding and renewal
  • How it works in practice: grid security commands
    • getting your certificate
    • the GSI protocol
    • getting a VOMS-enabled proxy
    • what happens on the server side

3
Virtual Organisations
  • What is a Virtual Organisation?
  • A set of individuals or organisations, not under
    single hierarchical control, (temporarily)
    joining forces to solve a particular problem at
    hand, bringing to the collaboration a subset of
    their resources, sharing those at their
    discretion and each under their own conditions.

graphic from Anatomy of the Grid, Foster,
Kesselman and Tuecke
4
VOs
  • Typical VO examples
    • each of the VL-e application sub-programmes
    • collaborations like the LHC experiments or LOFAR
    • testing/deployment groups like pvier
  • Users (you) are usually a member of more than one VO
  • Any large VO will have an internal structure, with groups, subgroups, and various roles

5
VOs and the infrastructure
  • The word VO is used in many different ways
  • The EGEE infrastructure and the VL-e PoC provide
    a bus-like interface for VOs, where VOs are
    essentially user communities

6
VOs
7
Trust relationships
  • For the VO model to work, parties need to
    (minimally) trust each other in their VO
    interactions
  • the alternative would be that every user would have to register at each and every resource provider

graphic from Frank Siebenlist, Argonne Natl.
Lab, Globus Alliance
8
VO federation needs
  • Trust establishment within the VO is separated into
    • user identity (the user's passport)
    • groups and roles within the VO (the visa), as these are different from a person's organisational role

graphic OGSA Architecture 1.0, OGF GFD-I.030
9
User Identity
  • Users and resources are typically part of more than one VO,
    • but don't want many passwords
  • Users and resources get a single authentication token (identity certificate)
    • that works across virtual organisations
    • issued by a party trusted by all (a CA),
    • recognised by many resource providers, users, and VOs
    • satisfying traceability and persistency requirements
    • in itself it does not grant any access, but provides a unique binding between an identifier (the subject name) and the subject
  • This is called your (identity) certificate
    • it is a cryptographically protected statement by the CA
    • that you can use to prove your identity in combination with your private key and its passphrase

10
Digital signatures at work
  • Paul calculates the hash of the message
  • Paul signs the hash with his private key (for RSA: encrypts it); the signed hash is the digital signature
  • Paul sends the message plus signature to John
  • John calculates the hash of the message himself (B) and compares it with the hash (A) recovered from the signature using Paul's public key
  • If the hashes are equal the message wasn't modified in transit, and Paul cannot repudiate it (assuming only Paul ever held the private key)

[figure: Paul computes Hash(A) of "This is some message" and turns it into a digital signature; John recomputes Hash(B) and compares it with Hash(A)]
slide from EGEE NA3 Tutorial repository
11
Trusting the signature
  • Paul's digital signature is safe if
    • Paul's private key is not compromised
    • John knows Paul's public key
  • How can John be sure that Paul's public key is really Paul's public key and not someone else's?
    • A third party guarantees the correspondence between public key and owner's identity.
    • Both Paul and John must trust this third party

slide from EGEE NA3 Tutorial repository
12
X.509 Certificates
  • Authentication (proving your identity to another party) works the same way
    • in that case the CA has signed a message that contains identifiers
    • which is done in a specific standard format: X.509
  • An X.509 certificate contains
    • the owner's public key
    • the identity of the owner (subject name)
    • info on the CA (issuer name)
    • validity period
    • serial number
    • the digital signature of the CA

slide from EGEE NA3 Tutorial repository
13
Public Key Infrastructures
Based on X.509 PKI
  • every user/host/service has an X.509 certificate
  • certificates are signed by CAs trusted by the local sites
  • every Grid transaction is mutually authenticated
    • John sends his certificate
    • Paul verifies the CA signature in John's certificate (and checks its validity period and revocation status)
    • Paul sends John a challenge string
    • John signs (for RSA: encrypts) the challenge string with his private key
    • John sends the signed challenge to Paul
    • Paul uses John's public key from the certificate to recover the challenge
    • Paul compares the recovered string with the original challenge
    • if they match, Paul has verified John's identity and John cannot repudiate it
  • In GSI this exchange is carried by SSL/TLS with client certificates: the "challenge" John signs is the handshake transcript (CertificateVerify), and "mutual" means Paul proves his identity to John in the same way

[figure: John and Paul exchanging certificate and challenge]

VERY IMPORTANT: long-term private keys must be stored only in protected places AND in encrypted form (the short-lived proxy key, discussed later, is the one exception and is protected by file permissions only)
slide from EGEE NA3 Tutorial repository
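The hash-sign-verify flow of slides 10 and 11 and the challenge-response of slide 13, as an added example that is not from the tutorial: a Python toy using textbook RSA with small Mersenne-prime moduli and no padding. The primes, the names and the `demo` helper are constructed for illustration; a real implementation uses PKCS#1 padding, 2048-bit keys and an X.509 library. It shows that verification fails for a tampered message and for the wrong public key, and that an impostor without John's private key cannot answer Paul's challenge.

```python
"""Toy RSA signature and challenge-response (added example, slides 10-13).

WARNING: textbook RSA with tiny moduli and no padding. It only makes the
hash -> sign -> verify flow and its failure modes visible; never use it for
real keys.
"""
from __future__ import annotations

import hashlib
import secrets
from typing import NamedTuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes (toy sizes, constructed below)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if gcd(e, phi) != 1
    return PublicKey(n, e), PrivateKey(n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # The hash, not the message, is what gets signed (slide 10, step 1).
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n                 # toy: real schemes pad the hash instead of reducing it


def sign(priv: PrivateKey, message: bytes) -> int:
    """Step 2: the hash 'encrypted' with the private key is the signature."""
    return pow(_digest_as_int(message, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Steps 4-5: recompute the hash and compare with the one recovered
    from the signature using the public key."""
    recovered = pow(signature, pub.e, pub.n)
    return recovered == _digest_as_int(message, pub.n)


def challenge_response(prover_pub_from_cert: PublicKey, prover_priv: PrivateKey) -> bool:
    """Slide 13: Paul (verifier) challenges John (prover).

    Paul sends a fresh random challenge, John signs it with his private key,
    Paul checks the response with the public key taken from John's certificate.
    """
    challenge = secrets.token_bytes(32)                  # Paul -> John
    response = sign(prover_priv, challenge)               # John -> Paul
    return verify(prover_pub_from_cert, challenge, response)


# Constructed keys from Mersenne primes so the example is deterministic and
# self-contained: John uses 2^31-1 and 2^61-1, Paul uses 2^19-1 and 2^89-1.
JOHN_PUB, JOHN_PRIV = make_keypair((1 << 31) - 1, (1 << 61) - 1)
PAUL_PUB, PAUL_PRIV = make_keypair((1 << 19) - 1, (1 << 89) - 1)


def demo() -> dict:
    """Run the slide's scenario and the failure modes; every value should be True."""
    msg = b"This is some message"
    sig = sign(PAUL_PRIV, msg)
    return {
        "john_accepts_paul": verify(PAUL_PUB, msg, sig),
        "tampered_rejected": not verify(PAUL_PUB, msg + b"!", sig),
        "wrong_key_rejected": not verify(JOHN_PUB, msg, sig),      # slide 11: wrong public key
        "john_authenticates_to_paul": challenge_response(JOHN_PUB, JOHN_PRIV),
        "impostor_fails": not challenge_response(JOHN_PUB, PAUL_PRIV),  # no private key, no answer
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things the toy deliberately leaves out are exactly what a real deployment relies on: the CA signature that binds `JOHN_PUB` to John's name (slide 12), and the binding of the challenge to the session, which TLS gets by signing the whole handshake rather than a bare nonce.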
14
Trusted third parties
  • All research grid infrastructures share the same
    base set of trusted third parties (CAs)
  • There is typically one in each country
  • The credentials they issue are comparable in
    quality

15
Requirements for (inter)national trust
  • Identity vetting procedures
    • based on (national) photo IDs
    • face-to-face verification of applicants via a network of Registration Authorities
    • possible to trace the user in case of unlawful misconduct
  • Secure binding between the request and the identity vetting
  • Periodic renewal (once every year)
  • Secure operation
    • off-line signing key or HSM-backed on-line secured systems
  • Response to incidents
    • timely revocation of compromised certificates (published in a CRL that relying parties must fetch regularly)
    • new models and guidelines are being agreed on right now, but are not yet available

16
VO affiliation
  • Per-VO authorisations (the visa)
    • granted to a person or service by a virtual organisation
    • based on the passport name (your certificate subject DN)
    • acknowledged by the resource owners
    • providers can still ban individual users, and decide which privileges are granted to which VO attributes
  • In your case, these visa are called VOMS credentials
    • a cryptographically protected statement by the VO (an attribute certificate signed by the VOMS server)
    • which is bound (by the VO) to your subject name

17
Single sign-on and delegation
  • To authenticate with your certificate directly you would have to type a passphrase every time
  • Also you need a way to send your VOMS credentials across
  • In the Grid Security Infrastructure today, this is solved by proxy certificates:
    • a temporary key pair
    • in a temporary certificate signed by your long-term private key
    • valid for a limited time (default 12 hours)
    • and itself not protected by a passphrase

18
grid-proxy-init
  • User enters the pass phrase, which is used to decrypt the private key.
  • The private key is used to sign a proxy certificate with its own, new public/private key pair.
  • The user's private key is not exposed after the proxy has been signed
  • Proxy placed in /tmp (as /tmp/x509up_u<uid>)
    • the private key of the proxy is not encrypted
    • stored in a local file that must be readable only by the owner (mode 0600; GSI rejects a key file that is readable by others)
    • proxy lifetime is short (typically 12 h) to minimize security risks.
  • NOTE: no network traffic!

slide from EGEE NA3 Tutorial repository
19
Delegation and limited proxy
  • Delegation: remote creation of a (second-level) proxy credential
    • new key pair generated remotely on the server
    • client signs the proxy cert and returns it (the new private key never leaves the server, and the client's own proxy key never leaves the client)
    • for GT2 services it is built into the protocol; for GT4 WS use the delegation service (in gLite it is implicit in the service)
  • Allows a remote process to authenticate on behalf of the user
    • the remote process impersonates the user
  • The client can elect to delegate a limited proxy
    • each service decides whether it will allow authentication with a limited proxy
    • the job manager service requires a full proxy
    • the GridFTP server allows either a full or a limited proxy to be used

slide from EGEE NA3 Tutorial repository
20
Proxy again
  • grid-proxy-init: login to the Grid
  • To logout you have to destroy your proxy: grid-proxy-destroy
    • this does NOT destroy any proxies that were delegated from this proxy
    • you cannot revoke a remote proxy; it stays valid until it expires
    • so create proxies with short lifetimes
  • To gather information about your proxy: grid-proxy-info
    • options for printing proxy information: -subject -issuer -type -timeleft -strength -help

slide from EGEE NA3 Tutorial repository
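How the proxy rules of slides 17 to 20 fit together, as an added example (not Globus or gLite code) that models the chain on plain Python objects rather than real X.509 certificates: legacy GT2 naming (`/CN=proxy`, `/CN=limited proxy`), a lifetime capped by the issuer's, a limited proxy that can only spawn limited proxies, and the per-service acceptance of slide 19. The service names in `ACCEPTS_LIMITED`, the DNs and the dates are assumptions for illustration.

```python
"""Model of GSI proxy-certificate chains (added example, slides 17-20).

Plain dataclasses stand in for X.509 certificates; no keys or signatures are
involved, only the naming, lifetime and limited-proxy rules.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PROXY_CN = "proxy"
LIMITED_CN = "limited proxy"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    is_proxy: bool = False
    limited: bool = False


def issue_proxy(issuer: Cert, now: datetime,
                lifetime: timedelta = timedelta(hours=12),
                limited: bool = False) -> Cert:
    """grid-proxy-init or delegation: the issuer signs a certificate for a new
    key pair. Legacy GT2 naming appends one CN to the issuer's subject
    (RFC 3820 proxies use CN=<serial number> instead)."""
    if now >= issuer.not_after:
        raise ValueError("issuer credential has already expired")
    limited = limited or issuer.limited            # a limited proxy can only spawn limited proxies
    cn = LIMITED_CN if limited else PROXY_CN
    return Cert(
        subject=f"{issuer.subject}/CN={cn}",
        issuer=issuer.subject,
        not_after=min(now + lifetime, issuer.not_after),   # a proxy cannot outlive its issuer
        is_proxy=True,
        limited=limited,
    )


def validate_chain(chain: list[Cert], now: datetime) -> str:
    """Check an EEC-first chain and return the identity the last proxy speaks
    for (the EEC subject). Raises ValueError on any violation."""
    if not chain or chain[0].is_proxy:
        raise ValueError("chain must start with the end-entity certificate")
    eec = chain[0]
    if now >= eec.not_after:
        raise ValueError("end-entity certificate expired")
    limited_seen = False
    for prev, cur in zip(chain, chain[1:]):
        if not cur.is_proxy or cur.issuer != prev.subject:
            raise ValueError(f"{cur.subject!r} was not issued by {prev.subject!r}")
        is_limited = cur.subject == f"{prev.subject}/CN={LIMITED_CN}"
        if not is_limited and cur.subject != f"{prev.subject}/CN={PROXY_CN}":
            raise ValueError(f"bad proxy subject {cur.subject!r}")
        if cur.limited != is_limited:
            raise ValueError("limited flag does not match the subject name")
        if cur.not_after > prev.not_after:
            raise ValueError("proxy outlives its issuer")
        if now >= cur.not_after:
            raise ValueError(f"proxy {cur.subject!r} expired")
        if limited_seen and not is_limited:
            raise ValueError("full proxy below a limited proxy")
        limited_seen = limited_seen or is_limited
    return eec.subject


# Assumed per-service policy (slide 19): the job manager needs a full proxy,
# GridFTP accepts either.
ACCEPTS_LIMITED = {"jobmanager": False, "gridftp": True}


def service_accepts(service: str, chain: list[Cert], now: datetime) -> bool:
    try:
        validate_chain(chain, now)
    except ValueError:
        return False
    return ACCEPTS_LIMITED[service] or not chain[-1].limited


def demo() -> dict:
    now = datetime(2006, 1, 30, 12, 0, tzinfo=timezone.utc)
    eec = Cert("/O=dutchgrid/O=nikhef/CN=Example User",          # constructed DN
               "/C=NL/O=NIKHEF/CN=DutchGrid CA", now + timedelta(days=365))
    p1 = issue_proxy(eec, now)            # grid-proxy-init, 12 h
    p2 = issue_proxy(p1, now)             # delegated to a remote service; grid-proxy-destroy on
                                          # p1's file does not touch p2, which stays valid until expiry
    lim = issue_proxy(p1, now, limited=True)
    lim2 = issue_proxy(lim, now)          # inherits 'limited' whether asked for or not
    return {
        "identity": validate_chain([eec, p1, p2], now),
        "delegated_ok": service_accepts("jobmanager", [eec, p1, p2], now),
        "limited_gridftp": service_accepts("gridftp", [eec, p1, lim, lim2], now),
        "limited_jobmanager": service_accepts("jobmanager", [eec, p1, lim, lim2], now),
        "capped_lifetime": issue_proxy(p1, now, timedelta(hours=48)).not_after == p1.not_after,
        "expired_later": service_accepts("gridftp", [eec, p1, p2], now + timedelta(hours=13)),
    }
```

The last two entries are the practical consequences of slides 20 and 23: asking a 12-hour proxy for a 48-hour child gets you a 12-hour child, and once the first-level proxy expires every delegated copy downstream dies with it, which is why long jobs need MyProxy renewal rather than a long-lived proxy.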
21
Embedding your VOMS credentials
  • The proxy can also be used as a container for other things
    • the standard SSL protocol has no other way of adding data to the secure session
    • but a plain grid proxy does not indicate which VO you belong to
    • the VOMS credential is embedded as an extension in the proxy
  • note the 512-bit proxy key in the output below: that was the 2004 default and is far too weak today; current tools generate proxy keys of 1024 bits or more

    davidg@tbn01:~$ voms-proxy-info -all
    Type           : proxy
    Bits           : 512
    Valid From     : Jun  2 06:22:02 2004 GMT
    Valid To       : Jun  2 18:27:02 2004 GMT
    VO             : wpsix
    Holder Subject : /O=dutchgrid/O=nikhef/CN=David Groep
    Issuer Subject : /C=FR/O=CNRS/OU=UREC/CN=vo-iteam.datagrid.cnrs.fr
    Valid from     : Jun  2 06:26:09 2004 GMT
    Valid to       : Jun  2 18:26:09 2004 GMT
    Attribute      : /wpsix/Role=NULL/Capability=NULL
22
Getting a VOMS proxy
  • A VOMS credential consists of a list of attributes, each an FQAN
    • FQAN, short for Fully Qualified Attribute Name, is what VOMS uses to express membership and other authorization info
    • group membership, roles and capabilities are expressed in a format that binds them together: <group>/Role=<role>/Capability=<capability>

    glite-tutor:/home/giorgio > voms-proxy-init --voms gilda
    Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it
    Enter GRID pass phrase:
    Your proxy is valid until Mon Jan 30 23:35:51 2006
    Creating temporary proxy ................................. Done
    Contacting  voms.ct.infn.it:15001 [/C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it] "gilda"
    Creating proxy ...................................... Done
    Your proxy is valid until Mon Jan 30 23:35:51 2006
slide from EGEE NA3 Tutorial repository
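Parsing FQANs and turning them into a local authorization decision, combining slide 16 (the provider decides what a VO attribute is worth here and can still ban a DN) with the FQAN format above, as an added example that is not VOMS or LCMAPS code. The `POLICY` rules, the banned DN, the account names and the user DNs are constructed for illustration.

```python
"""Parse VOMS FQANs and map them to site privileges (added example, slides 16 and 22)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

_COMPONENT = re.compile(r"[A-Za-z0-9_.-]+")


@dataclass(frozen=True)
class FQAN:
    group: str                       # e.g. "/wpsix" or "/wpsix/analysis"
    role: Optional[str] = None       # None where voms-proxy-info prints Role=NULL
    capability: Optional[str] = None

    @property
    def vo(self) -> str:
        return self.group.split("/")[1]   # the top-level group is the VO name


def parse_fqan(text: str) -> FQAN:
    """<group>/Role=<role>/Capability=<capability>; Role and Capability are optional."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    parts = text.split("/")[1:]
    groups: list[str] = []
    i = 0
    while i < len(parts) and not parts[i].startswith(("Role=", "Capability=")):
        if not _COMPONENT.fullmatch(parts[i]):
            raise ValueError(f"bad group component {parts[i]!r} in {text!r}")
        groups.append(parts[i])
        i += 1
    if not groups:
        raise ValueError(f"no group in {text!r}")
    role = capability = None
    if i < len(parts) and parts[i].startswith("Role="):
        role = parts[i][len("Role="):]
        i += 1
    if i < len(parts) and parts[i].startswith("Capability="):
        capability = parts[i][len("Capability="):]
        i += 1
    if i != len(parts):
        raise ValueError(f"unexpected trailing components in {text!r}")
    # VOMS renders an absent role or capability as the literal string NULL.
    role = None if role in ("", "NULL") else role
    capability = None if capability in ("", "NULL") else capability
    return FQAN("/" + "/".join(groups), role, capability)


@dataclass(frozen=True)
class Rule:
    group: str              # exact group, or "/wpsix/*" for the group and all its subgroups
    role: Optional[str]     # None: any role, including no role at all
    account: str            # the local privilege the site hands out

    def matches(self, f: FQAN) -> bool:
        if self.group.endswith("/*"):
            base = self.group[:-2]
            group_ok = f.group == base or f.group.startswith(base + "/")
        else:
            group_ok = f.group == self.group
        return group_ok and (self.role is None or self.role == f.role)


# Constructed site policy. First matching rule wins, so specific rules go first.
POLICY = [
    Rule("/wpsix", "admin", "wpsixsgm"),
    Rule("/wpsix/*", None, "wpsix001"),
]
BANNED_DNS = {"/O=dutchgrid/O=nikhef/CN=Banned User"}   # constructed


def authorize(dn: str, fqans: list[str], policy=POLICY, banned=BANNED_DNS) -> Optional[str]:
    """Site-side decision: the VO says what you are, the provider decides what that
    is worth here, and may still refuse you by DN regardless of VO attributes."""
    if dn in banned:
        return None
    parsed = [parse_fqan(f) for f in fqans]      # reject malformed input before deciding anything
    for f in parsed:                             # VOMS lists the primary FQAN first
        for rule in policy:
            if rule.matches(f):
                return rule.account
    return None
```

Order matters on both sides: the VO controls which FQAN comes first (voms-proxy-init -order), and the site controls which rule comes first, so a role-specific rule must precede the catch-all or it is never reached.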
23
Long term proxies
  • A proxy has a limited lifetime (default is 12 h)
    • a longer-lived proxy is a bad idea: its key is unencrypted and, once leaked, stays usable until it expires
  • However, a grid task might need to use a proxy for a much longer time
    • grid jobs in HEP Data Challenges on LCG last up to 2 days
  • MyProxy server
    • allows you to create and store a long-term proxy certificate
    • myproxy-init -s <host_name>
      • -s <host_name> specifies the hostname of the MyProxy server
    • myproxy-info: get information about the stored long-lived proxy
    • myproxy-get-delegation: get a new (short-lived) proxy from the MyProxy server
    • myproxy-destroy
    • check out the myproxy-xxx --help option
  • A dedicated service on the RB can renew the proxy automatically
  • File transfer services in gLite validate the user request and, if needed, renew the proxy
    • by contacting the MyProxy server

slide from EGEE NA3 Tutorial repository
24
Grid authentication with MyProxy
slide from EGEE NA3 Tutorial repository
25
But what do I have to do?
  • A Grid Security walk-through

26
A walk-through
27
Certificate request
once every year
28
Contacting the CA
  • Each CA has different policies and practices
  • Generate a cryptographic key pair
    • using a script like grid-cert-request
    • with your web browser
    • using a Java applet
  • Appear in person at the Registration Authority (RA)
  • RA approves your request
  • CA signs the approved request and sends you the cert
    • via mail: copy it to your home directory
    • via the web: download it into your browser and export it to disk
  • All use a network of RAs close to you

29
DutchGrid CA
http://ca.dutchgrid.nl/
30
Making the request (DutchGrid CA)
    triode:davidg 1004> sh makerequest.sh
    Generating user request and private key in /tmp
    Do NOT delete the private key in this directory

    NOTICE: you are about to create the cryptographic key pair you need
    in your certificate. The private key is highly confidential
    information! Do not share it with anyone and do not send it
    by mail to the Certification Authority.
    Your private key is stored in a file named 'userkey.pem'.

    Using configuration from /tmp/certreq15061.cnf
    Generating a 1024 bit RSA private key
    .....
    ..................
    writing new private key to '/tmp/userkey.pem'
    -----

    Mailing CAmedium certificate request to the DutchGrid CA

    In the authentication process by the CA, you may be asked to
    provide a proof-of-possession of the keypair you submitted. This

[slide callouts: "run request script"; "Proof of Possession Challenge"]
31
Your request
    $ openssl req -in ~/.globus/user_request.pem -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: O=Grid, O=CERN, OU=cern.ch, CN=Akos Frohner        <- user information
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):                                 <- public key
                        00:ba:ae:e2:9a:98:be:94:f5:f5:
                        9e:e7:f7:06:58 ...
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption                        <- signature on the public
            29:87:63:40:65:af:1b:39:e9:71:b9:3f:70:80:                     key and user information
            0c:27:71:0e ...
    -----BEGIN CERTIFICATE REQUEST-----                                 <- PEM encoded request
    MIIBhjCB8AIBADBHMQ0wCwYDVQQKEwRHcmlkMQ0wC ...
    -----END CERTIFICATE REQUEST-----

  • the request's self-signature only proves possession of the private key; the md5WithRSAEncryption and the 1024-bit key shown here were normal in 2006, but a CA today expects SHA-256 and at least 2048 bits

32
Private Key Details
    $ openssl rsa -in ~/.globus/userkey.pem -text
    Enter PEM pass phrase:
    Private-Key: (1024 bit)
    modulus: ...
    publicExponent: ..... (0x......)
    privateExponent: ...                        <- private parameters
    prime1: ...
    prime2: ...
    exponent1: ...
    exponent2: ...
    coefficient: ...
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----             <- PEM encoded private key
    -----END RSA PRIVATE KEY-----

  • note that this command writes the decrypted key to the terminal in PEM form: add -noout when you only want to inspect the parameters, and never redirect the output to a file or paste it anywhere

33
Certificate signing
34
Importing your certificate in the browser
35
Browser certificates
  • Your certificate must be in PKCS#12 format:
    openssl pkcs12 -export \
        -in ~/.globus/usercert.pem \
        -inkey ~/.globus/userkey.pem \
        -out user.p12 \
        -name "Joe Smith"
  • Use the certificate store of your browser
    • Windows: double-click on the .p12 file
    • Internet Explorer: Internet Options, tab Content
    • Netscape 6: Preferences, Privacy & Security, Certificates, then use Restore
  • And SET THE MASTER PASSWORD
  • The .p12 file contains your private key: protect it with a strong export password and delete it once it is imported

36
Usage Guidelines
Account Registration: once for the lifetime of the VO (based on your DN)
Usage guidelines
37
Registering with your VO
for national VOs use https://register.matrix.sara.nl/ or https://mu4.matrix.sara.nl:8443/vomses
for LCG use http://lcg-registrar.cern.ch/
Agree to the VO AUP!
38
Starting a session
every 12/24 hours
39
Configuration on the Server
automatically updated every night/week
40
Using a Service
41
Summary
  • CA: authentication
  • VO: AUP, authorization and access
  • Only once: a new certificate
    • follow the web page instructions
    • send the request to the appropriate CA (e.g. ca@dutchgrid.nl)
    • save the answer as ~/.globus/usercert.pem
    • import it in the web browser (.p12) and register with the VO
  • Daily: a new proxy certificate
    • voms-proxy-init --voms foobar
    • written to /tmp/x509up_u<uid>
    • use the Grid

42
Extra certificate renewal
  • Your certificate has a validity of 12 months, then you will have to renew
    • you get an email warning 4 weeks in advance (and again at 2 weeks)
  • download the script from the web site
  • run it on a unix system with OpenSSL installed (no macs!)
  • The script generates a signed email message
    • send the signed message to ca@dutchgrid.nl
    • do not modify the message in any way; preferably use sendmail -t < newrequest.txt as the script tells you at the end
  • your Registration Authority will be contacted for confirmation
  • after response from the RA, a new certificate is mailed to you
  • When you get the new certificate, remember to also put the newkey.pem file in the proper place (the new certificate only works with the new key)!

43
Extra managing a VOMS VO
44
VOMS management through the web
  • VOMS groups and roles can be managed by the VO-admin through the VOMS-Admin web interface
  • Connect to https://mu4.matrix.sara.nl:8443/voms/<voname>

45
extra on the USB key
  • go to the CA web site at http://ca.dutchgrid.nl/
  • complete all web forms, and print out the paper
  • download the Unix shell script
  • run the makerequest.sh script, specifying where the keys should be created:
    mkdir /mnt/flash/.globus
    sh makerequest.sh /mnt/flash/.globus/
  • write down the proof-of-possession challenge on the paper
  • Back home
    • receive the mail from the CA
    • insert your USB flash drive again, and copy the mail to /mnt/flash/.globus/usercert.pem
    • make a symlink in your home directory on the UI: ln -s /mnt/flash/.globus $HOME/.globus
    • login to the grid with grid-proxy-init
  • The USB key now carries your private key: it is still passphrase-protected, so keep the passphrase off the key, and report a lost key to the CA so the certificate can be revoked