Who do you Trust?
The roles of certificates, certification authorities and the IGTF in Grid Computing
Prof. Vinod Rebello
Instituto de Computação, Universidade Federal Fluminense, Brazil
The Americas Grid Policy Management Authority
UNLP Grid Open Day, 5th November 2008 – Vinod Rebello – [email protected]
A talk about PKI - Why me?
• User, resource provider and grid operator
• Manager of the IGTF approved Brazilian and the Latin American and Caribbean Catch-all Grid Certificate Authorities
• EELA-2 Task leader for Grid CAs and Security
• Current Chair of the TAGPMA
• Former Chair of the IGTF
There are worlds outside of Grid Computing…
• Chair of the Brazilian Educational PMA (ICPEDU)
• Brazilian Federal PKI Service
And these worlds are colliding!
The Grid Computing Model
[Diagram: Grid/Cloud offering services]
In this generic model, institutions and businesses own fewer of their own resources. Third parties provide facilities; users get access to services. Businesses themselves can also offer services over the Grid.
What is Grid Security?
• The Grid problem is to enable “coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations.” (From The Anatomy of the Grid)
• So Grid Security is security to enable VOs.
• Security is about risk assessment, not building a perfect system
Essentials for Grid Security
• Access to shared services
  – cross-domain authentication, authorization, accounting, billing
  – common generic protocols for collective services
• Support multi-user collaboration
  – may contain individuals acting alone – their home organization administration need not necessarily know about all activities
  – organized in ‘Virtual Organizations’
• Enable ‘easy’ single sign-on for the user
  – the best security is hidden from the user as much as possible
• And leave the resource owner always in control
Characteristics of Grid Security
• Current grid security is largely user centric
  – different roles for the same person in the home institution and in the Virtual Organization (VO)
• There is no a priori trust relationship between members or member organizations
  – VO lifetime can vary from hours to decades
  – VO not necessarily persistent (both long- and short-lived)
  – people and resources are members of many VOs
• … but a relationship is required
  – as a basis for authorising access
  – for traceability and liability, incident handling, and accounting
Role of Computer Security
• Identification & Authentication (I&A)
  – Provide a way of identifying entities, and controlling this identity
• Confidentiality: protection against data disclosure to unauthorized persons
• Integrity: protection against data modification
• Availability: protection against loss of access to data and services (denial of service)
• Non-repudiability
  – Bind an entity to its actions
• Authorisation
  – Identity combined with an access policy to grant rights to perform some action
Security Building Blocks
• Encryption provides
  – confidentiality; it can also provide authentication and integrity protection, but only when combined with an authentication tag or MAC (an authenticated encryption mode): plain encryption does not by itself detect modification of the ciphertext
• Checksums/hash algorithms provide
  – integrity protection; a keyed hash (a MAC such as HMAC) can also provide authentication, an unkeyed hash alone cannot
• Digital signatures provide
  – authentication, integrity protection, and non-repudiation
Asymmetric Cryptography
• Use one-way (trapdoor) functions and a key pair
  – What one key encrypts, the other decrypts
• Keep one key private
  – Only you can decrypt (and only you can sign)
• Let the other be public
  – Everyone can encrypt (and everyone can verify)
• Security relies on
  – the inverse F⁻¹ not being computable without the private key
[Diagram: F(x) applied with one key maps “Hello” to “$w!4&”, and applied with the other key maps “$w!4&” back to “Hello”]
Asymmetric Key Pairs
• Every user generates a key pair and splits it into a private and a public key.
• The public key is known by everybody.
• The private key should not be known by anyone else. It may be protected by hardware.
Authentication: Challenge - Response
[Diagram: client and server exchange]
1. Client → Server: I’m Fred
2. Server: ch = rand(); sends the challenge 1423
3. Client: encrypt(1423) with priv → AxW8; sends AxW8
4. Server: decrypt(AxW8) with pub of Fred; same as ch? → Hi Fred
• Server needs to keep track of Fred’s public key
Creating a Digital Signature
• The digital signature locks the document to the signer
• Easily verifiable by everyone in possession of the public key (next slide)
[Diagram: the original document is passed through a digest function (the slide names SHA-1 and MD5) to produce a hash; the hash is then encrypted with the signer’s private key and attached to the document]
• MD5 and SHA-1, the digest functions named on the slide, are no longer acceptable for signatures: practical collisions have been demonstrated for both, and current CA practice requires SHA-2 or later
Verifying a Digital Signature
• A verified signature proves that
  – The corresponding private key was used to sign the document
  – The document has not been altered
[Diagram: the verifier recomputes the hash of the received document with the digest function, decrypts the attached signature with the signer’s public key to recover the signed hash, and checks that the two hashes are equal]
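The challenge-response exchange and the create/verify signature steps on the last three slides are one primitive: something produced with the private key and checked with the public key. The Go program below is an added example, not code from the talk, and runs both flows: a server that stores Fred's public key (as on the challenge-response slide) and issues a fresh random challenge, a client that signs it, and a document signature over a SHA-256 digest. The names Client, Server, Challenge, Respond, SignDocument and VerifyDocument are the example's own; Ed25519 from Go's standard library stands in for the unnamed algorithm on the slides, and the sample document text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Client holds the private key; it never leaves this struct (the "priv" box).
type Client struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Server keeps a copy of each registered user's public key, as on the
// challenge-response slide, plus the challenge it last issued to each user.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewClient(name string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{Name: name, Pub: pub, priv: priv}, nil
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Register(name string, pub ed25519.PublicKey) { s.users[name] = pub }

// Challenge is "ch = rand()": 32 fresh random bytes per attempt, which is what stops replay.
func (s *Server) Challenge(name string) ([]byte, error) {
	if _, ok := s.users[name]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[name] = ch
	return ch, nil
}

// transcript is what gets signed: claimed name plus challenge, so a response for one user cannot be reused for another.
func transcript(name string, ch []byte) []byte {
	return append([]byte(name+"\x00"), ch...)
}

// Respond is the slide's "encrypt(1423) with priv"; with a modern scheme it is
// a signature over the challenge rather than an encryption of it.
func (c *Client) Respond(ch []byte) []byte {
	return ed25519.Sign(c.priv, transcript(c.Name, ch))
}

// Verify is "decrypt(AxW8) with pub of Fred; same as ch?"; the stored challenge is consumed, so a replayed response fails.
func (s *Server) Verify(name string, response []byte) bool {
	pub, known := s.users[name]
	ch, issued := s.challenges[name]
	if !known || !issued {
		return false
	}
	delete(s.challenges, name)
	return ed25519.Verify(pub, transcript(name, ch), response)
}

// SignDocument follows the "Creating a Digital Signature" slide: digest the
// document, then sign the digest with the private key.
func SignDocument(c *Client, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(c.priv, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature against it.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	fred, _ := NewClient("Fred")
	srv := NewServer()
	srv.Register("Fred", fred.Pub)
	ch, _ := srv.Challenge("Fred")
	resp := fred.Respond(ch)
	fmt.Println("login:", srv.Verify("Fred", resp), "replay:", srv.Verify("Fred", resp))
	doc := []byte("run job 42 on cluster A") // constructed sample document
	sig := SignDocument(fred, doc)
	fmt.Println("document:", VerifyDocument(fred.Pub, doc, sig),
		"tampered:", VerifyDocument(fred.Pub, []byte("run job 43 on cluster A"), sig))
}
```

The challenge is deleted when it is checked, so a captured response cannot be presented a second time, and the claimed name is bound into the signed bytes so a response obtained for one account cannot be replayed under another. Ed25519 hashes its input internally; the explicit SHA-256 step in SignDocument only mirrors the digest box on the slide.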
Distributing the Public Key
• Correct mapping is crucial: public key -> identity
• Ensure the integrity of the mapping by applying a digital signature to it: a certificate
[Diagram: certificate fields: Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields]
X.509 Public Key Certificate
• A standardised way to associate a public key with an entity
• A digitally signed identity document
  – Can identify people, computers, services, …
• Fields: Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields
  – By analogy with a driving licence, the extension data would say what type of vehicles the person is authorized to drive
Signing a certificate
• Normal digital signature procedure
• Non-sensitive information
  – Contains public data, is verified with public data
[Diagram: the certificate fields (Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields) are passed through the digest function; the resulting hash is signed with the issuer’s private key and appended as the certificate signature]
Verifying a certificate
• Check the Signature
• Check the Time (the validity period)
• Check Revocation
[Diagram: the verifier hashes the certificate fields with the digest function, decrypts the certificate signature with the issuer’s public key, and compares the two hashes]
But who should sign the certificate?
Certification Authority
• The role of the CA is to manage the certificate life cycle: create, store, renew, revoke
[Diagram: the user’s data and public key are submitted to the CA, a Trusted Third Party, which returns the user certificate: user data, public key and CA signature]
Certification Process
[Diagram: the CA comprises a Registration Manager (RM) and a Certificate Manager (CM), the certificate signing engine; outside it sit the Subscriber, the Registration Authority (RA) Agent, a Sponsor and the Project DBMS. The numbered steps below are the arrows on the diagram.]
1. Subscriber requests Certificate
2. RM posts signing request notice
3. The RA for the Subscriber retrieves the request
4. The RA agent reviews the request with the Grid project (the diagram shows the Sponsor and the Project DBMS here)
5. The agent updates/approves/rejects the request
6. Approved Certificate Request is sent to the CM
7. CM issues the certificate
8. RM sends Email notice to the Subscriber
9. Subscriber picks up the new certificate
Certificates
• CA is the only entity able to create/modify the certificate
  – the CA has to be trusted
• Certificates enable:
  – Clients to authenticate servers
  – Servers to authenticate clients
  – Public key exchange without a Public Key Server
• No disclosure of private/secret keys.
• Special features:
  – chains of CAs, to distribute the task of issuing certificates
  – Certificate Revocation List, to disable certificates
Authentication
• … the server now only needs to keep track of its trust anchors (CA certificates)
[Diagram: the server holds a CA repository instead of every user’s public key]
1. Client → Server: Hello, together with Fred’s certificate (which carries pub)
2. Server: cert.validate()? (checks the certificate against the CA repository); cert.getName() → Fred; ch = rand(); sends the challenge 1423
3. Client: encrypt(1423) with priv → AxW8; sends AxW8
4. Server: cert.getPubKey(); decrypt(AxW8); same as ch? → Hi Fred
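To make the “Verifying a certificate” and trust-anchor slides concrete, here is an added Go example (not code from the talk, the IGTF, or any grid middleware) in which a toy CA issues a user certificate and a CRL, and a relying party authenticates the user holding nothing but the CA certificate, that CA’s CRL and the subject namespace the CA is allowed to issue under. The names CA, Issue, PublishCRL and Authenticate, the “O=Grid” namespace, the one-year certificate and seven-day CRL lifetimes, and the use of Ed25519 keys are all the example’s own choices; it relies only on Go’s crypto/x509 package and needs Go 1.19 or later for ParseRevocationList and CheckSignatureFrom.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// CA is a toy grid CA constructed for this example: a self-signed trust anchor.
type CA struct {
	Cert   *x509.Certificate
	key    ed25519.PrivateKey
	serial int64
}

func NewCA(org string, now time.Time) (*CA, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // self-signed
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: key, serial: 2}, err
}

// Issue binds a subscriber name to the subscriber's public key under the CA's signature; only public data goes in.
func (ca *CA) Issue(cn string, pub ed25519.PublicKey, now time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{Organization: ca.Cert.Subject.Organization, CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // one-year user certificate
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ca.serial++
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// PublishCRL signs a CRL listing the given serials as revoked. NextUpdate
// bounds how stale a relying party's copy may get before it must refuse to decide.
func (ca *CA) PublishCRL(now time.Time, revoked ...*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: entries,
	}, ca.Cert, ca.key)
}

// Authenticate is the relying party's side: it holds only the trust anchor, the anchor's latest CRL and the
// RDN namespace the anchor may issue under (an IGTF-style signing policy such as "O=Grid"), never users' keys.
func Authenticate(certDER, crlDER []byte, anchor *x509.Certificate, namespace string, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", err // unknown issuer, bad signature, or outside the validity period
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(anchor); err != nil || now.After(crl.NextUpdate) {
		return "", errors.New("CRL not signed by the anchor or past NextUpdate: refusing to decide")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	subject := cert.Subject.String()
	if !strings.HasSuffix(subject, ","+namespace) {
		return "", errors.New("subject outside the CA's namespace: " + subject)
	}
	return subject, nil
}
```

The three checks on the “Verifying a certificate” slide map onto Authenticate in order: cert.Verify fails for an unknown issuer, a bad signature or a certificate outside its validity period; a serial listed on a fresh CRL is refused; and a CRL past its NextUpdate is treated as “cannot decide” rather than “not revoked”, which is the safe reading when the revocation service is unreachable. The namespace check mirrors the subject namespace assignment the federation makes per accredited CA: a CA trusted for O=Grid names must not be able to vouch for names elsewhere.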
Trusting the CA
• Nothing hinders you from setting up your own CA and issuing certificates
  – Getting others to trust you is the hard problem!
• Trust anchors
  – the CAs that we more or less trust unconditionally
Establishing Trust
• The dynamic cross-organizational resource sharing gives us a problem
  – No initial trust, different policies, different mechanisms
  – no central point of control in Grids
• We have to provide tools to make this as painless as possible
Solving the Trust Problem
• Trusted Third Parties
  – Independent identity assessment providers
  – The most commonly used today
• Federations
  – Organizations trust each other to identify their own users
  – Finite “membership” constellations
• Web of Trust
  – Users trust each other to identify others
  – Less control, scalability arguable
International Grid Trust Fed.
• Commissioned: Mar 2003 (Tokyo); Chartered: October 5th, 2005 at GGF 16 (Chicago)
• Federation of European, Asian, and Western Hemisphere Policy Management Authorities
  – Focused on Identity management and authentication for Grids
• Establishment of top level CA registries and related services
  – Root CA certificates, CA repositories and CRL publishing points.
  – Uses TERENA TACAR (TERENA Academic CA Repository)
• Standards
  – Certificate policies, Certification profiles, Accreditation
  – Open Grid Forum publishes standards and community best practices.
Building the Federation
• Providers and Relying Parties together shape the common minimum requirements
  – Several profiles for different identity management models
    • different technologies
  – Authorities testify to compliance with profile guidelines
  – Peer-review process within the federation to (re)evaluate members on entry & periodically
  – Reduce effort on the relying parties
    • single document to review and assess for all Authorities
    • collective acceptance of all accredited authorities
  – Reduce cost on the authorities
    • but participation in the federation comes with a price
• … the ultimate decision always remains with the RP
Model for Grid Authentication
• A Federation of many independent CAs
  – Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
  – Acceptable for major relying parties in Grid Infrastructures
• No strict hierarchy with a single top
  – spread liability and enable failure containment (better resilience)
  – maximum leverage of national efforts
[Diagram: CA 1, CA 2, CA 3 … CA n are bound by a charter, guidelines and an acceptance process, and are accepted collectively by relying party 1 … relying party m]
The Regional PMAs
• The Americas Grid PMA
• Asia Pacific Grid PMA
• European Grid PMA
EUGridPMA
• www.eugridpma.org
• Member organizations/countries:
  – Canonical list: http://www.eugridpma.org/members/index.php
  – Membership includes many European national and regional (eg Nordunet, Baltic Grid) Grid projects; Canarie (Canada); DOEGrids and FNAL (US); significant relying parties such as LHC, OSG
• Features:
  – ~50 members: most from EU, some from closely affiliated countries, the Middle East and Africa
  – Chaired by David Groep (NIKHEF)
  – Completed 14th Face-to-face meeting
  – The senior partner – “Classic” X.509 Grid Authentication Profile
APGridPMA
• www.apgridpma.org
• Member organizations/countries:
  – Canonical list: https://www.apgrid.org/CA/CertificateAuthorities.html
• Features:
  – 18 members from the Asia-Pacific Region, chaired by Yoshio Tanaka (AIST) and Jenny Chin (ASGC)
  – 10 Production CAs are in operation
TAGPMA
• www.tagpma.org
• The newest PMA, first Face-to-Face meeting in Rio de Janeiro, March 2006.
• Member organizations/countries:
  – Canonical list: http://www.tagpma.org/members
• Features:
  – 21 members: CA, US, Mexico and Latin America
  – Chaired previously by Darcy Quesnel (CANARIE) and currently by Vinod Rebello (UFF) and Jim Marstellar (PSC)
TAGPMA Membership
• CANARIE – Canada
• DOEGrids (ESNet) – USA
• EELA – International
• Fermi National Accelerator Laboratory – USA
• HEBCA/USHER/Dartmouth College – USA
• IBDS (ANSP) – Brazil
• LCG – International
• NCSA – USA
• NERSC – USA
• Open Science Grid – International
• Purdue University – USA
• REUNA – Chile
• San Diego Supercomputer Center – USA
• TACC – USA
• TeraGrid – USA
• Texas High Energy Grid – USA
• University of Virginia – USA
• UFF – Brazil
• ULA – Venezuela
• UNAM – Mexico
• UNLP – Argentina
[Slide legend, colour-coded per member: IGTF Accredited CA Operators / CA Accreditation in progress / Interested in accreditation / Relying Party]
IGTF Common Policy
EUGridPMA• CA E1
• CA E2
• …
APGridPMA• CA A1
• …
TAGPMA• CA T1
• …
IGTF Federation Document
Common Authentication Profiles
Classic(EUGridPMA)
SLCS(TAGPMA)
trustrelations Subject
NamespaceAssignment
DistributionNaming
Conventions
worldwide relying parties see a uniform IGTF “mesh”
UNLP Grid Open Day 5th November 2008 Vinod Rebello – [email protected] 34
Policies and Practices
• Certificate Policy and Certification Practice Statement (CP/CPS)
• An RFC 3647 formatted document that describes the policies and procedures followed by the PKI and the responsibilities of the parties involved
• Rules for how a CA operates and how users are vetted when registering for certificates
  – Certificate Policy (CP): requirements for granting and managing PKI credentials
  – Certification Practices Statement (CPS): the actual steps an institution takes to implement the CP
• Information not only for Relying Parties but also users!
TAGPMA CA Accreditation
• Initial Consultation & Review with Mentor
• Submit CP/CPS for review
• Present proposal at Face-to-Face meeting
• Once CP/CPS approved then subject to an Operational Review/Audit
• Include CA root certificate in the IGTF distribution and repository
What Are Grid PKIs For?
• Exist to serve the grid community in terms of authentication
  – X.509 certificates are an essential component of Grid security mechanisms
  – Authentication supports diverse authorization methods (including ongoing research)
  – X.509 Certification Authorities provide a focal point for policy and key lifecycle management
  – IGTF and regional PMAs provide coordination and interoperability standards for Grid PKIs
Fostering NGIs in LA?
• Fostering National Grid Initiatives to meet the demands of Latin America
  – Not just computer science, nor is it just e-science, it’s e-verything!
  – Learn from but not necessarily copy other NGIs
• Sustainability
  – Maintenance support for large scale, production class infrastructures
  – Tools to improve accessibility
  – More users
  – Integrate Grid PKI with other broader scoped PKIs
• UFF BrGrid CA will be an integral part of the Brazilian Educational and Research PKI (ICPEDU).
Acknowledgements
Various slides from
• Michael Helm, ESnet/LBL
• David Groep, NIKHEF
• Darcy Quesnel, CANARIE
• Mehran Ahsant, KTH
• Argentinean National Grid CA – UNLP Grid CA http://www.pkigrid.unlp.edu.ar
• Questions?
• Contact information – [email protected]