Part1 EGEE intro security
Added: June 20, 2007

Introduction to EGEE and EGEE security (http://egee.hu/grid05/index.php?m=3)


Introduction to EGEE and Security
EGEE is funded by the European Union under contract IST-2003-508833
Norbert Podhorszki, MTA SZTAKI


Acknowledgement
This tutorial is based on the work of many people:
- Fabrizio Gagliardi, Flavia Donno and Peter Kunszt (CERN)
- the EDG developer team
- the EDG training team
- the NeSC training team
- the SZTAKI training team


The Grid Vision
The Grid: networked data processing centres and 'middleware' software as the 'glue' of resources.


What do we expect from the Grid?
- Access to a world-wide virtual computing laboratory with almost infinite resources
- Possibility to organize distributed scientific communities in VOs
- Transparent access to distributed data and easy workload management
- Easy to use application interfaces


CERN: Data intensive science in a large international facility
- The Large Hadron Collider (LHC): the most powerful instrument ever built to investigate elementary particle physics
- Data challenge: 10 Petabytes/year of data, i.e. 20 million CDs each year
- Simulation, reconstruction, analysis: LHC data handling requires computing power equivalent to ~100,000 of today's fastest PC processors
[Slide photos: Mont Blanc (4810 m), downtown Geneva]


The EGEE Project
- www.eu-egee.org
- EU funded project (04/2004 – 03/2006)
- EGEE offers the largest production grid facility in the world, open to many applications (HEP, BioMedical, generic)
- Existing production service based on LCG (derived from EDG software of FP5)
- Next generation open source web-services middleware being re-engineered taking into account production/deployment/management needs
- Well-defined, distributed support structure to provide an eInfrastructure that is available to many application domains


LCG-2/EGEE-0 Status April 2005
Total: > 100 sites, ~12000 CPUs, 6.5 PByte
[Slide map of participating sites; label: Cyprus]


Main Logical Machine Types (Services) in LCG-2
- User Interface (UI)
- Information Service (IS)
- Computing Element (CE)
  - Frontend Node
  - Worker Nodes (WN)
- Storage Element (SE)
- Replica Catalog (RC, RLS)
- Resource Broker (RB)


User Interface
- The initial point of access to the LCG-2 Grid is the User Interface
- This is a machine where LCG users have a personal account
- The user's certificate is installed there
- The UI is the gateway to Grid services
- It provides a Command Line Interface to perform the following basic Grid operations:
  - list all the resources suitable to execute a given job
  - replicate and copy files
  - submit a job for execution on a Computing Element
  - show the status of one or more submitted jobs
  - retrieve the output of one or more finished jobs
  - cancel one or more jobs
- One or more UIs are available at each site that is part of the LCG-2 Grid


Computing Element
[Slide diagram: Grid Gate node (gatekeeper, infoService), batch server, and a row of worker nodes each labelled CPU: PIV, RAM: 2GB, OS: Linux]
- A CE consists of homogeneous worker nodes
- Computing Element: entry point into a queue of a batch system
- The information associated with a computing element is limited to information relevant to the queue
- Resource details relate to the system


Storage Element (SE)
- A Storage Element (SE) provides uniform access and services to large storage spaces.
- Each site includes at least one SE
- They use two protocols:
  - GSIFTP for file transfer
  - Remote File Input/Output (RFIO) for file access
- Storage Resource Manager (SRM) needs to take into account:
  - Transparent access to files (migration to/from disk pool)
  - Space reservation (on demand and in advance)
  - File status notification
  - Lifetime management


Information System (IS)
- The Information System (IS) provides information about the LCG-2 Grid resources and their status
- The current IS is based on LDAP (Lightweight Directory Access Protocol): a directory service infrastructure which is a specialized database optimized for reading, browsing and searching information.
- The LDAP schema used in LCG-2 implements the GLUE (Grid Laboratory for a Uniform Environment) Schema


Data Management
- In LCG, the data files are replicated on a temporary basis to many different sites, depending on where the data is needed.
- The users or applications do not need to know where the data is located: they use logical file names, and the Data Management services are responsible for locating and accessing the data.


Replication Services: Basic Functionality
[Slide diagram: Replica Manager, Replica Location Service, Replica Metadata Catalog, and two Storage Elements]
- Files have replicas stored at many Grid sites on Storage Elements.
- Each file has a unique Grid ID (GUID).
- Locations corresponding to the GUID are kept in the Replica Location Service.
- Users may assign aliases to the GUIDs. These are kept in the Replica Metadata Catalog.
- The Replica Manager provides atomicity for file operations, assuring consistency of SE and catalog contents.


Job Management
- The user interacts with the Grid via a Workload Management System (WMS)
- The goal of the WMS is distributed scheduling and resource management in a Grid environment.
- What does it allow Grid users to do?
  - To submit their jobs
  - To execute them on the 'best resources' (the WMS tries to optimize the usage of resources)
  - To get information about their status
  - To retrieve their output


A Simple Configuration
[Slide diagram with labels: User Interface, Resource Broker, Replica Catalog, Information Service, Storage Element 1, Storage Element 2, Computing Element 1, Computing Element 2, and two 'CLOSE' links between Storage and Computing Elements]


Security


Introduction to Security
What aspects of security should we be concerned about?
- Authentication (Identification)
- Confidentiality (Privacy)
- Integrity (non-Tampering)
- Authorisation
Also:
- Accounting
- Delegation
- Non-Repudiation


How do I login on the Grid?
Distribution of resources: secure access is a basic requirement
- secure communication
- security across organisational boundaries
- single 'sign-on' for users of the Grid
Two basic concepts:
- Authentication: Who am I? 'Equivalent' to a passport, ID card etc.
- Authorisation: What can I do? Certain permissions, duties etc.


Encrypting for Confidentiality
Sending a message using asymmetric keys:
1. Encrypt the message using the Receiver's public key
2. Send the encrypted message
3. The Receiver decrypts the message using their own private key
Only someone with the Receiver's private key can decrypt the message.
[Slide diagram: Sender space, Public space, Receiver space. 'Hello World' is turned into ciphertext ('hR3a rearj') with openssl and the Receiver's public key, crosses the public space, and is turned back into 'Hello World' with openssl and the Receiver's private key]


Signing for Authentication
1. Encrypt the message with the Sender's private key
2. Send the encrypted message
3. The message is readable by ANYONE with the Sender's public key
4. The Receiver decrypts the message with the Sender's public key
The Receiver can be confident that only someone with the Sender's private key could have sent the message.
[Slide diagram: Sender space, Public space, Receiver space. 'Hello World' is turned into 'n52krj rer' with openssl and the Sender's private key, crosses the public space, and is recovered as 'Hello World' with openssl by anyone holding the Sender's public key]


Problem of Authentication
- What if the public key is stolen?
- Can the Receiver be sure that the Sender's public key is really the Sender's public key and not someone else's?
[Slide diagram: the Attacker's public key is advertised as the Sender's public key. The Attacker signs 'You are a loser' with the Attacker's private key ('s76gthklds'); the Receiver, using the advertised key, reads the message as if it came from the Sender]


Digital Certificates
- How can B be sure that A's public key is really A's public key and not someone else's?
- A third party guarantees the correspondence between public key and owner's identity, by signing a document which contains the owner's identity and his public key (Digital Certificate)
- Both A and B must trust this third party
- Two models:
  - X.509: hierarchical organization
  - PGP: 'web of trust'


Certificate contents
The certificate that you present to others contains:
- Your distinguished name (DN): your identifier
- Your public key: anyone can send a secret message to you
- The identity of the CA who issued the certificate: just a name
- Its expiry date: the certificate's expiry date (usually issued for one year)
- Digital signature of the CA which issued it: the certificate encrypted with the CA's private key


Involved entities
[Slide diagram: User (public key, private key, certificate), Certificate Authority, Resource (site offering services)]


Certificate Request
1. The user generates a public/private key pair (the private key is stored encrypted on local disk).
2. The user sends the public key to the CA along with proof of identity.
3. The CA confirms the identity, signs the certificate and sends it back to the user (the certificate is the signed public key).


X.509 certificates and authentication
[Slide diagram of the exchange between A and B:]
1. A presents A's certificate to B
2. B verifies the CA signature on the certificate
3. B sends a random phrase to A
4. A encrypts the phrase with A's private key and returns the encrypted phrase
5. B decrypts it with A's public key and compares the result with the original phrase


Certificate classification
- User certificate
  - issued to a physical person
  - DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  - the only kind of certificate good for a client, i.e. to send Grid jobs etc.
- Host certificate
  - issued to a machine (i.e. a secure web server, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
- Grid host certificate
  - issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
- Service certificate
  - issued to a program running on a machine
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch


Grid Security Infrastructure (GSI)
- Globus Toolkit(TM) proposed and implements the Grid Security Infrastructure (GSI)
- Protocols and APIs to address Grid security needs
- GSI protocols extend standard public key protocols
  - Standards: X.509 & SSL/TLS
  - Extensions: X.509 Proxy Certificates (single sign-on) & Delegation
- Proxy Certificate: short-term, restricted certificate that is derived from a long-term X.509 certificate
  - Signed by the normal end entity cert, or by another proxy
  - Allows a process to act on behalf of a user
  - Not encrypted and thus needs to be securely managed by the file system


Delegation
- Proxy creation can be recursive: each time a new private key and a new X.509 proxy certificate, signed by the original key
- Allows a remote process to act on behalf of the user
- Avoids sending passwords or private keys across the network
- The proxy may be a 'Restricted Proxy': a proxy with a reduced set of privileges (e.g. cannot submit jobs).
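The certificate request, confidentiality, challenge/response authentication and proxy delegation steps from the slides above, as an added example that is not part of the original presentation, driven with the openssl command line the slides refer to. It assumes openssl 1.1 or later on the PATH; the CA name, the user DN (shaped like the slides' CERN DNs), the 'CN=proxy' component, the pathlen values and the 'Hello World' message are constructed for illustration, and the proxy uses openssl's RFC 3820 proxyCertInfo extension rather than the older Globus proxy format.

```shell
#!/bin/sh
# Added example (not from the slides): the PKI and GSI steps described above, driven
# with the openssl command line. All names, DNs and messages are constructed here.
set -e
WORK=$(mktemp -d); cd "$WORK"
A_DN="/C=XX/O=ExampleGrid/OU=GRID/CN=John Smith"   # constructed, in the style of the slides' DNs
q() { "$@" >/dev/null 2>&1; }                       # run a command silently, keep its exit status
# Certificate Authority: the third party that both A and B must trust.
q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key -out ca.pem \
    -subj "/C=XX/O=ExampleGrid/CN=Example CA"

# Certificate request: A keeps the private key on local disk and sends only the public
# key (inside the CSR) to the CA, which returns it signed as A's certificate.
q openssl req -newkey rsa:2048 -nodes -keyout a.key -out a.csr -subj "$A_DN"
q openssl x509 -req -days 365 -in a.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out a.pem

# Confidentiality: anyone can encrypt to the public key in A's certificate; only A's private key decrypts.
encrypt_to() {   # $1 = recipient certificate, $2 = plaintext file, $3 = ciphertext file
    openssl x509 -in "$1" -pubkey -noout > to.pub
    q openssl pkeyutl -encrypt -pubin -inkey to.pub -in "$2" -out "$3"
}
decrypt_with() { openssl pkeyutl -decrypt -inkey "$1" -in "$2"; }   # $1 = private key, $2 = ciphertext

# Challenge/response: B checks the CA signature on the presented certificate, sends a
# random phrase, A signs it with the private key, B verifies with the key from the cert.
authenticate() {   # $1 = certificate presented as A's, $2 = private key of the presenter
    q openssl verify -CAfile ca.pem "$1" || return 1
    openssl rand -hex 16 > phrase
    q openssl dgst -sha256 -sign "$2" -out phrase.sig phrase
    openssl x509 -in "$1" -pubkey -noout > presented.pub
    q openssl dgst -sha256 -verify presented.pub -signature phrase.sig phrase
}
# Problem of authentication: a certificate carrying A's DN that the trusted CA never issued fails the first check.
q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout other.key -out other.pem -subj "$A_DN"

# GSI proxy: short-lived, subject = signer's DN plus one CN, signed by the user's own
# certificate or by another proxy (recursive delegation); pathlen bounds further proxies.
make_proxy() {   # $1 signer cert, $2 signer key, $3 signer DN, $4 pathlen, $5 output name
    q openssl req -newkey rsa:2048 -nodes -keyout "$5.key" -out "$5.csr" -subj "$3/CN=proxy"
    printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:%s,policy:text:AB\n' \
        "$4" > "$5.ext"
    q openssl x509 -req -days 1 -in "$5.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -extfile "$5.ext" -out "$5.pem"
}
make_proxy a.pem a.key "$A_DN" 1 proxy1
make_proxy proxy1.pem proxy1.key "$A_DN/CN=proxy" 0 proxy2
cat a.pem proxy1.pem > untrusted.pem   # non-CA certificates the verifier may use to build the chain
# Verifiers must opt in to proxy chains; the chain must still end at the trusted CA.
verify_chain() { q openssl verify -allow_proxy_certs -CAfile ca.pem -untrusted untrusted.pem "$1"; }
authenticate a.pem a.key && verify_chain proxy2.pem && echo "A authenticated; delegated proxy chain accepted"
```

Without -allow_proxy_certs the same verification of proxy1.pem is rejected, which is the point of the "not encrypted and thus needs to be securely managed" remark: a verifier that accepts proxies must decide to do so explicitly.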