
INFSO-RI-508833

Enabling Grids for E-sciencE

www.eu-egee.org

Getting Started

Guy Warner, NeSC Training Team

Induction to Grid Computing and the National Grid Service, NeSC, 10th-11th March 2005


Acknowledgements

Some of the slides in this presentation are based on / motivated by:

• The presentation given by Carl Kesselman at the GGF Summer School 2004. This presentation may be found at
  – http://www.dma.unina.it/~murli/GridSummerSchool2004/curriculum.htm

• Lectures given by Richard Sinnott and John Watt at the University of Glasgow. These lectures may be found at
  – http://csperkins.org/teaching/2004-2005/gc5/

• The presentation given by Simone Campana of CERN at the First Latin American Grid Workshop, Merida, Venezuela. This presentation may be found at
  – http://agenda.cern.ch/fullAgenda.php?ida=a044965


The Problem

• Question: How does a user securely access the Resource without having an account on the machines in between, or even on the Resource itself?

• Question: How does the Resource know who a user is and that they are allowed access?

[Figure: a User connecting to a Resource]


Overview

[Figure: the Grid Security Infrastructure, covering the three elements of Security addressed in this talk: Authentication, Encryption & Data Integrity, and Authorization]


Approaches to Security: 1

The Poor Security House


Approaches to Security: 2

The Paranoid Security House


Approaches to Security: 3

The Realistic Security House


Approaches to Grid Security

• The Poor Security Approach:
  – Use unencrypted communications.
  – No or poor (easily guessed) identification means.
  – Private identification (key) left in a publicly available location.

• The Paranoid Security Approach:
  – Don't use any communications (no network at all).
  – Don't leave the computer unattended.

• The Realistic Security Approach:
  – Encrypt all sensitive communications.
  – Use difficult-to-break identification means.
  – Keep identification secure at all times (e.g. encrypted on a memory stick).
  – Only allow access to trusted users.


The Risks of Poor User Security

• Launch attacks on other sites
  – Large distributed farms of machines, perfect for launching a Distributed Denial of Service attack.

• Illegal or inappropriate data distribution and access to sensitive information
  – Massive distributed storage capacity, ideal for example for swapping movies.

• Damage caused by viruses, worms etc.
  – A highly connected infrastructure means worms spread faster than on the internet in general.


Authentication and Authorization

• Authentication – Are you who you claim to be?

• Authorisation – Do you have access to the resource you are connecting to?

[Figure: a sample identity card (John Doe, 755 E. Woodlawn, Urbana IL 61801, no. 0598234) beside a name badge reading "Jane"]


The Trust Model

[Figure: the GSI trust model. Domain A (with Sub-Domain A1, Server X and Server Y) and Domain B (with Sub-Domain B1 and a Task) each have their own Policy Authority; there is no cross-domain trust between them. A Certification Authority, a Federation Service and a Virtual Organization span the domains and supply the trust that GSI relies on.]

slide based on presentation given by Carl Kesselman at GGF Summer School 2004


[Figure: INSECURE versus SECURE exchange of a message ("Life Savings") between Alice and Bob. In the insecure case the message travels in the clear; in the secure case it is protected with a public/private key pair: the message is encrypted with the public key and can only be recovered with the matching private key.]


Certificates

• Similar to a passport or driver's license: an identity signed by a trusted party

[Figure: a certificate, holding Name, Issuer, Public Key and Signature, shown beside a State of Illinois driver's license for John Doe, 755 E. Woodlawn, Urbana IL 61801, BD 08-06-35, Male 6'0" 200 lbs, GRN Eyes, bearing the State Seal]

slide based on presentation given by Carl Kesselman at GGF Summer School 2004


Certificate Authorities

• A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates

• A Certificate Authority is an entity that exists only to sign user certificates

• Users authenticate themselves to the CA, for example by use of their Passport or Identity Card.

• The CA signs its own certificate, which is distributed in a secure manner.

[Figure: the CA's self-signed certificate: Name: CA, Issuer: CA, CA's Public Key, CA's Signature]

slide based on presentation given by Carl Kesselman at GGF Summer School 2004


Delegation and Certificates

Delegation: The act of giving an organization, person or service the right to act on your behalf.

• For example: A user delegates their authentication to a service to allow programs to run on remote sites.

[Figure: the certificate chain behind delegation. Stage 1 (low frequency): the CA Certificate signs its own certificate. Stage 2 (medium frequency): the CA Certificate signs the User Certificate. Stage 3 (high frequency): the User Certificate signs a Proxy Certificate, which in turn signs on the user's behalf towards the Service.]
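The three stages of the figure above, together with the CA-signed certificate of the previous slides, as an added example that is not part of the original presentation: it builds a toy CA, user and proxy certificate chain with the openssl command line (assumed to be installed, version 1.1.1 or newer) and shows the check a resource makes before accepting the proxy. The organisation and names are made up.

```shell
#!/bin/sh
# Added example, not from the slides: a toy GSI-style chain built with the
# openssl CLI. Stage 1: the CA signs its own certificate. Stage 2: the CA signs
# Alice's user certificate. Stage 3: Alice's user certificate signs a
# short-lived proxy. The resource then verifies the proxy back to the CA it
# trusts. Names and DNs are made up for the example.
set -e

gsi_chain_demo() (
  cd "$(mktemp -d)"
  # Extension profiles: only the CA may sign certificates, the user cert is an
  # end-entity cert, and the proxy carries the RFC 3820 proxyCertInfo extension.
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[user_ext]
basicConstraints = critical,CA:FALSE
[proxy_ext]
proxyCertInfo = critical,language:id-ppl-inheritAll,pathlen:0
EOF
  # Stage 1 (low frequency): self-signed CA certificate.
  openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/O=Toy Grid/CN=Toy CA" -days 365 2>/dev/null
  # Stage 2 (medium frequency): the CA signs Alice's user certificate.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout user.key \
    -out user.csr -subj "/O=Toy Grid/CN=Alice" 2>/dev/null
  openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
    -days 365 -extfile req.cnf -extensions user_ext -out user.pem 2>/dev/null
  # Stage 3 (high frequency): Alice signs a proxy with her own user key. Its
  # subject is her DN plus one extra CN, and it lives for one day only.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout proxy.key \
    -out proxy.csr -subj "/O=Toy Grid/CN=Alice/CN=proxy" 2>/dev/null
  openssl x509 -req -in proxy.csr -CA user.pem -CAkey user.key -set_serial 1 \
    -days 1 -extfile req.cnf -extensions proxy_ext -out proxy.pem 2>/dev/null
  # Resource side: the proxy is accepted only if the whole chain leads to the
  # trusted CA and the verifier has been told to accept proxy certificates.
  openssl verify -CAfile ca.pem -untrusted user.pem -allow_proxy_certs proxy.pem \
    2>&1 | grep -q ': OK' || { echo "proxy chain rejected"; return 1; }
  # A verifier without proxy support rejects the same chain: Alice is not a CA.
  if openssl verify -CAfile ca.pem -untrusted user.pem proxy.pem 2>&1 | grep -q ': OK'
  then echo "proxy accepted without -allow_proxy_certs"; return 1
  fi
  echo ok
)

gsi_chain_demo
```

The one-day proxy lifetime is the point of the "do not delegate for longer than your task needs" advice later in the talk: a leaked proxy expires on its own, while a leaked user key does not.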


User Authorisation to Access Resource

slide based on presentation given by Carl Kesselman at GGF Summer School 2004


User Responsibilities

• Keep your private key secure.
• Do not loan your certificate to anyone.
• Report to your local/regional contact if your certificate has been compromised.
• Do not launch a delegation service for longer than your current task needs.

If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you.


Summary

[Figure: User and Resource. Authentication: via Certificates and Delegated Services. Authorisation: delegated to the VO.]


The Practical

• In your information pack is a sheet containing the details for logging on to your workstation and the passwords needed for logging on to your account on lab-07, the server to be used in this tutorial.

• Login to your workstation.
• Use the putty program (on your desktop) to connect to lab-07.
• Open a browser window to http://homepages.nesc.ac.uk/~gcw/NGS/GSI.html
• Follow the instructions from there.