security
play

Security infrastructure, certificates and responsibilities Anand - PowerPoint PPT Presentation

Mar 24, 2023 •335 likes •714 views

OSG Summer Workshop Lubbock, 2011 Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG Security team Aug 10th, 2011 OSG Security 1 OSG Security OSG Security model A high level overview Aug 10th, 2011

  1. OSG Summer Workshop Lubbock, 2011 Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG Security team Aug 10th, 2011 OSG Security 1

  2. OSG Security OSG Security model A high level overview Aug 10th, 2011 OSG Security 2

  3. OSG Security model  Multiple administrative domains; each Site  Decides how to run its own resources  Decides which users to support  Federated trust  Too many users and too many sites to require each user to register at each site  Virtual Organizations (VOs) as a middle man  A VO trusts its own users  A Site trusts a VO Aug 10th, 2011 OSG Security 3

  4. Authentication structure  Users want a single sign-on to run on all sites  Remember, they are not registering with all the sites  Username+password cannot be used  That would require all sites to synchronize the password/shadow files -> not practical  Public Key Infrastructure (PKI) used instead  In particular X.509 certificates and proxies  Sites only need to know the “user name”  PKI takes care of the security aspect Aug 10th, 2011 OSG Security 4

  5. PKI – x.509 certificate  The user is issued a certificate, which is composed of 2 parts:  A public part, containing  The user name (also known as the DN )  Validity period  The public key  The signing chain (more on this later)  A private part (containing the private key)  The private part MUST be kept private  The public part can (and will) be sent around Aug 10th, 2011 OSG Security 5

  6. PKI – How it works?  User proves who he is by signing using the private key  The public key in the pub_cert allows for verification Hello Identify yourself! Sign XY#B. User Site I am <pub_cert>. The signature is <sign_with_priv> Welcome! Aug 10th, 2011 OSG Security 6

  7. PKI – What is a CA? Not all CAs Not all CAs are trusted! are trusted! A CA is someone who issues certificates  A trusted CA is someone who you trust to issue user  certificates only if they know that user  i.e. User X cannot get a certificate with username Y There are relatively few trusted CAs in existence   At least compared to the number of users  Pre-installing their public keys is thus manageable A CA can also revoke a user certificate  Self signed certs Self signed certs not issued not issued  By publishing its public key in by a trusted CA by a trusted CA a Certificate Revocation List (CRL)  Make sure you download the updated CRLs often! Aug 10th, 2011 OSG Security 7

  8. PKI – And what is a proxy?  You probably have heard about proxies  A proxy is just a new certificate derived from a user certificate  Possibly many CA times! User Cert  The signing chain contains the info to User Proxy safely climb back to ... the CA http://tools.ietf.org/html/rfc3820 User Proxy Aug 10th, 2011 OSG Security 8

  9. PKI – Why a proxy?  The user jobs may need to talk to a remote service when running on the worker nodes  But cannot access the user cert's private key!  A proxy is thus sent (delegated) with the job to the worker node  And the proxy contains a private key!  So the job can impersonate the user  Of course, delegating a private key is dangerous  Mitigated by the fact that proxy lifetime is short (much shorter than the user certificate one) Aug 10th, 2011 OSG Security 9

  10. PKI – Sites have certificates, too  Security only if mutual authentication  The Site trusts the User and the User trusts the Site  The Site must prove who he is to the User  Especially if a proxy is being delegated there!  All nodes with services at a Site thus need a host or service certificate  Similar to a user certificate, but issued by a CA for a specific DNS host (can only be used on that DNS address) Aug 10th, 2011 OSG Security 10

  11. Authorization  Just because someone can authenticate, does not mean a Site will authorize him/her to run on its resources  Authorization is a separate step  The Site may also want to give different privileges to different users  The user must be mapped to a local security domain  Certificate DN -> (typically) UNIX UID Aug 10th, 2011 OSG Security 11

  12. VO-based Authorization  As mentioned in the introduction, Sites trust VOs (not users directly)  Each VO will keep a list of trusted user DNs  Through a service called VOMS  OSG provides a list of trusted VOs and their VOMS servers  The Site needs to pick which VOs to support  Should always support the MIS VO (OSG operations)  Users authenticate with a VOMS-extended proxy (voms-proxy-init -voms ...) Aug 10th, 2011 OSG Security 12

  13. Mapping  OSG provides GUMS for mapping  Talks to VOMS servers to get the list of user DNs  Site admin must decide the mapping  Still VO based, possibly based on VO groups  Either pool (recommended) or group mappings  The admin must also create all the necessary UNIX accounts  Part of “administrative autonomy” principle Aug 10th, 2011 OSG Security 13

  14. OSG Security Getting a Certificate Aug 10th, 2011 OSG Security 14

  15. Which CAs do we use  DOEGrids CA  https://pki1.doegrids.org/ca/  CERN CA (Used by WLCG)  https://ca.cern.ch/ca/  Fermilab CA (Fermilab-based users)  Converts krb5 tickets into certificates  CAs accredited by IGTF (International Grid Trust Federation)  Many country typically have their own CA Aug 10th, 2011 OSG Security 15

  16. CAs supported as a OSG site  OSG provides a list of trusted CAs known to be used by OSG-affiliated VOs  Get them trough VDT http://software.grid.iu.edu/pacman/cadist/ca-certs-version  Sites choose which CAs to support  Typically most sites support OSG provided CAs  However they are free to add/remove CAs Aug 10th, 2011 OSG Security 16

  17. Requesting a certificate  Most likely you want to use DOEGrids  You can request them either trough the Web interface or https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/CertificateGetWeb trough the command line interface https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/CertificateGetCmd  Command line easier for bulk requests (e.g. for service certificates) Aug 10th, 2011 OSG Security 17

  18. Obtaining a personal certificate via browser  https://software.grid.iu.edu/cert/certreg.php Aug 10th, 2011 OSG Security 18

  19. Installing root CA in browser  Go to TACAR (TERENA Academic Certification Authority Repository)  https://www.tacar.org/  Certificates tab  Click install on which ever CAs you wish to install in your browser  Some browser keep browser specific CA repository (e.g. Firefox) while others rely on system wide repository  By installing a CA you are asking your browser to trust the certificates issued by that CA Aug 10th, 2011 OSG Security 19

  20. Locating root CA in your browser Aug 10th, 2011 OSG Security 20

  21. Applying for a personal certificate  Identity and Contact Information Aug 10th, 2011 OSG Security 21

  22. Applying for a personal certificate  Sponsor Information Aug 10th, 2011 OSG Security 22

  23. What happens next  Your request goes to the OSG RA and is directed to appropriate RA agents  RA agents are typically VO representatives  RA agent will contact the sponsor  Sponsor has to validate your request and identity  This means that sponsor needs to know before hand you are requesting a certificate  Getting a certificate can take days. So apply early Aug 10th, 2011 OSG Security 23

  24. What happens next  Once the certificate is issued you will receive an email from CA with instructions on how to download the certificate  NOTE: Your have to use the same browser & machine to retrieve the certificate that you used to submit the request. Aug 10th, 2011 OSG Security 24

  25. Getting into a VO  To use the OSG you need to be a member of a VO  Typically your user certificate needs to be registered into VO VOMS server  Indicates membership in the VO and affords you access to resources available to that VO  Registration procedure is VO specific  Please contact your VO Aug 10th, 2011 OSG Security 25

  26. Exporting your certificate from browser  Demo On Firefox Aug 10th, 2011 OSG Security 26

  27. Certificate format  Two formats  .p12–single file, contains both public and private part  .pem–two files, one for public (cert.pem) and one for private part (key.pem)  .p12 and key.pem must be private to the user  No group or world read permissions!  Can convert between them openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12 Aug 10th, 2011 OSG Security 27

  28. Renewing certificate  Renew your certificate before they expire  You can keep the same DN  You do not have to go through the approval process again  Use: https://software.grid.iu.edu/cert/certrenew.php  Aug 10th, 2011 OSG Security 28

  29. OSG Security Security responsibilities Aug 10th, 2011 OSG Security 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your

WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your

WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your testing/application Quality system compliance Regular check on the health of your load cell WHY DO LOAD CELL OUTPUTS CHANGE?

268 views • 15 slides
Decision Making Beyond Interval . . . Multi-Agent . . . under Beyond Optimization Even Further

Decision Making Beyond Interval . . . Multi-Agent . . . under Beyond Optimization Even Further

Decision Making: . . . The Notion of Utility From Utility to . . . Decision Making Beyond Interval . . . Multi-Agent . . . under Beyond Optimization Even Further Beyond . . . Interval Uncertainty Acknowledgments Home Page Vladik

769 views • 55 slides
Tax Cuts and Growth: Israel in the 2000s Zvi Hercowitz and Avihai Lifschitz Presentation at the

Tax Cuts and Growth: Israel in the 2000s Zvi Hercowitz and Avihai Lifschitz Presentation at the

Tax Cuts and Growth: Israel in the 2000s Zvi Hercowitz and Avihai Lifschitz Presentation at the Forum Sapir Conference December 2013 Zvi Hercowitz and Avihai Lifschitz () Tax Cuts and Growth: Israel in the 2000s December 2013 1 / 23

1.03k views • 67 slides
David Clarke and Model Predictive Control In celebration of David Clarkes contribution to MPC

David Clarke and Model Predictive Control In celebration of David Clarkes contribution to MPC

David Clarke and Model Predictive Control In celebration of David Clarkes contribution to MPC St Edmunds Hall, Oxford University, January 9, 2009 David Mayne Imperial College London IC p.1/30 David Congratulations on your many

445 views • 40 slides
Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1 CS 136, Fall 2014 Outline Properties of keys Key management Key servers Certificates Lecture 5 Page 2 CS 136, Fall 2014

1.02k views • 68 slides
Payment D39PZ: Procurement and Contracts 2 Lecture Plan 1. Payment principles 2. Payment under

Payment D39PZ: Procurement and Contracts 2 Lecture Plan 1. Payment principles 2. Payment under

...last week (or things you should now understand) the difference between a certificate and an instruction the difference between an instruction and a Variation the role of certificates in controlling money and time the

874 views • 59 slides
Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver,

Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver,

Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith Presented by Gabriel A. Weaver Dartmouth College Network services change and evolve.

463 views • 43 slides
EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO

EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO

11/7/2018 EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO REC LO S U RE PREV EN TIO N A D V O C A TES Aya na Robe rtson Me lissa Ysa g uirre Asso c ia te Dire c to r Se nio r Sta ff Atto rne

294 views • 15 slides

More recommend