Professional Documents
Culture Documents
Reading: Grid Book, Chapter 16: Security, Accounting and Assurance By Clifford Neuman
Security Issues
Traditional systems: l Protect a system from its users l Protect data of one user from compromise In Grid systems: l Protect applications and data from system where computation executes l Stronger authentication needed (for users and code) l Protect local execution from remote systems l Different admin domains/security policies
Organization
l
Authentication
qPassword-based qKerberos authentication qSSL authentication qCertification authorities
l l
Organization (cont.)
l
Authentication
l
Process of verifying identity of a participant to an operation or request Principal: entity whose identity is verified
qlocal user OR user logged into remote system
Traditional systems: authenticate client to protect server Grid systems: mutual authentication required
qEnsure that resources and data not provided by an attacker
l l l
Well-suited to frequent authentication Centrally administered Requires trusted, on-line certification authority: Key Distribution Center (KDC)
Each client and server register their keys in advance with Kerberos authentication server Client wants to communicate with service provider: sends client and service provider names to Kerberos authentication server Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server Kerberos server sends session key to client as well as a ticket that contains clients name and session key, all encrypted with servers key
2.
3.
4.
Client caches encrypted session key and ticket, which are valid for some period
q Reduces number of authentication requests to server
6.
7. 8.
9.
Client forwards ticket to service provider AND sends server a timestamp encrypted using the session key Server decrypts ticket and extracts session key Server uses session key to decrypt timestamp and checks that timestamp is recent If client needs to authenticate server, server encrypts the timestamp with the session key and sends it back to client
Widely-deployed: every web browser! Client authenticates identity of the server Send a session key from client to server to set up an encrypted communication Server has a certificate that contains its public key If client has a certificate, can authenticate itself to the server
4.
5. 6.
7. 8. 9.
Client web browser with SSL contacts web server with SSL Server sends public-key certificate to client Client uses public key of a trusted Certificate Authority (CA) to verify servers certificate is valid Client verifies that hostname embedded in certificate is hostname of intended server Client extracts servers public key from certificate Client uses servers public key to encrypt a session key for a symmetric cryptosystem Client sends encrypted session key to server Server uses its private key to decrypt session key Client and server communicate using symmetric cryptosystem with session key
l l
Certification mechanism provides binding between encryption key and authenticated identity Certification authority (CA) is a third party that certifies or validates the binding CA issues a certificate and signs it Certificate is a data object that contains:
qDistinguished name of a principal qIn asymmetric cryptographic systems: the public key of the principal qOptional attributes: authorizations, group memeberships, email addresses, alternate names
Certification (cont.)
l
Hierarchy of CAs: each CA certified by higher-level CA except for root CA(s) Applications and servers must know public key of trusted root CAs
Provides assurance that a particular message, data item or executable originated with a particular principal
qDetermines whether program was modified or sent by attacker
Delegation of Identity
l
Process that grants one principal the authority to act as another individual Assume anothers identity to perform certain functions E.g., in Globus: use the gridmap file on a particular resource to map authenticated user onto anothers account, with corresponding privileges
Reminder: Organization
l
Authentication
qPassword-based qKerberos authentication qSSL authentication qCertification authorities
l l
Authorization
l
Process that determines whether a particular operation is allowed Traditionally: based on authenticated identity of requester and local information
q Access Control Lists (ACLs)
Distributed Authorization
l l
E.g., Distributed Computing Environment Systems still being developed Distributed maintenance of authorization information:
q Group membership q Access control lists
Need to verify the authenticity of authorization (and assurance) information One approach: Embed these attributes in certificates
q Signed by trusted third-party q Privilege attribute certificates
Restricted proxy: authorization certificate that grants authority to perform operation on behalf of grantor
qRestricted for access to particular objects qOnly when specified restrictions are satisfied
l l
Alternative: separate authorization server Party providing a service checks with server whether a named principal is authorized
Delegation of Authority
l
l l
User or process that is authorized to perform an operation can grant authroity to perform the operation to another process More restricted than identity delegation In Grids:
qUsed for tasks that run remotely on grid that must read or write data stored across the network qE.g., resource manager allocates a node to a job and delegates to jobs initator authority to use that node
Cryptography
qEncryption: scrambles data in a way that varies based on a secret encryption key qDecryption: unscramble data using corresponding decryption key qCiphertext: scrambled data qPlaintext: original or unscrambled data
Symmetric Cryptosystems
l
l l l
Examples:DES (data encryption standard), triple-DES, idea, blowfish, RC4, RC5 Uses same key for encryption & decryption Both parties must share same key With static keys:
qUser needs different key for every other user or service provider qService provider maintains key for every user
Or, use mutually-trusted intermediary to generate and distribute session key to both parties
qE.g., Kerberos Key Distribution Center
Each client and server register their keys with Kerberos authentication server in advance Client wants to communicate with service provider: sends client and service provider names to Kerberos authentication server Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server Kerberos server sends session key to client as well as a ticket that contains clients name and session key, all encrypted with servers key
2.
3.
4.
Client caches encrypted session key and ticket, which are valid for some period
q Reduces number of authentication requests to server
6.
7. 8.
9.
Client forwards ticket to service provider AND sends server a timestamp encrypted using the session key Server decrypts ticket and extracts session key Server uses session key to decrypt timestamp, checks that it is recent If client needs to authenticate server, server encrypts the timestamp with the session key and sends to client
Asymmetric Cryptography
l l
Also Public Key cryptography (PKI) E.g., RSA or DSA (digital signature algorithm) Uses a pair of keys for encryption and decryption
q Knowledge of one key does not reveal the other
l l
Public key: published and available to anyone Private key: secret, known to only one party Advantage: can disseminate public key freely Disadvantage: significantly worse performance than symmetric encryption
q Because of performance, rarely used in isolation q Used in combination with symmetric encryption
l l
2.
3.
4.
5.
Sender generates a symmetric session key and an associated checksum Sender encrypts key and checksum using recipients public key and sends them to recipient Recipient decrypts key and checksum using its private key Recipient verifies checksum is correct and extracts session key Communication proceeds using symmetric encryption with the session key
Pay asymmetric performance penalty at startup but not on every block transferred Relies on each party knowing public keys or relying on trusted third party (CA) to verify public keys Otherwise, attacker could replace public key with different public key that has a private key known by attacker
Provides integrity, authentication and confidentiality for email and data files Sender:
qComputes a message digest (similar to a checksum) qEncrypts original message using symmetric cryptography with a message key qEncrypts the message digest with asymmetric cryptography using the private key of the sender
Provides a digital signature (integrity)
qEncrypts the message key with asymmetric cryptography using recipients public key
Recipient:
qDecrypts message digest using public key of sender qDecrypts message key using its own private key qUses message key to decrypt original message qVerifies the correctness of message using digest
Digital Signatures
l
Reminder: Organization
l
Does candidate service provider meet these requirements? Form of authorization (accreditation) used to validate service provider Grid example: check assurance credentials when selecting nodes for computation:
q Do they meet performance, reliability, or security requirements?
l l
Means of tracking, limiting or charging for consumption of resources Critical for fair allocation of resources Tied in with authorization In the grid: accounting is critical
q Need a means of payment
Correctly charge user at time a resource is consumed
Transport layer protection for confidentiality and integrity When communication established between two network hosts:
qUse key distribution to exchange key for symmetric encryption
Key distribution may use Kerberos, PKI, Keys are associated with hosts, not with applications or users
Use transport-layer confidentiality and integrity Share physical infrastructure of internet Communication only between participating nodes Protected from disclosure to/modification by nodes that are not participants Used when impractical to integrate security at application layer Since they operate at tranport layer, cannot:
q Authenticate end users q Understand application-level objects that need protection q Support security policies that distinguish users & application objects
Need to integrate IPSec and VPN technologies at network boundaries with firewalls
q Messages on internal network remain unprotected q Encrypt/decrypt messages as they leave/enter VPN at the firewall
Generic Security Services Application Programming Interface Facilitates integration of security at application layer Applications make calls to authentication, confidentiality and integrity services
qCalls are independent of underlying security services