Globus Toolkit Developer Tutorial: Security


Grid Security Infrastructure
Globus Toolkit™ Developer Tutorial
The Globus Project™
Argonne National Laboratory
USC Information Sciences Institute
http://www.globus.org/
Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved.
This presentation is licensed for use under the terms of the Globus Toolkit Public License.
See http://www.globus.org/toolkit/download/license.html for the full text of this license.
Grid Security Infrastructure (GSI)

GSI is:
– Proxies and delegation (GSI Extensions) for secure single sign-on
– PKI (CAs and Certificates) for credentials
– SSL/TLS for authentication and message protection
July 16, 2015
Globus Toolkit™ Developer Tutorial: Security
Public Key Infrastructure (PKI)


PKI allows you to know that a given public key belongs to a given user
PKI builds off of asymmetric encryption:
– Each entity has two keys: public and private
– Data encrypted with one key can only be decrypted with the other
– The private key is known only to the entity
The public key is given to the world encapsulated in an X.509 certificate
Public Key Infrastructure (PKI)
Overview



X.509 Certificates
Certificate Authorities (CAs)
Certificate Policies
– Namespaces
Requesting a certificate
– Certificate Request
– Registration Authority
Certificates


An X.509 certificate binds a public key to a name
It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)
[Diagram: certificate fields: Name, Issuer, Public Key, Signature]
Certificates

Similar to passport or driver’s license
[Diagram: a certificate (Name, Issuer, Public Key, Signature) compared with a driver’s license (John Doe, 755 E. Woodlawn, Urbana IL 61801; State of Illinois seal; BD 08-06-65, Male 6’0” 200lbs, GRN Eyes)]
Certificates

By checking the signature, one can determine that a public key belongs to a given user.
[Diagram: the certificate contents (Name, Issuer, Public Key) are hashed; the Signature is decrypted with the public key from the Issuer; the two results are compared (=?)]
Certificate Authorities (CAs)



A small set of trusted entities known as Certificate Authorities (CAs) are established to sign certificates
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs its own certificate which is distributed in a trusted manner
[Diagram: CA certificate: Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature]
Certificate Authorities (CAs)

The public key from the CA certificate can then be used to verify other certificates
[Diagram: a certificate (Name, Issuer, Public Key, Signature) is hashed; its Signature is decrypted with the CA’s Public Key taken from the CA certificate (Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature); the two results are compared (=?)]
Requesting a Certificate



To request a certificate a user starts by generating a key pair
The private key is stored encrypted with a pass phrase the user gives
The public key is put into a certificate request
[Diagram: private key, encrypted on local disk; certificate request containing the public key]
Certificate Issuance


The user then takes the certificate to the CA
The CA usually includes a Registration Authority (RA) which verifies the request:
– The name is unique with respect to the CA
– It is the real name of the user
– Etc.
[Diagram: certificate request (public key) presented together with ID]
Certificate Issuance

The CA then signs the certificate request and issues a certificate for the user
[Diagram: the certificate request (public key) is signed to produce a certificate with Name, Issuer, Public Key, Signature]
Secure Socket Layer (SSL)


Also known as TLS (Transport Layer Security)
Uses certificates and TCP sockets to provide a secured connection
– Authentication of one or both parties using the certificates
– Message protection
> Confidentiality (encryption)
> Integrity
[Diagram: SSL/TLS built on Certificates and TCP Sockets]
Globus Security Review

GSI extends existing standard protocols & APIs
– Based on standards: SSL/TLS, X.509, GSS-API
– Extensions for single sign-on and delegation

The Globus Toolkit provides:
– Generic Security Services API (GSS-API) on GSI
protocols
> The GSS-API is the IETF standard for adding authentication,
delegation, message integrity, and message confidentiality to
applications.
– Various tools for credential management,
login/logout, etc.
Kerberos Security

Some Grids use a Kerberos GSS-API.
– As far as tools and APIs go, this is not visible.
(That’s the point of GSS-API!)
– However, it is NOT interoperable with GSI
based versions of the Globus Toolkit
– Various differences of Kerberos vs GSI:
> The security files created “under the covers” are different
> Different commands to login, logout, etc.

We will discuss security using GSI (PKI).
Obtaining a Certificate

The program grid-cert-request is used to
create a public/private key pair and unsigned
certificate in ~/.globus/:
– usercert_request.pem: Unsigned certificate file
– userkey.pem: Encrypted private key file
> Must be readable only by the owner

Mail usercert_request.pem to [email protected]

Receive a Globus-signed certificate
Place in ~/.globus/usercert.pem

Other organizations use different approaches
– NCSA, NPACI, NASA, etc. have their own CA
Your New Certificate
NTP is highly recommended
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 1998 GMT
            Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    <snip>
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:
Certificate and Key Data
Sample usercert.pem:
-----BEGIN CERTIFICATE-----
MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
<snip>
u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
-----END CERTIFICATE-----
Sample userkey.pem:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1
+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
<snip>
et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
-----END RSA PRIVATE KEY-----
Certificate Information

To get cert information run grid-cert-info
% grid-cert-info -subject
/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster

Options for printing cert information
-all
-subject
-issuer
-startdate
-enddate
-help
“Logging on” to the Grid

To run programs, authenticate to Globus:
% grid-proxy-init
Enter PEM pass phrase: ******


Creates a temporary, local, short-lived proxy
credential for use by our computations
Options for grid-proxy-init:
-hours <lifetime of credential>
-bits <length of key>
-help
grid-proxy-init Details



grid-proxy-init creates the local proxy file.
User enters pass phrase, which is used to
decrypt private key.
Private key is used to sign a proxy
certificate with its own, new public/private
key pair.
– User’s private key not exposed after proxy
has been signed



Proxy placed in /tmp, read-only by user
NOTE: No network traffic!
grid-proxy-info displays proxy details
Grid Sign-On With grid-proxy-init
[Diagram: User certificate file, Pass Phrase and Private Key (Encrypted) are the inputs; the output is the User Proxy certificate file]
Destroying Your Proxy (logout)

To destroy your local proxy that was created
by grid-proxy-init:
% grid-proxy-destroy

This does NOT destroy any proxies that were
delegated from this proxy.
– You cannot revoke a remote proxy
– Usually create proxies with short lifetimes
Proxy Information

To get proxy information run grid-proxy-info
% grid-proxy-info -subject
/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster

Options for printing proxy information
-subject
-issuer
-type
-timeleft
-strength
-help
Options for scripting proxy queries
-exists -hours <lifetime of credential>
-exists -bits <length of key>
– Returns 0 status for true, 1 for false:
Important Files

/etc/grid-security
– hostcert.pem: certificate used by the server in
mutual authentication
– hostkey.pem: private key corresponding to the
server’s certificate (read-only by root)
– grid-mapfile: maps grid subject names to local
user accounts (really part of gatekeeper)

/etc/grid-security/certificates
– CA certificates: certs that are trusted when
validating certs, and thus needn’t be verified
– ca-signing-policy.conf: defines the subject
names that can be signed by each CA
Important Files

$HOME/.globus
– usercert.pem: User’s certificate (subject
name, public key, CA signature)
– userkey.pem: User’s private key (encrypted
using the user’s pass phrase)

/tmp
– Proxy file(s): Temporary file(s) containing
unencrypted proxy private key and
certificate (readable only by user’s account)
> Same approach Kerberos uses for protecting tickets
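An added example, not part of the original slides or of the Globus Toolkit: a C check that a private key or proxy file is a regular file owned by the caller with no group or other access, which is the property the slides require of userkey.pem and of the proxy file in /tmp. Refusing symlinks, the status names and the scratch-file helper are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700   /* lstat, mkstemp, fchmod, symlink */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum cred_status { CRED_OK, CRED_MISSING, CRED_NOT_REGULAR,
                   CRED_WRONG_OWNER, CRED_TOO_OPEN };

/* Decide whether a key or proxy file may be loaded. lstat() is used so that
 * a symlink planted under a predictable /tmp name is refused, not followed. */
enum cred_status check_cred_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)            return CRED_MISSING;
    if (!S_ISREG(st.st_mode))             return CRED_NOT_REGULAR;
    if (st.st_uid != geteuid())           return CRED_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return CRED_TOO_OPEN;
    return CRED_OK;
}

/* Demo helper: make a scratch file with `mode`, optionally reach it through
 * a symlink, run the check, clean up. Scratch names are constructed. */
enum cred_status check_scratch(mode_t mode, int via_symlink)
{
    char path[] = "/tmp/cred_demo_XXXXXX";
    char lnk[sizeof path + 4];
    enum cred_status s = CRED_MISSING;
    int fd = mkstemp(path);
    if (fd < 0) return s;
    if (fchmod(fd, mode) == 0) {
        if (!via_symlink) {
            s = check_cred_file(path);
        } else {
            snprintf(lnk, sizeof lnk, "%s.ln", path);
            if (symlink(path, lnk) == 0) {
                s = check_cred_file(lnk);
                unlink(lnk);
            }
        }
    }
    close(fd);
    unlink(path);
    return s;
}

int main(void)
{
    static const char *name[] = { "ok", "missing", "not a regular file",
                                  "wrong owner", "group/other access" };
    printf("0600: %s\n", name[check_scratch(0600, 0)]);
    printf("0644: %s\n", name[check_scratch(0644, 0)]);
    printf("0600 via symlink: %s\n", name[check_scratch(0600, 1)]);
    return 0;
}
```

A loader would apply the same tests with fstat() on the descriptor it actually opened (using O_NOFOLLOW), so the file cannot be swapped between the check and the read.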
Secure Services


On most unix machines, inetd listens for
incoming service connections and passes
connections to daemons for processing.
On Grid servers, the gatekeeper securely
performs the same function for many
services
– It handles mutual authentication using files
in /etc/grid-security
– It maps to local users via the gridmap file
Sample Gridmap File


Gridmap file maintained by Globus administrator
Entry maps Grid-id into local user name(s)
# Distinguished name                                 Local
#                                                    username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"      rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"    frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"      u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"          itf
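An added example, not the gatekeeper's own code: a minimal C lookup over a gridmap in the layout shown above, matching the quoted subject name exactly and denying on malformed lines. The sample text is constructed, and the comma-separated account list is an assumption about how several local names are written.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the slide's layout. The ",rfrost" second account and
 * the last line's missing closing quote are constructed for illustration. */
static const char SAMPLE_GRIDMAP[] =
    "# Distinguished name                                Local username\n"
    "\"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup\"    rpg\n"
    "\"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost\"  frost,rfrost\n"
    "\"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster      itf\n";

static int is_blank(char c) { return c == ' ' || c == '\t' || c == '\r'; }

/* Map subject name `dn` to the first local account listed for it.
 * Returns 0 and fills `user` on a match, -1 (deny) otherwise. */
int gridmap_lookup(const char *map, const char *dn, char *user, size_t cap)
{
    size_t dnlen = strlen(dn);

    for (const char *line = map; *line; ) {
        const char *end = strchr(line, '\n');
        if (!end) end = line + strlen(line);
        const char *p = line;
        line = *end ? end + 1 : end;

        while (p < end && is_blank(*p)) p++;
        if (p == end || *p == '#') continue;   /* blank line or comment */
        if (*p++ != '"') continue;             /* subject must be quoted */
        const char *q = memchr(p, '"', (size_t)(end - p));
        if (!q) continue;                      /* unterminated quote: skip line */

        /* Whole-string comparison: a prefix of an authorized DN must not match. */
        if ((size_t)(q - p) != dnlen || memcmp(p, dn, dnlen) != 0) continue;

        p = q + 1;
        while (p < end && is_blank(*p)) p++;
        size_t n = 0;
        while (p + n < end && p[n] != ',' && !is_blank(p[n])) n++;
        if (n == 0 || n >= cap) return -1;     /* no account, or name too long */
        memcpy(user, p, n);
        user[n] = '\0';
        return 0;
    }
    return -1;
}

int main(void)
{
    char user[32];
    const char *dn = "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost";
    if (gridmap_lookup(SAMPLE_GRIDMAP, dn, user, sizeof user) == 0)
        printf("%s -> %s\n", dn, user);
    return 0;
}
```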
Example
Secure Remote Startup
1. Exchange certificates, authenticate, delegate
2. Check gridmap file
3. Lookup service
4. Run service program (e.g. jobmanager)
[Diagram: client (cert, key) connects to gatekeeper (cert, key); the gatekeeper checks the gridmap file, looks up the service in the map of services, and runs the jobmanager; arrows are numbered 1 to 4 to match the steps]
Simple job submission


globus-job-run provides a simple RSH
compatible interface
% grid-proxy-init
Enter PEM pass phrase: *****
% globus-job-run host program [args]
Job submission will be covered in more
detail later
Delegation

Delegation = remote creation of a (second
level) proxy credential
– New key pair generated remotely on server
– Proxy cert and public key sent to client
– Client signs proxy cert and returns it
– Server (usually) puts proxy in /tmp

Allows remote process to authenticate on
behalf of the user
– Remote process “impersonates” the user
Limited Proxy

During delegation, the client can elect to
delegate only a “limited proxy”, rather than
a “full” proxy
– GRAM (job submission) client does this

Each service decides whether it will allow
authentication with a limited proxy
– Job manager service requires a full proxy
– GridFTP server allows either full or limited
proxy to be used
Restricted Proxies

A generalization of the simple limited proxies
– Desirable to have fine-grained restrictions
– Reduces exposure from compromised proxies

Embed restriction policy in proxy cert
– Policy is evaluated by resource upon proxy use
– Reduces rights available to the proxy to a
subset of those held by the user
> A proxy no longer grants full impersonation rights
– Extensible to support any policy language

Will be in future version > GT 2.0
Exercise
Sign-On & Remote Process Creation

Use grid-cert-info to examine your cert:
% grid-cert-info -all

Use grid-proxy-init to create a proxy
certificate:
% grid-proxy-init
Enter PEM pass phrase:
......................................+++++
.....+++++

Use grid-proxy-info to query proxy:
% grid-proxy-info -subject

Use globus-job-run to start remote programs:
% globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
Generic Security Service API

The GSS-API is the IETF draft standard for
adding authentication, delegation, message
integrity, and message confidentiality to apps
– For secure communication between two parties
over a reliable channel (e.g. TCP)

GSS-API separates security from communication,
which allows security to be easily added to
existing communication code.
– Filters on each end of the communications link

GSS-API Extensions defined in GGF draft

Globus Toolkit components all use GSS-API
gss_acquire_cred()


Loads security credentials into program
User proxy certificate and private key are loaded at this point
gss_release_cred()
Removes security credentials from program
User proxy certificate and private key remain on disk for later use
gss_inquire_cred()

Extract information (e.g. the subject name) from a credential
gss_inquire_cred_by_oid()
Extract information associated with an OID from a credential (e.g. information in certificate extensions)
Will be in future version > GT 2.0
gss_export_cred()


Export a credential either to an opaque buffer or to a file
New in GT 2.0
gss_import_cred()
Import a credential in either one of the formats used by gss_export_cred
New in GT 2.0
gss_init_sec_context()
gss_accept_sec_context()

Establish a security context between two processes
– Tokens are fed into and out of these routines
– Application can pass tokens between processes in any way desired
– One side calls init, the other accept

Initiator:
    /* schematic: arguments abbreviated */
    while (!done) {
        gss_init_sec_context(in_t, &out_t, &done);
        if (out_t) send(out_t);
        if (!done) receive(&in_t);
    }

Acceptor:
    while (!done) {
        receive(&in_t);
        gss_accept_sec_context(in_t, &out_t, &done);
        if (out_t) send(out_t);
    }
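Because the application carries the tokens itself, it also has to frame them on the wire. This added example (not from the slides or the toolkit) assumes a 4-byte big-endian length prefix and a 64 KB cap, both choices made here, and shows a receiver that rejects oversized or truncated tokens before anything reaches gss_accept_sec_context().

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_TOKEN (64u * 1024u)   /* assumed cap, not a GSS-API constant */

/* Read or write exactly n bytes; fails on error or if the peer closes early. */
static int io_all(int fd, void *buf, size_t n, int writing)
{
    for (char *p = buf; n > 0; ) {
        ssize_t r = writing ? write(fd, p, n) : read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Frame: 4-byte big-endian length, then the opaque token bytes. */
int send_token(int fd, const void *tok, uint32_t len)
{
    uint32_t be = htonl(len);
    if (len > MAX_TOKEN || io_all(fd, &be, sizeof be, 1) != 0) return -1;
    return io_all(fd, (void *)tok, len, 1);
}

/* Returns the token length with a malloc'd copy in *tok, or -1. */
long recv_token(int fd, void **tok)
{
    uint32_t be, len;
    *tok = NULL;
    if (io_all(fd, &be, sizeof be, 0) != 0) return -1;
    if ((len = ntohl(be)) > MAX_TOKEN) return -1;   /* refuse before allocating */
    if ((*tok = malloc(len + 1)) == NULL) return -1;
    if (io_all(fd, *tok, len, 0) == 0) return (long)len;
    free(*tok); *tok = NULL;                        /* short read: drop it */
    return -1;
}

/* Demo: claimed == 0 sends honestly; else a forged header precedes the bytes. */
long demo_exchange(const char *msg, uint32_t claimed, void **out)
{
    int sv[2], sent; long n = -1;
    uint32_t be = htonl(claimed), len = (uint32_t)strlen(msg);
    *out = NULL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (claimed == 0) sent = send_token(sv[0], msg, len);
    else sent = io_all(sv[0], &be, sizeof be, 1) || io_all(sv[0], (void *)msg, len, 1);
    close(sv[0]);                     /* sender done; receiver sees EOF after data */
    if (sent == 0) n = recv_token(sv[1], out);
    close(sv[1]);
    return n;
}

int main(void)
{
    void *t;
    printf("honest: %ld\n", demo_exchange("constructed token", 0, &t));
    free(t);
    printf("forged oversize header: %ld\n", demo_exchange("x", MAX_TOKEN + 1u, &t));
    return 0;
}
```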
gss_delete_sec_context()

Discard a security context
gss_context_time()
Determine how long a context will remain valid
gss_inquire_context()

Extract information (e.g. the target subject name) from a security context
gss_inquire_sec_context_by_oid()
Extract information associated with an OID from a security context (e.g. information in certificate extensions)
Will be in future version > GT 2.0
gss_export_context()

Export a security context to an opaque buffer
gss_import_context()
Import an opaque buffer containing a security context exported by gss_export_context
gss_set_sec_context_option()


Set options on a security context prior to
establishing it
Will be in future version > GT 2.0
gss_wrap_size_limit()
Returns the maximum token size gss_wrap can deal with
gss_wrap()
gss_unwrap()

gss_wrap()
– consumes a user input buffer
– performs cryptographic checksum and/or
encryption on it
– produces a token, which application sends

gss_unwrap()
– consumes a token produced by gss_wrap()
– decrypts and/or verifies the checksum
– produces a user output buffer
gss_get_mic()
gss_verify_mic()

gss_get_mic()
– Produces a cryptographic checksum on a
user input buffer

gss_verify_mic()
– Verifies a cryptographic checksum on a user
buffer
gss_import_name()

Import a subject name into GSS
gss_export_name()
Export a GSS name into a buffer
gss_display_name()

Convert GSS name to text
gss_compare_name()
Compare two GSS names
gss_release_name()

Discard a GSS name
gss_add_oid_set_member()

Add an OID to an OID set
gss_test_oid_set_member()
Checks whether an OID is in an OID set
gss_create_empty_oid_set()

Creates an empty OID set
gss_release_oid_set()
Discard an OID set
gss_indicate_mech()

Determine available underlying security
mechanisms
gss_release_buffer()

Discard a GSS buffer
gss_release_buffer_set()
Discard a GSS buffer set
Will be in future version > GT 2.0
gss_init_delegation()
gss_accept_delegation()

Delegate a credential and optionally add
restrictions to the delegated credential
– One side calls init, the other accept
> Can be in either direction, relative to
gss_{init,accept}_sec_context()
– Tokens are fed into and come out of these
routines
> Similar use to gss_{init,accept}_sec_context()
– It is up to the application to pass the tokens
from one function to the other
– Will be in future version > GT 2.0
GSSAPI exercises

Go to the “gssapi” subdirectory

Documentation
– http://www.globus.org/security

Follow instructions in the file README
What’s Wrong with GSS-API

The GSS-API works, but it is not pretty!
– GSS-API accomplishes its goal of providing
an API that is independent of any specific
security implementation, or communication
mechanism
– Same application can use either Globus
Toolkit GSS-API or Kerberos 5 GSS-API with
almost no change
– It has rich feature support
– But it is not easy to use
globus_gss_assist

The globus_gss_assist module is a Globus
Toolkit specific wrapper around GSS-API
which makes it easier to use
– Hides some of the gross details of GSS-API
– Conforms to Globus Toolkit conventions
– Still maintains separation from
communication method
globus_io and security

For even easier security integration with
socket code, use the globus_io module
– Simple to add authentication and
authorization to TCP socket code
– But loses separation of security from
communication method

Will be discussed more later...
Authorization


GSI handles authentication, but
authorization is a separate issue
Authorization issues:
– Management of authorization on a multi-organization grid is still an interesting problem.
– The grid-mapfile doesn’t scale well, and works only at the resource level, not the collective level.
– Large communities that share resources exacerbate authorization issues, which has led us to CAS…
Security Summary

Programs for credential management
– grid-cert-info, grid-proxy-init, grid-proxy-destroy, grid-proxy-info


GSS-API: The Globus Toolkit Grid Security
Infrastructure (GSI) uses this API, which
allows programs to easily add security
globus_gss_assist: This is a simple
wrapper around GSS-API, making it easier
to use