2. Agenda
• Quick Refresher on PKI
• Grid portal integration
• Example: grid approach
– Cross-certification and PKI Bridges
– National PKI context
3. Two Types of Cryptography
• Symmetric key cryptography
– A pre-shared secret is used to encrypt the data
– Some examples: DES, 3-DES, RC4, etc.
• Public key cryptography
– A pair of mathematically related keys is generated
• One of the keys, the Public Key, is freely distributed
• The other key, the Private Key, is kept confidential
– Given one of the keys, it is computationally very hard
to compute the other
4. Public Key Cryptography
– Data encrypted using the public key can only
be decrypted by the person with the private
key
Example: Bob sends secret data to Alice
• Bob
1. Bob obtains a copy of Alice’s public key
2. Bob encrypts the data using the public key and sends it to Alice
• Alice
1. Alice receives the data
2. Alice decrypts the data using the private key that only she possesses
5. A Digital Certificate is:
– An object that binds a user’s
identity to their public key
– An object signed by a Certification
Authority (CA)
– An object containing some
attributes about the person who
owns the certificate
– An object containing some
information about the CA
• Useful for a relying party to
understand campus identity policy
– Often published in a campus
directory if support for encryption
is anticipated
6. Digital Certificates and Security
• Login id and password never flow over the
network
• Strong cryptography – what does flow over
the network is very safe
• Enables mutual authentication
• Defeats a variety of man-in-the-middle attacks
• No (practical) brute-force attacks
• Is often easier to use than login/password
7. DRM Security
• The ASCI DRM environment uses a Kerberos implementation of the
GSS-API.
– As far as tools and APIs go, this is not visible. (That’s the point of GSS-API!)
– However, it is NOT interoperable with GSI-based versions of the
Globus Toolkit
– Various differences of Kerberos vs GSI:
• The security files created “under the covers” in the system and the services are
different.
• Different commands to login, logout, etc.
• Treatment
– We will discuss security using GSI (PKI).
– Pat will talk later about how the Kerberos GSS-API changes things in
the DRM.
8. Good Practices For Grid Authentication: Trust, Private Key Protection and Non-Repudiation
• Digital signatures - based on the idea that only
the user has access to their private key
• A user’s private key is generally protected by
the workstation’s operating system
– Typical protection is no better than for any
password that the user lets the operating system
store
• Hardware tokens can be used for strong private
key protection, mobility, and as a component in
a non-repudiation strategy
9. Grid Security Infrastructure (GSI)
• Basic Grid security needs
– Strong authentication
– Ability to encrypt data
– Single sign-on
• Solution
– GSI is based on PKI and certificates are used for
authentication
– Uses mutual authentication and encryption
when needed
10. PKI Mutual Authentication
• Client Authentication
1. Client connects to server and sends user’s certificate
2. Server uses its root key store to validate the user’s certificate
3. Server sends client some random data; client uses private key to
encrypt data; server decrypts data validating that client has access to
the private key
• Server Authentication
1. Server replies sending its digital certificate to the client
2. Client validates the server’s certificate using its trusted root store
3. Client sends some random data to the server; server encrypts the
data using its private key; client decrypts data validating that server
has access to the private key
• Globus uses SSL/TLS to accomplish mutual authentication
11. Background: Cross-certification
(Diagram: each certificate is shown as I: issuer, S: subject)
• Top section
– Traditional hierarchical validation example
– UAB root (I: UAB, S: UAB) issues User-2 (I: UAB, S: User-2)
– UVA root (I: UVA, S: UVA) issues User-1 (I: UVA, S: User-1)
• Bottom section
– Validation using cross certification example
– UVA signed a certificate request from the UAB CA (cross cert I: UVA, S: UAB)
– UAB signed a certificate request from the UVA CA (cross cert I: UAB, S: UVA)
– End-entity certificates below the cross certs: User-1 (I: UVA, S: User-1), User-2 (I: UAB, S: User-2)
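The bottom half of the diagram worked through with Go's standard x509 library, as an added example (not code from the original slides): two self-signed campus CAs, a UVA-issued cross-certificate carrying the UAB CA's key, and a relying party that trusts only the UVA root. The CA names follow the slide; the Ed25519 keys and the validity window are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for pub under issuer (nil = self-signed, so I == S) with the issuer's private key.
func issue(name string, isCA bool, pub ed25519.PublicKey, issuer *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if issuer == nil {
		issuer = tmpl // a root certifies its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// validates reports whether a relying party that trusts only root can chain leaf through the given intermediates.
func validates(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
// CrossCertDemo builds the slide's UAB/UVA PKIs (constructed keys and names) and reports whether User-2 validates for
// (a) a party trusting UAB, (b) one trusting only UVA, (c) UVA plus UVA's cross-certificate for the UAB CA.
func CrossCertDemo() (hierarchical, uvaOnly, uvaWithCross bool) {
	uabPub, uabKey, _ := ed25519.GenerateKey(rand.Reader)
	uvaPub, uvaKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	uab := issue("UAB", true, uabPub, nil, uabKey)        // I: UAB  S: UAB
	uva := issue("UVA", true, uvaPub, nil, uvaKey)        // I: UVA  S: UVA
	user2 := issue("User-2", false, userPub, uab, uabKey) // I: UAB  S: User-2
	cross := issue("UAB", true, uabPub, uva, uvaKey)      // I: UVA  S: UAB (UVA signed the UAB CA's request)
	return validates(user2, uab), validates(user2, uva), validates(user2, uva, cross)
}
```

The cross-certificate only helps the UVA-trusting party if it is supplied as an intermediate at validation time; the UAB user's certificate itself is unchanged.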