Grid Computing - X.509

Transcription

1 Grid Computing - X.509 Sylva Girtelschmid October 20, 2009

2 Public Key Infrastructure - PKI PKI Digital Certificates IT infrastructure that provides means for private and secure data exchange By using cryptographic key pair (public and private keys) Key pair is obtained through trusted authority - certification authority (CA) Cooperative encryption standard both parties must exchange their public keys both parties must trust the other party s CA

3 Certification Authorities - CAs PKI Digital Certificates Important components in data security and electronic commerce Guarantee identity of sender and receiver Have their own certificate (root certificate) - used for signing other certificates

4 Digital Certificates PKI Digital Certificates Digital documents associating a grid resource with its specific public key Data structure containing a public key and details about the key owner When signed by a CA, it is considered a tamper-proof electronic ID CA certifies that the enclosed public key belongs to the entity listed in the certificated The signature of the CA provides an integrity check for the digital certificate Not containing any confidential information Distributed and copied without restriction

5 Digital Certificates PKI Digital Certificates In general, the purpose is to verify the identity of the sender and to provide the receiver with the sender s public key Receiver uses CA s public key to: decode the digital certificate attached to the message to verify it was issued by this CA obtain the sender s public key and identification information contained in the certificate Receiver can now send encrypted replies In grid environment, the public key of the sender will be used to decrypt an SSL session ID, which is then used to encrypt all the data transfered between grid computers (- there are two types of certificates used - one for grid users and one for grid servers)

6 X.509 PKI System PKI Digital Certificates The X.509 certificate is the most widely used standard for defining the specific formats for PKC. Version 3 has three main variables: Certificate (version, algorithm ID, serial number, issuer, subject, validity, subject public key info, extensions and other optional fields such as the unique identifier of the subject and the issuer) Certificate signature algorithm Certificate signature Also includes standards for Certificate Revocation List (CRL) implementations.

7 Supporting Protocols Supporting Protocols Storing Standards Transport Layer Security (SSL/TLS) IPSec Secure Multipurpose Internet Mail Extension (S/MIME) Smartcard SSH HTTPS LDAPv3 EAP

8 PEM Supporting Protocols Storing Standards Privacy-enhanced Electronic Mail (IETF) Widely used standard for storing digital certificates (the default format for OpenSSL) Data format for: Certificate (public key) Private key Certificate Revocation Lists Stores data in Base64 encoded format surrounded with ascii headers Enclosed between BEGIN CERTIFICATE and END CERTIFICATE Extension:.PEM

9 DER Supporting Protocols Storing Standards Also widely used Binary encoded headerless format Can store private keys, public keys, and x.509 certificates Extensions:.DER,.CER (sometimes sequence of certificates)

10 Other storing standards Supporting Protocols Storing Standards -PKCS12 -PKCS7 Personal Information Exchange Standard Stores private keys and certificates Used to exchange public and private objects in a single file Used in Netscape and Microsoft Internet Explorer (in import and export options) Typical extension:.pfx or.p12 SignedData structure without data, just certificate(s) or CRL(s) Extensions:.P7C or.p7b

11 Package java.security.cert X.509 support in Java Provides classes and interfaces for parsing and managing X.509 v3 certificates Example classes: X509Certificate X509CRL X509CRLEntry X509Extension etc. Support for reading various certificate formats Access to public key and other attributes and extensions of the certificate

12 X.509 support in Java import java.security.cret.*; //Initialization of the CertificateFactory //implementing the specified certificate type CertificateFactory cf = CertificateFactory.getInstance("X.509"); //InputStream creation to read your data files InputStream certstream = new FileInputStream("certfile.pem"); InputStream crlstream = new FileInputStream("crl.pem"); //Creation of the X509Certificate and X509CRL objects X509Certificate cert = (X509Certificate) cf.generatecertificate(certstream); X509CRL crl = (X509CRL) cf.generatecrl(crlstream);