Grid Security Homework Exercise


Objective

The objective of this exercise is to compare protection and security approaches for virtual organizations, and to follow the simple steps of setting up a certificate for users in Grid Security Infrastructure (GSI).

Prerequisites

This exercise assumes that you have reviewed the lecture materials and notes from Unit 1, Protection and Security in Virtual Organizations. Specifically, you have reviewed:

Assignment: Answer the questions as specified. Turn in your answers to me on paper on the day that it is due.


1. Compare authentication and authorization mechanisms for virtual organizations.

You may need to read about "Security for Grid Services" at http://www.globus.org/security/GSI3/GT3-Security-HPDC.pdf and "A Community Authorization Service for Group Collaboration" at http://www.globus.org/research/papers/CAS_2002_Revised.pdf to complete your answers.

I would like you to compare and contrast Shibboleth, GSI, and Kerberos. First, create a table that lists the steps of each protocol as we discussed in class. As much as possible, try to align the steps in each protocol with their counterparts. This will not be possible for every step. For example, the table may begin with:

| Step | Shibboleth | GSI | Kerberos |
|------|------------|-----|----------|
| 0 | Assumes that Identity Provider components HS and AA and Service Provider components ACS and AR have certificates from a trusted CA. | Assumes that every user and every service has a certificate from a trusted CA. | Assumes that each pair of {user, Authentication Server}, {Authentication Server, TGS}, and {TGS, Service Server} share a secret key. |
| 1 | User logs in to local authentication system. | User logs in to local authentication system. | User logs in to local authentication system. |
| 2 | | User creates a proxy certificate. | |
| 3 | User contacts the target Service Provider directly. | | |
| 4 | The user is redirected to the WAYF, and then to the Identity Provider, and is authenticated. | User contacts the CAS and is authenticated. | User contacts the Authentication Server and is authenticated. |
| 5 | User receives a unique handle for this session. The handle consists of ... | User receives a community proxy. The proxy consists of ... | User receives a Ticket Granting Ticket (TGT). The TGT consists of ... |
| etc. | ... | ... | ... |

I suggest that you use the HTML in the source of this document for formatting your table, although you are free to come up with a better way of formatting the table. I will give bonus points to the most complete and best formatted table and may use it, with your permission and credit to you, in the GPN ETR website at http://archie.csce.uark.edu/gpn/.

After you have completed your table, write three (moderate length) paragraphs, one for each of the three protocols, and comment with respect to the following points:

  1. Where are attributes maintained for users?
  2. What is the mechanism for controlling when and how attributes are released?
  3. What is the mechanism for authorizing a user that presents certain attributes?
  4. How is privacy preserved?
  5. What are the advantages and disadvantages of this system?

2. Exercise to acquire your own Globus User Certificate for talon.csce.uark.edu

  1. Login to talon.csce.uark.edu

  2. Run the following command:

        % grid-cert-request

  3. After you enter a passphrase, this creates 3 files:

        % ls ~/.globus/*.pem
        /home/yourusername/.globus/usercert.pem
        /home/yourusername/.globus/usercert_request.pem
        /home/yourusername/.globus/userkey.pem

  4. Email the file usercert_request.pem to lngo@uark.edu. Be careful! The redirection

        % mail lngo@uark.edu < usercert_request.pem

     will NOT work on talon because it is not set up to receive mail. You need to use webmail or your usual mail client.

  5. After receiving the signed file back, copy it into /home/yourusername/.globus/ and rename it as usercert.pem, thus replacing the old usercert.pem file.

  6. To test the certificates, run:

        % grid-proxy-init -debug -verify

  7. Log the output of the test as a result of this exercise. Print the log to turn in along with question 1 above.
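Before running step 6, a pre-flight check of the three files can save a round of confusing grid-proxy-init errors. The script below is an added example for this exercise, not a Globus Toolkit tool: it verifies that the files from step 3 exist, that the empty usercert.pem placeholder has been replaced by the signed certificate (step 5), that userkey.pem is readable by its owner only, and, when openssl happens to be installed on the machine (an assumption, not stated for talon), that the signed certificate's public key matches the request you emailed.

```shell
#!/bin/sh
# Pre-flight check for the .globus directory produced by grid-cert-request,
# run before grid-proxy-init. Added example; not part of the Globus Toolkit.
# Usage: check_globus_dir /home/yourusername/.globus
# Prints one line per problem found; returns 0 only when none is found.
check_globus_dir() {
    dir=$1
    problems=0
    # 1. All three files from step 3 must exist.
    for f in usercert.pem usercert_request.pem userkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # 2. grid-cert-request leaves an empty usercert.pem placeholder; until the
    #    signed certificate from step 5 replaces it, grid-proxy-init cannot work.
    if [ -f "$dir/usercert.pem" ] &&
       ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/usercert.pem"; then
        echo "usercert.pem is still the unsigned placeholder (step 5 not done)"
        problems=$((problems + 1))
    fi

    # 3. The private key must be readable by its owner only (mode 0600 or 0400);
    #    group or world access would let another local user copy it.
    if [ -f "$dir/userkey.pem" ]; then
        mode=$(ls -ld "$dir/userkey.pem" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "userkey.pem is group/world accessible; fix with: chmod 600 $dir/userkey.pem"
            problems=$((problems + 1))
        fi
    fi

    # 4. If openssl is installed (assumed here, not guaranteed on talon), confirm
    #    that the signed certificate carries the same public key as the request
    #    you emailed, i.e. the CA returned a certificate for your key. The CSR is
    #    unencrypted, so this needs no passphrase and never reads userkey.pem.
    if [ "$problems" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        req_key=$(openssl req -noout -pubkey -in "$dir/usercert_request.pem" 2>/dev/null)
        cert_key=$(openssl x509 -noout -pubkey -in "$dir/usercert.pem" 2>/dev/null)
        if [ -z "$cert_key" ] || [ "$req_key" != "$cert_key" ]; then
            echo "public key in usercert.pem does not match usercert_request.pem"
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as `check_globus_dir ~/.globus` right after step 5; an empty output and a zero exit status mean you are ready for grid-proxy-init.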

Last modified: Sun Sep 19 21:50:42 Central Daylight Time 2004