10. grid security
Upcoming SlideShare
Loading in...5

10. grid security



Authentication ...

Integrity and Confidentiality
Security Policy
A set of rules that define the security subjects, security objects, and relationships(security operations) among them.
CA(Certificate Authority)
The third party that does certification(the binding) and issuing certificate
Trust Domain
A logical, administrative structure where a single, consistent local security policy holds



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

10. grid security 10. grid security Presentation Transcript

  • GRID COMPUTING Grid Security Sandeep Kumar Poonia Head of Dept. CS/IT, Jagan Nath University, Jaipur B.E., M. Tech., UGC-NET LM-IAENG, LM-IACSIT,LM-CSTA, LM-AIRCC, LM-SCIEI, AM-UACEE 10/27/2013 Sandeep Kumar Poonia 1
  • The three classic security concerns of information security deal principally with data, and are: 1. Confidentiality: Data is only available to those who are authorized; 2. Integrity: Data is not changed except by controlled processes; 3. Availability: Data is available when required. 10/27/2013 Sandeep Kumar Poonia 2
  • Additional concerns deal more with people and their actions: 1. Authentication: Ensuring that users are who they say they are; 2. Authorization: Making a decision about who may access data or a service; 3. Assurance: Being confident that the security system functions correctly; 4. Non-repudiation: Ensuring that a user cannot deny an action; 5. Auditability: Tracking what a user did to data or a service. 10/27/2013 Sandeep Kumar Poonia 3 View slide
  • Other security concerns relate to: 1. Trust: People can justifiably rely on computerbased systems to perform critical functions securely, and on systems to process, store and communicate sensitive information securely; 2. Reliability: The system does what you want, when you want it to; 3. Privacy: Within certain limits, no one should know who you are or what you do. 10/27/2013 Sandeep Kumar Poonia 4 View slide
  • CRYPTOGRAPHY can be used to address four goals: 1. Message confidentiality: Only an authorized recipient is able to extract the contents of a message from its encrypted form; 2. Message integrity: The recipient should be able to determine if the message has been altered during transmission; 3. Sender authentication: The recipient can identify the sender, and verify that the purported sender did send the message; 4. Sender non-repudiation: The sender cannot deny sending the message. 10/27/2013 Sandeep Kumar Poonia 5
  • Security Requirements • Authentication solution for verifying identities among a user, the processes, and the resources during the computation • Support for Local Heterogeneity – Various authentication/authorization mechanism, polices • Several Constraints to meet – Single sign-on & delegation – Protection of Credentials – Interoperability with local security solutions: Inter-domain access mechanism – Uniform certification infrastructure – Support for secure group communication – Support for multiple implementations
  • Security Requirements Delegation • The context initiator gives the context acceptor the ability to initiate additional security contexts as an agent of the context initiator – Remote creation of a proxy credential – Allows remote process to authenticate on behalf of the user • Delegation in Globus – – – – New key pair generated remotely on server Proxy certificate and public key sent to client Clients signs proxy certificate with its private key and returns it Server puts proxy in /tmp
  • Terminology     Authentication Authorization Integrity and Confidentiality Security Policy – A set of rules that define the security subjects, security objects, and relationships(security operations) among them.  CA(Certificate Authority) – The third party that does certification(the binding) and issuing certificate  Trust Domain – A logical, administrative structure where a single, consistent local security policy holds
  • Security Policy in Grid        Multiple trust domains – Inter-domain interactions + mapping of inter-domain operations into local security policy Operations within a single trust domain are subject to local security policy only Mapping from global subjects to local subjects – Authenticated global subject is considered authenticated locally Mutual authentication between entities in different trust domains Local access control decisions by local system administrators The execution of programs without additional user interaction during the computation Processes running on behalf of the same subject within the same trust domain may share a single set of credentials
  • Globus Overview • Globus (Argonne National Lab) – software toolkit that makes it easier to build computational grids and grid-based applications – Protocols and APIs – Resource Management (GRAM) – Information Service (MDS) – Data Transfer (GridFTP) – Security (GSI) Proxies and delegation for secure single sign-on Proxies and Delegration PKI (CAs and Certificates) SSL / TTL for Authentication and message protection (Secured connection)
  • Certificate & CA Subject Name Public Key CA’s Public Key CA Name CA Name : CA Signature of CA Certificate Subject Name : CA Signature of CA User Certificate Issued by CA • A X.509 certificate binds a public key to a name • Used to identify and authenticate the user or service • By checking the signature, one can determine that a public key belongs to a given user • The CA signs its own certificate • distributed across the network CA’s Certificate
  • Mutual Authentication (How to identify each other ?) ① Connection established User A CA Certificate A User B ② A sends B its certificate ④ B sends A a plaintext ⑤ A encrypt the plaintext using CA and sends it to B CB Certificate B ③ 1) check validity of CA based on digital signature of C 2) extract the public key of A ⑥ B decrypt the encrypted message If this matches with the original message, B can trust A now
  • GSI in Action “Create Processes at A and B that Communicate & Access Files at C” User Single sign-on via “grid-id” & generation of proxy cred.User Proxy Proxy Or: retrieval of proxy cred. credential from online repository Remote process creation requests* GSI-enabled Authorize Ditto GSI-enabled Site A GRAM server Map to local id GRAM server Site B (Kerberos) (Unix) Create process Generate credentials Computer Computer Process Process Local id Communication* Local id Kerberos ticket Restricted proxy * With mutual authentication Remote file access request* Restricted proxy GSI-enabled Site C FTP server (Kerberos) Authorize Map to local Storage id system Access file
  • User Proxy Creation ① The User gains access to the computer C’UP CU ② Temporary Credential created The User ③ User Proxy Credential is created CUP User Proxy CUP = Sign(U) { C’UP , Start-Time, End-Time} ④ A User Proxy is created CUP
  • Resource Allocation Mutual Authentication based on CUP and CRM User Proxy CUP Resource Manager ① The UP request Resource Allocation CRM Sign(UP) { Allocation Specification } ② 1) Authentication(validate UP ③ PROCESS-HANDLE returned Process Manager & check the expiration) 2) Authorization by local polic (may need mapping betwee Globus users credential and local user ID or maynot) 3) Allocate Resource Resource PROCESS-HANDLE = Sign(RM) { host-identifier, process-identifier}
  • Process to Process Authentication ① Temporal Process Credential created User Proxy CUP C’P Sign(PM) { C’P : Process-Credential } ③ Process Credential Request CP ② C’P Passed to PM ④ 1) examine the request 2) generate CP and return it to PM CP = Sign(UP) {C’P} CP Process Manager CPM Process Resource ⑤ CP Passed to the Process
  • Resource Allocation request from a Process User Proxy Sign(P) { Operation, Operation Arguments } ① The process issues a request for the resource B Process CP CUP ③ return the result Sign(UP) { Execution-Result } ② 1) authenticate the request 2) executes the request Process Manager Resource Process CP CPM Resource B
  • Mapping between Globus Subject & Resource Subject (1) Globus Subject Global Name Mapping Resource Subject Local Name for local access to some resource CUP Globus Credential User ID CP Password Resource Credential Using Grid Map table