10. grid security

GRID COMPUTING
Grid Security

Sandeep Kumar Poonia
Head of Dept. CS/IT, Jagan Nath University, Jaipur
B.E., M. Tech., UGC-NET
LM-IAENG, LM-IACSIT,LM-CSTA, LM-AIRCC, LM-SCIEI, AM-UACEE
10/27/2013


1

The three classic security concerns of information
security deal principally with data, and are:
1. Confidentiality: Data is only available to those
who are authorized;

2. Integrity: Data is not changed except by
controlled processes;
3. Availability: Data is available when required.

10/27/2013


2

Additional concerns deal more with people and their
actions:
1. Authentication: Ensuring that users are who they say
they are;
2. Authorization: Making a decision about who may
access data or a service;

3. Assurance: Being confident that the security system
functions correctly;
4. Non-repudiation: Ensuring that a user cannot deny
an action;
5. Auditability: Tracking what a user did to data or a
service.
10/27/2013


3

Other security concerns relate to:
1. Trust: People can justifiably rely on computerbased

systems

to

perform

critical

functions

securely, and on systems to process, store and
communicate sensitive information securely;
2. Reliability: The system does what you want, when
you want it to;
3. Privacy: Within certain limits, no one should know
who you are or what you do.

10/27/2013


4

CRYPTOGRAPHY
can be used to address four goals:
1. Message

confidentiality:

Only

an

authorized

recipient is able to extract the contents of a
message from its encrypted form;
2. Message integrity: The recipient should be able to
determine if the message has been altered during

transmission;
3. Sender authentication: The recipient can identify
the sender, and verify that the purported sender

did send the message;
4. Sender non-repudiation: The sender cannot deny
sending the message.
10/27/2013


5

Security Requirements
• Authentication solution for verifying identities
among a user, the processes, and the resources
during the computation
• Support for Local Heterogeneity
– Various authentication/authorization mechanism, polices

• Several Constraints to meet
– Single sign-on & delegation
– Protection of Credentials
– Interoperability with local security solutions: Inter-domain
access mechanism
– Uniform certification infrastructure
– Support for secure group communication
– Support for multiple implementations

Security Requirements Delegation
• The context initiator gives the context acceptor
the ability to initiate additional security contexts
as an agent of the context initiator
– Remote creation of a proxy credential
– Allows remote process to authenticate on behalf of the user

• Delegation in Globus
–
–
–
–

New key pair generated remotely on server
Proxy certificate and public key sent to client
Clients signs proxy certificate with its private key and returns it
Server puts proxy in /tmp

Terminology






Authentication
Authorization
Integrity and Confidentiality
Security Policy
– A set of rules that define the security subjects, security
objects, and relationships(security operations) among
them.



CA(Certificate Authority)
– The third party that does certification(the binding) and issuing
certificate



Trust Domain
– A logical, administrative structure where a single, consistent local
security policy holds

Security Policy in Grid














Multiple trust domains
– Inter-domain interactions + mapping of inter-domain
operations into local security policy
Operations within a single trust domain are subject to local
security policy only
Mapping from global subjects to local subjects
– Authenticated global subject is considered authenticated
locally
Mutual authentication between entities in different trust
domains
Local access control decisions by local system
administrators
The execution of programs without additional user
interaction during the computation
Processes running on behalf of the same subject within the
same trust domain may share a single set of credentials

Globus Overview
• Globus (Argonne National Lab)
– software toolkit that makes it easier to build
computational grids and grid-based applications
– Protocols and APIs
– Resource Management (GRAM)
– Information Service (MDS)
– Data Transfer (GridFTP)
– Security (GSI)
Proxies and delegation
for secure single sign-on

Proxies and Delegration

PKI
(CAs and
Certificates)

SSL /
TTL

for Authentication
and message protection
(Secured connection)

Certificate & CA
Subject Name

Public Key

CA’s Public Key

CA Name

CA Name : CA

Signature of CA

Certificate

Subject Name : CA

Signature of CA

User Certificate
Issued by CA

• A X.509 certificate binds a public key to a name
• Used to identify and authenticate the user or service
• By checking the signature, one can determine that
a public key
belongs to a given user
• The CA signs its own certificate
• distributed across the network

CA’s Certificate

Mutual Authentication
(How to identify each other ?)

① Connection established
User A
CA

Certificate
A

User B

② A sends B its certificate
④ B sends A a plaintext

⑤ A encrypt the plaintext using CA
and sends it to B

CB

Certificate
B

③ 1) check validity of CA

based on digital signature of C
2) extract the public key of A

⑥ B decrypt the encrypted message
If this matches with the original message,
B can trust A now

GSI in Action
“Create Processes at A and B that
Communicate & Access Files at C”

User

Single sign-on via “grid-id”
& generation of proxy cred.User Proxy
Proxy

Or: retrieval of proxy cred. credential
from online repository
Remote process
creation
requests*
GSI-enabled Authorize
Ditto GSI-enabled
Site A
GRAM server Map to local id
GRAM server Site B
(Kerberos)
(Unix)
Create process
Generate credentials
Computer
Computer
Process
Process Local id
Communication*
Local id
Kerberos
ticket

Restricted
proxy

* With mutual
authentication

Remote file
access request*

Restricted
proxy

GSI-enabled
Site C
FTP server
(Kerberos)
Authorize
Map to local
Storage
id
system
Access file

User Proxy Creation
① The User gains access to the computer
C’UP
CU

② Temporary Credential created

The User

③ User Proxy Credential is created
CUP

User Proxy

CUP = Sign(U) { C’UP , Start-Time, End-Time}

④ A User Proxy is created
CUP

Resource Allocation
Mutual Authentication
based on CUP and CRM
User Proxy
CUP

Resource Manager

① The UP request Resource Allocation

CRM

Sign(UP) { Allocation Specification }

② 1) Authentication(validate UP

③ PROCESS-HANDLE returned
Process
Manager

& check the expiration)
2) Authorization by local polic
(may need mapping betwee
Globus users credential
and local user ID
or maynot)
3) Allocate Resource
Resource

PROCESS-HANDLE = Sign(RM) { host-identifier, process-identifier}

Process to Process Authentication
① Temporal Process
Credential created
User Proxy
CUP

C’P

Sign(PM) { C’P : Process-Credential }
③ Process Credential
Request

CP

② C’P Passed to PM
④ 1) examine the request
2) generate CP and return
it to PM
CP = Sign(UP) {C’P}

CP

Process
Manager
CPM

Process

Resource

⑤ CP Passed
to the Process

Resource Allocation request from a Process

User Proxy

Sign(P) { Operation, Operation Arguments }
① The process issues
a request for the resource B
Process
CP

CUP

③ return the result
Sign(UP) { Execution-Result }

② 1) authenticate the request
2) executes the request

Process
Manager

Resource

Process

CP

CPM

Resource B

Mapping between Globus Subject
& Resource Subject (1)
Globus
Subject

Global Name

Mapping

Resource
Subject

Local Name
for local access to some resource

CUP

Globus Credential

User ID

CP

Password

Resource Credential

Using Grid Map table

10. grid security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to 10. grid security

Similar to 10. grid security (20)

More from Dr Sandeep Kumar Poonia

More from Dr Sandeep Kumar Poonia (20)

Recently uploaded

Recently uploaded (20)

10. grid security