SlideShare a Scribd company logo

Grid security seminar mohit modi

Mohit Modi
Mohit Modi

Grid Computing

Technology
1 of 9
Download to read offline
Visvesvaraya National Institute Of Technology Computer Science And Engineering Seminar Report Grid Security Presented By: Mohit Modi (BT08CSE043) Project Supervisor: O.G.Kakde
Abstract A Computational Grid is a collection of heterogeneous computers and resources spread across multiple administrative domains with the intent of providing users easy access to these resources. There are many ways to access the resources of a Computational Grid, each with unique security requirements and implications for both the resource user and the resource provider. A comprehensive set of Grid usage scenarios is analyzed with regard to security requirements such as authentication, authorization, integrity, and confidentiality. Here we examines the major security requirements of modern grids then goes on to focus on the X.509 certificates used within it .The main value of these scenarios and the associated security discussions is to provide a library of situations against which an application designer can match, thereby facilitating security-aware application use and development from the initial stages of the application design and invocation. A broader goal of these scenarios is to increase the awareness of security issues in Grid Computing. Introduction A Grid is a system that: 1) Coordinates resources that are not subject to centralized control … (A Grid integrates and coordinates resources and users that live within different control domains—for example, the user’s desktop vs. central computing; different administrative units of the same company; or different companies; and addresses the issues of security, policy, payment, membership, and so forth that arise in these settings. Otherwise, we are dealing with a local management system.) 2) … using standard, open, general-purpose protocols and interfaces (A Grid is built from multi-purpose protocols and interfaces that address such fundamental issues as authentication, authorization, resource discovery, and resource access. As I discuss further below, it is important that these protocols and interfaces be standard and open. Otherwise, we are dealing with an application specific system.) 3) … to deliver nontrivial qualities of service. (A Grid allows its constituent resources to be used in a coordinated fashion to deliver various qualities of service, relating for example to response time, throughput, availability, and security, and/or co-allocation of multiple resource types to meet complex user demands, so that the utility of the combined system is significantly greater than that of the sum of its parts.) So far the grid has lacked real standardization, many different companies are beginning to utilize grids, but run into problems when trying to link these proprietary grids together. General Model of Grid Security(Globus) Public Key Cryptography The most important thing to know about public key cryptography is that, unlike earlier cryptographic systems, it relies not on a single key (a password or a secret "code"), but on two keys. These keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it. Also important is the fact that it is next to impossible (with our current knowledge of mathematics and available computing power) to obtain the second key from the first one and/or any messages encoded with the first key. By making one of the keys available publicly (a public key) and keeping the other key private , a person can prove that he or she holds the private key simply by encrypting a message. If the message can be decrypted using the public key, the person must have used the private key to encrypt the message.
Important: It is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner. Digital Signatures Using public key cryptography, it is possible to digitally "sign" a piece of information. Signing information essentially means assuring a recipient of the information that the information hasn't been tampered with since it left your hands. To sign a piece of information, first compute a mathematical hash of the information. (A hash is a condensed version of the information. The algorithm used to compute this hash must be known to the recipient of the information, but it isn't a secret.) Using your private key, encrypt the hash, and attach it to the message. Make sure that the recipient has your public key. To verify that your signed message is authentic, the recipient of the message will compute the hash of the message using the same hashing algorithm you used, and will then decrypt the encrypted hash that you attached to the message. If the newly-computed hash and the decrypted hash match, then it proves that you signed the message and that the message has not been changed since you signed it. Certificates A central concept in GSI(Grid Security Infrastructure) authentication is the certificate. Every user and service on the Grid is identified via a certificate, which contains information vital to identifying and authenticating the user or service. A GSI certificate includes four primary pieces of information:  A subject name, which identifies the person or object that the certificate represents.  The public key belonging to the subject.  The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject.  The digital signature of the named CA. Note that a third party (a CA) is used to certify the link between the public key and the subject in the certificate. In order to trust the certificate and its contents, the CA's certificate must be trusted. The link between the CA and its certificate must be established via some non-cryptographic means, or else the system is not trustworthy. GSI certificates are encoded in the X.509 certificate format, a standard data format for certificates established by the Internet Engineering Task Force (IETF). These certificates can be shared with other public key-based software, including commercial web browsers from Microsoft and Netscape. Mutual Authentication If two parties have certificates, and if both parties trust the CAs that signed each other's certificates, then the two parties can prove to each other that they are who they say they are. This is known as mutual authentication. The GSI uses the Secure Sockets Layer (SSL) for its mutual authentication protocol, which is described below. (SSL is also known by a new, IETF standard name: Transport Layer Security, or TLS.) Before mutual authentication can occur, the parties involved must first trust the CAs that signed each other's certificates. In practice, this means that they must have copies of the CAs' certificates--which contain the CAs' public keys--and that they must trust that these certificates really belong to the CAs. To mutually authenticate, the first person (A) establishes a connection to the second person (B). To start the authentication process, A gives B his certificate. The certificate tells B who A is claiming to be (the identity), what A's public key is, and what CA is being used to certify the certificate. B will first make sure that the certificate is valid by checking the CA's digital signature to make sure that the CA actually signed the certificate and that the certificate hasn't been tampered with. (This is where B must trust the CA that signed A's certificate.)
Once B has checked out A's certificate, B must make sure that A really is the person identified in the certificate. B generates a random message and sends it to A, asking A to encrypt it. A encrypts the message using his private key, and sends it back to B. B decrypts the message using A's public key. If this results in the original random message, then B knows that A is who he says he is. Now that B trusts A's identity, the same operation must happen in reverse. B sends A her certificate, A validates the certificate and sends a challenge message to be encrypted. B encrypts the message and sends it back to A, and A decrypts it and compares it with the original. If it matches, then A knows that B is who she says she is. At this point, A and B have established a connection to each other and are certain that they know each others' identities. Confidential Communication By default, the GSI does not establish confidential (encrypted) communication between parties. Once mutual authentication is performed, the GSI gets out of the way so that communication can occur without the overhead of constant encryption and decryption. The GSI can easily be used to establish a shared key for encryption if confidential communication is desired. Recently relaxed United States export laws now allow us to include encrypted communication as a standard optional feature of the GSI. A related security feature is communication integrity. Integrity means that an eavesdropper may be able to read communication between two parties but is not able to modify the communication in any way. The GSI provides communication integrity by default. (It can be turned off if desired). Communication integrity introduces some overhead in communication, but not as large an overhead as encryption. Securing Private Keys The core GSI software provided by the Globus Toolkit expects the user's private key to be stored in a file in the local computer's storage. To prevent other users of the computer from stealing the private key, the file that contains the key is encrypted via a password (also known as a pass phrase). To use the GSI, the user must enter the pass phrase required to decrypt the file containing their private key. We have also prototyped the use of cryptographic smartcards in conjunction with the GSI. This allows users to store their private key on a smartcard rather than in a filesystem, making it still more difficult for others to gain access to the key. Delegation and Single Sign-On The GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his pass phrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's pass phrase can be avoided by creating a proxy. A proxy consists of a new certificate (with a new public key in it) and a new private key. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. (See diagram below.) The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes. The proxy's private key must be kept secure, but because the proxy isn't valid for very long, it doesn't have to kept quite as secure as the owner's private key. It is thus possible to store the proxy's private key in a local storage system without being encrypted, as long as the permissions on the file prevent anyone else from looking at them easily. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password.
When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner. Note that the GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS so that GSI proxies may be used with other TLS software. Problems with Globus security Scalability The Globus Security Infrastructure (GSI) makes extensive use of X.509 certificates, they have been found to be sufficiently secure for the small scale implementations so far. However the scalability of such a system is very poor for the receiving machine. The current grid authorization mechanisms is almost wholly concentrated on the use of Access Control Lists (ACL’s) holding details of every individual who is authorized to use a system. CA Trust Very careful consideration has to be given to which CA to sign up with and which to accept certificates from. If your computer knows to trust a certain CA it will trust all the certificates that are issued from it that turn out valid. Globus runs its own test CA for use in development of the toolkit. There are however many reasons why this CA is not suitable for use in real business. The Globus test CA merely checks that the certificate requests domain matches that of the email the request was sent from. It also checks the presence of any existing certificates for that machine. This level of security would be extremely inadequate for most types of grid system. Proxy Certificates When a proxy certificate is generated the PEM phrase authorizes a certificate generator to sign a new temporary certificate (self certified) which uses the original certificate as verification. ie you can prove the original certificates owner signed the proxy by entering the PEM phrase. This leaves a dilemma, a new public / private key set is generated for use while the proxy is active. The new private key cannot be secured by a user PEM phrase because that was the whole point of the proxy in the first place! Globus will not secure proxy certificates by itself. By this it is meant that the private key used is not encrypted. The machine it resides on represents the main line of defence against them being altered or stolen by outside forces. The reasoning behind this being that the certificate itself is only temporary and uses a different private key from the original permanent certificate anyway; however the risk is not necessarily negligible as a user can make a proxy certificate valid for as long as they wish.
Extended Security Model For Grid Assumptions: � Widespread grid adoption within companies of large / medium size. � Business outsourcing of tasks to specialist companies to simplify increasing maintenance and running costs. eg: Storage ,Software Access ,Dataset Access ,Hardware Access � The majority of business grid users will utilize such services, but will be largely unaware of their own company utilizing excess cycles on their office machines to cut costs; effectively hosting some services of its own (potentially for export as services themselves). Once those assumptions have been taken into account it is possible to see how the grid might look if it were to continue using its current security model in the future. One of the biggest problems is that of scalability. Now we show first attempt to control the scalability problem and then a generally workable approach. We assumes that the existing mechanisms of public key infrastructures and X.509 certificates will continue to remain the core of the model. One solution to this task would be to introduce the concept of group certificates, where everyone in the company used the same certificate. This method would at first look quite workable; unfortunately problems emerge when one considers the security implications of such a development. It weakens the PKI because it is by its very design a one to one mechanism. Issues with stolen copies, revocation of existing copies etc make this approach infeasible. A possible solution What is really needed is to reduce the amount of work the service has to do to establish authorization, without doing so by looking up the actual person However the traditional view of people being given roles does not work very well in the grid either. The main issues are that it is very difficult to give people meaningful roles, and people understand different things by those roles. These systems also tend to lose the security granularity to the stage where it is difficult to determine who uses a system if you need to. They do however make authorization much simpler as you are only checking whether a certain role can use a service. Therefore what is actually needed is the flexibility of a role based system, but with the potential to hold the same amount of information as the current systems. This is a somewhat daunting task as at first it would appear that the two methods are in direct opposition to each other. However it is possible to augment the two successfully, as described below: Role Augmented X.509 Authorization (RAXA) In order to make this security model as simple as possible. Basically Globus(general grid infrastructure(model)) uses X.509 certificates for authentication and authorization purposes. One of the problems with this approach is related to the way in which authorization occurs. The existing Globus security model only authorizes individuals to use machines, rather than groups of people. As the X.509 protocol is virtually standardized and well accepted this document wisely does not alter its operation in any way. It does however add to the authentication and authorization process an extra piece of evidence besides the X.509 certificate itself. This evidence is held within a separate file that accompanies the certificate. This approach avoids the need to re-engineer the existing X.509 format to add any extra fields. This proposal assumes a user may wish to have more than one “role” relating to them in the file. In its present form this information cannot be used as a validation mechanism due to its lack of credibility. Meaning anybody could write the entire accompanying file or alter it, or lie about their role in the company; therefore it is clear that individual users could not be trusted to write their own entries for security reasons. Thus a user could request an entry from a trusted centralized authority at each company / VO, which could in turn write the entry itself and send it to the user (after checking on the users request). However this still poses the problem that the user could change the entry when they receive it. In order to secure the individual entries from tampering and to prove who created them a type of digital signature can be created. **Role entry consists of Name of organization, Unique identifier from X.509 certificate, Date Issued, Date of Expiry
Conclusion In conclusion it is easy to see that the requirements of grid computing are complex, and in order to encompass new abilities and even a new interface paradigm, a number of changes are inevitable. This report highlights in particular issues relating to Globus, and the use of the X.509 certificate model for authentication purposes. This report also put forward a new form of Role based Action Control (RBAC)in the form of the RAXA extension proposal. Given the complexities of grid computing it is possible that RBAC mechanisms may play a part in the future of grid computing in order to streamline access rights. However a considerable amount of work would be required in the area to determine what level of integration with existing mechanisms is feasible.

Recommended

Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...IDES Editor
 
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"idsecconf
 
Cryptointro
CryptointroCryptointro
Cryptointrolosalamos
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewInformation Security Awareness Group
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Digital signature
Digital signatureDigital signature
Digital signature9799907840kd
 
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTION
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTIONROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTION
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTIONIJNSA Journal
 

Recommended

Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructureAditya Nama
 
Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...IDES Editor
 
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"
B.Noviansyah - “National Public Key Infrastructure: Friend or Foe?"idsecconf
 
Cryptointro
CryptointroCryptointro
Cryptointrolosalamos
 
Marco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewMarco Casassa Mont: Pki overview
Marco Casassa Mont: Pki overviewInformation Security Awareness Group
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructurevimal kumar
 
Digital signature
Digital signatureDigital signature
Digital signature9799907840kd
 
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTION
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTIONROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTION
ROLE OF MULTIPLE ENCRYPTION IN SECURE ELECTRONIC TRANSACTIONIJNSA Journal
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Venkatesh Jambulingam
 
Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommercepriyanka Garg
 
Literature review of Digital Signature
Literature review of Digital SignatureLiterature review of Digital Signature
Literature review of Digital SignatureAsim Neupane
 
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONSECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONadeij1
 
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesVivaka Nand
 
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY csandit
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital SignaturesSumanth Paramesh
 
Digital Certificate
Digital CertificateDigital Certificate
Digital CertificateSumant Diwakar
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overviewRishi Pathak
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYShakas Technologies
 
Digital signature
Digital signatureDigital signature
Digital signatureCHESStest{perfect Kadhu}
 
Digital signature introduction
Digital signature introductionDigital signature introduction
Digital signature introductionAsim Neupane
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Ds over
Ds overDs over
Ds overjolly9293
 
Cost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward securityCost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward securityPvrtechnologies Nellore
 
Digital Signature
Digital SignatureDigital Signature
Digital SignatureJonathon Dosh
 
Digital certificates
Digital certificatesDigital certificates
Digital certificatesBuddhika Karunanayaka
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signaturesRohit Bhat
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYNexgen Technology
 
Flickrpowerpoint3
Flickrpowerpoint3Flickrpowerpoint3
Flickrpowerpoint3Richard Wolfe
 
Flickrpowerpoint2
Flickrpowerpoint2Flickrpowerpoint2
Flickrpowerpoint2Richard Wolfe
 
Un paseo por el Mundo
Un paseo por el MundoUn paseo por el Mundo
Un paseo por el MundoXII Semana de Comercio Vasco::Euskal Merkataritzaren XII astea.
 

More Related Content

What's hot

Literature review of Digital Signature
Literature review of Digital SignatureLiterature review of Digital Signature
Literature review of Digital SignatureAsim Neupane
 
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONSECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONadeij1
 
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesVivaka Nand
 
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY csandit
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overviewRishi Pathak
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYShakas Technologies
 
Digital signature introduction
Digital signature introductionDigital signature introduction
Digital signature introductionAsim Neupane
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key InfrastructureTheo Gravity
 
Cost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward securityCost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward securityPvrtechnologies Nellore
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signaturesRohit Bhat
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYNexgen Technology
 

What's hot (19)

Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommerce
 
Literature review of Digital Signature
Literature review of Digital SignatureLiterature review of Digital Signature
Literature review of Digital Signature
 
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONSECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
 
Presentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificatesPresentation on digital signatures & digital certificates
Presentation on digital signatures & digital certificates
 
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
BLOCKCHAIN-BASED SMART CONTRACTS : A SYSTEMATIC MAPPING STUDY
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital Signatures
 
Digital Certificate
Digital CertificateDigital Certificate
Digital Certificate
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overview
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signature introduction
Digital signature introductionDigital signature introduction
Digital signature introduction
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 
Ds over
Ds overDs over
Ds over
 
Cost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward securityCost effective authentic and anonymous data sharing with forward security
Cost effective authentic and anonymous data sharing with forward security
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITYCOST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY
 

Viewers also liked

Alfresco
AlfrescoAlfresco
AlfrescoVictor
 

Viewers also liked (6)

Flickrpowerpoint3
Flickrpowerpoint3Flickrpowerpoint3
Flickrpowerpoint3
 
Flickrpowerpoint2
Flickrpowerpoint2Flickrpowerpoint2
Flickrpowerpoint2
 
Un paseo por el Mundo
Un paseo por el MundoUn paseo por el Mundo
Un paseo por el Mundo
 
Alfresco
AlfrescoAlfresco
Alfresco
 
Activitat 4
Activitat 4Activitat 4
Activitat 4
 
Farm book
Farm bookFarm book
Farm book
 

Similar to Grid security seminar mohit modi

Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy ExamLisa Olive
 
Iaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd Iaetsd
 
Cost effective authentic and anonymous
Cost effective authentic and anonymousCost effective authentic and anonymous
Cost effective authentic and anonymousnexgentech15
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Securitynexgentechnology
 
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd Iaetsd
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)inventionjournals
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...Editor IJCATR
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...IJCERT JOURNAL
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Avirot Mitamura
 
Uport a blockchain platform for self-sovereign identity
Uport a blockchain platform for self-sovereign identityUport a blockchain platform for self-sovereign identity
Uport a blockchain platform for self-sovereign identityIan Beckett
 
Network Security
Network SecurityNetwork Security
Network SecurityBeth Hall
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computingijcsa
 
A Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile SystemA Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile SystemEditor IJCATR
 
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Editor IJMTER
 
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...RSIS International
 

Similar to Grid security seminar mohit modi (20)

Cryptograpy Exam
Cryptograpy ExamCryptograpy Exam
Cryptograpy Exam
 
Cloud Security Mechanisms
Cloud Security MechanismsCloud Security Mechanisms
Cloud Security Mechanisms
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.com
 
Iaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security withIaetsd a survey on cloud storage security with
Iaetsd a survey on cloud storage security with
 
Cost effective authentic and anonymous
Cost effective authentic and anonymousCost effective authentic and anonymous
Cost effective authentic and anonymous
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
 
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured email
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)International Journal of Engineering and Science Invention (IJESI)
International Journal of Engineering and Science Invention (IJESI)
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...
Augmenting Publish/Subscribe System by Identity Based Encryption (IBE) Techni...
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
 
Ppt
PptPpt
Ppt
 
Uport a blockchain platform for self-sovereign identity
Uport a blockchain platform for self-sovereign identityUport a blockchain platform for self-sovereign identity
Uport a blockchain platform for self-sovereign identity
 
Network Security
Network SecurityNetwork Security
Network Security
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computing
 
A Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile SystemA Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile System
 
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
Authentication Mechanisms For Signature Based Cryptography By Using Hierarchi...
 
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Grid security seminar mohit modi

  • 1. Visvesvaraya National Institute Of Technology Computer Science And Engineering Seminar Report Grid Security Presented By: Mohit Modi (BT08CSE043) Project Supervisor: O.G.Kakde
  • 2. Abstract A Computational Grid is a collection of heterogeneous computers and resources spread across multiple administrative domains with the intent of providing users easy access to these resources. There are many ways to access the resources of a Computational Grid, each with unique security requirements and implications for both the resource user and the resource provider. A comprehensive set of Grid usage scenarios is analyzed with regard to security requirements such as authentication, authorization, integrity, and confidentiality. Here we examines the major security requirements of modern grids then goes on to focus on the X.509 certificates used within it .The main value of these scenarios and the associated security discussions is to provide a library of situations against which an application designer can match, thereby facilitating security-aware application use and development from the initial stages of the application design and invocation. A broader goal of these scenarios is to increase the awareness of security issues in Grid Computing. Introduction A Grid is a system that: 1) Coordinates resources that are not subject to centralized control … (A Grid integrates and coordinates resources and users that live within different control domains—for example, the user’s desktop vs. central computing; different administrative units of the same company; or different companies; and addresses the issues of security, policy, payment, membership, and so forth that arise in these settings. Otherwise, we are dealing with a local management system.) 2) … using standard, open, general-purpose protocols and interfaces (A Grid is built from multi-purpose protocols and interfaces that address such fundamental issues as authentication, authorization, resource discovery, and resource access. As I discuss further below, it is important that these protocols and interfaces be standard and open. Otherwise, we are dealing with an application specific system.) 3) … to deliver nontrivial qualities of service. (A Grid allows its constituent resources to be used in a coordinated fashion to deliver various qualities of service, relating for example to response time, throughput, availability, and security, and/or co-allocation of multiple resource types to meet complex user demands, so that the utility of the combined system is significantly greater than that of the sum of its parts.) So far the grid has lacked real standardization, many different companies are beginning to utilize grids, but run into problems when trying to link these proprietary grids together. General Model of Grid Security(Globus) Public Key Cryptography The most important thing to know about public key cryptography is that, unlike earlier cryptographic systems, it relies not on a single key (a password or a secret "code"), but on two keys. These keys are numbers that are mathematically related in such a way that if either key is used to encrypt a message, the other key must be used to decrypt it. Also important is the fact that it is next to impossible (with our current knowledge of mathematics and available computing power) to obtain the second key from the first one and/or any messages encoded with the first key. By making one of the keys available publicly (a public key) and keeping the other key private , a person can prove that he or she holds the private key simply by encrypting a message. If the message can be decrypted using the public key, the person must have used the private key to encrypt the message.
  • 3. Important: It is critical that private keys be kept private! Anyone who knows the private key can easily impersonate the owner. Digital Signatures Using public key cryptography, it is possible to digitally "sign" a piece of information. Signing information essentially means assuring a recipient of the information that the information hasn't been tampered with since it left your hands. To sign a piece of information, first compute a mathematical hash of the information. (A hash is a condensed version of the information. The algorithm used to compute this hash must be known to the recipient of the information, but it isn't a secret.) Using your private key, encrypt the hash, and attach it to the message. Make sure that the recipient has your public key. To verify that your signed message is authentic, the recipient of the message will compute the hash of the message using the same hashing algorithm you used, and will then decrypt the encrypted hash that you attached to the message. If the newly-computed hash and the decrypted hash match, then it proves that you signed the message and that the message has not been changed since you signed it. Certificates A central concept in GSI(Grid Security Infrastructure) authentication is the certificate. Every user and service on the Grid is identified via a certificate, which contains information vital to identifying and authenticating the user or service. A GSI certificate includes four primary pieces of information:  A subject name, which identifies the person or object that the certificate represents.  The public key belonging to the subject.  The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject.  The digital signature of the named CA. Note that a third party (a CA) is used to certify the link between the public key and the subject in the certificate. In order to trust the certificate and its contents, the CA's certificate must be trusted. The link between the CA and its certificate must be established via some non-cryptographic means, or else the system is not trustworthy. GSI certificates are encoded in the X.509 certificate format, a standard data format for certificates established by the Internet Engineering Task Force (IETF). These certificates can be shared with other public key-based software, including commercial web browsers from Microsoft and Netscape. Mutual Authentication If two parties have certificates, and if both parties trust the CAs that signed each other's certificates, then the two parties can prove to each other that they are who they say they are. This is known as mutual authentication. The GSI uses the Secure Sockets Layer (SSL) for its mutual authentication protocol, which is described below. (SSL is also known by a new, IETF standard name: Transport Layer Security, or TLS.) Before mutual authentication can occur, the parties involved must first trust the CAs that signed each other's certificates. In practice, this means that they must have copies of the CAs' certificates--which contain the CAs' public keys--and that they must trust that these certificates really belong to the CAs. To mutually authenticate, the first person (A) establishes a connection to the second person (B). To start the authentication process, A gives B his certificate. The certificate tells B who A is claiming to be (the identity), what A's public key is, and what CA is being used to certify the certificate. B will first make sure that the certificate is valid by checking the CA's digital signature to make sure that the CA actually signed the certificate and that the certificate hasn't been tampered with. (This is where B must trust the CA that signed A's certificate.)
  • 4. Once B has checked out A's certificate, B must make sure that A really is the person identified in the certificate. B generates a random message and sends it to A, asking A to encrypt it. A encrypts the message using his private key, and sends it back to B. B decrypts the message using A's public key. If this results in the original random message, then B knows that A is who he says he is. Now that B trusts A's identity, the same operation must happen in reverse. B sends A her certificate, A validates the certificate and sends a challenge message to be encrypted. B encrypts the message and sends it back to A, and A decrypts it and compares it with the original. If it matches, then A knows that B is who she says she is. At this point, A and B have established a connection to each other and are certain that they know each others' identities. Confidential Communication By default, the GSI does not establish confidential (encrypted) communication between parties. Once mutual authentication is performed, the GSI gets out of the way so that communication can occur without the overhead of constant encryption and decryption. The GSI can easily be used to establish a shared key for encryption if confidential communication is desired. Recently relaxed United States export laws now allow us to include encrypted communication as a standard optional feature of the GSI. A related security feature is communication integrity. Integrity means that an eavesdropper may be able to read communication between two parties but is not able to modify the communication in any way. The GSI provides communication integrity by default. (It can be turned off if desired). Communication integrity introduces some overhead in communication, but not as large an overhead as encryption. Securing Private Keys The core GSI software provided by the Globus Toolkit expects the user's private key to be stored in a file in the local computer's storage. To prevent other users of the computer from stealing the private key, the file that contains the key is encrypted via a password (also known as a pass phrase). To use the GSI, the user must enter the pass phrase required to decrypt the file containing their private key. We have also prototyped the use of cryptographic smartcards in conjunction with the GSI. This allows users to store their private key on a smartcard rather than in a filesystem, making it still more difficult for others to gain access to the key. Delegation and Single Sign-On The GSI provides a delegation capability: an extension of the standard SSL protocol which reduces the number of times the user must enter his pass phrase. If a Grid computation requires that several Grid resources be used (each requiring mutual authentication), or if there is a need to have agents (local or remote) requesting services on behalf of a user, the need to re-enter the user's pass phrase can be avoided by creating a proxy. A proxy consists of a new certificate (with a new public key in it) and a new private key. The new certificate contains the owner's identity, modified slightly to indicate that it is a proxy. The new certificate is signed by the owner, rather than a CA. (See diagram below.) The certificate also includes a time notation after which the proxy should no longer be accepted by others. Proxies have limited lifetimes. The proxy's private key must be kept secure, but because the proxy isn't valid for very long, it doesn't have to kept quite as secure as the owner's private key. It is thus possible to store the proxy's private key in a local storage system without being encrypted, as long as the permissions on the file prevent anyone else from looking at them easily. Once a proxy is created and stored, the user can use the proxy certificate and private key for mutual authentication without entering a password.
  • 5. When proxies are used, the mutual authentication process differs slightly. The remote party receives not only the proxy's certificate (signed by the owner), but also the owner's certificate. During mutual authentication, the owner's public key (obtained from her certificate) is used to validate the signature on the proxy certificate. The CA's public key is then used to validate the signature on the owner's certificate. This establishes a chain of trust from the CA to the proxy through the owner. Note that the GSI and software based on it (notably the Globus Toolkit, GSI-SSH, and GridFTP) is currently the only software which supports the delegation extensions to TLS (a.k.a. SSL). The Globus Project is actively working with the Grid Forum and the IETF to establish proxies as a standard extension to TLS so that GSI proxies may be used with other TLS software. Problems with Globus security Scalability The Globus Security Infrastructure (GSI) makes extensive use of X.509 certificates, they have been found to be sufficiently secure for the small scale implementations so far. However the scalability of such a system is very poor for the receiving machine. The current grid authorization mechanisms is almost wholly concentrated on the use of Access Control Lists (ACL’s) holding details of every individual who is authorized to use a system. CA Trust Very careful consideration has to be given to which CA to sign up with and which to accept certificates from. If your computer knows to trust a certain CA it will trust all the certificates that are issued from it that turn out valid. Globus runs its own test CA for use in development of the toolkit. There are however many reasons why this CA is not suitable for use in real business. The Globus test CA merely checks that the certificate requests domain matches that of the email the request was sent from. It also checks the presence of any existing certificates for that machine. This level of security would be extremely inadequate for most types of grid system. Proxy Certificates When a proxy certificate is generated the PEM phrase authorizes a certificate generator to sign a new temporary certificate (self certified) which uses the original certificate as verification. ie you can prove the original certificates owner signed the proxy by entering the PEM phrase. This leaves a dilemma, a new public / private key set is generated for use while the proxy is active. The new private key cannot be secured by a user PEM phrase because that was the whole point of the proxy in the first place! Globus will not secure proxy certificates by itself. By this it is meant that the private key used is not encrypted. The machine it resides on represents the main line of defence against them being altered or stolen by outside forces. The reasoning behind this being that the certificate itself is only temporary and uses a different private key from the original permanent certificate anyway; however the risk is not necessarily negligible as a user can make a proxy certificate valid for as long as they wish.
  • 6. Extended Security Model For Grid Assumptions: � Widespread grid adoption within companies of large / medium size. � Business outsourcing of tasks to specialist companies to simplify increasing maintenance and running costs. eg: Storage ,Software Access ,Dataset Access ,Hardware Access � The majority of business grid users will utilize such services, but will be largely unaware of their own company utilizing excess cycles on their office machines to cut costs; effectively hosting some services of its own (potentially for export as services themselves). Once those assumptions have been taken into account it is possible to see how the grid might look if it were to continue using its current security model in the future. One of the biggest problems is that of scalability. Now we show first attempt to control the scalability problem and then a generally workable approach. We assumes that the existing mechanisms of public key infrastructures and X.509 certificates will continue to remain the core of the model. One solution to this task would be to introduce the concept of group certificates, where everyone in the company used the same certificate. This method would at first look quite workable; unfortunately problems emerge when one considers the security implications of such a development. It weakens the PKI because it is by its very design a one to one mechanism. Issues with stolen copies, revocation of existing copies etc make this approach infeasible. A possible solution What is really needed is to reduce the amount of work the service has to do to establish authorization, without doing so by looking up the actual person However the traditional view of people being given roles does not work very well in the grid either. The main issues are that it is very difficult to give people meaningful roles, and people understand different things by those roles. These systems also tend to lose the security granularity to the stage where it is difficult to determine who uses a system if you need to. They do however make authorization much simpler as you are only checking whether a certain role can use a service. Therefore what is actually needed is the flexibility of a role based system, but with the potential to hold the same amount of information as the current systems. This is a somewhat daunting task as at first it would appear that the two methods are in direct opposition to each other. However it is possible to augment the two successfully, as described below: Role Augmented X.509 Authorization (RAXA) In order to make this security model as simple as possible. Basically Globus(general grid infrastructure(model)) uses X.509 certificates for authentication and authorization purposes. One of the problems with this approach is related to the way in which authorization occurs. The existing Globus security model only authorizes individuals to use machines, rather than groups of people. As the X.509 protocol is virtually standardized and well accepted this document wisely does not alter its operation in any way. It does however add to the authentication and authorization process an extra piece of evidence besides the X.509 certificate itself. This evidence is held within a separate file that accompanies the certificate. This approach avoids the need to re-engineer the existing X.509 format to add any extra fields. This proposal assumes a user may wish to have more than one “role” relating to them in the file. In its present form this information cannot be used as a validation mechanism due to its lack of credibility. Meaning anybody could write the entire accompanying file or alter it, or lie about their role in the company; therefore it is clear that individual users could not be trusted to write their own entries for security reasons. Thus a user could request an entry from a trusted centralized authority at each company / VO, which could in turn write the entry itself and send it to the user (after checking on the users request). However this still poses the problem that the user could change the entry when they receive it. In order to secure the individual entries from tampering and to prove who created them a type of digital signature can be created. **Role entry consists of Name of organization, Unique identifier from X.509 certificate, Date Issued, Date of Expiry
  • 7.
  • 8.
  • 9. Conclusion In conclusion it is easy to see that the requirements of grid computing are complex, and in order to encompass new abilities and even a new interface paradigm, a number of changes are inevitable. This report highlights in particular issues relating to Globus, and the use of the X.509 certificate model for authentication purposes. This report also put forward a new form of Role based Action Control (RBAC)in the form of the RAXA extension proposal. Given the complexities of grid computing it is possible that RBAC mechanisms may play a part in the future of grid computing in order to streamline access rights. However a considerable amount of work would be required in the area to determine what level of integration with existing mechanisms is feasible.