
A Web Services based Security Architecture for Instrumentation Grids

Presented by

Shaiju Paul (08DI017)

Under the Guidance of

Mrs. Jaspher Willsie Katherine, Asst. Professor/IT


Contents

Base Paper

Project Objective

Literature Survey

Proposed Security Architecture

Conclusion

References


Base Paper

Title

A Kerberos security architecture for web services based instrumentation grids

Authors

A. Moralis, National Technical University of Athens,Greece

V. Pouli, National Technical University of Athens, Greece

S. Papavassiliou, NTUA Athens, Greece

V. Maglaris, NTUA Athens, Greece

Publisher

Elsevier, Future Generation Computer Systems 25 (2009) 804-818


Objective

To improve the security performance of Grids while maintaining interoperability with the legacy Grid Security Infrastructure (GSI).


Literature Survey (1/8)

Grid Computing

  • A Grid computing system connects distributed, heterogeneous computing resources over high-speed networks and integrates them into a single transparent environment.

  • Used for large-scale distributed high-performance computing

  • Provides users with remote computing resources


Literature Survey (2/8)

Basic principles of Grid Computing

  • Single sign-on

  • Authorization to resources

  • Credential delegation

  • Communication integrity

  • Communication confidentiality


Literature Survey (3/8)

GRIDCC Project

  • The GRIDCC project integrates remote interaction with instruments into the Grid, along with distributed control and real-time interaction

  • The aim is to increase both the usability and the usefulness of the system

  • The Instrument Element (IE) is a set of services that provides the interface and implementation needed for remote control and monitoring of physical instruments


Literature Survey (4/8)

Grid Security Infrastructure (GSI)

  • The de-facto authentication mechanism for legacy Grids

  • Based on a PKI Certification Authority issuing X.509 certificates

  • Supports delegation through short-lived X.509 proxy certificates

  • Secure message exchange via SSL (TLS), i.e. protection at the transport level


Literature Survey (5/8)

X.509 Proxy Certificates

  • Proxy credentials are commonly used in security systems when one entity wishes to grant another entity some subset of its privileges

  • Delegation can be performed dynamically, without the assistance of a third party (the user signs the proxy with its own key)

  • The delegated rights can be limited to an arbitrary subset of the delegating entity's privileges


Literature Survey (6/8)

Open Grid Services Architecture (OGSA)

  • Based on the concepts and technologies of Grid and Web services

  • Defines standard mechanisms for creating, naming and discovering Grid services

  • Provides location transparency

  • Supports integration with the underlying native platform facilities

  • Describes Grid services in terms of WSDL interfaces


Literature Survey (7/8)

Web Services Security (WS-Security)

  • Web services provide open and interoperable standards to manage distributed resources in a reliable and flexible way

  • Based on XML-encoded messages exchanged via the SOAP protocol

  • WS-Security is an application-level open specification (OASIS)

  • Provides confidentiality, integrity and non-repudiation at the message level, rather than at the transport level as SSL/TLS does


Literature Survey (8/8)

Kerberos Protocol

  • Used for authenticating users and services on a network

  • Is a trusted third-party service (the Key Distribution Center issues tickets)

  • Based on symmetric-key cryptography

  • The WS-Security Kerberos Token Profile specifies how to sign and encrypt a SOAP message using a Kerberos ticket


Proposed Security Architecture (1/6)

  • Is a Web Services based security architecture

  • Improves security performance

  • Interoperable with the legacy GSI

  • Follows the OGSA guidelines

  • Provides enhanced near-real-time services in Grid applications

  • Uses symmetric cryptography during normal operation


Proposed Security Architecture (2/6)

  • Uses the Kerberos authentication system to authenticate users and to support single sign-on

  • Users authenticate to the Kerberos system using their X.509 certificates

  • After authentication they receive a ticket from the Kerberos system

  • They can access the various resources for the whole ticket lifetime without re-authenticating



Proposed Security Architecture (4/6)

Main Components

  • Authentication System: provides Kerberos authentication and key management

  • KrbClient: hides the security complexity from the user and manages the user's credentials

  • Access Control Manager: protects a Web Service by authenticating and authorizing incoming requests

  • Policy Repository: stores all the local access rules


Proposed Security Architecture (5/6)

Basic Steps

  • The KrbClient authenticates the user to the Kerberos Authentication Service using the user's X.509 certificate

  • The Authentication Service returns a special ticket, the Ticket Granting Ticket (TGT)

  • The KrbClient requests a ticket for the IE from the Ticket Granting Service (TGS)

  • Optionally, the KrbClient can query the Policy Repository to discover which IEs or other web services the user is authorized to invoke


Proposed Security Architecture (6/6)

Steps Contd.

  • The KrbClient can delegate the client's certificate to the delegation service

  • The delegated credentials can be used by the IE to access other Grid resources on behalf of the client

  • The KrbClient communicates with a Web Service securely via WSS, sending a SOAP message that carries the acquired ticket to the Web Service or IE

  • When the local rules change, the new rules are pushed to the Policy Repository, from which the IEs pull their access rules
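The basic steps on this slide and the previous one (AS exchange, TGS exchange, a SOAP message carrying the ticket as a WS-Security Kerberos token, and access rules pulled from the Policy Repository) as one runnable toy. This is an added illustration, not code from the paper, the GRIDCC project, or the Globus/Heimdal toolkits. Assumptions: tickets and authenticators are JSON objects protected by a stand-in encrypt-then-MAC cipher built from HMAC-SHA256 (a real KDC uses the Kerberos enctypes and ASN.1 encodings); the X.509 login is reduced to the AS comparing the presented certificate subject with the one registered for the principal (real PKINIT verifies a signature); the XML signature over the SOAP Body is reduced to an HMAC under the service session key; the principal shaiju, the service ie/beamline and the operations GetStatus/SetVoltage are made up; the delegation step is not modelled. The two URIs are the real identifiers from the OASIS Kerberos Token Profile 1.1 and SOAP Message Security 1.0.

```python
import base64, hashlib, hmac, json, os, re, time

# Token/encoding URIs from the OASIS WS-Security Kerberos Token Profile 1.1 and SOAP Message Security 1.0
APREQ_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
b64 = lambda b: base64.b64encode(b).decode()
ub64 = base64.b64decode

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode, used as a keystream by the toy cipher below
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # toy encrypt-then-MAC of a JSON object; stands in for a real Kerberos enctype (assumption)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:  # Authentication Service (AS) and Ticket Granting Service (TGS) over one key database
    def __init__(self, users):
        self.keys = {"krbtgt": os.urandom(32), "ie/beamline": os.urandom(32)}  # long-term keys (service name is made up)
        self.users = users  # principal -> X.509 subject registered for it
    def as_exchange(self, principal, cert_subject, lifetime=3600):
        # Step 1, X.509 login. Assumption: the AS only compares the subject on file (real PKINIT verifies a signature)
        if self.users.get(principal) != cert_subject: raise PermissionError("certificate not bound to principal")
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"cname": principal, "key": b64(session), "exp": time.time() + lifetime})
        return session, tgt  # step 2: the TGT is opaque to the client; only the KDC can open it
    def tgs_exchange(self, tgt_blob, authenticator, service):  # step 3: service ticket for the IE
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        if tgt["exp"] < time.time() or unseal(ub64(tgt["key"]), authenticator)["cname"] != tgt["cname"]:
            raise PermissionError("TGT expired or authenticator mismatch")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"cname": tgt["cname"], "key": b64(svc_key), "exp": tgt["exp"]})
        return seal(ub64(tgt["key"]), {"key": b64(svc_key)}), ticket  # service key travels under the TGT session key

class KrbClient:  # hides the Kerberos steps from the user: one login (single sign-on), then a ticket per service
    def __init__(self, kdc, principal, cert_subject):
        self.kdc, self.principal = kdc, principal
        self.tgt_key, self.tgt = kdc.as_exchange(principal, cert_subject)
    def soap_request(self, service, body):
        enc_key, ticket = self.kdc.tgs_exchange(self.tgt, seal(self.tgt_key, {"cname": self.principal}), service)
        svc_key = ub64(unseal(self.tgt_key, enc_key)["key"])
        ap_req = {"ticket": b64(ticket), "auth": b64(seal(svc_key, {"cname": self.principal, "ts": time.time()}))}
        sig = hmac.new(svc_key, body.encode(), hashlib.sha256).digest()  # stands in for ds:Signature over soap:Body
        return (f'<soap:Envelope><soap:Header><wsse:Security><wsse:BinarySecurityToken ValueType="{APREQ_TYPE}" '
                f'EncodingType="{B64_TYPE}">{b64(json.dumps(ap_req).encode())}</wsse:BinarySecurityToken>'
                f'<ds:Signature>{b64(sig)}</ds:Signature></wsse:Security></soap:Header>'
                f'<soap:Body>{body}</soap:Body></soap:Envelope>')

class PolicyRepository:  # local access rules: changed rules are pushed here, each IE pulls its own
    def __init__(self): self.rules = {}
    def push(self, service, principal, ops): self.rules.setdefault(service, {})[principal] = set(ops)
    def pull(self, service): return {p: set(o) for p, o in self.rules.get(service, {}).items()}
    def services_for(self, p): return sorted(s for s, r in self.rules.items() if p in r)  # optional discovery step

ENVELOPE = re.compile(r'<wsse:BinarySecurityToken[^>]*>([^<]+)<.*<ds:Signature>([^<]+)<'
                      r'.*<soap:Body>(.*)</soap:Body>', re.S)

class AccessControlManager:  # protects the IE: authenticate the AP-REQ, verify the body, authorize against pulled rules
    def __init__(self, service, service_key, repo, skew=300):
        self.service, self.key, self.repo, self.skew, self.seen = service, service_key, repo, skew, set()
    def handle(self, envelope):
        token, sig, body = ENVELOPE.search(envelope).groups()
        ap = json.loads(ub64(token))
        ticket = unseal(self.key, ub64(ap["ticket"]))  # only the IE's long-term key opens the ticket
        svc_key = ub64(ticket["key"])
        auth = unseal(svc_key, ub64(ap["auth"]))  # proves the sender holds the ticket's session key
        if ticket["exp"] < time.time() or auth["cname"] != ticket["cname"] or abs(auth["ts"] - time.time()) > self.skew:
            raise PermissionError("bad ticket or authenticator")
        if ap["auth"] in self.seen: raise PermissionError("replayed authenticator")  # replay cache
        self.seen.add(ap["auth"])
        if not hmac.compare_digest(ub64(sig), hmac.new(svc_key, body.encode(), hashlib.sha256).digest()):
            raise PermissionError("body signature invalid")
        op = re.match(r"<\w+:(\w+)", body).group(1)  # operation = root element of the body
        if op not in self.repo.pull(self.service).get(ticket["cname"], set()): raise PermissionError("not authorized")
        return ticket["cname"], op

def demo():  # constructed scenario: one user, one IE, the outcomes a practitioner would check
    kdc, repo = KDC({"shaiju": "CN=shaiju,O=Example VO"}), PolicyRepository()  # constructed identity
    repo.push("ie/beamline", "shaiju", ["GetStatus"])
    ie = AccessControlManager("ie/beamline", kdc.keys["ie/beamline"], repo)
    client = KrbClient(kdc, "shaiju", "CN=shaiju,O=Example VO")
    def attempt(env):
        try:
            return ("ok",) + ie.handle(env)
        except PermissionError as e:
            return ("denied", str(e))
    env = client.soap_request("ie/beamline", "<ie:GetStatus/>")
    out = {"discovered": repo.services_for("shaiju"), "status": attempt(env), "replay": attempt(env)}
    fresh = client.soap_request("ie/beamline", "<ie:GetStatus/>")
    out["tampered"] = attempt(fresh.replace("<ie:GetStatus/>", "<ie:SetVoltage>900</ie:SetVoltage>"))
    out["unauthorized"] = attempt(client.soap_request("ie/beamline", "<ie:SetVoltage>5</ie:SetVoltage>"))
    repo.push("ie/beamline", "shaiju", ["GetStatus", "SetVoltage"])  # rule change pushed; the IE pulls it next request
    out["after_push"] = attempt(client.soap_request("ie/beamline", "<ie:SetVoltage>5</ie:SetVoltage>"))
    return out
```

The order of checks in AccessControlManager.handle is the part worth copying: the ticket is opened with the IE's own long-term key, the authenticator proves possession of the session key and is checked against a replay cache and a clock-skew window, the body signature is verified before anything in the body is trusted, and only then is the operation looked up in the rules pulled from the Policy Repository. A tampered body therefore fails on the signature, not on the policy, and a rule pushed after a denial takes effect on the next request without any change on the IE, which is the push/pull behaviour in the last bullet. In the real profile the BinarySecurityToken carries a GSS-API AP-REQ and the session key is used through XML-Signature and XML-Encryption rather than the bare HMAC shown here.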


Implementation Tool

Grid Security Services Simulator (G3S)

Globus Toolkit


Conclusion

A client-server model for a Grid security architecture has been introduced and designed. It follows the OGSA guidelines and provides enhanced near-real-time services in Grid applications by adopting symmetric cryptography during actual operation, while the X.509 certificates of the legacy GSI are used only for the initial authentication.


References

[1] G. Laccetti, G. Schmid, A framework model for grid security, Future Generation Computer Systems 23 (5) (2007) 702-713.

[2] GRIDCC project, http://www.gridcc.org

[3] Open Grid Services Architecture, Version 1.5, http://www.ogf.org/documents/GFD.80.pdf

[4] Globus Toolkit security, http://www.globus.org/security

[5] Heimdal Kerberos, http://www.pdc.kth.se/heimdal

[6] WS-Security Core Specification 1.1, http://www.oasis-open.org/specs/index.php#wssv1.1


