Security in computational grid

Security in Computational Grid

Seonho Kim

Oct 18th 2002


Content

  • Computational Grid

  • Security Requirements in Grid

  • Terminology

  • Security Policy in Grid

  • Globus overview

  • Grid Security Architecture



What is Grid?

  • A computational grid is a hardware and software infrastructure that provides dependable, consistent, pervasive, and inexpensive access to high-end computational capabilities

  • A computational grid is a wide-area distributed and parallel computing environment consisting of heterogeneous platforms spanning multiple administrative domains

    • Coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organizations

    • Checklist

      • Coordinates resources that are not subject to centralized control

      • Uses standard, open, general-purpose protocols and interfaces

      • Delivers nontrivial qualities of service



Security?

  • Protecting the system from its users

  • Preventing the unauthorized disclosure or modification of data

Security in Computational Grid

  • Characteristics of the Grid computing environment

    • Large & dynamic user population and resource pool

    • Dynamic resource acquisition and release

    • Dynamic creation and destruction of a variety of network connections

    • Heterogeneous local authentication and authorization mechanisms and policies (e.g. Kerberos, plaintext passwords, SSL, SSH, etc.)

    • An individual user will be associated with different local name spaces, credentials, or accounts at different sites.



Security Requirements

  • Authentication solution for verifying identities among a user, the processes, and the resources during the computation

  • Support for Local Heterogeneity

    • Various authentication/authorization mechanisms and policies

  • Several Constraints to meet

    • Single sign-on & delegation

    • Protection of Credentials

    • Interoperability with local security solutions: Inter-domain access mechanism

    • Uniform certification infrastructure

    • Support for secure group communication

    • Support for multiple implementations



Security Requirements - Delegation

  • The context initiator gives the context acceptor the ability to initiate additional security contexts as an agent of the context initiator

    • Remote creation of a proxy credential

    • Allows remote process to authenticate on behalf of the user

  • Delegation in Globus

    • New key pair generated remotely on server

    • Proxy certificate and public key sent to client

    • Client signs proxy certificate with its private key and returns it

    • Server puts proxy in /tmp



Terminology

  • Authentication

  • Authorization

  • Integrity and Confidentiality

  • Security Policy

    • A set of rules that define the security subjects, security objects, and relationships (security operations) among them.

  • CA (Certificate Authority)

    • The third party that performs certification (the binding) and issues certificates

  • Trust Domain

    • A logical, administrative structure where a single, consistent local security policy holds



Security Policy in Grid

  • Multiple trust domains

    • Inter-domain interactions + mapping of inter-domain operations into local security policy

  • Operations within a single trust domain are subject to local security policy only

  • Mapping from global subjects to local subjects

    • Authenticated global subject is considered authenticated locally

  • Mutual authentication between entities in different trust domains

  • Local access control decisions by local system administrators

  • The execution of programs without additional user interaction during the computation

  • Processes running on behalf of the same subject within the same trust domain may share a single set of credentials



Globus Overview

  • Globus (Argonne National Lab)

    • software toolkit that makes it easier to build computational grids and grid-based applications

      • Protocols and APIs

    • Resource Management (GRAM)

    • Information Service (MDS)

    • Data Transfer (GridFTP)

    • Security (GSI)

      • Proxies and delegation for secure single sign-on

      • PKI (CAs and certificates)

      • SSL/TLS for authentication and message protection (secured connection)



Certificate & CA

[Figure: a user certificate issued by the CA (Subject Name, Public Key, CA Name, Signature of CA) beside the CA's certificate (Subject Name: CA, CA's Public Key, CA Name: CA, Signature of CA)]

  • An X.509 certificate binds a public key to a name

  • Used to identify and authenticate the user or service

  • By checking the signature, one can determine that a public key belongs to a given user

  • The CA signs its own certificate

    • distributed across the network



Mutual Authentication (How to identify each other?)

User A holds certificate C_A; User B holds certificate C_B.

  ① Connection established

  ② A sends B its certificate

  ③ 1) Check the validity of C_A based on the digital signature of the CA

     2) Extract the public key of A

  ④ B sends A a plaintext

  ⑤ A encrypts the plaintext using C_A and sends it to B

  ⑥ B decrypts the encrypted message. If this matches the original message, B can trust A now



GSI in Action: “Create Processes at A and B that Communicate & Access Files at C”

[Figure: GSI in Action. Labels recovered from the diagram:]

  • User: single sign-on via “grid-id” & generation of proxy credential, or retrieval of proxy credential from an online repository

  • User Proxy (proxy credential): remote process creation requests*

  • Site A (Kerberos): GSI-enabled GRAM server (authorize, map to local id, create process, generate credentials)

  • Site B (Unix): GSI-enabled GRAM server (ditto)

  • Computers and processes at the sites: local id, Kerberos ticket, restricted proxy; communication* between the processes

  • Site C (Kerberos): remote file access request* to a GSI-enabled FTP server (authorize, map to local id, access file); storage system

  * With mutual authentication



User Proxy Creation

Notation: C_U is the user's credential, C'_UP the temporary credential, C_UP the user proxy credential.

  ① The user gains access to the computer

  ② Temporary credential C'_UP created

  ③ User proxy credential C_UP is created

      C_UP = Sign(U) { C'_UP, Start-Time, End-Time }

  ④ A user proxy is created, holding C_UP



Resource Allocation

Mutual authentication between the User Proxy and the Resource Manager, based on C_UP and C_RM.

  ① The UP requests resource allocation

      Sign(UP) { Allocation Specification }

  ② 1) Authentication (validate UP & check the expiration)

     2) Authorization by local policy (may or may not need mapping between the Globus user's credential and the local user ID)

     3) Allocate resource

  ③ PROCESS-HANDLE returned

      PROCESS-HANDLE = Sign(RM) { host-identifier, process-identifier }

[Diagram labels: User Proxy, Resource Manager, Process Manager, Resource]



Process to Process Authentication

  ① Temporary process credential C'_P created

  ② C'_P passed to PM

  ③ Process credential request

      Sign(PM) { C'_P : Process-Credential }

  ④ 1) Examine the request

     2) Generate C_P and return it to PM

      C_P = Sign(UP) { C'_P }

  ⑤ C_P passed to the process

[Diagram labels: User Proxy, Process, Process Manager, Resource; credentials C_UP, C_P, C_PM]



Resource Allocation Request from a Process

  ① The process issues a request for the resource B

      Sign(P) { Operation, Operation Arguments }

  ② 1) Authenticate the request

     2) Execute the request

  ③ Return the result

      Sign(UP) { Execution-Result }

[Diagram labels: User Proxy, Process, Process Manager, Process, Resource B; credentials C_UP, C_P, C_PM]



Mapping between Globus Subject & Resource Subject (1)

  • Globus Subject: Global Name; Globus Credential (C_UP, C_P)

  • Resource Subject: Local Name (User ID), for local access to some resource; Resource Credential (Password)

  • Mapping from Globus Subject to Resource Subject using the Grid Map table
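
The proxy-creation, resource-allocation and subject-mapping slides above, as an added example that is not part of the original presentation or of Globus: a resource manager validates C_UP = Sign(U){C'_UP, Start-Time, End-Time}, checks the signed allocation request, and maps the global subject to a local id through a grid map table. Assumptions: toy textbook RSA over fixed Mersenne primes stands in for X.509 signatures, the user's public key is taken from an already CA-validated certificate, and every name and value is constructed.

```python
import hashlib, json

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    """Toy textbook-RSA key pair; a stand-in for X.509 keys, not for real use."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(body, n):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, body):
    return pow(_digest(body, priv[0]), priv[1], priv[0])

def verify(pub, body, sig):
    return pow(sig, pub[1], pub[0]) == _digest(body, pub[0])

def make_proxy(subject, user_priv, proxy_pub, start, end):
    """C_UP = Sign(U){C'_UP, Start-Time, End-Time}; C'_UP is the proxy public key."""
    body = {"issuer": subject, "pubkey": list(proxy_pub),
            "start": start, "end": end}
    return {"body": body, "sig": sign(user_priv, body)}

def authorize(request, proxy, user_pub, gridmap, now):
    """Resource manager: authenticate the proxy, then map to a local id."""
    body = proxy["body"]
    if not verify(user_pub, body, proxy["sig"]):
        return None, "bad proxy signature"
    if not body["start"] <= now <= body["end"]:
        return None, "proxy outside validity window"
    if not verify(tuple(body["pubkey"]), request["spec"], request["sig"]):
        return None, "bad request signature"
    local = gridmap.get(body["issuer"])  # global subject -> local subject
    if local is None:
        return None, "no grid-map entry"
    return local, "ok"

# Constructed sample data: Mersenne primes as toy RSA primes, hypothetical names.
USER_PUB, USER_PRIV = keypair(2**61 - 1, 2**89 - 1)
PROXY_PUB, PROXY_PRIV = keypair(2**107 - 1, 2**127 - 1)
SUBJECT = "/O=Grid/OU=example.org/CN=Jane Doe"
GRIDMAP = {SUBJECT: "jdoe"}
PROXY = make_proxy(SUBJECT, USER_PRIV, PROXY_PUB, start=1000, end=44200)
SPEC = {"count": 4, "executable": "/bin/hostname"}
REQUEST = {"spec": SPEC, "sig": sign(PROXY_PRIV, SPEC)}  # Sign(UP){Allocation Specification}
if __name__ == "__main__":
    print(authorize(REQUEST, PROXY, USER_PUB, GRIDMAP, now=2000))
```

The user's long-term private key is used once, in `make_proxy`; every later request is signed with the short-lived proxy key, which is what limits the damage if the proxy credential leaks.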

