
First-Review

A Web Services based security architecture for instrumentation grids

Paulson


  1. A Web Services based Security Architecture for Instrumentation Grids
     Presented by Shaiju Paul (08DI017)
     Under the guidance of Mrs. Jaspher Willsie Katherine, Asst. Professor/IT

  2. Contents
     • Base Paper
     • Project Objective
     • Literature Survey
     • Proposed Security Architecture
     • Conclusion
     • References

  3. Base Paper
     Title: A Kerberos security architecture for web services based instrumentation grids
     Authors: A. Moralis, V. Pouli, S. Papavassiliou, V. Maglaris (National Technical University of Athens, Greece)
     Publisher: Elsevier, Future Generation Computer Systems 25 (2009) 804–818

  4. Objective
     To improve the security performance of Grids while maintaining interoperability with the legacy Grid Security Infrastructure (GSI).

  5. Literature Survey (1/8): Grid Computing
     • A Grid Computing System connects distributed, heterogeneous computing resources with high-speed networks and integrates them into a transparent environment.
     • Used in large-scale distributed high-performance computing
     • Provides users with remote computing resources

  6. Literature Survey (2/8): Basic principles of Grid Computing
     • Single sign-on
     • Authorization to resources
     • Credential delegation
     • Communication integrity
     • Communication confidentiality

  7. Literature Survey (3/8): GRIDCC Project
     • The GRIDCC project integrates remote interaction with instruments into the Grid, along with distributed control and real-time interaction
     • Aims to increase both the usability and the usefulness of the system
     • The Instrument Element (IE) is a set of services that provides the interface and implementation needed for remote control and monitoring of physical instruments

  8. Literature Survey (4/8): Grid Security Infrastructure
     • The de facto authentication mechanism for legacy Grids
     • Based on a PKI Certification Authority issuing X.509 certificates
     • Supports delegation through short-lived X.509 Proxy certificates
     • Secure message exchange via SSL

  9. Literature Survey (5/8): X.509 Proxy Certificates
     • Proxy credentials are commonly used in security systems when one entity wishes to grant another entity some subset of its privileges
     • Delegation can be performed dynamically, without the assistance of a third party
     • The delegated rights can be limited to arbitrary subsets of the delegating entity's privileges

  10. Literature Survey (6/8): Open Grid Services Architecture
     • Based on the concepts and technologies of Grid and Web services
     • Defines standard mechanisms for creating, naming and discovering Grid services
     • Provides location transparency
     • Supports integration with underlying native platform facilities
     • Service interfaces are also defined in terms of WSDL

  11. Literature Survey (7/8): Web Service Security
     • Web services provide open and interoperable standards to manage distributed resources in a reliable and flexible way
     • Based on XML-encoded messages exchanged via the SOAP protocol
     • WS-Security is an application-level open specification
     • Provides confidentiality, integrity and non-repudiation at the message level

  12. Literature Survey (8/8): Kerberos Protocol
     • Used for authenticating users and services on a network
     • Is a trusted third party service
     • Based on symmetric key cryptography
     • The WS-Security Kerberos Token Profile specifies how to sign and encrypt a SOAP message using a Kerberos ticket

  13. Proposed Security Architecture (1/6)
     • Is a web services based security architecture
     • Improves security performance
     • Interoperable with the legacy GSI
     • Follows OGSA guidelines
     • Provides enhanced near real-time services in Grid applications
     • Uses symmetric cryptography

  14. Proposed Security Architecture (2/6)
     • Uses the Kerberos authentication system to authenticate users and support single sign-on
     • Users authenticate to the Kerberos system using their X.509 certificates
     • After authentication they receive a ticket from the Kerberos system
     • They can access various resources for the whole ticket lifetime without re-authenticating

  15. Proposed Security Architecture (3/6)

  16. Proposed Security Architecture (4/6): Main Components
     • Authentication System: provides Kerberos authentication and key management
     • KrbClient: hides the security complexity and manages the user's credentials
     • Access Control Manager: protects a Web Service by authenticating and authorizing incoming requests
     • Policy Repository: stores all the local access rules

  17. Proposed Security Architecture (5/6): Basic Steps
     • The KrbClient authenticates the user to the Kerberos Authentication Service using the user's X.509 certificate
     • The Authentication Service returns to the user a special ticket called the Ticket Granting Ticket (TGT)
     • The KrbClient requests a ticket for the IE from the Ticket Granting Service
     • Optionally, the KrbClient can query the Policy Repository to discover which IEs or other web services the user is authorized to invoke

  18. Proposed Security Architecture (6/6): Steps Contd.
     • The KrbClient can delegate the client's certificate to the delegation service
     • The delegated credentials can be used by the IE to access other Grid resources on behalf of the client
     • The KrbClient communicates with a Web Service securely via WSS, sending a SOAP message carrying the acquired ticket to the Web Service or IE
     • New rules are pushed to the Policy Repository whenever the local rules change; an IE can also pull its access rules from the Policy Repository
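The handshake on slides 17 and 18, together with the ticket-carrying SOAP request of slide 12 and the components of slide 16, worked through as a small Python model. This is an added example, not code from the base paper or the GRIDCC project, and it simplifies several things: a pre-shared client key stands in for the X.509 certificate authentication to the Authentication Service, an HMAC-SHA256 encrypt-then-MAC construction stands in for the Kerberos encryption types, the WS-Security header is modelled as a dictionary rather than XML, and the principal names (alice, krbtgt, ie/detector, ie/camera), operation names and policy rules are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed long-term keys. In the paper the client proves its identity to the
# Authentication Service with its X.509 certificate; a pre-shared key stands in here.
KEYS = {
    "alice": os.urandom(32),        # client principal
    "krbtgt": os.urandom(32),       # Ticket Granting Service
    "ie/detector": os.urandom(32),  # Instrument Element (service principal)
    "ie/camera": os.urandom(32),    # a second IE, to show tickets are per service
}
TICKET_LIFETIME = 3600  # seconds
CLOCK_SKEW = 300        # seconds an authenticator timestamp may be off
# Constructed Policy Repository: service -> principal -> allowed operations
POLICY_REPOSITORY = {"ie/detector": {"alice": {"read_status"}}}

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stands in for a Kerberos encryption type
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Encrypt-then-MAC a JSON object: nonce || ciphertext || tag
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    # Verify the tag before decrypting; any tampering or wrong key raises ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket, auth):
    # Shared ticket/authenticator validation used by the TGS and by the IE
    now = int(time.time())
    if ticket["exp"] < now or auth["client"] != ticket["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("ticket or authenticator rejected")

def as_exchange(client):
    # AS-REQ/AS-REP: the TGT plus the TGT session key sealed under the client's key
    sess, exp = os.urandom(32).hex(), int(time.time()) + TICKET_LIFETIME
    tgt = seal(KEYS["krbtgt"], {"client": client, "key": sess, "exp": exp})
    return tgt, seal(KEYS[client], {"key": sess, "exp": exp})

def tgs_exchange(tgt, authenticator, service):
    # TGS-REQ/TGS-REP: validate the TGT, then issue a ticket for the requested service
    t = open_sealed(KEYS["krbtgt"], tgt)
    tgt_key = bytes.fromhex(t["key"])
    _check(t, open_sealed(tgt_key, authenticator))
    sess, exp = os.urandom(32).hex(), min(t["exp"], int(time.time()) + TICKET_LIFETIME)
    ticket = seal(KEYS[service], {"client": t["client"], "key": sess, "exp": exp})
    return ticket, seal(tgt_key, {"key": sess, "exp": exp})

class KrbClient:
    # Hides the Kerberos handshake from the application (slide 16)
    def __init__(self, name):
        self.name = name
        self.tgt, rep = as_exchange(name)  # single sign-on: done once per session
        self.tgt_key = bytes.fromhex(open_sealed(KEYS[name], rep)["key"])
        self.tickets = {}  # service tickets are reused for their whole lifetime

    def _authenticator(self, key):
        return seal(key, {"client": self.name, "ts": int(time.time())})

    def ticket_for(self, service):
        if service not in self.tickets:
            ticket, rep = tgs_exchange(self.tgt, self._authenticator(self.tgt_key), service)
            self.tickets[service] = (ticket, bytes.fromhex(open_sealed(self.tgt_key, rep)["key"]))
        return self.tickets[service]

    def soap_request(self, service, operation):
        # Simplified WS-Security Kerberos Token Profile: ticket as BinarySecurityToken,
        # body signed with the service session key
        ticket, key = self.ticket_for(service)
        body = json.dumps({"operation": operation})
        return {"BinarySecurityToken": base64.b64encode(ticket).decode(),
                "Authenticator": base64.b64encode(self._authenticator(key)).decode(),
                "Signature": hmac.new(key, body.encode(), hashlib.sha256).hexdigest(),
                "Body": body}

def access_control_manager(service, msg):
    # Authenticate with the IE's own key, then authorize against the Policy Repository
    ticket = open_sealed(KEYS[service], base64.b64decode(msg["BinarySecurityToken"]))
    key = bytes.fromhex(ticket["key"])
    _check(ticket, open_sealed(key, base64.b64decode(msg["Authenticator"])))
    sig = hmac.new(key, msg["Body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, msg["Signature"]):
        raise PermissionError("message signature mismatch")
    operation = json.loads(msg["Body"])["operation"]
    allowed = operation in POLICY_REPOSITORY.get(service, {}).get(ticket["client"], set())
    return ticket["client"], allowed
```

Two points the slides state only in words become checkable here: the Access Control Manager never talks to the Kerberos servers at request time, since the IE's own key is enough to open the ticket, and a ticket issued for one IE is useless at another because it is sealed under that service's key. Authentication (who sent this) and authorization (what the Policy Repository allows) stay separate steps, so an authenticated but unauthorized request is answered with `allowed == False` rather than an error.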

  19. Implementation Tools
     • Grid Security Services Simulator (G3S)
     • Globus Toolkit

  20. Conclusion
     A client-server model for a grid security architecture has been introduced and designed. It follows OGSA guidelines and provides enhanced near real-time services in Grid applications by adopting symmetric cryptography during actual operation.

  21. References
     [1] G. Laccetti, G. Schmid, A framework model for grid security, Future Generation Computer Systems, v.23 n.5, p.702-713, June 2007
     [2] http://www.gridcc.org
     [3] Open Grid Services Architecture, Version 1.5, http://www.ogf.org/documents/GFD.80.pdf
     [4] http://www.globus.org/security
     [5] The Heimdal Kerberos, http://www.pdc.kth.se/heimdal
     [6] WS-Security Core Specification 1.1, http://www.oasis-open.org/specs/index.php#wssv1.1

  22. THANK YOU
