HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Wenbao Jiang,Chen Li,Shuang Hao,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-540-31979-5_25

2005-01-01

Abstract:Delegation is an important tool for authorization in large distributed environments. However, current delegation mechanisms used in emerging Grids have problems to allow for flexible and secure delegation. This paper presents a framework to realize restricted delegation using a specific attribute certificate with trust value in grid environments. The framework employs attribute certificates to convey rights separately from identity certificates used for authentication, and enables chained delegations by using attribute certificate chains. In the framework the verifier can enforce securely authorization with delegation by checking the trust values of AC chains, and judge if a delegation is a trusted delegation by evaluating the reputation value of the delegation chain. The paper discusses the way of computing trust and reputation for delegation, and describes some details of delegation, including the creation of delegation credential and the chained delegation protocol.

Ma Tian-chi,Li Shan-ping

DOI: https://doi.org/10.1631/jzus.2005.a0405

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:New challenges are introduced when people try to build a general-purpose mobile agent middleware in Grid environment. In this paper, an instance-oriented security mechanism is proposed to deal with possible security threats in such mobile agent systems. The current security support in Grid Security Infrastructure (GSI) requires the users to delegate their privileges to certain hosts. This host-oriented solution is insecure and inflexible towards mobile agent applications because it cannot prevent delegation abuse and control well the diffusion of damage. Our proposed solution introduces security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent’s specific code segments, or even the states and requests. Applications can establish and configure their security framework flexibly on the same platform, through defining instances and operations according to their own logic. Mechanisms are provided to allow users delegating their identity to these instances instead of certain hosts. By adopting this instance-oriented security mechanism, a Grid-based general-purpose MA middleware, Everest, is developed to enhance Globus Toolkit’s security support for mobile agent applications.

TC Ma,SP Li

DOI: https://doi.org/10.1109/clustr.2003.1253356

2003-01-01

Cluster Computing

Abstract:In this paper, an instance-oriented security mechanism is proposed, to attack possible security threats in grid-based mobile agent system. The proposed delegation profile allows application systems to define their own security instances, while it provides mechanisms to delegate one's identity on those instances, instead of on certain hosts, just like the conventional delegation does. This can prevent the delegated host from abusing privileges. By adopting the new delegation profile kernel, a new trust framework is then proposed to enhance the security verification ability and provide more fine-grained authorization to mobile agent platforms.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Tianchi Ma,Shanping Li

DOI: https://doi.org/10.1007/978-3-540-24679-4_153

2004-01-01

Abstract:An instance-oriented security mechanism is proposed to deal with security threats in building a general-purpose mobile agent middleware in Grid environment. The proposed solution imports security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent's specific code segments, or even the states and requests. Study shows this mechanism can inject large flexibility and scalability into the security framework, and can avoid the inefficiency and potential damages obscuring in a conventional linear delegation model.

Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Yan Li,Huiping Sun,Zhong Chen,Jinqiang Ren,Haining Luo

DOI: https://doi.org/10.1109/SecTech.2008.50

2008-01-01

Abstract:With the development of grid technology, sensitive files and data protection become difficult tasks multi-domains. Traditional access control mechanisms are not suitable to such distributed environment. Several models and mechanisms utilize trust to assist access control decision. But few explicitly consider trust and risk as two separate factors which affect interactions between peers. In this paper, we present a novel mechanism which considers both trust and risk as two vital parameters to assist access control decision. In addition, a novel model of trust evaluation is proposed to represent the confidence in the peer. And to appease people’s anxiety about loss, a new model of risk assessment is also presented to indicate impacts on resources. At the end of this paper, simulation results will indicate that our mechanism is able to secure local system more efficiently and reliably.

XIAO Zheng-Hong,HU Zhong-Wang,YIN Hao

2006-01-01

Computer Science

Abstract:A significant challenge for Grid computing is to develop an efficient set of mechanisms and polices for securing grid processes. Auditing and accounting are fundamental requirements of large sites.In this paper,we identify security auditing requirements,and propose a Cross-Domain Security Auditing(CDSA)architecture based on Mobile agent. To make the least influence on the performance,a new secure mechanism for authorizing is implemented by way of modifying the traditional manner “route once,switch many” in network to the new manner “audit once,authorize many ” in Grid. The dynamic auditing is carried out by constructing a multi-value trust relationship model. The system enforces these mechanisms to enable cross-domain security auditing in the aid of user-defined services of Globus Toolkit Version 3.0 and IBM Aglet.

W Liu,Jp Wu,Hx Duan,X Li,P Ren

DOI: https://doi.org/10.1007/978-3-540-30208-7_47

2004-01-01

Abstract:This paper presents an authorization solution for resource management and control developed as part of the China Education and Research Network (CERNET) to perform fine-grained authorization of job and resource management requests in a Grid environment which meets the Fusion-Grid's security needs in large scale networks such as CERNET. It integrates the GT2 job manager and X.509 authorization and this model can be extended to other authorization decision functions. It allows the system to evaluate a user's resource specification language request against authorization policies on resource usage. Furthermore, based on XML integrated authorization policies, it allows other virtual organization members to manage the user's resources.

LI Wen-juan,WANG Xiao-dong,FU Yang-geng,FU Zhi-xiang

DOI: https://doi.org/10.3969/j.issn.1000-2243.2006.02.009

2006-01-01

Abstract:We firstly analyze three trust models in grid environment, compare their constructs, advanta|ges and disadvantages, then bring forward some advice such as defining identity weight, realizing authen|tication in the initialization, regarding trust recommendation as one type of trade context, enhancing self-determination of grid entities and establishing trust management layer, and based on the former analy|sis develop framework of a novel grid trust model.