Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Shaohua Tang,Sunan Shen,Ke Xue

2008-01-01

Abstract:A federated authentication and authorization scheme for cross-domain Grid services based upon SAML is proposed. A trust relationship based on PKI technique is established among federated domains firstly. When a user logs into its local domain, the identity of the user can then be recognized by the federated domains. The privileges that a cross-domain user can have are administrated by the resource domain locally. Therefore, an authenticated cross-domain user can access the authorized Grid services provided by the resource domain. SAML statements are adopted to transport the authentication and authorization assertion among trusted domains. A session key is used to prove the owner of the SAML assertions and to encrypt the sensitive data. The overall security mechanism is implemented. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Tianchi Ma,Shanping Li

DOI: https://doi.org/10.1007/978-3-540-24679-4_153

2004-01-01

Abstract:An instance-oriented security mechanism is proposed to deal with security threats in building a general-purpose mobile agent middleware in Grid environment. The proposed solution imports security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent's specific code segments, or even the states and requests. Study shows this mechanism can inject large flexibility and scalability into the security framework, and can avoid the inefficiency and potential damages obscuring in a conventional linear delegation model.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.

TC Ma,SP Li

DOI: https://doi.org/10.1109/clustr.2003.1253356

2003-01-01

Cluster Computing

Abstract:In this paper, an instance-oriented security mechanism is proposed, to attack possible security threats in grid-based mobile agent system. The proposed delegation profile allows application systems to define their own security instances, while it provides mechanisms to delegate one's identity on those instances, instead of on certain hosts, just like the conventional delegation does. This can prevent the delegated host from abusing privileges. By adopting the new delegation profile kernel, a new trust framework is then proposed to enhance the security verification ability and provide more fine-grained authorization to mobile agent platforms.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Yongkai Cai,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.187

2008-01-01

Abstract:A federated security scheme based on WS-Security standard for cross-domain Grid is proposed. It integrates the WS-Security standard and the Grid security mechanism. A trust model is established based on WS-Trust specification. A communication is established based on WS-SecureConversation specification. The architecture is implemented in a SAML-based federated authentication and authorization cross-domain Grid. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

JIANG Wei-chao,XIA Yang,HUANG Xiao

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.06.042

2005-01-01

Abstract:Web services, which adopt general protocol and technology, can be easily accessed by users and have been the research hotspot in distributed computing, but the downside of this easiness is that security is compromised. An access control system for web services is presented based on SAML and XACML, which uses SAML to single sign-on and introduces XACML to control the access of users. Based on SAML, XACML is imported to control the protected resources on web sites, and achieves the security of access control of web services.

YAN Jian-wei,LIANG Li,LIU Yong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.08.035

2005-01-01

Abstract:Introduces some prototypes of computational grid security. According to the domestic research actuality, this paper proposes a new grid security model with group authentication and collaboration. This model extends the current grid security model. The paper also discusses the security framework and collaboration mechanism in detail.

YANG Shengwen,SHI Meilin,JIANG Jinlei,XU Jun

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.034

2005-01-01

Abstract:Security is a challenging issue in grid systems.A service-oriented security architecture was developed to provide security in learning assessment grid(LAGrid),an e-Learning oriented grid system.A symmetric key infrastructure was used in for single sign on enabled authentication and role-based authorization.A security token service was designed to give message-level encryption and signature mechanisms.The service-oriented security architecture has been successfully implemented in LAGrid system which supports wide-area resource sharing and large-scale cross-organizational collaborative work.In addition,the system provides a secure,transparent and web-based user environment.

Yin Hao,Zhou Jiliu,Wu Huilin,Yu Liang

DOI: https://doi.org/10.1109/ISDPE.2007.73

2007-01-01

Abstract:Web-based portals have been increasingly used to integrate information from a variety of back-end Web services. In these systems, security is a critical feature. This paper presents a SAML/XACML based access control between portal and Web services to extend the authentication and authorization mechanism within a portal to external Web services. © 2007 IEEE.

MENG Fan-rong,XIE Hong-xia,WANG Ru-chuan,XIA Shi-xiong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.11.013

2007-01-01

Journal of Communications

Abstract:Grid was a kind of new-type network computing platform following World Wide Web;An infrastructure of sharing different resources including webpage in an all-round way was offered.In order to complete one task,many re-sources were often needed the participants to assort with,so single sign-on to simplify users’ operations was needed.The disadvantages of single sign-on were analyzed,and a solution based on SAML was proposed,the test and the perform-ance evaluation to it had been carried on.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.