Wei Jie,Junaid Arshad,Pascal Ekin

DOI: https://doi.org/10.1007/s11227-009-0267-8

2009-01-01

Abstract:Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Xiaoxi Wang

2010-01-01

Abstract:This paper analyzes the features of and challenges faced by grid security technology,sums up the main contents of the current research on grid security,makes the overview of the recent advances in the research on grid security,and discusses some problems still existing in this field and the future trends of grid security that possess preferable reference value to the research on grid security technology.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Li Ma,Yongmei Zhang

DOI: https://doi.org/10.1109/ICMLC.2009.5212277

2009-01-01

Abstract:Grid is an important information infrastructure, its security has a great significance for services providing and reasonable sharing of resources. Safe and effective mechanism of identity authentication, evaluation methods of the entity are most important for the grid users to legitimately utilize resources, raise the legal user's credit rating and shield illegal users. This paper describes the identity authentication and trust model mechanism under information grid. A grid authentication framework is presented. Analyze the research status of the grid security mechanism, which focuses on the identity authentication and trust mechanism research status in grid environment. The current major identity authentication models aim at the certification authority on the basis of the PKI. designed a grid authentication framework, gives its system structure and concrete realization methods, and describes its working flow. Experiments show the structure is more simple and flexible than traditional authentication frameworks for PKI, and it can improve efficiency and reduce maintenance costs when the system is safe.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.

YAN Jian-wei,LIANG Li,LIU Yong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.08.035

2005-01-01

Abstract:Introduces some prototypes of computational grid security. According to the domestic research actuality, this paper proposes a new grid security model with group authentication and collaboration. This model extends the current grid security model. The paper also discusses the security framework and collaboration mechanism in detail.

Li Ma,Yongmei Zhang

DOI: https://doi.org/10.1109/AMS.2009.41

2009-01-01

Abstract:The grid is an heterogeneous distributed environment, it has many new characteristics that are different with the traditional Internet, for example, it have many users and resources. These characteristics have decided complexity of the grid safety mechanism. Thus security is an important element of the practical of grid computing technology. In paper, we described a hybrid model of authentication against centralized, hierarchical structure, other traditional forms of authentication features and combining grid security needs. Compare and analyzed the hybrid model authentication mechanisms, performance, and the implement methods of these models, and verified the safety and effectiveness of the hybrid mode. It described the design process of hybrid mode in detail . Given the specific systems certification flow and the performance analysis of application , it is great significance for grid security and management.

Jingshu Chen,Hong Wu,Qingyang Wang,Qingguan Wang

DOI: https://doi.org/10.1109/GCC.2006.15

2006-01-01

Abstract:A fundamental concern in building a secure grid computing environment is authentication of local and remote entities in the environment. The existing authentication technologies in the grid computing environments can effectively guarantee the valid authentication, but they cannot meet the demands of new security challenges in dynamic grid environment, such as flexibility, lightweight, and extensibility. In order to satisfy the security needs of the computational grid, we propose a reflective authentication framework which aims to improve the customizing ability of platform and adaptive ability in the open and dynamic grid environment

Wei Jie,Zhenghong Huang,Michael Daw,Rob Procter,Xiaorong Li,Lianggui Tang,Sheng Lu

DOI: https://doi.org/10.1109/CEC-EEE.2007.84

2007-01-01

Abstract:Grid Information Service (GIS) is a core functional component of a Grid that provides information about various resources and their status. Security underpins a GIS making secure access to a GIS an important issue. On the basis of our existing work on a GIS architecture, we further propose a security framework which leverages Shibboleth as the authentication infrastructure and combines PERMIS authorization technology. As a result, this security framework integrates the advantages of both Shibboleth cross-domain identity federation and PERMIS policy driven role based access control, thus presenting a new security model for secure access to a GIS.

Hongxia Xie,Fanrong Meng

DOI: https://doi.org/10.1007/978-3-540-24679-4_165

2004-01-01

Abstract:Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations (VOs)." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. This paper reflects the challenges and requirements we have identified thus far in an OGSA environment and we proposes a strategy for addressing security within the Open Grid Services Architecture (OGSA) and the OGSA Authentication Services based on the defined architecture.

Huaji Shi,Xibin Zhao

DOI: https://doi.org/10.1109/SOSE.2006.17

2006-01-01

Abstract:This paper analyzes the requirement of authorization service for grid computing systems and proposes the use of threshold closure as a basic mechanism for implementing authorization service in grid computing systems. While pointing out the desirable features of threshold closure for complex authorization policies, the paper also discusses the practical limitations of threshold closure in such an environment, and then puts forward a new authorization service for virtual organization. In addition, an access control protocol which is based on PKI is designed in the paper. By segregating the policy and mechanism aspects of threshold closure, the new service can use existing security infrastructure in grid computing system while keep the ability to express complex authorization policy effectively

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.