HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

YAO Hong-yan,LI Ming-chu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.30.003

2007-01-01

Abstract:The paper explores deeply on authorization in grid with respect to some key concept,including authorization parameters,authorization sequence and authorization model,then proposes in theory a framework for distributed authorization.Framework divides authorization into five parts.They are called in turn the trust management,policy management,privilege management,authorization mechanism & protocol management and authorization request management.Each part's function is also prescribed.Not only this framework makes technology development for each part is more specific,but also clarifies the way of establishing concrete authorization mechanism.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Wei Jie,Junaid Arshad,Pascal Ekin

DOI: https://doi.org/10.1007/s11227-009-0267-8

2009-01-01

Abstract:Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

Bo Lang,Foster, I.,Siebenlist, F.,Ananthakrishnan, R.,T. Freeman

DOI: https://doi.org/10.1109/NCA.2006.4

2006-01-01

Abstract:A grid system is a virtual organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable to support multiple security policies. Basing on the Web services security specifications such as XACML, SAML, and the special security needs of the grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.

Jingshu Chen,Hong Wu,Qingyang Wang,Qingguan Wang

DOI: https://doi.org/10.1109/GCC.2006.15

2006-01-01

Abstract:A fundamental concern in building a secure grid computing environment is authentication of local and remote entities in the environment. The existing authentication technologies in the grid computing environments can effectively guarantee the valid authentication, but they cannot meet the demands of new security challenges in dynamic grid environment, such as flexibility, lightweight, and extensibility. In order to satisfy the security needs of the computational grid, we propose a reflective authentication framework which aims to improve the customizing ability of platform and adaptive ability in the open and dynamic grid environment

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Shaohua Tang,Sunan Shen,Ke Xue

2008-01-01

Abstract:A federated authentication and authorization scheme for cross-domain Grid services based upon SAML is proposed. A trust relationship based on PKI technique is established among federated domains firstly. When a user logs into its local domain, the identity of the user can then be recognized by the federated domains. The privileges that a cross-domain user can have are administrated by the resource domain locally. Therefore, an authenticated cross-domain user can access the authorized Grid services provided by the resource domain. SAML statements are adopted to transport the authentication and authorization assertion among trusted domains. A session key is used to prove the owner of the SAML assertions and to encrypt the sensitive data. The overall security mechanism is implemented. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Weizhong Qiang,Aleksandr Konstantinov,Hai Jin

DOI: https://doi.org/10.1109/GCC.2010.39

2010-01-01

Abstract:Grid has been proved to be a promising technology for integrating heterogeneous resources. However, with the emerging of various Grid middle wares, the heterogeneous problem also occurs for Grid middleware themselves, as well as for the Grid services developed on those middle wares, which is an obstacle for the interoperation. SOA(Service Oriented Architecture) has been introduced into the development of Grid middewares and services to solve this problem. One of the challenging tasks in the development, integration and deployment of Grid middle wares is to provide security framework. In this paper, the key issue of Grid security framework, i.e., authorization, is focused, and an attribute-based authorization framework is presented. Due to the adoption of SAML, XACML and the generic Web Service specifications, the proposed framework can achieve interoperability to other standard-based attribute authority services, as well as other standard-based policy evaluation services.

Weizhong Qiang,Aleksandr Konstantinov,Deqing Zou,Laurence T. Yang

DOI: https://doi.org/10.1016/j.jnca.2011.03.006

IF: 7.574

2012-01-01

Journal of Network and Computer Applications

Abstract:Security infrastructure is one of the most challenging tasks in the development, integration and deployment of Grid middlewares. Even though the Grid community addresses the security issue through public key infrastructures (PKI) to support mutual authentication using X.509 certificates, maintaining X.509 credentials is not that easy for non-IT-experts, and has proved to be an obstacle for a more wide deployment of Grid technologies. The identity federation is an increasingly popular technology that can facilitate cross-domain single sign-on without requiring the users to maintain any credentials additional to their own institutional accounts. We believe that utilizing identity federation for Grid middlewares is a promising path for the Grid technology to get more widely used. This paper describes a single sign-on infrastructure developed as a part of the NorduGrid ARC (Advanced Resource Connector) Grid middleware. It adopts the identity federation standard (SAML), as well as other Web Service standards. It focuses on a single sign-on solution at the middleware level for users to access Grids by only using their frequently used accounts, without being bothered to maintain X.509 credentials. Users can use their username/password only to access Grids developed in ARC middleware, as well as access Grids developed in other middlewares that requires users to provide X.509 certificates. Moreover, the single sign-on for workflow-like Grid applications (in which intermediate entities act on behalf of users) is also supported. As an important aspect of single sign-on, authorization is also considered by implementing an attribute-based authorization using SAML standard. In addition, the performance of single sign-on solution is measured. We identify performance limitations of security-related services inside this solution, and analyse the ways to avoid the limitations. To our knowledge, the work presented in this paper is the first evaluated implementation that utilizes identity federation for Grid usage on the middleware level.

Wei Jie,Junaid Arshad,Richard Sinnott,Paul Townend,Zhou Lei

DOI: https://doi.org/10.1145/1883612.1883619

2011-01-01

Abstract:Grid computing facilitates resource sharing typically to support distributed virtual organizations (VO). The multi-institutional nature of a grid environment introduces challenging security issues, especially with regard to authentication and authorization. This article presents a state-of-the-art review of major grid authentication and authorization technologies. In particular we focus upon the Internet2 Shibboleth technologies and their use to support federated authentication and authorization to support interinstitutional sharing of remote grid resources that are subject to access control. We outline the architecture, features, advantages, limitations, projects, and applications of Shibboleth in a grid environment. The evidence suggests that Shibboleth meets many of the demands of the research community in accessing and using grid resources.

Yongkai Cai,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.187

2008-01-01

Abstract:A federated security scheme based on WS-Security standard for cross-domain Grid is proposed. It integrates the WS-Security standard and the Grid security mechanism. A trust model is established based on WS-Trust specification. A communication is established based on WS-SecureConversation specification. The architecture is implemented in a SAML-based federated authentication and authorization cross-domain Grid. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.

Li Ma,Yongmei Zhang

DOI: https://doi.org/10.1109/ICMLC.2009.5212277

2009-01-01

Abstract:Grid is an important information infrastructure, its security has a great significance for services providing and reasonable sharing of resources. Safe and effective mechanism of identity authentication, evaluation methods of the entity are most important for the grid users to legitimately utilize resources, raise the legal user's credit rating and shield illegal users. This paper describes the identity authentication and trust model mechanism under information grid. A grid authentication framework is presented. Analyze the research status of the grid security mechanism, which focuses on the identity authentication and trust mechanism research status in grid environment. The current major identity authentication models aim at the certification authority on the basis of the PKI. designed a grid authentication framework, gives its system structure and concrete realization methods, and describes its working flow. Experiments show the structure is more simple and flexible than traditional authentication frameworks for PKI, and it can improve efficiency and reduce maintenance costs when the system is safe.

Weizhong Qiang,Hai Jin,Xuanhua Shi,Deqing Zou

DOI: https://doi.org/10.3321/j.issn:1671-4512.2005.12.036

2005-01-01

Abstract:The existed grid security mechanism is able not to meet the dynamic, autonomous and scalable requirements of virtual organization. Thus, a model for grid decentralized authorization based on the decentralized trust management mechanism was proposed. The naming relationship and delegation relationship between grid entities were defined in this model. The definition of the naming relationship can express the local naming relationship on the basis of meeting the requirements of the global naming relationship definition. The delegation relationship can implement the autonomous and dynamic authorization delegation, and being characterized by good scalability. On the basis of the model, HowU grid authorization system was realized. The storage of the authorization relationship and its discovery mechanism in grid authorization system were explained.

Lc Huang,Zh Wu

DOI: https://doi.org/10.1007/978-3-540-24680-0_166

2004-01-01

Abstract:Scalable security is a vital important issue for scalable Grid. There are several issues to be solved for scalable Grid security such as mapping from global subjects to local subjects, centralized certificate authority center, large number of users, many heterogenous security policies. In this paper, we present a scalable Grid security infrastructure(SGSI) to solve the above problems. We here describe the models and related protocols for scalable Grid authentication and authorization.