A Web Services based security architecture for instrumentation grids
Presented by Shaiju Paul (08DI017)
Under the guidance of Mrs. Jaspher Willsie Katherine, Asst. Professor/IT
Contents
• Base Paper
• Project Objective
• Literature Survey
• Proposed Security Architecture
• Conclusion
• References
Base Paper
Title: A Kerberos security architecture for web services based instrumentation grids
Authors: A. Moralis, National Technical University of Athens, Greece; V. Pouli, National Technical University of Athens, Greece; S. Papavassiliou, NTUA Athens, Greece; V. Maglaris, NTUA Athens, Greece
Publisher: ELSEVIER, Future Generation Computer Systems 25 (2009) 804 – 818
Objective
To improve the security performance of Grids while maintaining interoperability with the legacy Grid Security Infrastructure (GSI).
Literature Survey (1/8) Grid Computing
• A Grid Computing system connects distributed, heterogeneous computing resources over high-speed networks and integrates them into a transparent environment
• Used in large-scale distributed high-performance computing
• Provides users with remote computing resources
Literature Survey (2/8) Basic principles of Grid Computing
• Single Sign-on
• Authorization to resources
• Credential delegation
• Communication integrity
• Communication confidentiality
Literature Survey (3/8) GRIDCC Project
• The GRIDCC project integrates remote interaction with instruments, along with distributed control and real-time interaction, into the Grid
• The aim is to increase both the usability and the usefulness of the system
• An Instrument Element (IE) is a set of services that provides the interface and implementation needed for remote control and monitoring of physical instruments
Literature Survey (4/8) Grid Security Infrastructure
• The de-facto authentication mechanism for legacy Grids
• Based on a PKI Certification Authority issuing X.509 certificates
• Supports delegation through short-lived X.509 Proxy certificates
• Secure message exchange via SSL
Literature Survey (5/8) X.509 Proxy Certificates
• Proxy credentials are commonly used in security systems when one entity wishes to grant another entity some subset of its privileges
• Delegation can be performed dynamically without the assistance of a third party
• The delegated privileges can be limited to an arbitrary subset of the delegating entity’s privileges
Literature Survey (6/8) Open Grid Services Architecture
• Based on the concepts and technologies of Grid and Web services
• Defines standard mechanisms for creating, naming and discovering Grid services
• Provides location transparency
• Supports integration with underlying native platform facilities
• Also defines Grid service interfaces in terms of WSDL
Literature Survey (7/8) Web Service Security
• Web services provide open and interoperable standards to manage distributed resources in a reliable and flexible way
• Based on XML-encoded messages exchanged via the SOAP protocol
• WS-Security is an application-level open specification
• Provides confidentiality, integrity and non-repudiation at the message level
Literature Survey (8/8) Kerberos Protocol
• Used for authenticating users and services on a network
• A trusted third-party service
• Based on symmetric key cryptography
• The WS-Security Kerberos Token Profile specifies how to sign and encrypt a SOAP message using a Kerberos ticket
Proposed Security Architecture (1/6)
• A web services based security architecture
• Improves security performance
• Interoperable with the legacy GSI
• Follows OGSA guidelines
• Provides enhanced near real-time services in Grid applications
• Uses symmetric cryptography
Proposed Security Architecture (2/6)
• Uses the Kerberos authentication system to authenticate users and support single sign-on
• Users authenticate to the Kerberos system using their X.509 certificates
• After authentication they receive a ticket from the Kerberos system
• They can access various resources for the whole ticket lifetime without re-authenticating
Proposed Security Architecture (4/6) Main Components
• Authentication System: provides the Kerberos authentication and key management
• KrbClient: hides the security complexity and manages the user’s credentials
• Access Control Manager: protects a Web Service by authenticating and authorizing incoming requests
• Policy Repository: stores all the local access rules
Proposed Security Architecture (5/6) Basic Steps
• The KrbClient authenticates the user to the Kerberos Authentication service using the user’s X.509 certificate
• The Authentication service returns to the user a special ticket called the Ticket Granting Ticket
• The KrbClient requests a ticket for the IE from the Ticket Granting Service
• Optionally, the KrbClient can query the Policy Repository to discover which IEs or other web services the user is authorized to invoke
Proposed Security Architecture (6/6) Steps Contd.
• The KrbClient can delegate the client’s certificate to the delegation service
• The delegated credentials can be used by the IE to access other Grid resources on behalf of the client
• The KrbClient communicates with a Web Service securely via WSS, sending a SOAP message carrying the acquired ticket to the Web Service or IE
• When the local rules change, the new rules are pushed to the Policy Repository, from which each IE pulls its access rules
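The ticket flow from the two "Basic Steps" slides, together with the Kerberos and WS-Security points from the literature survey, as a runnable simulation. This is an added example written for this page, not code from the GRIDCC project, Globus or the Moralis et al. paper. It models the AS and TGS exchanges, a KrbClient that attaches a service ticket and an authenticator to a SOAP-style request, and an Access Control Manager that validates the ticket, rejects replayed authenticators, verifies the body signature and checks the requested operation against a Policy Repository. Assumptions of this example: the X.509-based login (PKINIT in Kerberos) is stood in for by a timestamp pre-authenticator under a pre-shared key; the cipher is a toy SHA-256 counter keystream with HMAC-SHA256 instead of the Kerberos encryption types; messages are JSON dicts rather than SOAP/XML; and all names ("alice", "ie/telescope", "read_status", "move_mount") are constructed.

```python
# Added example (not the paper's code): Kerberos-style ticket flow for a web-service IE.
import hashlib
import hmac
import json
import secrets
import time

LIFETIME = 3600  # ticket lifetime in seconds (constructed value)

def _keystream(key, nonce, n):
    # Toy keystream: SHA-256 over key || nonce || counter (assumption, not AES).
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag first, then decrypt; any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one."""
    def __init__(self):
        self.keys = {}  # principal -> long-term key shared with the KDC
        self.tgs_key = secrets.token_bytes(32)
    def register(self, principal):
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]
    def as_exchange(self, principal, preauth):
        # Real PKINIT proves possession of the X.509 key; a sealed timestamp stands in (assumption).
        if abs(time.time() - unseal(self.keys[principal], preauth)["ts"]) > 300:
            raise ValueError("stale pre-authentication")
        sk, exp = secrets.token_bytes(32), time.time() + LIFETIME
        tgt = seal(self.tgs_key, {"client": principal, "key": sk.hex(), "exp": exp})
        return tgt, seal(self.keys[principal], {"key": sk.hex(), "exp": exp})  # TGT + session key
    def tgs_exchange(self, tgt, authenticator, service):
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["key"])
        if t["exp"] < time.time() or unseal(sk, authenticator)["client"] != t["client"]:
            raise ValueError("expired TGT or authenticator mismatch")
        svc_sk, exp = secrets.token_bytes(32), time.time() + LIFETIME
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_sk.hex(), "exp": exp})
        return ticket, seal(sk, {"key": svc_sk.hex(), "exp": exp})  # service ticket + its key

class KrbClient:
    """Hides the Kerberos handshakes from the user and holds the credentials."""
    def __init__(self, principal, key, kdc):
        self.principal, self.key, self.kdc = principal, key, kdc
    def login(self):
        tgt, enc = self.kdc.as_exchange(self.principal, seal(self.key, {"ts": time.time()}))
        self.tgt, self.tgs_sk = tgt, bytes.fromhex(unseal(self.key, enc)["key"])
    def soap_request(self, service, operation):
        auth = seal(self.tgs_sk, {"client": self.principal, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        svc_sk = bytes.fromhex(unseal(self.tgs_sk, enc)["key"])
        body = json.dumps({"op": operation}, sort_keys=True)
        # Stand-in for the WS-Security header: ticket + authenticator + body signature.
        return {"ticket": ticket, "body": body,
                "auth": seal(svc_sk, {"client": self.principal, "ts": time.time()}),
                "sig": hmac.new(svc_sk, body.encode(), hashlib.sha256).hexdigest()}

class AccessControlManager:
    """In front of the IE: authenticate the ticket, then authorize the operation."""
    def __init__(self, service_key, policy):
        self.key, self.policy = service_key, policy  # policy repository: principal -> allowed ops
        self.seen = set()  # replay cache of accepted authenticators
    def authorize(self, msg):
        t = unseal(self.key, msg["ticket"])
        sk = bytes.fromhex(t["key"])
        if t["exp"] < time.time() or unseal(sk, msg["auth"])["client"] != t["client"]:
            raise PermissionError("expired ticket or client mismatch")
        if msg["auth"] in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add(msg["auth"])
        if not hmac.compare_digest(hmac.new(sk, msg["body"].encode(), hashlib.sha256).hexdigest(), msg["sig"]):
            raise PermissionError("body signature mismatch")
        op = json.loads(msg["body"])["op"]
        if op not in self.policy.get(t["client"], ()):
            raise PermissionError(f"{t['client']} is not authorized to call {op}")
        return t["client"]

def demo():
    # Constructed scenario: alice may read the telescope's status but not move it.
    kdc = KDC()
    alice_key, ie_key = kdc.register("alice"), kdc.register("ie/telescope")
    acm = AccessControlManager(ie_key, {"alice": {"read_status"}})
    client = KrbClient("alice", alice_key, kdc)
    client.login()
    allowed = acm.authorize(client.soap_request("ie/telescope", "read_status"))
    try:
        acm.authorize(client.soap_request("ie/telescope", "move_mount"))
        denied = False
    except PermissionError:
        denied = True
    return allowed, denied
```

The service key never leaves the KDC and the IE, so the Access Control Manager can authenticate a request without contacting the KDC, which is where the performance gain over per-request public-key operations comes from; the replay cache and the lifetime check are the two controls that make a bearer-style ticket safe to reuse for the whole ticket duration.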
Implementation Tools
• Grid Security Services Simulator (G3S)
• Globus Toolkit
Conclusion
A client-server model for a Grid security architecture has been introduced and designed. It follows OGSA guidelines and provides enhanced near real-time services in Grid applications by adopting symmetric cryptography during actual operation.