Improving the Security Performance in Computer Grids

Architecture and Results
  • A. Moralis
  • V. Pouli
  • M. Grammatikou
  • S. Papavassiliou
  • V. Maglaris
Conference paper
Part of the Signals and Communication Technology book series (SCT)

Abstract

Security in computational Grids is mainly based on Grid Security Infrastructure (GSI) for authentication and Virtual Organization Membership Service for authorization. Although these mechanisms provide the required level of security, they lack in performance due to their dependence on public key cryptography. In our proposed security architecture we use a Kerberos-based approach (symmetric cryptography) to establish common secrets between grid services (exposed as web services) and clients. The architecture does not nullify GSI and VOMS, but allows a full mapping of GSI-VOMS to Kerberos credentials. The security architecture was designed to meet the specific quality of service (QoS) for nearly real-time control of distributed instruments that belong to different organizations by minimizing the impact of security processing. It is based on GSI and VOMS certificates for the initial login, translates them into Kerberos credentials for authentication and provides message level security implementing the OASIS Kerberos Token Profile. The security performance of our implementation, as shown in our measurements, outperforms the one when X509 Token Profile is used.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    R. Alfieri et al., “VOMS, an authorization system for virtual organizations”, Presented at the 1st European Across Grids Conf., Santiago de Compostela, Spain, Feb. 14, 2003.Google Scholar
  2. [2]
    R. Alfieri, R Cecchini, V. Ciaschini, F. Spataro, L. Dell’Agnello, A. Frohner, K. Lorentey, “From gridmap-file to VOMS: managing authorization in a Grid environment”, Future Generation Computer Systems, Vol. 21, no. 4, pp. 549–558. Apr. 2005.CrossRefGoogle Scholar
  3. [3]
  4. [4]
    Apache WSS4J – http://www.ws.apache.org/wss4j.Google Scholar
  5. [5]
    C. Coarfa, P. Druschel and D.S. Wallach, “Performance analysis of TLS web servers”, 9th Network and Systems Security Symposium, pp. 553–558, 2002.Google Scholar
  6. [6]
    I. Foster, C. Kesselman, S. Tuecke: “The anatomy of the grid: enabling scalable virtual organizations”, International Journal of Supercomputer Applications, Vol. 15, no. 3, pp. 200–222, 2001.CrossRefGoogle Scholar
  7. [7]
    GRIDCC Project web site – www.gridcc.orgGoogle Scholar
  8. [8]
    Heimdal Kerberos Server – http://www.pdc.kth.se/heimdal/.
  9. [9]
    IETF RFC 1510 – The Kerberos Network Authentication Service (V5).Google Scholar
  10. [10]
    IETF RFC 1508 – Generic Security Service Application Program Interface.Google Scholar
  11. [11]
    IETF RFC 2459 – Internet X.509 Public Key Infrastructure Certificate and CRL Profile.Google Scholar
  12. [12]
    IETF RFC 3820 – Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile.Google Scholar
  13. [13]
    IETF RFC 4556 – Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).Google Scholar
  14. [14]
    A. Moralis, A. Lenis, M. Grammatikou, S. Papavassiliou, V. Maglaris, “A distributed Kerberized access architecture for real time grids”, 4th International Workshop on Security in Information Systems WOSIS, 2006.Google Scholar
  15. [15]
    R. Needham, M. Schroeder, “Using encryption for authentication in large networks of computers”, Communications of the ACM, Vol. 21, no. 12, pp. 993–999, Dec. 1978.Google Scholar
  16. [16]
    Oasis WS Security Standards – http://www.oasis-open.org/specs/index.php#wssv1.1
  17. [17]
    Open Grid Forum – http://nfdump.sourceforge.net/.
  18. [18]
    L. Pearlman, V. Welch, I. Foster, K. Kesselman, S. Tuecke, “A community authorization service for group collaboration”, IEEE Workshop on Policies for Distributed Systems and Networks, 2002.Google Scholar
  19. [19]
    The European Policy Management Authority for Grid Authentication in e-Science – http://www.eugridpma.org/
  20. [20]
    W3C Web Services Activity – http://www.w3.org/2002/ws/Google Scholar
  21. [21]
    WS Security Kerberos Token Profile – http://www.oasis-open.org/committees/download. php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdfGoogle Scholar
  22. [22]
    WS-Security X509 Token Profile – http://www.oasis-open.org/committees/download. php/16785/wss-v1.1-spec-os-x509TokenProfile.pdfGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • A. Moralis
    • 1
  • V. Pouli
    • 1
  • M. Grammatikou
    • 1
  • S. Papavassiliou
    • 1
  • V. Maglaris
    • 1
  1. 1.National Technical University of AthensAthensGreece

Personalised recommendations