Security in Grid Computing
Azizol Abdullah, Department of Communication Technology and Network
Grid Example
[Figure: Company A, Company B and Company Z each expose a number of Grid Services; together the companies form a Grid Virtual Organisation.]
Security Issues
- Each company could be regarded as a domain
- Each domain will have its own security policy
- The primary goal of a Grid environment is to encourage domain-to-domain interactions that share resources
Security Issues: How to share the resources?
To encourage the controlled sharing of resources:
- The security overhead should be minimized so that sharing is appealing
- The security mechanism applied should be scalable
- Domains should not lose control over their own resources
Security Issues: What is Trust?
- Trust models human social behavior
- When I use a credit card to pay a bill, the bank trusts me to pay back the money later
- When I use an e-banking service to perform a transaction, I trust the bank to perform the transaction for me
Definition of Trust
Trust is the firm belief in the competence of an entity to behave as expected such that this firm belief is a dynamic value associated with the entity and is subject to the entity’s behavior and applies only within a specific context at a given time
Trust
- A trust value is a continuous and dynamic value in the range [0,1]: 1 means very trustworthy, 0 means very untrustworthy
- It is built on past experience
- It is context based (under different contexts the same entity may have different trust values)
Reputation
- When making trust-based decisions, entities can rely on others for information regarding a specific entity
- The information regarding a specific entity x is defined as the reputation of entity x
Definition of Reputation
The reputation of an entity is an expectation of its behavior based on other entities’ observations or information about the entity’s past behavior within a specific context at a given time.
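A small model of the definitions above (trust value in [0,1], dynamic, built from past experience, kept per context, and reputation assembled from other entities' reports), added here as an example that is not part of the original slides; the moving-average update, the neutral starting value of 0.5 and the "recommendation" context used to weight reporters are assumptions of the example:

```python
from dataclasses import dataclass, field

@dataclass
class TrustStore:
    """Trust one entity holds about others, keyed by (subject, context).

    The update rule below (exponential moving average of outcomes) is an
    assumption of this example; the slides only fix the range and properties."""
    neutral: float = 0.5   # value assumed for an unknown subject or context
    alpha: float = 0.3     # weight of the newest observation (makes the value dynamic)
    values: dict = field(default_factory=dict)

    def value(self, subject: str, context: str) -> float:
        """Current trust value in [0,1]; 1 = very trustworthy, 0 = very untrustworthy."""
        return self.values.get((subject, context), self.neutral)

    def observe(self, subject: str, context: str, success: bool) -> float:
        """Fold one past experience into the value for that context only."""
        old = self.value(subject, context)
        new = (1 - self.alpha) * old + self.alpha * (1.0 if success else 0.0)
        self.values[(subject, context)] = new
        return new

    def reputation(self, reports: dict) -> float:
        """Reputation of a subject from other entities' trust values for it
        (reporter -> reported value), each weighted by how much we trust that
        reporter in the 'recommendation' context."""
        num = den = 0.0
        for reporter, reported in reports.items():
            weight = self.value(reporter, "recommendation")
            num += weight * reported
            den += weight
        return num / den if den else self.neutral

    def decide(self, subject: str, context: str, reports: dict, threshold: float = 0.7) -> bool:
        """Trust-based decision: prefer own experience in this context,
        otherwise fall back to the subject's reputation."""
        if (subject, context) in self.values:
            return self.value(subject, context) >= threshold
        return self.reputation(reports) >= threshold
```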
Security Issues
Traditional systems:
- Protect a system from its users
- Protect the data of one user from compromise
Grid systems:
- Protect applications and data from the system where the computation executes
- Stronger authentication needed (for users and code)
- Protect local execution from remote systems
- Different administrative domains and security policies
Authentication
- Process of verifying the identity of a participant to an operation or request
- Principal: the entity whose identity is verified; a local user OR a user logged into a remote system
- Traditional systems: authenticate the client to protect the server
- Grid systems: mutual authentication required, to ensure that resources and data are not provided by an attacker
Authentication Methods: Password-based Authentication
- Sending unencrypted passwords is only suitable when messages can't be read by untrusted processes while on the network
- Instead, prove knowledge of a password:
  - Don't send the password over the network
  - Use the password as an encryption key
  - Encrypt a known but non-repeating value
  - Send the encrypted value to the party verifying authentication
- Both parties must know the password or trust a third party to distribute it
Authentication Systems: Kerberos
- Authentication and key distribution protocol
- Used with symmetric encryption systems (both sides must share the same key)
- Better performance than systems using public key or asymmetric cryptography
- Well suited to frequent authentication
- Centrally administered
- Requires a trusted, on-line certification authority: the Key Distribution Center (KDC)
Using Kerberos to authenticate a client and a server
1. Each client and server registers its key in advance with the Kerberos authentication server
2. Client wants to communicate with a service provider: sends the client and service provider names to the Kerberos authentication server
3. Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server
4. Kerberos server sends the session key to the client, as well as a ticket that contains the client's name and the session key, all encrypted with the server's key
Kerberos Authentication (cont.)
5. Client caches the encrypted session key and ticket, which are valid for some period; this reduces the number of authentication requests to the server
6. Client forwards the ticket to the service provider AND sends the server a timestamp encrypted using the session key
7. Server decrypts the ticket and extracts the session key
8. Server uses the session key to decrypt the timestamp and checks that the timestamp is recent
9. If the client needs to authenticate the server, the server encrypts the timestamp with the session key and sends it back to the client
Authentication Systems: Secure Sockets Layer (SSL)
- Widely deployed: every web browser!
- Client authenticates the identity of the server
- A session key is sent from client to server to set up encrypted communication
- Server has a certificate that contains its public key
- If the client has a certificate, it can authenticate itself to the server
Using SSL to authenticate a server
1. Client web browser with SSL contacts a web server with SSL
2. Server sends its public-key certificate to the client
3. Client uses the public key of a trusted Certificate Authority (CA) to verify that the server's certificate is valid
4. Client verifies that the hostname embedded in the certificate is the hostname of the intended server
5. Client extracts the server's public key from the certificate
6. Client uses the server's public key to encrypt a session key for a symmetric cryptosystem
7. Client sends the encrypted session key to the server
8. Server uses its private key to decrypt the session key
9. Client and server communicate using the symmetric cryptosystem with the session key
Certificates and Certification Authorities (CA)
- A certification mechanism provides a binding between an encryption key and an authenticated identity
- A certification authority (CA) is a third party that certifies or validates the binding
- The CA issues a certificate and signs it
- A certificate is a data object that contains:
  - Distinguished name of a principal
  - In asymmetric cryptographic systems: the public key of the principal
  - Optional attributes: authorizations, group memberships, email addresses, alternate names
Certification (cont.)
- X.509 certificates: the most widely used format
  - Web browsers
  - Secure email services
  - Public-key-based electronic payment systems
- Validating the binding:
  - The verifier must know the CA's public key
  - It uses the CA's public key to validate the CA's signature
- Hierarchy of CAs: each CA is certified by a higher-level CA, except for the root CA(s)
- Applications and servers must know the public key of the trusted root CAs
Data Origin Authentication
- Provides assurance that a particular message, data item or executable originated with a particular principal
- Determines whether a program was modified or sent by an attacker
Delegation of Identity
- Process that grants one principal the authority to act as another individual
- Assume another's identity to perform certain functions
- E.g., in Globus: use the gridmap file on a particular resource to map an authenticated user onto another's account, with the corresponding privileges
Authorization
- Process that determines whether a particular operation is allowed
- Traditionally: based on the authenticated identity of the requester and local information: Access Control Lists (ACLs)
- Grids: determine whether access to a resource is allowed
  - Might have access control lists associated with resources, principals or authorized programs
  - User-provided code must also be authenticated
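The gridmap-based identity mapping from the previous slide followed by a resource ACL check, added here as an example that is not part of the original slides or of Globus itself; the mapfile text, the ACL and the `authorize` function are constructed assumptions (the line layout follows the classic grid-mapfile: a quoted distinguished name followed by the local account names it may use):

```python
import shlex

# Constructed sample grid-mapfile: quoted DN, then comma-separated local accounts.
GRIDMAP = '''
# constructed sample, not a real site's mapfile
"/C=MY/O=Grid/OU=CompanyA/CN=Alice Researcher" alice
"/C=MY/O=Grid/OU=CompanyB/CN=Bob Analyst" bob,shared
'''

def parse_gridmap(text: str) -> dict:
    """Map each authenticated DN to the local accounts it may be delegated to."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, *rest = shlex.split(line)          # shlex keeps the quoted DN together
        if len(rest) != 1:
            raise ValueError(f"malformed gridmap line: {line!r}")
        mapping[dn] = rest[0].split(",")
    return mapping

# Constructed resource ACL: resource -> local account -> permitted operations.
ACL = {"/data/results": {"alice": {"read", "write"}, "shared": {"read"}}}

def authorize(gridmap: dict, acl: dict, dn: str, resource: str, op: str, account: str = None) -> str:
    """Authenticated DN -> local account (first mapping unless one is requested),
    then the resource's ACL decides whether the operation is allowed."""
    accounts = gridmap.get(dn)
    if not accounts:
        raise PermissionError("unknown principal: no gridmap entry")
    account = account or accounts[0]
    if account not in accounts:                # deny escalation to an unmapped account
        raise PermissionError(f"{dn} may not act as {account}")
    if op not in acl.get(resource, {}).get(account, set()):
        raise PermissionError(f"{account} may not {op} {resource}")
    return account
```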
Distributed Authorization
- E.g., Distributed Computing Environment
- Systems still being developed
- Distributed maintenance of authorization information:
  - Group membership
  - Access control lists
- Need to verify the authenticity of authorization (and assurance) information
- One approach: embed these attributes in certificates signed by a trusted third party ("privilege attribute certificates")
Distributed Authorization (cont.)
- Restricted proxy: an authorization certificate that grants authority to perform an operation on behalf of the grantor
  - Restricted to access to particular objects
  - Only when the specified restrictions are satisfied
- Alternative: a separate authorization server; the party providing a service checks with the server whether a named principal is authorized
Delegation of Authority
- A user or process that is authorized to perform an operation can grant the authority to perform the operation to another process
- More restricted than identity delegation
- In Grids:
  - Used for tasks that run remotely on the grid and must read or write data stored across the network
  - E.g., a resource manager allocates a node to a job and delegates to the job's initiator the authority to use that node
Integrity and Confidentiality
- Protect data during transmission on the network: anyone connected to an open network may observe, insert or possibly remove messages
- Cryptography
  - Encryption: scrambles data in a way that varies based on a secret encryption key
  - Decryption: unscrambles data using the corresponding decryption key
  - Ciphertext: scrambled data
  - Plaintext: original or unscrambled data
- Encrypted messages provide integrity and confidentiality
  - Protect data: data is encrypted before transmission and decrypted afterward
  - Checksums protect data integrity: attach a checksum to the data before encryption; after decryption, the receiver verifies the checksum, which detects modifications of the data by someone who doesn't know the encryption key
Symmetric Cryptosystems
- Examples: DES (Data Encryption Standard), triple-DES, IDEA, Blowfish, RC4, RC5
- Uses the same key for encryption and decryption
- Both parties must share the same key
- With static keys:
  - The user needs a different key for every other user or service provider
  - The service provider maintains a key for every user
- Or, use a mutually-trusted intermediary to generate and distribute a session key to both parties, e.g., the Kerberos Key Distribution Center
Symmetric Encryption Key Distribution Using Kerberos
1. Each client and server registers its key with the Kerberos authentication server in advance
2. Client wants to communicate with a service provider: sends the client and service provider names to the Kerberos authentication server
3. Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server
4. Kerberos server sends the session key to the client, as well as a ticket that contains the client's name and the session key, all encrypted with the server's key
Key Distribution Using Kerberos (cont.)
5. Client caches the encrypted session key and ticket, which are valid for some period; this reduces the number of authentication requests to the server
6. Client forwards the ticket to the service provider AND sends the server a timestamp encrypted using the session key
7. Server decrypts the ticket and extracts the session key
8. Server uses the session key to decrypt the timestamp and checks that it is recent
9. If the client needs to authenticate the server, the server encrypts the timestamp with the session key and sends it to the client
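The nine Kerberos steps above (the same steps as on the earlier Kerberos Authentication slides) as a runnable exchange with both the KDC, client and server sides, added here as an example that is not part of the original slides; the toy encrypt-then-MAC `seal`/`open_` pair standing in for the symmetric cipher, the 32-byte keys, the `\0`-separated ticket layout and the 300-second clock skew are assumptions of the example:

```python
import hashlib, hmac, secrets, struct

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Expand key||nonce||counter through SHA-256 into n bytes of keystream."""
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC, standing in for the symmetric cipher Kerberos uses.
    Output: nonce(16) || ciphertext || HMAC-SHA256 tag(32). Illustrative only."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a tampered blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Step 1: long-term keys registered in advance, indexed by principal name."""
    def __init__(self, keys: dict):
        self.keys = keys

    def issue(self, client: str, server: str):
        """Steps 2-4: fresh random session key, returned under the client's key,
        plus a ticket {client, Ksess} that only the server's key can open."""
        sess = secrets.token_bytes(32)
        ticket = seal(self.keys[server], client.encode() + b"\0" + sess)
        return seal(self.keys[client], sess), ticket

def client_authenticator(client_key: bytes, enc_sess: bytes, now: float):
    """Steps 5-6: recover Ksess, then build the authenticator {timestamp}Ksess
    that travels to the server together with the (cached) ticket."""
    sess = open_(client_key, enc_sess)
    return sess, seal(sess, struct.pack(">d", now))

def server_verify(server_key: bytes, ticket: bytes, auth: bytes, now: float, skew: float = 300.0):
    """Steps 7-9: open the ticket, decrypt the timestamp with Ksess, reject stale
    ones (replay defence) and echo the timestamp under Ksess for mutual auth."""
    client, sess = open_(server_key, ticket).split(b"\0", 1)
    ts = struct.unpack(">d", open_(sess, auth))[0]
    if abs(now - ts) > skew:
        raise ValueError("stale authenticator")
    return client.decode(), seal(sess, struct.pack(">d", ts))
```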
Asymmetric Cryptography
- Also called public-key cryptography (the basis of PKI)
- E.g., RSA or DSA (Digital Signature Algorithm)
- Uses a pair of keys for encryption and decryption; knowledge of one key does not reveal the other
- Public key: published and available to anyone
- Private key: secret, known to only one party
- Advantage: the public key can be disseminated freely
- Disadvantage: significantly worse performance than symmetric encryption
- Because of the performance cost, rarely used in isolation; used in combination with symmetric encryption
Using Asymmetric Encryption to Exchange a Symmetric Key
1. Sender generates a symmetric session key and an associated checksum
2. Sender encrypts key and checksum using recipient’s public key and sends them to recipient
3. Recipient decrypts key and checksum using its private key
4. Recipient verifies checksum is correct and extracts session key
5. Communication proceeds using symmetric encryption with the session key
Using Asymmetric Encryption to Exchange a Symmetric Key (cont.)
- Pay the asymmetric performance penalty at startup, but not on every block transferred
- Relies on each party knowing the public keys, or on a trusted third party (CA) to verify the public keys
- Otherwise, an attacker could replace a public key with a different public key whose private key is known to the attacker
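The SSL server-authentication checks (steps 3-5: CA signature under a trusted root key, hostname match, extract the server's public key) followed by the session-key exchange above (key plus checksum under the server's public key, checksum verified after decryption), worked end-to-end so that the key-substitution caveat can be exercised; added here as an example that is not part of the original slides. The textbook RSA on fixed Mersenne primes, the `Cert` layout and the 4-byte checksum are assumptions of the example:

```python
import hashlib, secrets
from typing import NamedTuple

def keypair(p: int, q: int):
    """Textbook RSA pair ((n, e), (n, d)); no padding, illustrative only."""
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# Constructed key material from Mersenne primes 2^k - 1, far too small for real use.
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**61 - 1)
SERVER_PUB, SERVER_PRIV = keypair(2**127 - 1, 2**107 - 1)

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha224(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest(data)

class Cert(NamedTuple):
    subject: str   # hostname the CA vouches for
    pub: tuple     # the principal's public key, bound to the subject
    sig: int       # CA signature over (subject, pub)

def issue(ca_priv, subject: str, pub) -> Cert:
    return Cert(subject, pub, sign(ca_priv, f"{subject}|{pub}".encode()))

def validate(cert: Cert, ca_pub, intended_host: str) -> tuple:
    """SSL steps 3-5: CA signature under the trusted root key, hostname match,
    then extract the server's public key. Both checks are needed: a valid
    certificate for the wrong host, or a swapped key, is rejected."""
    if not verify(ca_pub, f"{cert.subject}|{cert.pub}".encode(), cert.sig):
        raise ValueError("certificate not signed by a trusted CA")
    if cert.subject != intended_host:
        raise ValueError(f"certificate is for {cert.subject}, not {intended_host}")
    return cert.pub

def wrap_session_key(server_pub) -> tuple:
    """Key-exchange steps 1-2: 16-byte session key plus a 4-byte checksum,
    encrypted with the recipient's public key."""
    key = secrets.token_bytes(16)
    payload = key + hashlib.sha256(key).digest()[:4]
    return key, pow(int.from_bytes(payload, "big"), server_pub[1], server_pub[0])

def unwrap_session_key(server_priv, blob: int) -> bytes:
    """Key-exchange steps 3-4: decrypt with the private key, verify the checksum."""
    m = pow(blob, server_priv[1], server_priv[0])
    payload = m.to_bytes(20, "big") if m.bit_length() <= 160 else b""
    if payload[16:] != hashlib.sha256(payload[:16]).digest()[:4]:
        raise ValueError("checksum mismatch: wrong key or corrupted exchange")
    return payload[:16]
```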
Encryption with PGP (Pretty Good Privacy)
- Provides integrity, authentication and confidentiality for email and data files
- Sender:
  - Computes a message digest (similar to a checksum)
  - Encrypts the original message using symmetric cryptography with a message key
  - Encrypts the message digest with asymmetric cryptography using the private key of the sender; this provides a digital signature (integrity)
  - Encrypts the message key with asymmetric cryptography using the recipient's public key
PGP (Pretty Good Privacy) (cont.)
- Recipient:
  - Decrypts the message digest using the public key of the sender
  - Decrypts the message key using its own private key
  - Uses the message key to decrypt the original message
  - Verifies the correctness of the message using the digest
Digital Signatures
- Does not require encryption of the original message
- Message digest:
  - Computationally infeasible for another message to produce the same digest
  - Encrypted (with the signer's private key) and attached to the message
  - Can detect if the message was altered during transmission
  - Provides a digital signature
Summary
- Security Issues: Trust and Reputation
- Authentication: Password-based, Kerberos authentication, SSL authentication, Certification authorities
- Authorization
- Integrity and Confidentiality: Symmetric and asymmetric cryptography, PGP (Pretty Good Privacy), SSL