
International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 1, Issue 4, April 2014. ISSN 2348 - 4853

76 | © 2014, IJAFRC All Rights Reserved www.ijafrc.org

Review of Grid Computing Security and Present a New Authentication Method for Improving Security

A. Kazemi

Department of Computer Engineering, Islamic Azad University of central Tehran branch, Iran

[email protected]

ABSTRACT

The goal of grid networks is to integrate all the hardware and software capabilities of different sets of computers into one comprehensive system in order to compute and process data. Data plays a key role in grid computing. Supporting distributed resources and preventing any unauthorized access to data require a secure access control system for the grid network. Security is an important issue in grid computing and has been regarded as a challenge for it. This paper reviews grid computing security mechanisms according to Bendahmane, Essaaidi, Moussaoui and Younes [1] and presents a new authentication method that uses an OTP security mechanism within a workflow, giving a mechanism for controlling allowed access to grid networks that increases security, covers all security services such as confidentiality, collectivity, identification and non-repudiation, and prevents security threats.

Index Terms: Authentication, Certificates, Grid Computing, GSI, Intrusion Detection, One-time Password (OTP), Sandboxing, Security, Virtualization

I. INTRODUCTION

With the development of application requirements for high-performance computing, it has become impossible to solve very large-scale problems using a single high-performance computer or a single computer cluster. Therefore it is necessary to connect distributed, heterogeneous high-performance computers, computer clusters, large-scale database servers and large-scale file servers with a high-speed interconnection network and integrate them into a transparent virtual high-performance computing environment. This environment is named a Grid Computing System [2][3][4]. Grid computing is emerging as a viable option for high-performance computing, as the sharing of resources provides improved performance at a lower cost than if each organization were to own its own “closed-box” resources [5]. Grid computing is defined in the literature as “systems and applications that integrate and manage resources and services distributed across multiple control domains” [6]. A grid may be defined as a collection of computing resources distributed over a local or wide area network and available to an end user as a single large computing system. Originally, the grid focused on the areas of computing power, data access, and storage resources. It was intended for large-scale and distributed scientific computing that requires efficient and dynamically determined access to large amounts of data and computational resources distributed across several independently administered networks. However, the use of grid computing has lately been expanding to include deployment of grid technologies within the context of business, which significantly widens the range of applicability of grid technologies. Security has been a central issue in grid computing from the outset, and has been regarded as the most significant challenge for grid computing. As a result, novel security technologies have been evolving all the time within the grid computing research community [1]. This paper consists of two main sections:

A) Review grid-computing security


B) New authentication method proposed.

In this paper we review grid computing security mechanisms according to Bendahmane, Essaaidi, Moussaoui and Younes [1] and present a new authentication method that uses an OTP security mechanism within a workflow, giving a mechanism for controlling allowed access to grid networks in order to increase security.

A) Review Grid Computing Security

This section follows Bendahmane, Essaaidi, Moussaoui and Younes [1], who present a classification of the different mechanisms and solutions pertaining to the different components of grid computing security. As shown in Fig. 1, the proposed classification subdivides grid computing security into five main categories: Resources Level, Service Level, Authentication & Authorization Level, Information Level, and Management Level solutions.

Figure 1. Classification of grid computing security

II. RESOURCES LEVEL SOLUTIONS

Resources Level Solutions focus on protecting the grid resources, which include the grid nodes (hosts) and the communication network. Several isolation techniques, such as sandboxing and virtualization, are discussed for protecting grid nodes. Network security for the grid resources is also of paramount importance; in this area, the combination of VPNs and grid services (the Hose service model) and Adaptive Grid Firewalls (AGF) are addressed in this section. Another way to secure grid resources is through an intrusion detection system (IDS) solution.

A. Host Security

1. Sandboxing

Host security can be achieved by isolating the portion of the resource dedicated to the grid from the portion of the resource that the owner wishes to keep private [7]. The Entropia system (the Entropia Virtual Machine, EVM) uses a technique known as sandboxing to protect resources on the grid [8]. EVM has been specifically designed to cater to the desktop grid environment, where there are a large number of desktop clients on which the grid jobs run, in addition to the Entropia server. EVM consists of two components: the desktop controller and the sandbox execution layer. The desktop controller is responsible for launching the processes that run the subjob and for monitoring the running of the subjob on the host desktop. The sandbox execution layer, on the other hand, provides desktop security through sandboxing and the mechanisms to interface with the desktop controller. Based on the evaluations in [9], the authors discuss the performance implications of such a technique and conclude that the system has an overhead of around 6%. Comparing VM-based sandboxing systems with others, we find that the flexibility of these systems is greatly reduced because they are closely aligned to specific applications or operating systems.

2. Virtualization

Another way to provide isolation is through virtualization, where the illusion of a single machine is provided through the creation of virtual machines. To provide virtualization, a software layer is needed that presents the illusion of a real machine to multiple instances of virtual machines. This layer has traditionally been called the Virtual Machine Monitor (VMM). There are also the concepts of the host operating system and the guest operating system: the former is the OS that hosts the VMM, and the latter is the OS hosted on top of the VMM. There are three popular virtualization technologies: hosted virtualization, para-virtualization, and shared-kernel-based virtualization.

a. The Hosted Virtualization model is one where the VMM and the guest OS run in the user space of the host OS. The applications running on the host OS and the guest OS share the same user space. Generally, this model does not require any modification to the host OS. However, since there are multiple redirections, the performance of such a model suffers significantly. VMware GSX Server [10] is an example of a hosted virtualization system.

b. The Para-Virtualization model is one where the operating systems are modified and recompiled so that the multiple redirections of the hosted model can be avoided. The performance of para-virtualization-based systems is comparatively better than that of hosted virtualization systems. Xen [11] and Virtuozzo [12] are examples of para-virtualization systems.

c. The Shared Kernel systems are those where the kernel is shared and the user space is partitioned to be used by different sets of applications. An example of a shared-kernel-based virtualization system is the Linux VServer [13]. Virtualization solutions provide efficient isolation. However, some of them, like the hosted virtualization model, come with a performance overhead which may be significant for some applications. Among the para-virtualization solutions, Xen provides very good performance. However, most of these solutions are available for open operating systems like Linux and are currently not available for closed systems like Windows. Advances in processor-level support for virtualization augur well for para-virtualization systems. There is another point of concern before virtualization systems become the default solution for isolation needs: policy management mechanisms need to be developed on top of the virtualization systems. Research is currently being carried out in this regard [10].

B. Network Security

Firewalls or VPNs between the user’s host and the server host, or between different server hosts, present a serious challenge to grid security measures. Several research efforts have been undertaken in network security, such as combining VPNs and grid services (the Hose service model) [14] and Adaptive Grid Firewalls (AGF) [15].

1. The Hose service model [16] is an effort to provide flexible resource management in a VPN environment. Proposed by researchers from AT&T Research, the Hose service model is characterized by aggregate traffic from one set of end-points to another in a VPN. The hose service model is a flexible alternative to the customer-pipe service model, where a customer buys a set of fixed allocations (customer pipes) from the service provider. In the hose model, the customers specify the incoming and outgoing traffic aggregated over the different sites in the VPN system. The advantages of the Hose model are:

a. Flexibility

The Hose model allows the flexibility of clubbing together traffic with similar QoS requirements. Overall, it provides more flexibility in terms of resource allocation and utilization.

b. On demand resource

This type of model fits nicely with the grid vision, as resources can be adjusted on demand. In spite of the flexibility provided by this model, one of its main disadvantages is the lack of QoS guarantees that it can provide. Since the resources can be shared, absolute guarantees are hard to provide, which has become a bottleneck for such a system to be widely accepted.

The Adaptive Firewall for the Grid (AGF) [17] is a project carried out at the Technical University of Denmark (DTU). The main motivation behind the work is the observation that, to meet grid firewall requirements, administrators need to open several well-known ports and a range of ephemeral ports for incoming connections. This can be dangerous, as adversaries may be able to sneak into the system through the open ports. The AGF system develops a mechanism so that the firewall can adaptively open and close ports based on service requests: the firewall opens the ports when it receives authenticated requests, and closes them again when there is no service activity on those ports.
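As an added illustration (not code from the AGF project), the following Python model captures the behaviour just described: a port is opened only on an authenticated, fresh service request and is closed again once it has seen no activity. The HMAC-based request authenticator, the nonce and timestamp checks, the idle timeout and the port numbers are assumptions made for this example; the text does not say how AGF authenticates its requests.

```python
import hmac
import hashlib
from typing import Dict, List, Set

# Assumed design (not the DTU AGF project's code): a minimal model of an
# adaptive grid firewall. A port is opened only for a fresh, unseen and
# authenticated request and is closed again when it has been idle too long.
# The authenticator is an HMAC over (port, timestamp, nonce) under a key shared
# between the grid middleware and the firewall; this is an assumption.


def sign_request(key: bytes, port: int, ts: float, nonce: str) -> str:
    """Client side: authenticator for a request to open `port` at time `ts`."""
    msg = f"{port}|{ts:.0f}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AdaptiveGridFirewall:
    def __init__(self, key: bytes, idle_timeout: float = 300.0, max_skew: float = 30.0):
        self._key = key
        self._idle_timeout = idle_timeout          # seconds without traffic before closing
        self._max_skew = max_skew                  # tolerated request age in seconds
        self._open_ports: Dict[int, float] = {}    # port -> time of last activity
        self._seen_nonces: Set[str] = set()        # rejects replayed requests

    def request_open(self, port: int, ts: float, nonce: str, mac: str, now: float) -> bool:
        """Open `port` only if the request is fresh, unseen and authenticated."""
        if abs(now - ts) > self._max_skew:
            return False                           # stale (or future-dated) request
        if nonce in self._seen_nonces:
            return False                           # same request presented twice
        if not hmac.compare_digest(sign_request(self._key, port, ts, nonce), mac):
            return False                           # authenticator does not verify
        self._seen_nonces.add(nonce)
        self._open_ports[port] = now
        return True

    def record_activity(self, port: int, now: float) -> None:
        """Note traffic on an open port so its idle timer restarts."""
        if port in self._open_ports:
            self._open_ports[port] = now

    def sweep(self, now: float) -> List[int]:
        """Close every port idle longer than the timeout; return the ports closed."""
        closed = [p for p, last in self._open_ports.items()
                  if now - last > self._idle_timeout]
        for p in closed:
            del self._open_ports[p]
        return sorted(closed)

    def is_open(self, port: int) -> bool:
        return port in self._open_ports


def demo() -> dict:
    """Constructed walkthrough; key, ports, nonces and times are sample values."""
    key = b"constructed-shared-key"               # placeholder, not a deployment key
    fw = AdaptiveGridFirewall(key, idle_timeout=300.0)
    t0 = 1_000_000.0
    good = sign_request(key, 2811, t0, "nonce-1")
    opened = fw.request_open(2811, t0, "nonce-1", good, now=t0)          # True
    replayed = fw.request_open(2811, t0, "nonce-1", good, now=t0 + 5)    # False: nonce reused
    forged = fw.request_open(2119, t0, "nonce-2", "00" * 32, now=t0)     # False: bad MAC
    stale = fw.request_open(2119, t0, "nonce-3",
                            sign_request(key, 2119, t0, "nonce-3"),
                            now=t0 + 600)                                # False: too old
    fw.record_activity(2811, t0 + 100)
    closed_early = fw.sweep(t0 + 200)             # []: last activity only 100 s ago
    closed_late = fw.sweep(t0 + 500)              # [2811]: idle for 400 s
    return {"opened": opened, "replayed": replayed, "forged": forged, "stale": stale,
            "closed_early": closed_early, "closed_late": closed_late,
            "still_open": fw.is_open(2811)}


if __name__ == "__main__":
    print(demo())
```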

c. Intrusion detection systems in grid computing

IDS systems [18][19] basically consist of a set of detectors that detect attacks based on a set of policies and information. In principle, an IDS works similarly to the alarm systems installed in many buildings and apartments for protection against burglars. In [20], the authors categorize IDS systems into two main categories: anomaly detection systems and signature detection systems. In the former type, an intrusion is detected based on abnormalities of system behavior: the detector forms an opinion based on the normal behavior of the system, learned through long-term observation, and on system policies. In a signature detection system, an intrusion is detected based on a specific signature or model; the signature is based on long-term information about the intrusion behavior. Several grid-based IDS systems have been conceived, designed, and implemented. Fig. 2 shows the basic components of a grid-based IDS system. Most grid-based IDS systems consist of several components: a set of sensors that monitor the state of the grid systems; the information supplied by the sensors is then collected and analyzed by IDS engines like SNORT [21]; the information is then logged, an interface is provided to query it, and suitable alarm and action mechanisms are provided. Grid-based systems described in the literature include SANTA-G [22], which uses SNORT as the IDS and R-GMA for querying the monitored information, and GIDA [23], which uses a similar structure. An IDS on the Oracle 10G database is provided in [24]. IACID [25] from USC provides a grid-based IDS system with separate network and host IDS components.


Figure 2. Grid based IDS systems

B. SERVICE LEVEL SOLUTIONS

DoS attacks are one of the most important security threats in grid computing, because users can use the service grid to launch a Denial of Service (DoS) attack. The solutions proposed for DoS can be categorized into two main types: preventive solutions and reactive solutions [26]. Preventive solutions, like application filtering, location hiding, and throttling techniques, are used to detect attacks and reduce their effectiveness before they take place, by generating alarms, dropping suspicious packets or requests, or rerouting to balance the load. Reactive solutions aim at identifying the attacker after the attack has been completed. This is an active area of research, because the current identification techniques are totally manual and may span months. The current solutions can be broadly categorized into link testing, logging, ICMP traceback, and IP traceback. It is to be noted that DoS attacks cannot be mitigated by one solution alone; multiple solutions should be employed to improve effectiveness. Among the different available solutions, the preventive solutions are the only techniques that have been successfully implemented. However, most of these solutions have limited success, and more research and development efforts are needed. The reactive solution space is sparser: though several interesting research ideas, like packet marking and link testing, have been proposed, implementations have not been carried out due to the complex nature of the analysis involved.

C. AUTHENTICATION & AUTHORIZATION LEVEL SOLUTIONS

A. Authentication

Authentication deals with the verification of the identity of an entity within a network. An entity may be a user, a resource or a service provided as part of the grid. GSI (Grid Security Infrastructure) provides a solution based on X.509 certificates to authenticate the different entities, and has been implemented in all versions of Globus [27]. It assumes that each entity within the grid system possesses a public/private key pair, and that there exists a trusted third party, a Certificate Authority (CA), to sign and certify the entity. The authentication solution provided by GSI X.509 credentials has a proven security capability; however, it requires a Public Key Infrastructure to make it a viable solution, which may suffer from scalability issues. Another problem is integration with Kerberos, because GSI, in its current form, does not support Kerberos-based interaction. In other words, Globus security does not accept Kerberos credentials as an authentication mechanism. To make this integration possible, gateways or translators are needed which accept GSI credentials and convert them to Kerberos credentials and vice versa. KX.509/KCA [28] can act as a GSI-to-Kerberos gateway, while SSLK5/PKINIT can be used as a Kerberos-to-GSI gateway. In this context, another authentication technology is presented in [29]: LDAP proposes mechanisms to manage authentication. Indeed, several methods of authentication corresponding to various security levels are available in standard LDAP (login/password, login/password with hashing of the password, login/password over SSL, X.509 certificate; the anonymous connection is generally limited to the consultation of restricted parts of the directory). In terms of security, LDAP provides various guarantees thanks to the integration of standard cipher and authentication mechanisms (SSL/TLS, SASL) coupled with Access Control Lists. All these mechanisms enable efficient protection of transactions and of access to the data held in the LDAP directory. The authentication possibilities can be extended with the SASL API (Simple Authentication and Security Layer), which allows the easy integration of strong authentication mechanisms like Kerberos or one-time password systems.

B. Authorization

Authorization deals with the verification of the actions that an entity can perform after authentication has been performed successfully. In this section we subdivide authorization systems into two categories: centralized systems like CAS [30], VOMS [31] and EALS [32], and decentralized systems like Akenti [33], PERMIS [34] and Gridmap. We also compare the systems on different characteristics such as interoperability, security, scalability, and revocation.

Centralized authorization systems provide authorization for an entire Virtual Organization (VO). These systems are necessitated by the presence of a VO which has a set of users and several Resource Providers (RP) who own the resources used by the users of the VO. Whenever a user wants to access certain resources owned by an RP, he/she obtains a credential from the authorization system which grants certain rights to the user. The user presents the credential to the resource to gain access. In this type of system, the resources hold the final right in allowing or denying access to the users.

Decentralized authorization systems implement the decision to authorize access to a set of resources at the resource side. Resource providers grant privileges to the community after establishing a trust relationship with it. When a user wants to access a resource, he produces his credentials, which contain VO-specific policy assertions. It is then up to the resource provider to decide whether to grant or reject the request for access to its resources.

Based on different studies in the literature on grid authorization systems, we compare these systems on several characteristics. In terms of scalability, for administrators it is more scalable to have the policies in a centralized system rather than in each and every node of the grid system. On this count, both CAS and VOMS score highly, since both have a centralized database. On the other hand, decentralized systems like Akenti and PERMIS are both scalable but are restricted in terms of the number of users supported. The worst in this category is the Gridmap system, as administrators need to update each and every system for the addition and deletion of nodes, users, or policies. In terms of security, certificates are the most prevalent means of authentication, while EALS supports passwords, certificates, or other types of credentials like biometrics. However, most centralized systems are prone to DoS attacks, as most of them depend on a centralized database for storing policies. Since VOMS supports multiple stakeholders, even if one of the databases storing a particular stakeholder’s certificates/credentials is under DoS attack, the other resources would be unaffected. Akenti and EALS can distribute the requests to multiple servers in case a DoS attack is detected. Gridmap is mostly unaffected, as the attacker needs to attack a significant number of resources to have a big impact. In terms of revocation, CAS and VOMS do not have explicit revocation mechanisms; therefore, once an adversary gains access to the system, it can access all the resources permitted by the obtained credentials. EALS and Akenti have inherent revocation mechanisms, as revocations can be added to the policies and the effect is immediate. The same argument can be extended to the Gridmap system; however, the administrator needs to change the policy in each and every resource in the grid system. In terms of interoperability, what is important to grid authorization systems is how interoperable the systems are. CAS and PERMIS have been made to interoperate using the SAML [35] standard. However, if they are to be used extensively in enterprises, policies need to be exposed as XACML [36] and exchanged using SAML. Also, there is a need to integrate with different identity management systems like LDAP, Windows Active Directory, and so on. One step in that direction would be to integrate with the Liberty framework for federated identity management. EALS is the most advanced in this regard, as it has adapters for most industry products and adheres to most common industry standards and practices. The two kinds of authorization system complement each other and can be implemented together to provide a holistic authorization solution.

D. INFORMATION LEVEL SOLUTIONS

The Information Level includes those security concerns that arise during communication between two entities. These include confidentiality, integrity, and Single Sign-On [37]. Information security issues exist in all fields of computing and communications and have been studied for quite some time. In the grid computing area, GSI (in Globus Toolkit 4.0, or GT4) provides secure communication at two levels. Transport Level Security in GT4 protects the data transferred at the transport layer using standards like Transport Layer Security (TLS); GT4 uses the SSL/TLS protocol over HTTP to secure the communication between the client and the server. Transport level security is the default security mechanism in GT4, the main reason being the performance overhead introduced by message level security mechanisms. Message Level Security, on the other hand, works at a higher layer and uses Web services based standards like WS-Security, WS-SecureConversation, etc., protecting the SOAP messages that are transferred over the transport channel. The WS-Security standard defines a framework for applying security to individual SOAP messages; GSI conforms to this standard and uses these mechanisms to provide security on a per-message basis, i.e., to an individual message without any pre-existing context between the sender and receiver (beyond sharing some set of trust roots). WS-SecureConversation is a proposed standard that allows for an initial exchange of messages to establish a security context that can then be used to protect subsequent messages with less computational overhead. Based on the evaluations in [38], the authors conclude that transport level security (SSL) is faster than message level security and should be used if there is no special requirement for message level security. Moreover, other solutions such as result certification algorithms can be used to provide result integrity for job execution, where tasks or their results have been corrupted by benign or malicious acts.

E. MANAGEMENT LEVEL SOLUTION

Credentials are important in grid systems, as they are used for accessing grid resources. Therefore, mechanisms are needed to securely store, access, and manage credentials in grid systems. Credential Management (CM) systems are meant precisely for this purpose. Credential management systems can be divided into two main categories: credential repositories and credential federation systems. As the name suggests, credential repositories or credential storage systems are concerned with securely storing the credentials, generating new credentials on demand, and sometimes generating proxy credentials on the user’s behalf for delegation purposes. Examples of credential storage systems are smartcards, MyProxy, etc. According to [39], smart cards are very secure; however, cost can be a hindrance to their widespread adoption. Research and development efforts are needed to create virtual smart card technologies on top of existing technologies like MyProxy. The MyProxy credential manager, though a good effort, is susceptible to dictionary attacks. Credential federation systems, or credential sharing systems, are responsible for sharing credentials across different domains or realms. Examples of credential sharing systems are the Liberty Project, KX.509, VCMan, etc. VCMan and KX.509 have limited use at this moment, as they only support X.509 and Kerberos. VCMan also requires CAS support. The Liberty framework is an important industry effort to create a common framework for identity management, and research is needed to integrate that framework with existing grid-based systems.


B) New Authentication Method Proposed

In grid networks, allowed access to the system is controlled by X.509 digital certificate authentication. However, it is possible for intruders to discover the certificate and use it to log in to the system. In this paper, we present a method to enhance authentication security in which, at every access to the system, a disposable password (encryption key) is used for user authentication. This approach reduces the chances of theft and reuse by an attacker.

I. ONE-TIME PASSWORD TECHNOLOGY (OTP)

Currently there are various ways to attack computer systems in networks. Some types of attacks are guessing weak and inappropriate passwords, brute-force testing of all possible values, and dictionary attacks. One way to avoid this problem is to use disposable, or dynamic, passwords (One Time Passwords). One of the main advantages of dynamic passwords compared to traditional passwords is their robustness against attacks: because each password is used in only one work session, there is no possibility of eavesdropping on and reusing a password, so they are preferable to static passwords and suitable for high-security applications in the virtual world. One Time Password, or OTP, is one of the authentication methods. Authentication is done in three ways, namely:

1. What You Know Authentication (such as a password)

2. What You Have Authentication (eg, token or card)

3. What You Are Authentication (eg, corneal scans or fingerprinting)

The first authentication method has long been used and in this manner there is always concerns about

disclosing and forgetting the password. The third type of authentication being used vastly but it does not

operate in virtual environment, because in this way the user needs different equipment such as cameras,

scanners, as well as fingerprint, that is not possible for all users. But the second authentication method

that is the main topic of this paper provides the best method and producer tool to generate OTP to us.

This method is usually used with the first method of authentication and called two-factor Authentication

[40]. Devices that could produce disposable password is called OTP Token and have various varieties.

A. Categorizing types of OTP Token

To generate disposable passwords a tool called an OTP token is used. The token can be provided to the user either as hardware or as software. In two-factor authentication two factors are used simultaneously to authenticate the user [40]. One factor can be a fixed password, and the other is usually a device, program or tool that the user possesses. The second factor comes in two forms, hardware and software. The hardware form is a physical device with a unique ID; each person must hold one of these devices, and each device differs from all the others. The software form, as the name suggests, is a unique software program that is given to the user and differs from the software of every other user (Nayeb and Sharifi, 1391).

B. System Features

Software architecture:

OTP tokens are not independent systems; what they do is completed by another system. In other words, the passwords they generate are checked by a separate system called the AA Server (Authentication and Authorization Server) or central authentication server. An overview of the software architecture of this system is shown in the following figure:


Figure 3. The software architecture(OTP Token System)

1. Authentication Server (AA Server) and its features

The AA server is a centralized authentication system that performs the authentication of all users in one place. It can communicate with other systems, such as Internet banking, and authenticate the users of those systems; such systems can therefore delegate their user authentication to the AA Server. The overall structure of the system is as follows:

Figure 4. Central Authentication System (AA Server)

The capabilities of the authentication server include the following:

User authentication

Member management

Assigning an OTP token to a user

Changing OTP token settings

Synchronizing the OTP token with the server

2. System Security

Because each password is created for a single use only, logging in to the system with a previously used password in order to steal information or gain access is not possible.

C. Methods to Produce OTP


Since this paper aims to control secure access to grid networks through a workflow with user authentication and verification, we need to mention the methods for producing OTPs. As can be seen in Fig. 5, an OTP can be generated by the following methods:

Scratch list: The simplest form of OTP. A list of codes is given to the client on paper; the server knows these codes, and the client uses them either in order or by index.

Time-based: In this method the server and client share one or more secrets, and the disposable code is produced from this secret and the current time. The main problem with this method is that the server and client clocks must be synchronized. Note that this is the procedure used by typical hardware tokens.

Challenge/Response: This method improves on the previous one: instead of the time, a unique number generated by the server (the challenge) is used [41][42].

Figure 5. Authentication methods [42]
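The time-based method and its synchronization problem, as an added example that is not part of the original paper. The code implements a time-step OTP in the style of RFC 6238 (HMAC-SHA-1 over the time-step counter, truncated to a short decimal code) and a server-side check that accepts codes from a small window of neighbouring steps. A client clock that drifts further than the window produces codes the server rejects, which is exactly the synchronization issue the method description raises. The 30-second step, the window size and the demo secret (the RFC 6238 reference value) are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # length of one time step (assumption; RFC 6238 default)


def time_otp(secret: bytes, unix_time: int, digits: int = 8,
             step: int = STEP_SECONDS) -> str:
    """Derive the OTP for the time step that contains unix_time.

    The shared secret is never transmitted: both sides combine it with
    the time-step counter through HMAC-SHA-1 and truncate the MAC to a
    short decimal code (the RFC 4226/6238 dynamic truncation).
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_time_otp(secret: bytes, code: str, server_time: int,
                    window_steps: int = 1, digits: int = 8,
                    step: int = STEP_SECONDS) -> bool:
    """Server-side check.

    The server recomputes the code for its own clock and for
    window_steps steps on either side, so a small clock skew between
    client and server is tolerated.  A client whose clock has drifted
    beyond the window is rejected: this is the synchronization problem
    of the time-based method.
    """
    for delta in range(-window_steps, window_steps + 1):
        candidate = time_otp(secret, server_time + delta * step, digits, step)
        # constant-time comparison so response timing does not leak digits
        if hmac.compare_digest(candidate, code):
            return True
    return False


def drift_demo(secret: bytes, server_time: int, client_drift_seconds: int,
               window_steps: int = 1) -> bool:
    """The client computes a code from its (drifted) clock; the server verifies."""
    code = time_otp(secret, server_time + client_drift_seconds)
    return verify_time_otp(secret, code, server_time, window_steps)


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 reference value), not a real key.
    demo_secret = b"12345678901234567890"
    print(time_otp(demo_secret, 59))               # 94287082
    print(drift_demo(demo_secret, 1_000_000, 20))  # True: one step ahead, inside the window
    print(drift_demo(demo_secret, 1_000_000, 90))  # False: three steps ahead, outside the window
```

Widening `window_steps` hides more drift but also gives an attacker more valid codes per moment, so deployed systems keep the window small and resynchronize the token when a client falls outside it.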

Here we use Challenge/Response together with a hash algorithm to generate the OTP. In the authentication process there is only one value whose equality must be checked between the two systems, so we use a one-way hash algorithm.

Hash algorithms are one-way: the original input cannot be recovered from the hash output, and the value can only be checked by a party who holds the same input and recomputes the hash [43]. Here the hash is used primarily to ensure that both sides hold the same secret key, without the key itself being exchanged between them. The most popular hash functions are:

- Message Digest algorithm 5 (MD5)

- Secure Hash Algorithm (160 bits) (SHA-1)

- SHA-256

- SHA-384

- SHA-512

II. PROPOSED SOLUTION


In this paper we use a software-type token (a software pattern) that is unique to each user to produce the disposable password. The user registers through the site by entering personal details, and from this (unique) input data, such as name, surname and date of birth, a password is generated with SHA-1 (based on [44] and [45]) and stored in the server database. Using a software pattern has the advantage that each copy of the software can be used by a single user only. In the proposed method, a user who needs to enter the grid network or use its resources first enters a workflow; the password produced by the OTP mechanism and the hash algorithm (Fig. 6) is checked by the workflow or the central authentication system, and if it is confirmed by the identity authentication center the user is allowed to enter the system and accesses the desired data indirectly, through a single server.

Figure 6. Production process & authentication of the one-time password

In this method, a user who wants grid network services introduces himself to the appropriate agency; after his identity and authenticity have been confirmed, a software pattern and a unique ID are assigned to him. The ID is hashed and provided to the user along with the software pattern. On each login to the network the user enters his ID code and receives a challenge from the server. From the challenge code and the software pattern, using the hash, a disposable password is generated, which is a symmetric single-use key. This password is authenticated via the workflow by the AA Server, the centralized authentication system; if the user is authenticated he is allowed to enter the grid network and is passed to the server unit. The user passes his request to the server unit, and the unit gives him the requested resources or data. Thus access to the grid network and its resources is indirect, through the central authentication system. This produces a secure channel for access to resources and data and increases the safety and efficiency of grid networks.
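The login exchange described above (ID, challenge, OTP computed from challenge and software pattern, verification by the AA Server), as an added example; this is not the paper's code. Two points differ from the text and are labelled as editorial assumptions: the keyed hash is HMAC-SHA-256 rather than a plain SHA-1 over challenge and pattern, because HMAC is the standard way to combine a secret with a challenge and SHA-1 is deprecated; and the pattern is a random 32-byte secret generated at enrolment rather than a hash of name, surname and date of birth, because those details are low-entropy and often public, so a pattern derived from them could be recovered offline by anyone who captures one challenge/response pair. The class names `AAServer` and `SoftwareToken`, the 60-second challenge lifetime and the demo user are also assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_TTL_SECONDS = 60   # assumption: the paper gives no challenge lifetime


def compute_otp(pattern: bytes, challenge: bytes) -> str:
    """Both sides derive the one-time password from the shared software
    pattern and the server's challenge.  HMAC keeps the pattern secret
    even if many challenge/response pairs are observed on the network."""
    return hmac.new(pattern, challenge, hashlib.sha256).hexdigest()


class SoftwareToken:
    """The user's unique software pattern, installed on the client side."""

    def __init__(self, user_id: str, pattern: bytes):
        self.user_id = user_id
        self._pattern = pattern

    def respond(self, challenge: bytes) -> str:
        return compute_otp(self._pattern, challenge)


class AAServer:
    """Central authentication server: enrols users, issues single-use
    challenges and verifies the returned one-time passwords."""

    def __init__(self):
        self._patterns: Dict[str, bytes] = {}                 # user_id -> pattern
        self._pending: Dict[str, Tuple[bytes, float]] = {}    # user_id -> (challenge, issued_at)

    def enrol(self, user_id: str) -> SoftwareToken:
        # Assumption: random pattern, not derived from personal details, so it
        # cannot be reconstructed from the user's name or date of birth.
        pattern = secrets.token_bytes(32)
        self._patterns[user_id] = pattern
        return SoftwareToken(user_id, pattern)

    def issue_challenge(self, user_id: str, now: Optional[float] = None) -> bytes:
        if user_id not in self._patterns:
            raise KeyError("unknown user id")
        challenge = secrets.token_bytes(16)   # unpredictable and never repeated
        self._pending[user_id] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user_id: str, response: str, now: Optional[float] = None) -> bool:
        # pop(): a challenge can be answered once, so a captured OTP replayed
        # later finds no pending challenge (or a different one) and fails.
        pending = self._pending.pop(user_id, None)
        if pending is None:
            return False
        challenge, issued_at = pending
        now = time.time() if now is None else now
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False                       # stale challenge
        expected = compute_otp(self._patterns[user_id], challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def login_scenarios() -> Dict[str, bool]:
    """Run the exchange once and show what an eavesdropper can and cannot do."""
    server = AAServer()
    token = server.enrol("alice")              # constructed demo user
    results = {}

    # 1. Genuine login: ID -> challenge -> OTP -> accepted.
    ch = server.issue_challenge("alice")
    otp = token.respond(ch)
    results["genuine_login"] = server.verify("alice", otp)

    # 2. Replay of the captured OTP: no pending challenge, rejected.
    results["replayed_otp"] = server.verify("alice", otp)

    # 3. Captured OTP against a fresh challenge: different challenge, different OTP.
    server.issue_challenge("alice")
    results["old_otp_new_challenge"] = server.verify("alice", otp)

    # 4. Attacker who knows the ID but holds a different pattern.
    ch = server.issue_challenge("alice")
    forged = SoftwareToken("alice", secrets.token_bytes(32)).respond(ch)
    results["wrong_pattern"] = server.verify("alice", forged)

    # 5. Correct OTP presented after the challenge has expired.
    ch = server.issue_challenge("alice", now=1000.0)
    results["expired_challenge"] = server.verify(
        "alice", token.respond(ch), now=1000.0 + CHALLENGE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, accepted in login_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The protection against reuse comes from the challenge being single-use and short-lived, not from the choice of hash; `compute_otp` is the only place to change if a different hash function is preferred, which matches the paper's remark that the hash can simply be swapped.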

III. CONCLUSION

In this paper the most important security mechanisms and solutions in grid computing were classified into five main categories and reviewed: Resource Level, Service Level, Authentication & Authorization Level, Information Level and Management Level solutions. This review can help anyone researching grid computing security. The results of the proposed new method are as follows:

User authentication is performed with an OTP, a disposable symmetric key; each entry to the system differs from the previous one, so the leakage of one OTP does not cause a breach of the system. Entry to the grid network and access to its resources take place only after authentication by the authentication center. Using a hash algorithm on the password in the OTP process has the added benefit that, if the password leaks, the underlying information cannot be recovered from it; should the hash function ever be found weak, it is enough to change the hash function. Together these make access to the grid network and its resources more difficult for intruders. This method is intended to cover security services such as confidentiality, integrity, authentication and non-repudiation and to prevent the security threats discussed above. All of the above contribute to increased safety and efficiency in grid networks.

IV. REFERENCES

[1] A. Bendahmane, M. Essaaidi, A. El-Moussaoui, and A. Younes, "Grid computing security mechanisms: State-of-the-art," in Intern. Conf. on Multimedia Computing and Systems, Apr. 2009, pp. 535–540.

[2] I. Foster and C. Kesselman, The Grid: Blueprint for a New Computing Infrastructure. Morgan Kaufmann Publishers, Inc., San Francisco, California, 1999.

[3] I. Foster, C. Kesselman, and S. Tuecke, "The Anatomy of the Grid: Enabling Scalable Virtual Organizations," International Journal of Supercomputer Applications, 2001.

[4] I. Foster, "Internet Computing and the Emerging Grid." Available from http://www.nature.com/nature/webmatters/grid/grid.html.

[5] A.R. Butt, A. Sumalatha, N.H. Kapadia, "Grid computing portals and security issues," Journal of Parallel and Distributed Computing 63 (10) (2003) 1006–1014.

[6] M. Humphrey, M.R. Thompson, K.R. Jackson, "Security for grids," Proc. of the IEEE 93 (3) (March 2005) 644–652.

[7] E. Cody, R. Sharman, R.H. Rao, S. Upadhyaya, "Security in grid computing: A review and synthesis," Decision Support Systems 44 (2008) 749–764.

[8] A. Chien, B. Calder, S. Elder, "ENTROPIA: architecture and performance for an enterprise desktop grid system," Journal of Parallel and Distributed Computing 65 (5) (2003) 597–610.

[9] B. Calder, A. Chien, J. Wang, D. Yang, "The Entropia Virtual Machine for Desktop Grids," in Intl. Conf. on Virtual Execution Environments, Chicago (IL), 2005.

[10] VMware. www.vmware.com, accessed on 13th July, 2006.

[11] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, A. Warfield, "Xen and the Art of Virtualization," in ACM Proc. Symp. on Operating Systems Principles (SOSP), NY, pp. 164–177, 2003.

[12] Virtuozzo Team, "A Complete Server Virtualization and Automation Solution," Virtuozzo White Paper and Data Sheet, 2005.

[13] VServer. http://linux-vserver.org/Documentation, accessed on 13th July, 2006.

[14] N.G. Duffield, P. Goyal, A. Greenberg, P. Mishra, K.K. Ramakrishnan, J.E. van der Merwe, "A flexible model for resource management in virtual private networks," in Proc. of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, ACM Press, pp. 95–108, 1999.

[15] T.D. Yao, "Adaptive Firewalls for the Grid," Master's Thesis, Technical University of Denmark, 2005.


[16] N.G. Duffield, P. Goyal, A. Greenberg, P. Mishra, K.K. Ramakrishnan, J.E. van der Merwe, "A flexible model for resource management in virtual private networks," in Proc. of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, ACM Press, pp. 95–108, 1999.

[17] T.D. Yao, "Adaptive Firewalls for the Grid," Master's Thesis, Technical University of Denmark, 2005.

[18] J. Allen, "State of the Practice: Intrusion Detection Technologies," Carnegie Mellon, SEI, Tech. Report CMU/SEI-99-TR-028, ESC-99-028, 2000.

[19] S. Axelsson, "Intrusion Detection Systems: A Survey and Taxonomy," Technical report 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Göteborg (Sweden), 2000.

[20] Snort. http://www.snort.org, accessed on 13th July, 2006.

[21] S. Kenny, B. Coghlan, "Towards a Grid-wide Intrusion Detection System," in Proc. European Grid Conference (EGC), Prague, 2005.

[22] M.F. Tolba, M.S. Abdel-Wahab, I.A. Taha, A.M. Al-Shishtawy, "GIDA: Toward Enabling Grid Intrusion Detection System," in Proc. Conference on Cluster Computing and Grid (CCGrid), Cardiff (Wales), 2005.

[23] www.oracle.com/technology/products/bi/odm/pdf/odm based intrusiondetectionaper 1205.pdf, accessed on 13th July, 2006.

[24] T. Ryutov, C. Neumann, L. Zhou, "Integrated Access Control and Intrusion Detection (IACID) Framework for Secure Grid Computing," Tech. Report, University of Southern California, 2005.

[25] A. Chakrabarti, Grid Computing Security, Springer, Berlin Heidelberg New York, 2007.

[26] www.globus.org, accessed on 13th July, 2006.

[27] O. Kornievskaia, P. Honeyman, B. Doster, K. Coffman, "Kerberized Credential Translation: A Solution to Web Access Control," in Proc. USENIX Security Symposium, Washington, pp. 235–249, 2001.

[28] N. Dagorn, N. Bernard, and S. Varrette, "Practical Authentication in Distributed Environments," in IEEE International Computer Systems and Information Technology Conference (ICSIT'05), Alger, July 19–21, 2005.

[29] L. Pearlman, V. Welch, I. Foster, C. Kesselman, S. Tuecke, "A Community Authorization Service for Group Collaboration," in Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, Monterey (CA), pp. 50–59, 2002.


[30] R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Frohner, A. Gianoli, K. Lorentey, F. Spataro, "VOMS: an Authorization System for Virtual Organizations," in 1st European Across Grids Conference, Santiago de Compostela (Spain), 2003.

[31] A. Chakrabarti, A. Damodaran, "Enterprise Authorization and Licensing Service," Infosys Tech. Report, 2006.

[32] M. Thompson, A. Essiari, S. Mudumbai, ACM Transactions on Information and System Security (TISSEC), vol. 6, issue 4, pp. 566–588, 2003.

[33] D. Chadwick, O. Otenko, "The PERMIS X.509 Role Based Privilege Management Infrastructure," in ACM SACMAT, Lake Tahoe (CA), pp. 135–140, 2002.

[34] E. Maler, P. Mishra, and R. Philpott (Eds.), The OASIS Security Assertion Markup Language (SAML) v1.1. Standard, Organization for the Advancement of Structured Information Standards (OASIS), September 2003.

[35] T. Moses (Ed.), eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard, 2005, available at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf, accessed on 13th July, 2006.

[36] S. Varrette and J.-L. Roch, "Certification logicielle de Calcul Global avec dépendances sur grille," in Proceedings des 15èmes rencontres francophones du parallélisme (RenPar'15) (La-Colle-Sur-Loup, France, 15–17 October 2003), M. Auguin, F. Baude, D. Lavenier, and M. Riveill, Eds., pp. 169–176.

[37] S. Hirasuna, A. Slominski, L. Fang, D. Gannon, "Performance comparison of security mechanisms for grid services," in Proc. 5th IEEE/ACM International Workshop on Grid Computing, pp. 360–364, Nov. 2004.

[38] R. Sandhu, M. Bellare, R. Ganesan, "Password-enabled PKI: virtual smart-cards versus virtual soft tokens," Proceedings of the 1st Annual PKI Research Workshop, Gaithersburg, MD, April 2002.

[39] F. Aloul, S. Zahidi, W. El-Hajj, "Two Factor Authentication Using Mobile Phones," Proceedings of the IEEE International Conference on Mobile Technology, 2009.

[40] M. AlZomai, A. Jøsang, A. McCullagh, E. Foo, "Strengthening SMS-Based Authentication through Usability," 2008 International Symposium on Parallel and Distributed Processing with Applications.

[41] T. Weigold, T. Kramp, and M. Baentsch, "Remote Client Authentication," IEEE Security & Privacy, IEEE Computer Society, 2008.

[42] A. Gupta, "Digital signature: use and modification to achieve success in next generational e-business processes," February 2003.

[43] N.R. Potlapally, S. Ravi, A. Raghunathan, "Analyzing the energy consumption of security protocols," Princeton University, ACM Digital Library, 2003.