International Journal of Advance Foundation and Research in Computer (IJAFRC)
Volume 1, Issue 4, April 2014. ISSN 2348 - 4853
76 | © 2014, IJAFRC All Rights Reserved www.ijafrc.org
Review of Grid Computing Security and Present a New Authentication Method for Improving Security
A. Kazemi
Department of Computer Engineering, Islamic Azad University of central Tehran branch, Iran
ABSTRACT
The goal of grid networks is to integrate all of the hardware and software capabilities of different
sets of computers into one comprehensive system in order to compute and process data. Data plays
a key role in grid computing. Supporting distributed resources and preventing any unauthorized
access to data require a secure access control system for the grid network. Security is an important
issue in grid computing and has been regarded as a challenge for it. This paper reviews grid
computing security mechanisms according to Bendahmane, Essaaidi, Moussaoui and Younes [1] and
presents a new authentication method that uses an OTP security mechanism within a workflow. The
result is a mechanism for controlling allowed access to grid networks that increases security, covers
all of the security services such as confidentiality, integrity, identification and non-repudiation, and
prevents security threats.
Index Terms: Authentication, Certificates, Grid Computing, GSI, Intrusion Detection, One-time
Password (OTP), Sandboxing, Security, Virtualization
I. INTRODUCTION
With the development of application requirements for high-performance computing, it is impossible to
solve super large-scale issues using a single high-performance computer or a single computer cluster.
Therefore, it is necessary to connect distributed heterogeneous high-performance computers, computer
clusters, large-scale database servers and large-scale file servers with a high-speed interconnection
network and integrate them into a transparent virtual high-performance computing environment.
This environment is named Grid Computing System [2][3][4]. Grid computing is emerging as a viable
option for high-performance computing, as the sharing of resources provides improved performance at a
lower cost than if each organization were to own its own “closed-box” resources [5]. Grid computing is
defined in the literature as “systems and applications that integrate and manage resources and services
distributed across multiple control domains”[6]. A grid may be defined as a collection of computing
resources distributed over a local or wide area network, and available to an end user as a single large
computing system. Originally, the grid focused on the areas of computing power, data access, and storage
resources. It was intended for large- scale and distributed scientific computing that requires efficient and
dynamically determined access to large amounts of data and computational resources that are distributed
along several independently administered networks. However, the use of grid computing has been
expanding lately to include deployment of grid technologies within the context of business, which
significantly widens the range of applicability of grid technologies. Security, however, has been a
central issue in grid computing from the outset, and has been regarded as its most significant challenge.
As a result, novel security technologies have been evolving continually among grid computing
researchers [1]. This paper consists of two main sections:
A) Review of grid computing security
B) New authentication method proposed.
In this paper we review grid computing security mechanisms according to Bendahmane, Essaaidi,
Moussaoui and Younes [1] and present a new authentication method that uses an OTP security
mechanism within a workflow, which results in a mechanism for controlling allowed access to grid
networks and increasing security.
A) Review Grid Computing Security
This section follows Bendahmane, Essaaidi, Moussaoui and Younes [1], who present a classification
of the different mechanisms and solutions pertaining to the different components of grid computing
security. As shown in Fig. 1, the proposed classification subdivides grid computing security into five
main categories: Resources Level, Service Level, Authentication & Authorization Level, Information
Level, and Management Level Solutions.
Figure 1. Classification of grid computing security
II. RESOURCES LEVEL SOLUTIONS
Resources Level Solutions focus on protecting the grid resources, which include the grid nodes (hosts) and
the communication network. Several isolation techniques such as sandboxing and virtualization are discussed
to protect grid nodes. Network security related to the grid resources is also of paramount importance; in
this area, combining VPN and grid services (the Hose service model) and Adaptive Grid Firewalls (AGF) are
addressed in this section. Another way to secure the grid resources is through an intrusion detection
system (IDS).
A. Host Security
1. Sandboxing
The solution to address Host Security can be achieved by isolating the portion of the resource
dedicated to the grid from the portion of the resource that the owner wishes to keep private [7]. The
Entropia system (called the Entropia Virtual Machine) uses a technique known as Sandboxing to
protect resources on the grid [8]. EVM has been specifically designed to cater to the desktop grid
environment, where there are a large number of desktop clients on which the grid jobs run, in addition
to the Entropia server. EVM consists of two components: the desktop controller and the sandbox
execution layer. The desktop controller is responsible for launching the processes to run the subjob,
and monitoring the running of the subjob on the host desktop. The sandbox execution layer, on the
other hand, provides desktop security through sandboxing and the mechanisms to interface with the
desktop controller. Based on the evaluations in [9], the authors discuss the performance implications
of such a technique and conclude that the system has a performance impact of around 6%. Comparing
VM-based sandboxing systems with others, we find that the flexibility of these systems is greatly reduced
because they are closely aligned to specific applications or operating systems.
2. Virtualization
Another way to provide isolation is through Virtualization where an illusion of a single machine is
provided through the creation of Virtual Machines. To provide virtualization, there is a need for a
software layer which provides the illusion of a real machine to multiple instances of virtual machines.
This layer has been traditionally called Virtual Machine Monitor (VMM). There are also concepts
called the host operating system and guest operating system. The former is the operating system or OS
which hosts the VMM, and the latter is the operating system which is hosted on top of the VMM. There
are three popular virtualization technologies: hosted virtualization, para-virtualization, and shared
kernel based virtualization techniques.
a. The Hosted Virtualization model is one where the VMM and the guest OS run in the user space of
the host OS. The applications running on the host OS and the guest OS share the same user space.
Generally, this model does not require any modification to the host OS. However, since there are
multiple redirections, the performance of such a model suffers significantly. VMware GSX Server [10]
is an example of a hosted virtualization system.
b. The Para-Virtualization model is one where the operating systems are modified and recompiled so
that the multiple redirections of the hosted model can be avoided. The performance of para-virtualization
based systems is comparatively better than that of hosted virtualization based systems. Xen [11] and
Virtuozzo [12] are examples of para-virtualization systems.
c. The Shared Kernel systems are those where the kernel is shared and the user space is partitioned
to be used by different sets of applications. An example of a shared kernel based virtualization system
is Linux VServer [13]. Virtualization solutions provide efficient isolation. However, some of them, like
the hosted virtualization model, come with a performance overhead which may be significant for some
applications. Regarding the para-virtualization solutions, Xen provides very good performance; however,
most of these solutions are available for open operating systems like Linux and are currently not
available for closed systems like Windows. Advances in processor-level support for virtualization augur
well for para-virtualization systems. There is another point of concern before virtualization systems
become the default solution for isolation needs: policy management mechanisms on top of the
virtualization systems still need to be developed. Research is currently being carried out in this
regard [10].
B. Network Security
Firewalls or VPNs between the user’s host and the server host, or between different server hosts,
present a serious challenge to grid security measures. Several research efforts have been undertaken
in network security, such as combining VPN and grid services (the Hose service model) [14] and
Adaptive Grid Firewalls (AGF) [15].
1. The Hose service model [16] is an effort to provide flexible resource management in a VPN
environment. Proposed by researchers from AT&T Research, the Hose service model is
characterized by aggregate traffic from a set of end-points to another in a VPN. The hose service
model is a flexible alternative to the customer pipe service model, where a customer buys a set of
fixed allocations (customer-pipes) from the service provider. In this model, the customers specify
the incoming and outgoing traffic aggregated over the different sites in the VPN system. Following
are the advantages of the Hose model:
a. Flexibility
The Hose model allows the flexibility of clubbing together traffic having similar QoS requirements.
Overall, it provides more flexibility in terms of resource allocation and utilization.
b. On demand resource
This type of model fits nicely with the grid vision, as resources can be adjusted on demand. In spite
of the flexibility provided by this model, one of its main disadvantages is the lack of QoS guarantees
that it can provide. Since the resources are shared, absolute guarantees are hard to provide, which
has become a bottleneck for the wide acceptance of such a system.
2. The Adaptive Firewall for the Grid (AGF) [17] is a project carried out at the Technical University of
Denmark (DTU). The main motivation behind the work is the observation that, to meet grid firewall
requirements, administrators need to open several well-known ports and a range of ephemeral ports
for incoming connections. This can be dangerous, as adversaries may be able to sneak into the system
through the open ports. The AGF system provides a mechanism so that the firewall can adaptively
open and close ports based on service requests: the firewall opens the ports when it receives
authenticated requests, and closes them again when there is no service activity on those ports.
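The open-on-authenticated-request, close-when-idle behaviour just described can be modelled in a few lines. The following is an added illustration written for this page, not code from the DTU AGF project; the token set that stands in for the authentication step, the port number and the timeouts are assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AdaptiveGridFirewall:
    """Toy model of the AGF behaviour: a port is opened only for an
    authenticated service request and closed again once it has seen no
    activity for idle_timeout seconds. The valid_tokens set is a stand-in
    for the real authentication check (assumption for this illustration)."""
    idle_timeout: float = 30.0
    valid_tokens: set = field(default_factory=set)
    open_ports: dict = field(default_factory=dict)  # port -> time of last activity

    def request_service(self, token, port, now):
        """Open `port` if the request carries a valid token; otherwise leave it closed."""
        if token not in self.valid_tokens:
            return False
        self.open_ports[port] = now
        return True

    def record_activity(self, port, now):
        """Connection tracking reports traffic on an open port."""
        if port in self.open_ports:
            self.open_ports[port] = now

    def is_open(self, port):
        return port in self.open_ports

    def reap_idle(self, now):
        """Close every port idle for at least idle_timeout and return the list."""
        idle = sorted(p for p, last in self.open_ports.items()
                      if now - last >= self.idle_timeout)
        for p in idle:
            del self.open_ports[p]
        return idle


def demo():
    # Port 2811 (the GridFTP control port) is used purely as an illustrative number.
    fw = AdaptiveGridFirewall(idle_timeout=30.0, valid_tokens={"session-token-A"})
    trace = []
    trace.append(fw.request_service("forged-token", 2811, now=0.0))     # False: stays closed
    trace.append(fw.request_service("session-token-A", 2811, now=0.0))  # True: opened
    fw.record_activity(2811, now=20.0)
    trace.append(fw.reap_idle(now=40.0))   # []: only 20 s idle, still open
    trace.append(fw.reap_idle(now=50.0))   # [2811]: 30 s idle, closed
    trace.append(fw.is_open(2811))         # False
    return trace


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from it is the two separate decisions: the open is gated on authentication, and the close is driven by observed inactivity rather than by the client, so a forgotten session cannot leave a port exposed indefinitely.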
C. Intrusion Detection Systems in Grid Computing
IDS systems [18][19] basically consist of a set of detectors that detect attacks based on a set of
policies and information. In principle, an IDS works like the alarm systems installed in many buildings
and apartments for protection against burglars. In [20], the authors categorize IDS systems into two
main categories: anomaly detection systems and signature detection systems. In the former, an
intrusion is detected based on abnormalities in system behavior: the detector forms an opinion based
on the normal behavior of the system, learned through long-term observation, and on system policies.
In a signature detection system, an intrusion is detected based on a specific signature or model; the
signature is built from long-term information about intrusion behavior. Several grid based IDS
systems have been conceived, designed, and implemented. Fig. 2 shows the basic components of a
grid based IDS system. Most grid based IDS systems consist of several components: a set of sensors
that monitor the state of the grid systems; the information supplied by the sensors is then collected
and analyzed by IDS engines like SNORT [21]; the information is then logged, an interface is provided
to query it, and suitable alarms and action mechanisms are provided. Grid based systems described
in the literature include SANTA-G [22], which uses SNORT as the IDS and R-GMA for querying the
monitored information, and GIDA [23], which uses a similar structure. IDS on the Oracle 10G
database is provided in [24]. IACID [25] from USC provides a grid based IDS system having separate
network and host IDS subsystems.
Figure 2. Grid based IDS systems
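To make the anomaly-versus-signature distinction concrete, here is an added example (written for this page, not code from SNORT, SANTA-G or any of the systems named above) that runs both kinds of detector over a constructed sensor log. The log format, the traversal signature and the baseline failure rate are assumptions for the illustration.

```python
import re

# Constructed sensor output, not captured from any real grid. Each record is a
# line of key=value fields as a host or network sensor might emit.
SAMPLE_LOG = """\
2014-04-01T10:00:01 src=10.0.0.5 dst=10.0.1.2 port=2811 action=login user=alice result=ok
2014-04-01T10:00:03 src=10.0.0.5 dst=10.0.1.2 port=2811 action=transfer user=alice result=ok
2014-04-01T10:00:05 src=10.0.0.9 dst=10.0.1.2 port=2811 action=login user=bob result=fail
2014-04-01T10:00:06 src=10.0.0.9 dst=10.0.1.2 port=2811 action=login user=bob result=fail
2014-04-01T10:00:07 src=10.0.0.9 dst=10.0.1.2 port=2811 action=login user=carol result=fail
2014-04-01T10:00:08 src=10.0.0.9 dst=10.0.1.2 port=2811 action=login user=dave result=fail
2014-04-01T10:00:09 src=10.0.0.9 dst=10.0.1.2 port=2811 action=login user=erin result=fail
2014-04-01T10:00:30 src=10.0.0.7 dst=10.0.1.2 port=8443 action=request path=/../../etc/passwd result=ok
"""

RECORD_RE = re.compile(
    r"src=(?P<src>\S+) .*?action=(?P<action>\S+)"
    r"(?: user=(?P<user>\S+))?(?: path=(?P<path>\S+))? result=(?P<result>\S+)"
)

# Signature detection: a fixed pattern describing known-bad activity.
SIGNATURES = {"path-traversal": re.compile(r"(^|/)\.\.(/|$)")}


def parse(log):
    """Turn raw sensor lines into event dicts; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.search, log.splitlines()) if m]


def signature_alerts(events):
    """Alert whenever a request path matches one of the known signatures."""
    alerts = []
    for ev in events:
        path = ev.get("path")
        if path:
            for name, pattern in SIGNATURES.items():
                if pattern.search(path):
                    alerts.append((name, ev["src"], path))
    return alerts


def anomaly_alerts(events, baseline_fail_rate=0.1, min_logins=5, factor=3.0):
    """Anomaly detection: flag a source whose login-failure rate exceeds `factor`
    times the baseline learned from normal operation (the baseline is assumed
    here rather than learned). Sources with few logins are ignored to avoid
    verdicts based on too little evidence."""
    per_src = {}
    for ev in events:
        if ev["action"] == "login":
            total, fails = per_src.get(ev["src"], (0, 0))
            per_src[ev["src"]] = (total + 1, fails + (ev["result"] == "fail"))
    return [
        (src, fails / total)
        for src, (total, fails) in sorted(per_src.items())
        if total >= min_logins and fails / total > factor * baseline_fail_rate
    ]


def run(log=SAMPLE_LOG):
    """The collect-analyze-alarm pipeline of Fig. 2 on one batch of sensor data."""
    events = parse(log)
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events)}


if __name__ == "__main__":
    print(run())
```

The signature detector fires on the first matching record, while the anomaly detector needs a learned baseline and enough observations before it will speak; that is the trade-off between the two categories described in the text, and the reason most deployments run both.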
B. SERVICE LEVEL SOLUTIONS
A DoS attack is one of the most important security threats in grid computing, because users can use
the grid services to launch a Denial of Service (DoS) attack. The solutions proposed for DoS can be
categorized into two main types: preventive solutions and reactive solutions [26]. Preventive solutions
like application filtering, location hiding, and throttling techniques are used to detect attacks and reduce
their effectiveness before they take hold, by generating alarms, dropping suspicious packets or
requests, or rerouting to balance the load. The reactive solutions aim at identifying the attacker after the
attack has been completed. This is an active area of research because the current identification techniques
are totally manual, and may span over months. The current solutions can be broadly categorized into: link
testing, logging, ICMP traceback, and IP traceback. It is to be noted that DoS attacks cannot be mitigated
by one solution alone and multiple solutions should be employed to improve the effectiveness. Among the
different available solutions, the preventive solutions are the only techniques that have been successfully
implemented. However, most of these solutions have limited success and more research and development
efforts are needed. The reactive solution space is sparser. Though several interesting research ideas like
packet marking and link testing have been proposed, the implementations have not been carried out due
to the complex nature of the analysis involved.
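Throttling is the one preventive technique above that is simple enough to show end to end. The following is an added example written for this page (not code from [26] or from any grid middleware) of a per-source token bucket replayed over constructed traffic; the rate, burst size and addresses are assumptions for the illustration.

```python
from collections import defaultdict


class PerSourceThrottle:
    """Token bucket per source address: every source earns `rate` tokens per
    second up to `burst`; a request costs one token and is dropped when the
    bucket is empty. Legitimate senders with modest rates are never affected."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, src, now):
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def replay(requests, rate=2.0, burst=5):
    """Feed (timestamp, source) pairs through the throttle in time order and
    return accepted/dropped counts per source, which is what a preventive
    filter would log or raise an alarm on."""
    throttle = PerSourceThrottle(rate, burst)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for now, src in sorted(requests):
        stats[src]["accepted" if throttle.allow(src, now) else "dropped"] += 1
    return dict(stats)


# Constructed traffic: one source fires 50 requests in the same instant (a flood),
# another sends four requests a second apart (normal use).
FLOOD = [(0.0, "10.0.0.9")] * 50
NORMAL = [(t, "10.0.0.5") for t in (0.0, 1.0, 2.0, 3.0)]

if __name__ == "__main__":
    print(replay(FLOOD + NORMAL))
```

Keying the bucket on the source is what lets the flood be dropped without touching the normal sender; the same structure can be keyed on a grid credential or VO instead when attackers spread load over many addresses.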
C. AUTHENTICATION & AUTHORIZATION LEVEL SOLUTIONS
A. Authentication
Authentication deals with verification of the identity of an entity within a network. An entity may be a
user, a resource or a service provided as part of the grid. GSI (Grid Security Infrastructure) provides a
solution based on X.509 certificates to authenticate the different entities, and has been implemented in
all versions of Globus [27]. It assumes that each entity within the grid system possesses a public/private
key pair, and that there exists a trusted third party or Certificate Authority (CA) to sign and certify
the entity. The authentication solution provided by GSI X.509 credentials has a proven security
capability; however, it requires a Public Key Infrastructure to make it a viable solution, which may
suffer from scalability issues. Another problem is the integration with Kerberos, because GSI, in its
current form, does not support Kerberos based interaction. In other words, Globus security does not
accept Kerberos credentials as an authentication mechanism. To make this integration possible, there is
a need for gateways or translators which accept GSI credentials and convert them to Kerberos credentials
and vice versa. KX.509/KCA [28] can act as a GSI to Kerberos gateway, while SSLK5/PKINIT can be
used as a Kerberos to GSI gateway. In this context, another authentication technology is presented in
[29]: LDAP technology proposes mechanisms to manage authentication. Indeed, several methods of
authentication corresponding to various security levels are available in standard LDAP
(login/password, login/password with hashing of the latter, login/password over SSL, X.509 certificate; the
anonymous connection is generally limited to consultation of restricted parts of the directory). In
terms of security, LDAP provides various guarantees thanks to the integration of standard cipher and
authentication mechanisms (SSL/TLS, SASL) coupled with Access Control Lists. All these
mechanisms enable efficient protection of transactions and of access to the data held in the
LDAP directory. The authentication possibilities can be extended with the SASL API (Simple
Authentication and Security Layer), which allows strong authentication mechanisms like Kerberos or
one-time password systems to be integrated easily.
B. Authorization
Authorization deals with the verification of the actions that an entity can perform after it has been
authenticated successfully. In this section we subdivide authorization systems into two categories:
centralized systems like CAS [30], VOMS [31] and EALS [32], and decentralized systems like Akenti [33],
PERMIS [34] and Grid-MAP. We also compare the systems with respect to different characteristics
such as interoperability, security, scalability, and revocation. Centralized authorization systems are
authorization systems for an entire Virtual Organization (VO). These types of systems are
necessitated by the presence of a VO which has a set of users and several Resource Providers (RPs)
who own the resources to be used by the users of the VO. Whenever a user wants to access certain
resources owned by an RP, he/she obtains a credential from the authorization system which grants
certain rights to the user. The user presents the credential to the resource to gain access to it. In this
type of system, the resources hold the final right to allow or deny access to the users. Decentralized
authorization systems implement the decision to authorize access to a set of resources. Resource
providers grant privileges to the community after establishing a trust relationship with it. When a user
wants to access a resource, he presents his credentials, which contain VO specific policy assertions. It
is then up to the resource provider to decide whether to grant or reject the request for access to its
resources. Based on different studies in the literature on grid authorization systems, we compare
these systems on several characteristics. In terms of scalability, for administrators it is more scalable
to have the policies in a centralized system rather than in each and every node of the grid system. On
this count, both CAS and VOMS score highly, since both of them have a centralized database. On the
other hand, decentralized systems like Akenti and PERMIS are both scalable, but are restricted in
terms of the number of users supported. The worst in this category is the Gridmap system, as
administrators need to update each and every system for the addition and deletion of nodes, users,
or policies. In terms of security, certificates are the most prevalent means of authentication, while
EALS supports passwords, certificates, or other types of credentials like biometrics. However, most of
the centralized systems are prone to DoS attacks, as most of them depend on a centralized database
for storing policies. Since VOMS supports multiple stakeholders, even if one of the databases storing a
particular stakeholder’s certificates/credentials is under DoS attack, the other resources remain
unaffected. Akenti and EALS can distribute the requests to multiple servers in case a DoS attack is
detected. Gridmap is mostly unaffected, as the attacker needs to attack a significant number of
resources to have a big impact. In terms of revocation, CAS and VOMS do not have explicit revocation
mechanisms; therefore, once an adversary gains access to the system, it can access all the resources
covered by the obtained credentials. EALS and Akenti have inherent revocation mechanisms, as
revocations can be added to the policies and take effect immediately. The same argument can be
extended to the Gridmap system; however, the administrator needs to change the policy in each and
every resource in the grid system. In terms of interoperability, what matters for grid authorization
systems is how interoperable they are. CAS and PERMIS have been made to interoperate using the
SAML [35] standard. However, if they are to be used extensively in enterprises, policies need to be exposed
as XACML [36] standards and exchanged using SAML. There is also a need to integrate with different
identity management systems like LDAP, Windows Active Directory, and so on. One step in that
direction would be to integrate with the Liberty framework for federated identity management. EALS is
the most advanced in this regard, as it has adapters for most industry products and adheres to most of
the common industry standards and practices. The two kinds of authorization systems complement each
other, and can be implemented together to provide a holistic authorization solution.
D. INFORMATION LEVEL SOLUTIONS
Information Level includes those security concerns that arise during the communication between two
entities. These include confidentiality, integrity, and Single Sign-On [37]. Information security issues
exist in all fields of computing and communications and have been studied for quite some time. In the grid
computing area, GSI (in Globus Toolkit 4.0 or GT4) provides secure communication at two levels. Transport
Level Security, in GT4, protects the data transferred at the transport layer using standards like Transport
Layer Security (TLS); GT4 uses the SSL/TLS protocol over HTTP for securing the communication between
the client and the server. Transport level security is the default security mechanism used in GT4, the
main reason being the performance overhead introduced by message level security mechanisms.
Message Level Security, on the other hand, works at a higher layer and uses Web services based standards
like WS- Security, WS-SecureConversation, etc. by protecting the SOAP messages that are being transferred
over the transport channel. The WS-Security standard defines a framework for applying security to
individual SOAP messages; GSI conforms to this standard. GSI uses these mechanisms to provide security on
a per-message basis, i.e., to an individual message without any pre-existing context between the sender and
receiver (outside sharing some set of trust roots). WS- SecureConversation is a proposed standard that
allows for an initial exchange of a message to establish a security context that can then be used to
protect subsequent messages in a manner that requires less computational overhead. Based on the
evaluations [38], the authors have concluded that transport level security (SSL) is faster than message
level security, and should be used if there is no special requirement to use message level security.
Moreover, another kind of solution, result certification algorithms, can be used to provide result integrity
for job execution where tasks or their results have been corrupted by a benign or malicious act.
E. MANAGEMENT LEVEL SOLUTION
Credentials are important in grid systems as they are used for accessing the grid resources. Therefore,
there is a need for mechanisms to securely store, access, and manage credentials in grid systems.
Credential Management (CM) systems are precisely meant for this purpose. Credential management
systems can be divided into two main categories: credential repositories and credential federation systems.
As the name suggests, credential repositories or credential storage systems are concerned with
securely storing the credentials, generating new credentials on demand, and sometimes generating proxy
credentials on the user’s behalf for delegation purposes. Examples of credential storage systems are
smartcards, MyProxy, etc. According to [39], smart cards are very secure; however, cost can be a
hindrance to their widespread adoption. Research and development efforts are needed for creating
virtual smart card technologies on top of existing technologies like MyProxy. The MyProxy credential
manager, though a good effort, is susceptible to dictionary attacks. Credential federation systems or credential share systems
are responsible for sharing the credentials across different domains or realms. Examples of credential
share systems are the Liberty Project, KX.509, VCMan, etc. VCMan and KX.509 have limited use at this
moment as they only support X.509 and Kerberos. VCMan also requires CAS support. The Liberty
framework is an important industry effort to create a common framework for identity management and
research is needed for integrating that framework with existing grid based systems.
B) New Authentication Method Proposed
In grid networks, allowed access to the system is controlled by authentication with X.509 digital
certificates. However, it is possible for an intruder to discover a certificate and use it to log in to the
system. In this paper, we present a method to enhance authentication security in which, on every access
to the system, a disposable password (encryption key) is used for user authentication. This approach
reduces the chances of theft and reuse by an attacker.
I. ONE-TIME PASSWORD TECHNOLOGY (OTP)
Currently there are various ways to attack computer systems in networks. Some types of attacks are
guessing weak and inappropriate passwords, brute-force testing of all possible values, and dictionary
attacks. One way to avoid this problem is to use disposable or dynamic passwords (One Time Passwords).
One of the main advantages of dynamic passwords compared to traditional passwords is their
robustness against attacks: because each password is used in only one work session, there is no
possibility of eavesdropping on and reusing the password, so it is stronger than a static password and is
suitable for high security applications in the virtual world. One Time Password (OTP) is one of the
authentication methods. Authentication is done in three ways, namely:
1. What You Know authentication (such as a password)
2. What You Have authentication (e.g., a token or card)
3. What You Are authentication (e.g., corneal scans or fingerprinting)
The first authentication method has long been used, and with it there are always concerns about
disclosure and forgetting of the password. The third type of authentication is used widely, but it does
not work in a virtual environment, because the user needs different equipment such as cameras and
scanners, as well as a fingerprint, which is not possible for all users. But the second authentication
method, which is the main topic of this paper, provides the best method and a producer tool to
generate the OTP for us. This method is usually used together with the first method of authentication
and is called two-factor authentication [40]. Devices that can produce disposable passwords are called
OTP tokens and come in various varieties.
A. Categorizing types of OTP Token
In order to generate disposable passwords a tool called an OTP token is used. This tool can be either
hardware or software on the user’s side. In two-factor authentication, two factors are used
simultaneously for user authentication [40]. One of these factors can be a fixed password and the
other factor is usually a device, software or tool that the user owns. The second factor can take two
forms: hardware and software. The hardware form usually takes the form of a hardware device that
has a unique ID, and each person should have one of these devices, different from the rest. The
software form, as the name suggests, is a unique software program that is given to the user and is
different from other users’ software (Nayeb and Sharifi, 1391).
B. System Features
Software architecture:
OTP tokens are not an independent system; what they do is completed by other systems. In other
words, the passwords that they generate are checked by another system, called the AA Server
(Authentication, Authorization Server) or central authentication server. An overview of the software
architecture of this system is shown in the following figure:
Figure 3. The software architecture (OTP Token System)
1. Authentication Server (AA Server) and its features
The AA server is a centralized authentication system that performs authentication of all users
centrally. This system has the capability to communicate with other systems, such as Internet banking,
and can authenticate the users of those systems. Thus, these systems may also delegate their user
authentication to the AA Server. The overall structure of the system is as follows:
Figure 4. Central Authentication System (AA Server)
Authentication server capabilities include the following:
User authentication
Member management
Assigning an OTP token to the user
Changing OTP token settings
Synchronization of the OTP token with the server
2. System Security
Because the password created for the user is used only once, it is not possible for other users to log in
to the system with a previous password in order to steal information or gain access to it.
C. Methods to Produce OTP
Note that since we intend in this paper to control secure access to grid networks with a workflow,
user authentication and verification, we need to mention the production methods of OTPs. As can be
seen in Fig. 5, OTPs are generated by the following methods:
Scratch List: The simplest mode of OTP, where a list of codes is given on paper to the client; the
server knows these codes and the client uses them either in order or by index.
Short Time: In this method, the server and client share one or more passwords, and the disposable
code is produced from this shared code and the current time. The main problem with this method is
that the server and the client must be synchronized with each other. It should be noted that the
procedure is similar to a token.
Challenge / Response: This method improves the previous method in that, instead of time, a
unique number generated by the server (the challenge) is used [41][42].
Figure 5. Authentication methods[42]
Here we use Challenge / Response together with a hash algorithm to generate the OTP, or one-time
password. In the authentication process only one value has to be checked for equality between the two
systems, so a one-way hash function is sufficient.
Hash algorithms are one-way: the original input cannot be recovered from the digest, and a digest can only
be checked by recomputing it from the same input [43].
The hash is used primarily so that both sides can prove they hold the same secret key without the key
itself being exchanged between them. The most common hash functions are:
Message Digest algorithm 5 (MD5)
Secure Hash Algorithm (160 bits) (SHA-1)
SHA-256
SHA-384
SHA-512
Of these, MD5 and SHA-1 are no longer considered collision resistant; for a new design the SHA-2 family
(SHA-256 and above), used in a keyed construction such as HMAC, is the appropriate choice.
II. PROPOSED SOLUTION
In this paper, authentication uses a software pattern: a piece of software unique to each user that produces
the disposable password. The user registers through the site by entering personal details; from this
(unique) input data, such as name, surname and date of birth, a password is generated with SHA-1 (based on
[44] and [45]) and stored in the server database. The advantage of the software pattern is that each copy
can be used by a single user only. In the proposed method, a user who needs to enter the grid network or
use its resources first enters a workflow; the password produced by the OTP mechanism and the hash
algorithm (Fig. 6) is checked by the workflow or the central authentication system, and if the identity
authentication center confirms it, the user is allowed into the system and indirectly accesses the desired
data through a single server.
Figure 6. One-time password production and authentication process
In this method, a user who wants grid network services introduces himself to the appropriate agency;
after the agency confirms the user's identity, a software pattern and a unique ID are assigned to the user.
The ID is hashed and provided to the user together with the software pattern. On each network login, the
user enters his ID code and receives a Challenge from the server. From the challenge code and the software
pattern, the hash produces the disposable password, which acts as a symmetric one-time key. The workflow
passes this password to the AA Server, the centralized authentication system; if the user is authenticated,
he is admitted to the grid network and handed over to the server unit. The user then passes his request to
the server unit, which returns the requested resources or data. Access to the grid network and its
resources is thus indirect and always goes through the central authentication system. This provides a
secure channel to resources and data and increases the security and efficiency of grid networks.
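The enrolment, challenge, response and verification steps described above, together with the time-based method from the previous section, as an added worked example in Python (example code written for this review, not the paper's own implementation). It assumes HMAC-SHA256 over the challenge instead of a bare hash of the challenge and pattern, a random 32-byte pattern instead of SHA-1 over the user's personal details, a 60-second challenge lifetime and truncation of the OTP to 8 hex digits; the AAServer class, the user "alice" and all numeric values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed parameters for the example (assumptions, not values from the paper).
PATTERN_LEN = 32       # bytes of secret material per user
CHALLENGE_LEN = 16     # bytes of server-generated challenge
CHALLENGE_TTL = 60.0   # seconds a challenge remains valid
OTP_HEX_DIGITS = 8     # truncated OTP length (32 bits)


def compute_otp(pattern: bytes, challenge: bytes) -> str:
    """Client side: OTP = HMAC-SHA256(pattern, challenge), truncated to 8 hex digits.

    HMAC is used instead of a bare hash of challenge||pattern so that the
    construction is a proper keyed MAC; the secret pattern never leaves the client.
    """
    return hmac.new(pattern, challenge, hashlib.sha256).hexdigest()[:OTP_HEX_DIGITS]


class AAServer:
    """Central authentication server: stores each user's pattern and hands out
    single-use challenges that expire after CHALLENGE_TTL seconds."""

    def __init__(self) -> None:
        self.users = {}    # type: Dict[str, bytes]                # user_id -> pattern
        self.pending = {}  # type: Dict[str, Tuple[bytes, float]]  # user_id -> (challenge, issued_at)

    def enrol(self, user_id: str) -> bytes:
        """Enrolment by the agency: assign a random pattern (returned so it can be
        delivered to the user together with the client software)."""
        pattern = secrets.token_bytes(PATTERN_LEN)
        self.users[user_id] = pattern
        return pattern

    def issue_challenge(self, user_id: str, now: Optional[float] = None) -> bytes:
        """Login step 1: the user presents the ID and receives a fresh challenge.
        A new challenge replaces any older pending one for the same user."""
        if user_id not in self.users:
            raise KeyError("unknown user")
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.pending[user_id] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user_id: str, otp: str, now: Optional[float] = None) -> bool:
        """Login step 2: check the OTP against the pending challenge.
        The challenge is consumed on every attempt, so a captured OTP cannot be
        replayed and an attacker gets exactly one guess per challenge."""
        now = time.time() if now is None else now
        entry = self.pending.pop(user_id, None)
        if entry is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > CHALLENGE_TTL:
            return False
        expected = compute_otp(self.users[user_id], challenge)
        return hmac.compare_digest(expected, otp)   # constant-time comparison


def time_otp(pattern: bytes, now: float, step: int = 30) -> str:
    """The paper's "short time" variant: the challenge is the current time window."""
    counter = int(now // step)
    return compute_otp(pattern, counter.to_bytes(8, "big"))


def verify_time_otp(pattern: bytes, otp: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Server side of the time-based variant: accept the current window and
    +/-skew neighbouring windows so that small clock drift does not lock the user out."""
    return any(
        hmac.compare_digest(time_otp(pattern, now + k * step, step), otp)
        for k in range(-skew, skew + 1)
    )


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Run one login, one replay, one stale challenge and two time-based checks."""
    server = AAServer()
    pattern = server.enrol("alice")          # constructed user
    challenge = server.issue_challenge("alice", now=1000.0)
    otp = compute_otp(pattern, challenge)    # computed by the client software
    ok = server.verify("alice", otp, now=1001.0)
    replay = server.verify("alice", otp, now=1002.0)            # same OTP presented again
    challenge = server.issue_challenge("alice", now=2000.0)
    stale = server.verify("alice", compute_otp(pattern, challenge),
                          now=2000.0 + CHALLENGE_TTL + 1)       # answered after the TTL
    drift_ok = verify_time_otp(pattern, time_otp(pattern, 3000.0), now=3010.0)   # 10 s drift
    drift_far = verify_time_otp(pattern, time_otp(pattern, 3000.0), now=3100.0)  # 100 s drift
    return ok, replay, stale, drift_ok, drift_far


if __name__ == "__main__":
    print(demo())  # (True, False, False, True, False)
```

Two points a practitioner should take from it: the server consumes the challenge on every attempt, so a captured one-time password is useless afterwards and a guessing attacker gets one try per challenge; and the pattern is random rather than derived from name or date of birth, because a secret computed from personal data can be recomputed by anyone who knows those details, whichever hash function is used.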
III. CONCLUSION
In this paper the most important security mechanisms and solutions in grid computing were classified into
five main categories and reviewed: Resource Level, Service Level, Authentication & Authorization Level,
Information Level and Management Level solutions. This review can serve as a starting point for research in
grid computing security. The results of the proposed new method are:
User authentication is performed with an OTP, a disposable symmetric password; each login differs from the
previous ones, so leakage of one password does not cause a breach of the system. Entry to the grid network
and access to resources take place only after authentication by the authentication center. Using a hash
algorithm in the OTP process has the added benefit that a leaked password does not reveal the underlying
information; if a hash function is found to be weak, it is enough to replace it. Together these make access
to the grid network and its resources harder for intruders. The method covers the security services of
confidentiality, integrity, authentication and non-repudiation and mitigates the threats discussed above.
All of the above contribute to increasing security and efficiency in grid networks.
IV. REFERENCES
[1] A. Bendahmane, M. Essaaidi, A. El-Moussaoui, and A. Younes, “Grid computing security
mechanisms: State-of-the-art,” in Intern. Conf. on Multimedia Computing and Systems., Apr. 2009,
pp. 535–540.
[2] Ian Foster and Carl Kesselman. The Grid: Blueprint for a New Computing Infrastructure.
Morgan Kaufmann Publishers, Inc., San Francisco, California, 1999.
[3] Ian Foster, Carl Kesselman, and Steven Tuecke. The Anatomy of the Grid: Enabling Scalable
Virtual Organizations. International Journal of Supercomputer Applications, 2001.
[4] Ian Foster. Internet Computing and the Emerging Grid. Available from
http://www.nature.com/nature/webmatters/grid/grid.html.
[5] A.R. Butt, A. Sumalatha, N.H. Kapadia, Grid computing portals and security issues, Journal of Parallel
and Distributed Computing 63 (10) (2003) 1006–1014.
[6] M. Humphrey, M.R. Thompson, K.R. Jackson, Security for grids, Proc. of IEEE 93 (3) (March 2005)
644–652.
[7] E.Cody, R.Sharman, R.H.Rao, S.Upadhyaya, “Security in grid computing: A review and
synthesis,” Decision Support Systems 44 (2008) 749—764.
[8] A. Chien, B. Calder, S. Elder, ENTROPIA: architecture and performance for an Enterprise
desktop grid system, Journal of Parallel and Distributed Computing 65 (5) (2003) 597—610.
[9] B. Calder, A. Chien, J. Wang, D. Yang. The Entropia Virtual Machine for Desktop Grids. In Intl.
Conf. on Virtual Execution Env, Chicago (IL), 2005.
[10] VMware. www.vmware.com, accessed on 13th July, 2006.
[11] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, A. Warfield.
Xen and the Art of Virtualization. In ACM Proc. Symp. on Operating Systems Principles (SOSP),
NY, pp. 164-177, 2003.
[12] Virtuozzo Team. A Complete Server Virtualization and Automation Solution.Virtuozzo White
Paper and Data Sheet, 2005.
[13] VServer. http://linux-vserver.org/Documentation, accessed on 13th July, 2006.
[14] N.G. Duffield, P. Goyal. Greenberg, P. Mishra, K.K. Ramakrishnan, J.E. van der Merive. A flexible
model for resource management in virtual private networks. In Proc. of the Conference on
Applications, Technologies, Architectures, and Protocols. Computer Communication, ACM Press,
pp. 95—108, 1999.
[15] T.D. Yao. Adaptive Firewalls for the Grid. Master's Thesis, Technical University of Denmark, 2005.
[16] N.G. Duffield, P. Goyal. Greenberg, P. Mishra, K.K. Ramakrishnan, J.E. van der Merive. A flexible
model for resource management in virtual private networks. In Proc. of the Conference on
Applications, Technologies, Architectures, and Protocols. Computer Communication, ACM Press,
pp. 95—108, 1999.
[17] T.D. Yao. Adaptive Firewalls for the Grid. Master’s Thesis, Technical University of Denmark,
2005.
[18] J. Allen. State of The Practice: Intrusion Detection Technologies. Carnegie Mellon, SEI, Tech,
Report CMU/SEI-99-TR-028, ESC-99- 028, 2000.
[19] S. Axelsson. Intrusion Detection Systems: A Survey and Taxonomy. Technical report 99-15,
Dept. of Computer Engineering, Chalmers University of Technology, Goteborg (Sweden), 2000.
[20] Snort. http://www.snort.org, accessed on 13th July, 2006.
[21] S. Kenny, B. Coghlan. Towards a Grid wide Intrusion Detection System. In Proc. European Grid
Conference (EGC), Prague, 2005.
[22] M.F. Tolba, M.S. Abdel-Wahab, I.A. Taha, A.M. Al-Shishtawy. GIDA: Toward Enabling Grid Intrusion
Detection System. In Proc. Conference on Cluster Computing and Grid (CCGrid), Cardiff(Wales),
2005.
[23] www.oracle.com/technology/products/bi/odm/pdf/odm based intrusiondetectionaper
1205.pdf, accessed on 13th July, 2006.
[24] T. Ryutov, C. Neumann, L. Zhou. Integrated Access Control and Intrusion Detection (IACID)
Framework for Secure Grid Computing. Tech. Report., University of Southern California, 2005.
[25] A.Chakrabarti. Grid Computing Security, Springer Berlin Heidelberg New York, 2007.
[26] www.globus.org, accessed on 13th July 2006.
[27] O. Kornievskaia, P. Honeyman, B. Doster, K. Coffman. Kerberized Credential Translation: A
Solution to Web Access Control. In Proc. USENIX Security Symposium, Washington, pp. 235-249,
2001.
[28] N. Dagorn, N. Bernard, and S. Varrette. Practical Authentication in Distributed Environments. In
IEEE International Computer Systems and Information Technology Conference (ICSIT'05)
(Sheraton Hotel, Alger, July 19-21, 2005), IEEE.
[29] L. Pearlman, V. Welch, I. Foster, C. Kesselman, S. Tuecke. A Community Authorization Service for
Group Collaboration. In Proceedings of the IEEE 3rd International Workshop on Policies for
Distributed Systems and Networks, Monterey (CA), pp 50-59, 2002.
[30] R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Frohner, A. Gianoli, K. Lorentey, F. Spataro.
VOMS: an Authorization System for Virtual Organizations. In 1st European Across Grids
Conference, Santiago de Compostela (Spain), 2003.
[31] A. Chakrabarti, A. Damodaran. Enterprise Authorization and Licensing Service. Infosys Tech.
Report, 2006.
[32] M. Thompson, A. Essiari, S. Mudumbai. Certificate-based Authorization Policy in a PKI Environment.
ACM Transactions on Information and System Security (TISSEC), vol. 6, issue 4, pp. 566-588, 2003.
[33] D. Chadwick, O. Otenko. The PERMIS X.509 Role Based Privilege Management Infrastructure. In
ACM SACMAT, Lake Tahoe (CA), pp. 135-140, 2002.
[34] E. MALER, P. MISHRA, and R. PHILPOTT Eds. The OASIS Security Assertion Markup Language
(SAML) v1.1. Standard, Organization for the Advancement of Structured Information Standards
(OASIS), September 2003.
[35] T. Moses (Ed). eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard,
2005, available at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf,
accessed on 13th July, 2006.
[36] S. Varrette and J.-L. Roch. Certification logicielle de Calcul Global avec dépendances sur grille
[Software certification of global computing with dependencies on a grid]. In Proceedings des
15èmes rencontres francophones du parallélisme (RenPar'15) (La-Colle-sur-Loup, France, 15-17
October 2003), M. Auguin, F. Baude, D. Lavenier, and M. Riveill, Eds., pp. 169-176.
[37] S. Hirasuna, A. Slominski, L. Fang, D. Gannon, "Performance comparison of security
mechanisms for grid services", in Proc. 5th IEEE/ACM International Workshop on Grid
Computing, pp. 360-364, Nov. 2004.
[38] R. Sandhu, M. Bellare, R. Ganesan. Password-enabled PKI: virtual smart-cards versus virtual soft
tokens. Proceedings of the 1st Annual PKI Research Workshop, Gaithersburg, MD, April 2002.
[39] F. Aloul, S. Zahidi, W. El-Hajj, "Two Factor Authentication Using Mobile Phones", Proceedings of
the IEEE International Conference on Mobile Technology, 2009.
[40] M. AlZomai, A. Jøsang, A. McCullagh, E. Foo, "Strengthening SMS-Based Authentication through
Usability", 2008 International Symposium on Parallel and Distributed Processing with
Applications, 2008.
[41] Thomas Weigold, Thorsten Kramp, and Michael Baentsch, “Remote Client Authentication”, IEEE
Security & Privacy journal Published by the IEEE Computer Society, 2008.
[42] A. Gupta, "Digital signature: use and modification to achieve success in next generational e-
business processes", February 2003.
[43] N.R. Potlapally, S. Ravi, A. Raghunathan, "Analyzing the energy consumption of security
protocols", Princeton University, ACM Digital Library, 2003.