Improving the Security Performance in Computer Grids
Security in computational Grids is mainly based on Grid Security Infrastructure (GSI) for authentication and Virtual Organization Membership Service for authorization. Although these mechanisms provide the required level of security, they lack in performance due to their dependence on public key cryptography. In our proposed security architecture we use a Kerberos-based approach (symmetric cryptography) to establish common secrets between grid services (exposed as web services) and clients. The architecture does not nullify GSI and VOMS, but allows a full mapping of GSI-VOMS to Kerberos credentials. The security architecture was designed to meet the specific quality of service (QoS) for nearly real-time control of distributed instruments that belong to different organizations by minimizing the impact of security processing. It is based on GSI and VOMS certificates for the initial login, translates them into Kerberos credentials for authentication and provides message level security implementing the OASIS Kerberos Token Profile. The security performance of our implementation, as shown in our measurements, outperforms the one when X509 Token Profile is used.
Unable to display preview. Download preview PDF.
- R. Alfieri et al., “VOMS, an authorization system for virtual organizations”, Presented at the 1st European Across Grids Conf., Santiago de Compostela, Spain, Feb. 14, 2003.Google Scholar
- Apache AXIS – http://ws.apache.org/axis/
- Apache WSS4J – http://www.ws.apache.org/wss4j.Google Scholar
- C. Coarfa, P. Druschel and D.S. Wallach, “Performance analysis of TLS web servers”, 9th Network and Systems Security Symposium, pp. 553–558, 2002.Google Scholar
- GRIDCC Project web site – www.gridcc.orgGoogle Scholar
- Heimdal Kerberos Server – http://www.pdc.kth.se/heimdal/.
- IETF RFC 1510 – The Kerberos Network Authentication Service (V5).Google Scholar
- IETF RFC 1508 – Generic Security Service Application Program Interface.Google Scholar
- IETF RFC 2459 – Internet X.509 Public Key Infrastructure Certificate and CRL Profile.Google Scholar
- IETF RFC 3820 – Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile.Google Scholar
- IETF RFC 4556 – Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).Google Scholar
- A. Moralis, A. Lenis, M. Grammatikou, S. Papavassiliou, V. Maglaris, “A distributed Kerberized access architecture for real time grids”, 4th International Workshop on Security in Information Systems WOSIS, 2006.Google Scholar
- R. Needham, M. Schroeder, “Using encryption for authentication in large networks of computers”, Communications of the ACM, Vol. 21, no. 12, pp. 993–999, Dec. 1978.Google Scholar
- Oasis WS Security Standards – http://www.oasis-open.org/specs/index.php#wssv1.1
- Open Grid Forum – http://nfdump.sourceforge.net/.
- L. Pearlman, V. Welch, I. Foster, K. Kesselman, S. Tuecke, “A community authorization service for group collaboration”, IEEE Workshop on Policies for Distributed Systems and Networks, 2002.Google Scholar
- The European Policy Management Authority for Grid Authentication in e-Science – http://www.eugridpma.org/
- W3C Web Services Activity – http://www.w3.org/2002/ws/Google Scholar
- WS Security Kerberos Token Profile – http://www.oasis-open.org/committees/download. php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdfGoogle Scholar
- WS-Security X509 Token Profile – http://www.oasis-open.org/committees/download. php/16785/wss-v1.1-spec-os-x509TokenProfile.pdfGoogle Scholar