PAST AND PRESENT OF AUTHENTICATION IN GRIDS
CAs is maintained by the IGTF and distributed to relying parties throughout the world. Grid CAs issue each user an X.509 certificate that binds the subscriber's identity to a public key; the matching private key is controlled by the grid subscriber. These certificates may be long-lived (typically valid for about a year and issued by classic grid CAs) or short-lived (typically issued by online CAs such as SWITCH (SWITCH, 2008) or MyProxy-based CAs (NCSA, 2008)), depending on the use case. The IGTF maintains separate authentication profiles so that CAs offering different qualities of service (for example, classic offline CAs versus short-lived credential services) can be accredited, and trusted, accordingly by relying parties.
A resource provider or virtual organization relies on these CAs to identify a given user. If an end entity presents a valid certificate signed by a CA that the relying party trusts, and proves possession of the matching private key (in GSI this happens inside the SSL/TLS handshake), the entity is authenticated. GSI authentication is mutual (GLOBUS, 2008): when a user wishes to access a service, both the user and the service must present signed certificates to each other, and the signing authority on each side must be trusted by the entity on the other side of the transaction. Allowing the user and the service to hold certificates signed by different CAs is the key to establishing cross-realm trust in grids. This also eases usability and scalability: the user need maintain only a single individual credential (a single point of identity) no matter how many services she wishes to use. To improve usability further, a user of grid services can sign a Proxy Certificate (PC) on his or her own behalf.
In general these proxies carry a subject name derived from the user's own (in the RFC 3820 form, the user's subject with exactly one additional CN component, which is what marks the certificate as a proxy), a new public key generated for the proxy, and a very short lifetime, typically hours. The proxy credential can then be used to access applications, or delegated further to application servers that act on the user's behalf, without ever exposing the user's original long-lived certificate and private key. A stolen proxy is therefore useful only until it expires, which is the security principle of "least privilege" in practice.
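The cross-realm mutual authentication and the proxy mechanism described above, as an added example that is not code from the chapter or from the Globus toolkit: two grid CAs (A and B), a user certified by A, a service certified by B, an RFC 3820 proxy that the user signs for herself, and each side's verification of the other against only its own trust store, driven with the plain openssl command line (1.1.1 or later, which implements the RFC 3820 subject and path checks behind its -allow_proxy_certs flag). All distinguished names, file names and the helper functions are made up for the example.

```shell
#!/bin/sh
# Added example, not from the chapter or from Globus. Assumes the openssl CLI
# (>= 1.1.1). All names below are invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/grid.cnf"

# Extension profiles: a CA, an end entity, and an RFC 3820 proxy. pathlen:0 in
# proxyCertInfo means this proxy may not be delegated any further.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[proxy]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# make_ca NAME SUBJECT: self-signed CA, the stand-in for one accredited grid CA.
make_ca() {
  q openssl req -x509 -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -days 3650 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2"
}

# issue NAME SUBJECT SIGNER PROFILE DAYS: fresh key + CSR for NAME, signed by SIGNER.
# SIGNER is a CA for an end-entity certificate and the user herself for a proxy.
issue() {
  q openssl req -new -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2"
  q openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days "$5" -extfile "$CNF" -extensions "$4" -out "$WORK/$1.pem"
}

# accepted STORE CERT [verify options]: does a relying party whose trust store is
# exactly STORE accept CERT? Exit status 0 = accepted, non-zero = rejected.
accepted() {
  store=$1; cert=$2; shift 2
  q openssl verify -CAfile "$WORK/$store.pem" -no-CApath "$@" "$WORK/$cert.pem"
}

ALICE='/DC=org/DC=examplegrid/OU=People/CN=Alice Example'
make_ca ca_a '/DC=org/DC=examplegrid/CN=Example Grid CA A'
make_ca ca_b '/DC=org/DC=partnergrid/CN=Partner Grid CA B'
issue user    "$ALICE"                                                       ca_a ee 365
issue service '/DC=org/DC=partnergrid/OU=Services/CN=gridftp.partnergrid.org' ca_b ee 365
# RFC 3820 proxy: Alice's subject plus one CN, signed with Alice's own end-entity
# key. Grid tools use lifetimes of hours; x509 -req only takes whole days.
issue proxy    "$ALICE/CN=1234567"                                           user proxy 1
# A proxy that tries to claim someone else's identity with the same signing key.
issue badproxy '/DC=org/DC=examplegrid/OU=People/CN=Mallory/CN=42'           user proxy 1

# Service side: trusts only CA A, must opt in to proxies, and is handed the user
# certificate as the untrusted middle of the chain (the client sends it in the handshake).
service_accepts_alice_proxy() { accepted ca_a proxy -allow_proxy_certs -untrusted "$WORK/user.pem"; }
# User side: trusts only CA B, and checks the service's certificate against it.
alice_accepts_service() { accepted ca_b service; }
# Negative cases a relying party should expect.
service_rejects_proxy_by_default() { ! accepted ca_a proxy -untrusted "$WORK/user.pem"; }
service_rejects_foreign_ca() { ! accepted ca_a service; }
service_rejects_renamed_proxy() { ! accepted ca_a badproxy -allow_proxy_certs -untrusted "$WORK/user.pem"; }

for t in service_accepts_alice_proxy alice_accepts_service \
         service_rejects_proxy_by_default service_rejects_foreign_ca service_rejects_renamed_proxy; do
  if "$t"; then echo "ok   $t"; else echo "FAIL $t"; fi
done
```

Two of the negative cases are the ones practitioners trip over: a relying party that has not enabled proxy support rejects every proxy, and a proxy whose subject is not the signer's subject plus one CN fails the RFC 3820 name check, which is what keeps a delegated credential traceable to the individual who signed it.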
According to Ian Foster, a grid is a system that "coordinates resources that are not subject to centralized control, using standard, open, general-purpose protocols and interfaces, to deliver nontrivial qualities of service" (Foster, 2002). In order for the grid computing model to be successful, users and VOs must access a wide variety of resources using a uniform set of interfaces. Given that most resource providers have their own security policies and schemes to begin with, grids must overcome the challenge of integrating a wide variety of authentication mechanisms to achieve this kind of resource sharing. Without a common authentication layer, Virtual Organizations and resource providers are forced to adopt ad hoc schemes to achieve integrated resource sharing. However, the adoption of arbitrary schemes discourages information sharing and collaboration among researchers, and essentially makes the grid model unworkable.
The Grid Security Infrastructure (GSI) has become the de facto security layer in scientific, research and academic grids. It provides applications, VOs and resource providers with a secure and standard means to perform authentication across organizational boundaries. GSI is built on top of a PKI and uses standard X.509 v3 certificates to authenticate principals; resource providers then base access decisions for their local resources on the authenticated identity. Several major grid infrastructures, including Open Science Grid (OSG), the European Grid Infrastructure (EGI), TeraGrid and the Earth System Grid (ESG), rely on GSI for managing authentication between users and services.
In a distributed environment, it is important to maintain traceability back to the individual entity named in a given certificate. The task of identifying users is distributed across various grid CAs throughout the world. These CAs are accredited and audited by the International Grid Trust Federation (IGTF) and its three regional Policy Management Authorities (EUGridPMA, APGridPMA and TAGPMA). A list of accredited