VIEWS: 4 PAGES: 17 POSTED ON: 8/8/2012
An Authorization System for Grid Applications Thesis Presentation 5th Dec 2006 Author: Wang Xiao Supervisor: Professor Heikki Hämmäinen Instructor: MSc. Mikko Pitkänen Place: 3 months in CERN, Geneva and other time in HIP, Espoo Agenda Background Objectives and Methodology Grid Introduction Grid Security VOMS Conclusion Future Study Background CERN- European Laboratory for Particle Physics Built in 1954, research area is widely ranged World Wide Web is developed from CERN Large Hardron Collider (LHC) Project: Powerful particle accelerator brings protons and ions into head-on collisions. LHC will need a lot of computing power as it can produce 40 million collisions per second, and will be 10 petabytes per year. Requirement for computing power equivalent to 100,000 of today’s fastest PC processors. LHC Computing Grid Project in CERN- LCG HIP- Helsinki Institute of Physics EGEE project Largest European Grid project is coordinated at CERN Objective and Methodology Objective The objective is to study the Grid security systems, expecially focusing on Grid Authorization System VOMS- Vitual Organziation Membership Service Methodology Literature survey over alternative solutions and architectures Studying current design architecture Studying current implementation by looking into source code repositories Grid Introduction Grid is emerged as a new field of distributed computing, which focuses on the resource sharing securely among dynamic number of people and organizations. Grid can be a resource sharing infrastructure,a computing infrastructure or the next generation Internet. Grid Security Grid Security is a critical aspect of Grid service. Security: Authentication and Authorization Authentication: ID of the person Authorization: User’s ability to perform operations Grid Security Techniques Grid Security Infrastructures (GSI) EDG Java Security Security Basics(1) Cryptography and Public Key Infrastructure (PKI) Symmetric-key encryption Asymmetric-key encryption Security Basics(2)--Certificates X509v3 Certificate –driving license Most commonly used PKI standard. Certificate Authority (CA) Certificate contains public key information that is signed by the CA. Attribute Certificate, like Visa, binds a set of attributes of the user or other authorization information for the user. Grid Security Infrastructure (GSI) Provides fundamentals services for Grid Security. Authentication: Makes use of Certificates User Certificate Server Certificate Mutual communications, the client and server exchange its certificate to make the authentication. An Example of User Certificate Certificate: Data: Version: 1 (0x0) Serial Number: 150 (0x96) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, O=HIP, OU=TECH, CN=112 Test CA Validity Not Before: Jul 16 08:51:21 2004 GMT Not After: Jul 23 08:51:21 2004 GMT Subject: C=CH, O=HIP, OU=TECH, CN=Xiao Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:c1:da:2e:5c:01:00:67:86:7c:b6:d0:69:43:f9: 0c:06:7b:83:85:35:19:6c:ea:ad:0c:ff:c5:4e:f3: 09:83:e4:39:08:63:df:4c:ab:43:4b:50:35:26:a4: 1b:42:f8:db:97:0c:4e:f1:55:93:10:d4:28:d7:eb: 86:58:3f:7c:6b Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 59:86:1c:fc:ab:38:3c:bb:6c:06:02:e9:50:7a:00:35:c7:0f: 25:3b:f8:b1:f9:fa:5b:4a:95:99:03:a5:56:19:c0:5e:b7:a0: fb:5f:df:e7:26:50:d2:b1:b1:c5:1a:c4:d9:be:05:68:71:24: 0e:42:12:59:b6:c4:90:a0:ef:8d:8e:bc:46:31:8c:c1:f7:65: 1b:d7:dc:cb:51:07:3d:bb:a2:39:5b:5f:82:7c:06:64:82:e1: 14:2d:d9:75:bd:bf:ee:2d:38:3a:ac:11:fb:91:12:79:f5:d4: a8:dd:0a:15:7f:e2:04:45:9b:5f:c4:dc:dd:ef:2c:a9:ae:6b: 23:8c Authorization in GSI Makes use of Grid-mapfile Maps the user to a local unix account VOMS Short for Virtual Organization Member Service A centralized service that is used to manage the authorization in Virtual Organization(VO) scope. Developed by EGEE Problem with Current grid-mapfile, not scalable as the number of users increase. Thus strong requirement for VOMS. Overview on Glite VOMS Environment VOMS architecture User Server User Client Administration Client Administration Server Use Case 1. The client (user) and the VOMS server authenticate each other by using the normal Grid certificates. 2. The client sends the request to the VOMS server. 3. The Server checks the user certificate and the request. 4. The Server signs the information that is retrieved from VOMS database based on the user request and sends the signed information back to the client. Here the VOMS server signature is used to verify that a trusted VOMS service has provided the authorization information that will be attached to the user’s proxy. 5. The client then checks the information received from the server. 6. The client application creates a proxy certificate on behalf of the user containing the information received from the VOMS server added as an extension to the user’s X509 certificate. Conclusions 1. Java solution for VOMS 2. Shibboleth based AAI combined with VOMS and Grid Future Studies 1. Secure Resource Sharing techniques, scalablility and reliability for the system 2. Usability of Grid Thank You!
Pages to are hidden for
"An Authorization System for Grid Applications"Please download to view full document