Slide 1: Achieving Security and Privacy on the Grid
Nicola Mezzetti - TAPAS Workshop 2002 - Bologna
Slide 2: Presentation contents
Grid: an architecture for group collaboration;
Meaning of "Security" and "Privacy" in this work;
Grid security features;
Grid security: open issues;
A new approach to structuring the Grid:
    addresses security problems;
    easily introduces privacy features;
Concluding remarks:
    new CAS features;
    TAPAS vs. Grid.
Slide 3: Grid: generalities (1/2)
Grid: a protocol architecture to address resource sharing among dynamic collections of individuals, institutions and resources. The sharing is:
    flexible;
    secure;
    coordinated;
    without any assumption about trust relationships.
Virtual Organization (VO): a set of individuals and institutions defined by such sharing rules.
Slide 4: Grid: generalities (2/2)
Interoperability is a key issue on the Grid: Grid connectivity protocols are built on TCP/IP.
Grid communities (VOs) are:
    Scalable: low administration cost;
    Flexible: policies can dynamically change;
    Structurable: can realize complex policies.
Slide 5: Security and Privacy
To improve security, we will address the fairness property:
    Fairness: a system is fair if it is impossible for a malicious party to gain advantages over honest ones.
Privacy is a personal concept:
    Privacy: an entity must be able to make or serve requests while setting aside those details of its real identity that do not matter to the service specification.
Slide 6: Grid: security issues
Grid security features are based on the Globus GSI:
    Single sign-on;
    Delegation: (restricted) proxy credentials;
    Integration with local security solutions;
    User-based trust relationships: the user is the minimal unit for defining policy rules;
and on the CAS system:
    Trusted third party to manage the global policy;
    Keeps track of community users, groups and resources;
    Allows VOs to be scalable, flexible and structurable.
Slide 7: Resource request
Anyone representing the community can get an identity and instantiate a CAS server.
A user asks the CAS for a capability to perform a set of actions: he/she gets the capability if the request is compliant with the global policy.
That capability can be used to ask for a service:
    the user authenticates him/herself to a provider;
    the request is honoured if it is compliant both with the capability rights and with the resource provider's local policy.
Slide 8: Grid and security: open issues
Responsibility consistence is the property proper to a system that adopts security measures to prevent attacks and abuses.
A resource provider could receive unchecked service requests:
    1. the fairness property could lose validity;
    2. the system is not responsibility consistent.
The system is not really scalable (e.g. joining two VOs into a larger one).
Solution: the policy compliance of capabilities must be verified both when they are generated and when they reach the provider's physical organization.
Slide 9: Figure 1
Slide 10: The new CAS structure
Responsibility consistence can be addressed by:
    1. Each physical organization must keep a local server, the community server (CS), which knows the allowed inbound requests and the ones that can be generated;
    2. Each CS must also keep track of the resources shared by the organization it represents;
    3. A VO Connectivity Server (VOCS) is used to bring connectivity among CSs; it can neither generate capabilities nor implement any policy rule.
These rules change the older CAS structure from a flat one into a hierarchical one (a generic n-ary tree).
Slide 11: Figure 2
Slide 12: How to introduce privacy
Privacy features on the client side can be achieved by anonymizing proxy certificates: a user belongs to a security group of a particular physical organization, and other details can be hidden.
On the server side, privacy can be achieved by hiding resource details inside the Community Authorization System.
Using the virtual circuit paradigm helps to hide details about communication through the whole CAS.
Slide 13: How the request protocol changes
To request a capability, a user:
    1. authenticates himself to the local CS using a proxy certificate;
    2. asks for a capability;
    3. if the request is policy compliant, gets an anonymous capability.
To ask for a service, that user:
    1. authenticates himself to the local CS;
    2. asks for a service, presenting the anonymous capability;
    3. if the compliance checks succeed, the request is routed through the CAS system.
Slide 14: CAS Routing Protocol
A client sends the request to its local CS.
If the request can be satisfied by a local provider, the request is passed from the CS to the server;
else the local CS passes it up to the higher VOCS, which can:
    try to match the request with a provider in its subtree;
    pass the request up to the higher-level VOCS.
If a request reaches the root VOCS without finding a suitable provider, that request is not satisfiable.
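The two-point compliance check of slide 8, the anonymous capability flow of slide 13 and the tree routing of slide 14, as an added Python model that is not Globus or CAS code; the Node/Capability classes, the sample VO tree and the policy and resource names are all constructed here for illustration.

```python
from collections import namedtuple

class Node:
    """A CS (one per physical organization) or a VOCS (routing only, no policy/resources)."""
    def __init__(self, name, parent=None, vocs=False, resources=(), policy=()):
        self.name, self.parent, self.is_vocs = name, parent, vocs
        self.resources, self.policy, self.children = set(resources), set(policy), []
        if parent is not None:  # register with the parent to form the n-ary tree
            parent.children.append(self)

# Anonymous capability: carries the security group and issuing CS, never the user.
Capability = namedtuple("Capability", "group action issuer")

def issue_capability(cs, group, action):
    """Capability request at the local CS: granted only if policy compliant."""
    if cs.is_vocs or (group, action) not in cs.policy:
        return None
    return Capability(group, action, cs.name)

def find_provider(node, cap, resource):
    """Search node's subtree for a CS sharing `resource` whose local policy admits it too."""
    if not node.is_vocs:
        ok = resource in node.resources and (cap.group, cap.action) in node.policy
        return node if ok else None
    for child in node.children:
        hit = find_provider(child, cap, resource)
        if hit is not None:
            return hit
    return None

def route(local_cs, cap, resource):
    """Service request: check at the origin CS, then climb to the root; returns (provider, path)."""
    if cap is None or (cap.group, cap.action) not in local_cs.policy:
        return None, [local_cs.name]  # an unchecked request never leaves its origin
    path, node = [], local_cs
    while node is not None:
        path.append(node.name)
        hit = find_provider(node, cap, resource)
        if hit is not None:
            return hit.name, path
        node = node.parent
    return None, path  # reached the root VOCS without a suitable provider

def build_sample_vo():
    """Constructed two-level VO: a root VOCS over two sub-VO VOCSs with CSs."""
    root = Node("vo-root", vocs=True)
    va, vb = Node("vo-a", root, vocs=True), Node("vo-b", root, vocs=True)
    org1 = Node("org1", va, policy={("students", "read"), ("staff", "write")})
    org3 = Node("org3", vb, resources={"storage"}, policy={("students", "read")})
    return {"org1": org1, "org3": org3}
```

A capability that org1 issues for ("staff", "write") is still refused by org3, whose local policy lacks that pair: that is the provider-side check that keeps the system responsibility consistent.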
Slide 15: Concluding remarks: new CAS features
Improved scalability:
    multi-level virtual organizations;
    low cost for adding resources;
Flexibility;
Structurability;
Improved security: no more inter-organization attacks;
Privacy: on both the client and the provider side.
Slide 16: Conclusions: improved scalability
Slide 17: Concluding remarks: TAPAS vs. Grid
Different engineering techniques: TAPAS is well modelled by the use of UML and its extensions;
Different environment: TAPAS is component-oriented; each resource is controlled by a component;
Different trust model: the TAPAS ASP can be seen as a Trusted Third Party (TTP); TAPAS contracts are made by SLAs.