Credential Management Enforcement and Secure Data Storage in gLite

Credential Management Enforcement and Secure Data Storage in gLite

Francesco Tusa (Università degli Studi di Messina, Italy), Massimo Villari (Università degli Studi di Messina, Italy) and Antonio Puliafito (Università degli Studi di Messina, Italy)
Copyright: © 2010 |Pages: 22
DOI: 10.4018/jdst.2010090805
OnDemand PDF Download:
$37.50

Abstract

This article describes new security solutions for Grid middleware, and specifically faces the issues related to the management of users’ and servers’ credentials, together with storing and secure data transmission in the Grid. Our work, built on Grid Security Infrastructure (GSI), provides new capabilities (i.e. smart card Grid access, and strong security file storage XML-based) to be used on top of different Grid middlewares, with a low level of changes. This work is currently implemented on gLite and accomplishes the access to Grid resources in a uniform and transparent way. These improvements enable the Grid computing toward the new processing model known as business services.
Article Preview

Introduction

In the last years, a huge amount of scientific computations has been performed on the Grid, thus addressing the always increasing demand for computational and storage power, and offering an infrastructure available to the scientists 24 hours-a-day. The geographically spread resources of Grid can be virtually exploited as a traditional computing system by means of a specific middleware that hides much of the complexity, giving the user impression that all the resources are available as a coherent computer center (Foster, Kesselman, & Tuecke, 2001).

Both gLite (The Enabling Grids for E-sciencE project: http://ssicilia.unime.it/, 2009) and security. We focus on this latter aspect, proposing both an encrypted file storage and a user credential management system, based on smart card devices and crypto-tokens. This article aims to build an additional security layer on top of the existing security infrastructure: the integrations involve accounting mechanisms on the User Interface1 (UI), storage encryption on the Storage Elements2 (SE) and data computing on the Worker Nodes3 (CE).

According to the existing authentication mechanisms of gLite, both the user X.509 certificate (i.e. the RSA public key together with the related user identity) and the related RSA private key are stored on the UI home directory on two different files: the first one contains the public key and the related user credentials while the second one holds the user private key. Both files are encoded using the Privacy Enhancement for Internet Electronic Mail (PEM) format (Linn, 1993). Thus, the user private key plays a crucial role and the fact it is stored on the file system implies that it could be potentially stolen and then employed by insider attackers (e.g. malicious system administrator). According to the traditional GSI authentication model, in order to gain access to a grid resource, a user has to employ his own RSA key-pair for generating a temporary proxy certificate (Tuecke, Welch, Engert, Pearlman, & Thompson, 2004). Once this latter is generated, it has to be digitally signed (Brincat, 2001) through the RSA private key associated to the user himself.

Complete Article List

Search this Journal:
Reset
Open Access Articles
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing