One of the most successful working examples of virtual organizations, computational Grids need authentication mechanisms that inter-operate across domain boundaries. Public Key Infrastructures (PKIs) provide sufficient flexibility to allow resource managers to securely grant access to their systems in such distributed environments. However, as PKIs grow and services are added to enhance both security and usability, users and applications must struggle to discover available resources-particularly when the Certification Authority (CA) is alien to the relying party. This chapter presents a successful story about how to overcome these limitations by deploying the PKI Resource Query Protocol (PRQP) into the grid security architecture. We also discuss the future of Grid authentication by introducing the Public Key System (PKS) and its key features to support federated identities.
TopAuthentication In Virtual Organizations
Computational grids provide researchers, institutions and organizations with many thousands of nodes that can be used to solve complex computational problems. To leverage collaborations among entities, users of computational grids are often consolidated under very large Virtual Organizations (VOs).
Participants in VOs need to share resources, including data storage, computational power and network bandwidth. Because these resources are valuable, access is usually limited, based on the requested resource and the requesting user's identity. In order to enforce these limits, each grid has to provide secure authentication of users and applications.
Erroneously granting access to unauthorized or even malicious parties can be dangerous even within a single organization---and is unacceptable in such large VOs.
Moreover, the dynamic nature of grid VOs requires the authentication mechanisms to be flexible enough to easily allow administrators to manage trust and quickly re-arrange resource-sharing permissions. Indeed, VOs are usually born from the aggregation of already existing organizations and constitute an umbrella that groups the participating organizations rather than replacing them. For example, large VOs like the ATLAS and CMS Large Hadron Collider collaborations may be distributed across multiple organizational and national boundaries. Authentication must allow individual organizations to maintain control over their own resources.
The Problem. When participating in a VO, an organization must solve the problem of securely identifying resource requesters that come from outside its boundaries. PKIs offer a powerful and flexible tool to solve the potential authentication nightmare. Nonetheless, grid and VO administrators are still striving to find an acceptable solution to address interoperability issues that originate from the way VOs differ in policies, infrastructures and resource control.
Consider the situation where access to grid resources is managed via a Web portal. The portal can use SSL to provide strong mutual authentication, between client and server, based on grid-approved PKI credentials. To do this, the portal administrator needs to set up the SSL Trust List to only allow credentials from approved CAs; the portal also needs to know how to validate the entire trust chain for that credential (that is, the end entity certificate presented, its issuer and the issuer's issuer, and so forth) up to the approved self-signed grid trust anchor.
To do this validation, the portal needs to know how to access services such as the location of the CA certificate and revocation data for each of these intermediate CAs. However, the portal cannot count on having pre-configured details for them. Even if it did—or if the information was packaged in each end entity certificate—this information may change over time, rendering this critical data stale. Having some way to dynamically discover service entry points of interest for grid-approved authorities (or indeed, the very authorities themselves) would solve a number of issues and would also provide for more flexible implementation options for the grid authorities, potentially lowering the costs of future service changes, and facilitating the future offering of additional services.
Our Solution Path. In order to help VOs to more efficiently address PKI interoperability issues we have started a collaboration with the TACAR project to foster the adoption of the PKI Resource Query Protocol (PRQP) which enables discovery of resources and services in inter-PKI and intra-PKI environments. Although PRQP provides a viable solution for immediate deployment, in this paper we extend this solution by advocating for the adoption of a Public Key System (PKS) in order to provide support for VO authentication over the Internet.
TopPast And Present Of Authentication In Grids
According to Ian Foster, a grid is a system that “coordinates resources that are not subject to centralized control, using standard, open, general-purpose protocols and interfaces, to deliver nontrivial qualities of service” (Foster, 2002). In order for the grid computing model to be successful, users and VOs must access a wide variety of resources using a uniform set of interfaces. Given that most resource providers have their own security policies and schemes to begin with, grids must overcome the challenge of integrating a wide variety of authentication mechanisms to achieve this kind of resource sharing. Without a common authentication layer, Virtual Organizations and resource providers are forced to adopt ad hoc schemes to achieve integrated resource sharing. However, the adoption of arbitrary schemes discourages information sharing and collaboration among researchers, and essentially makes the grid model unworkable.