Grid Computing’s week 4 lecture took a security theme covering the Grid Security Infrastructure [GSI], Public key infrastructure , Digital certificates, Mutual authentication, My Proxy and shibboleth.
GSI (see: http://en.wikipedia.org/wiki/Grid_Security_Infrastructure) is an overlay on the transport security protocol (SSL) utilizing asymmetric encryption and the public key infrastructure to acheive:
- Authentication
- Data integrity verification
- Single sign-on
- Inter-organisation decentralized security
All grid entities (user and processes) must have a public key certificate, for more info on public key certificates see: http://en.wikipedia.org/wiki/Public_key_certificate
GSI uses the X.509 standard which included 4 primary pieces of information:
- subject name
- public key
- identity
- digital signature
An illustration of the public key infrastructure process:
Scenario 1 -> privacy, only user can decrypt incoming data
Scenario 2 -> authentication, receivers decrypt data using the sources public key this ensures the data is coming from the correct source
Certificate authorities are required to ensure validity of public and private keys that make the users digital certificate
Digital Signatures came next, note that digital signatures and digital certificates are completely different. Digital signatures are hashed messages which cannot be ‘unhashed’
Digital certificates enable secure comparison of digital signatures to ensure the origin of data.
Building on the PKI, mutual authentication can be achieved between users. Verification occurs using a random number message and reply from each user to ensure values are the same when decrypted.
Proxy Certificates enable single sign on [SSO] so user do not have to keep on re-typing their passwords. This works using a short term public-private key pair created for 12 hours or so between the user and proxy server. GSI also allows users to delegate their credentials to process for complex batch jobs to work effectively.
My Proxy is a credential management service and in some cases the Certificate Authority for Grid users. Enables remote access through another proxy. Illustration of some myProxy scenarios:
