A National-Scale Authentication Infrastructure (original) (raw)
Related papers
The Journal of Supercomputing, 2010
Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.
Single Sign-On And Authorization For Dynamic Virtual Organizations
IFIP International Federation for Information Processing
The vision of the Grid is to support the dynamic establishment and subsequent management of virtual organizations (VO). To achieve this presents many challenges for the Grid community with perhaps the greatest one being security. Whilst Public Key Infrastructures (PKI) provide a form of single signon through recognition of trusted certification authorities, they have numerous limitations. The Internet2 Shibboleth architecture and protocols provide an enabling technology overcoming some of the issues with PKIs however Shibboleth too suffers from various limitations that make its application for dynamic VO establishment and management difficult. In this paper we explore the limitations of PKIs and Shibboleth and present an infrastructure that incorporates single sign-on with advanced authorization of federated security infrastructures and yet is seamless and targeted to the needs of end users. We explore this infrastructure through an educational case study at the National e-Science Centre (NeSC) at the University of Glasgow and Edinburgh.
Experiences of Applying Advanced Grid Authorisation Infrastructures
Lecture Notes in Computer Science, 2005
The widespread acceptance and uptake of Grid technology can only be achieved if it can be ensured that the security mechanisms needed to support Grid based collaborations are at least as strong as local security mechanisms. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (authorisation). The Grid community have put forward numerous software proposals for authorisation infrastructures such as AKENTI [1], CAS [2], CARDEA [3], GSI [4], PERMIS [5,6,7] and VOMS [8,9]. It is clear that for the foreseeable future a collection of solutions will be the norm. To address this, the Global Grid Forum (GGF) have proposed a generic SAML based authorisation API which in principle should allow for fine grained control for authorised access to any Grid service. Experiences in applying and stress testing this API from a variety of different application domains are essential to give insight into the practical aspects of large scale usage of authorisation infrastructures. This paper presents experiences from the DTI funded BRIDGES project [10] and the JISC funded DyVOSE project [11] in using this API with Globus version 3.3 [12] and the PERMIS authorisation infrastructure.
Comparison of Advanced Authorisation Infrastructures for Grid Computing
19th International Symposium on High Performance Computing Systems and Applications (HPCS'05)
The widespread use of Grid technology and distributed compute power, with all its inherent benefits, will only be established if the use of that technology can be guaranteed efficient and secure. The predominant method for currently enforcing security is through the use of public key infrastructures (PKI) to support authentication and the use of access control lists (ACL) to support authorisation. These systems alone do not provide enough fine-grained control over the restriction of user rights, necessary in a dynamic Grid environment. This paper compares the implementation and experiences of using the current standard for Grid authorisation with Globus-the Grid Security Infrastructure (GSI)-with the Role-Based Access Control (RBAC) authorisation infrastructure PERMIS. The suitability of these security infrastructures for integration with regard to existing Grid technology is presented based upon experiences within the JISC-funded DyVOSE project.
Authentication and authorization infrastructures (AAIs): a comparative survey
Computers & Security, 2004
A very federal higher educational system with many universities and as many different student authentication systems exists in Switzerland. Initiated by the Swiss Virtual Campus and by the demand for more inter-university work and student mobility, SWITCH, the Swiss education and research network started to evaluate authentication and authorization architectures.
An authentication and authorization infrastructure: The PAPI system
Fusion Engineering and Design, 2006
PAPI is a system for providing access control to restricted information resources across the Internet. It intends to keep authentication as an issue local to the organization the user belongs to, while leaving information providers full control over the resources they offer. The authentication mechanisms are designed to be as flexible as possible, allowing each organization to use its own authentication schema, keeping user privacy, and offering information providers data enough for statistics. Moreover, access control mechanisms are transparent to the user and compatible: with the most commonly employed Web browsers (i.e., Netscape/MSIE/Mozilla/Lynx), with any HTTP based java application solution, and any operating system. This solution is being successfully used in different research organizations in Spain and Europe as a control access system to restricted resources in a transparent and single sign-on way. It is allowing mobile and external users to access to resources that are internal to organizations, contributing to remote participations in results of experiments and inter-institutional resource collaboration.
Dorian: Grid Service Infrastructure for Identity Management and Federation
19th IEEE Symposium on Computer-Based Medical Systems (CBMS'06), 2006
Identity management and federation is becoming an ever present problem in large multi-institutional environments. By their nature, Grids span multiple institutional administration boundaries and aim to provide support for the sharing of applications, data, and computational resources in a collaborative environment. One underlying problem is to enable participating institutions to manage the identities of their own members by leveraging existing institutional identity management systems, while at the same time facilitating the participation in larger Grids through the deployment of grid-wide user credentials. Those grid-wide identities are used for features such as single sign-on, secure communication, and are the basis for authorization decisions. In this paper we will present the design and implementation of Dorian, a grid service infrastructure component that enables the federation of users across the collaboration.
An Online Credential Management Service for InterGrid Computing
2008 IEEE Asia-Pacific Services Computing Conference, 2008
Grid users and their jobs need credentials to access grid resources and services. It is important to minimize the exposure of credentials to adversaries. A practical solution is needed that works with existing software and is easy to deploy, administer, and maintain. Thus, credential management services are the wave of the future for virtual organizations such as Grid computing. This paper describes architecture of a scalable, secure and reliable on-line credential management service called SafeBox for InterGrid computing platform. SafeBox provides InterGrid users with secure mechanism for storing one or multiple credentials and access them based on need at anytime from anywhere.
Authorization Strategies for Virtualized Environments in Grid Computing Systems���
2006
Abstract The development of adequate security solutions, and in particular of authentication and authorization techniques, for grid computing systems is a challenging task. Recent trends of service oriented architectures (SOA), where users access grids through a science gateway���a web service that serves as a portal between users of a virtual organizations (VO) and the various computation resources, further complicate the authorization problem.