Chapter 2 Grids, Security & Trust
2.3 Grid Computing & Security
2.3.4 Other Authentication & Authorisation Systems
Shibboleth
Shibboleth [153] is an architecture that supports the creation of federations within or between institutions for web-based single sign-on. A Shibboleth Identity Provider at a user's institution can provide SAML attribute assertions about the user to a Service Provider, which can make use of the attributes for authentication and authorisation. The assertions can be anonymous, so the Service Provider need not be aware of the user's true identity.
8 The name WebCom-G is used here to refer to the collaborative research and development project involving researchers in University College Cork, Trinity College Dublin, and National University of Ireland, Galway, and to the overall products of this research. The name WebCom is used to refer to the condensed-graph-based distributed computing software developed in UCC. Outside of this thesis WebCom-G may sometimes be used more specifically to refer to the versions of the WebCom software developed in UCC during the WebCom-G project.
There have been a number of efforts to integrate Shibboleth with existing grid security systems. GridShib allows Globus services to request user attributes from Shibboleth Identity Providers to make authorisation decisions [18]. Shibboleth is also used to federate institutional identity systems to issue X.509 certificates that can be used directly with grids [165].
Kerberized Certification Authority
The Kerberized Certification Authority (KCA) provides an automated mechanism for an organisation with an existing Kerberos infrastructure to generate X.509 credentials for use in PKI-based authentication systems [101]. The KCA software is distributed by the NSF Middleware Initiative. The KCA consists of a secure server which communicates with a client to generate PKI credentials. The KCA service is attractive for sites operating a Kerberos-based authentication infrastructure. The user is not issued a long-term private key, and proxy renewal uses the existing Kerberos infrastructure. The administrative overhead, and the possibility of error or deliberate attack on a separate RA, is removed. Since the KCA issues only short-lived certificates, there is no need to distribute CRLs. Compared to a well-run off-line service, the danger of signing key compromise is increased, since the KCA's signing key must be available on-line. In the context of long-running jobs in the grid, the problem arises of how to renew a proxy certificate derived from a user's Kerberos token, which is typically valid for about one day.
Virtual Smart Cards
The SLAC Virtual Smart Card system [88] provides an on-line credential store analogous to a physical smart card. As it is often unwise to trust users to keep private keys secure, it is argued that they should not be given the private key at all. VSC can provide stronger security guarantees with a central restricted-access server than individual untrustworthy users can, and it allows users to generate proxy certificates from anywhere that has access to the VSC server. The disadvantages are that the private keys are concentrated in one place, giving a single point of failure, and that the authentication for the whole system is only as strong as the authentication with the VSC server, so this must be of high quality, e.g. a well-administered Kerberos set-up.
A-Select
The A-Select Authentication System [1] is a framework for user authentication with web applications. It supports multiple Authentication Service Providers, including Radius and LDAP, as well as others based, for example, on authentication with Internet banking services.
KeyNote
Trust management [23, 21] is an approach to security which unifies the specification of security policies, trust relationships and credentials. A credential directly represents the subject's authorisation as delegated by some authority, and it will be respected if that authority is recognised by local policy. This is in contrast to a traditional identity-based access-control approach, where access is granted based on who is making a request and on the local access control policy for that request; in such cases it is often necessary to know in advance about all possible users. In a trust management system, cryptographic keys are used to identify authorisers and licensees. An authoriser creates a credential containing the licensee's public key and the appropriate authorisation attributes, and signs it with the authoriser's private key.
KeyNote [22, 24] is an implementation of a trust management system. It provides a compliance checker, which is used to verify credentials against the local security policy, and a simple application programming interface. The KeyNote compliance checker provides a standard mechanism for verifying credentials against policy, taking this task away from the application programmer. Credentials and policies (collectively, assertions) have a simple, expressive format. The only difference between a credential and a policy assertion is that a local policy is unconditionally trusted. Assertions are created and managed independently of the application, separating the security policy from the application functionality.
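As an added illustration, not KeyNote's own code or assertion syntax, the following Go program models the trust management scheme described above: assertions name licensee keys and carry attribute conditions, a credential is signed by its authoriser, and a compliance checker walks the delegation chain back to a local policy that is trusted without any signature. The JSON body, the attribute names and all keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
)

// Assertion is a simplified KeyNote-style assertion (a constructed format, not KeyNote's own syntax).
// A local policy has Authorizer "POLICY" and no signature; a credential is signed by its authoriser.
type Assertion struct {
	Authorizer string            // "POLICY" or hex-encoded Ed25519 public key of the authoriser
	Licensees  []string          // hex-encoded public keys being delegated to
	Conditions map[string]string // attribute values the request must match exactly
	Signature  []byte            // Ed25519 signature over signedBody(); nil for a policy
}
// signedBody covers every field except the signature; Go sorts map keys, so it is deterministic.
func signedBody(a Assertion) []byte { a.Signature = nil; b, _ := json.Marshal(a); return b }
// Complies is the compliance checker: principal may perform req if an assertion names it as licensee,
// its conditions match req, its signature verifies, and its authoriser is itself authorised, back to POLICY.
func Complies(principal string, req map[string]string, all []Assertion, depth int) bool {
	if depth > 8 { return false } // bound delegation depth; also stops delegation cycles
	for _, a := range all {
		ok := false
		for _, l := range a.Licensees { ok = ok || l == principal }
		for k, v := range a.Conditions { ok = ok && req[k] == v }
		if !ok { continue }
		if a.Authorizer == "POLICY" { return true } // local policy is trusted unconditionally
		if pub, err := hex.DecodeString(a.Authorizer); err == nil && len(pub) == ed25519.PublicKeySize &&
			ed25519.Verify(pub, signedBody(a), a.Signature) && Complies(a.Authorizer, req, all, depth+1) { return true }
	}
	return false
}

// Scenario (constructed keys): POLICY trusts an admin key for app "files"; the admin delegates
// read-only access to alice; a stranger presents alice's credential with the licensee swapped.
func Scenario() (aliceRead, aliceWrite, forgedRead bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	policy := Assertion{Authorizer: "POLICY", Licensees: []string{hex.EncodeToString(adminPub)}, Conditions: map[string]string{"app": "files"}}
	cred := Assertion{Authorizer: hex.EncodeToString(adminPub), Licensees: []string{hex.EncodeToString(alicePub)}, Conditions: map[string]string{"app": "files", "op": "read"}}
	cred.Signature = ed25519.Sign(adminPriv, signedBody(cred)) // the authoriser signs with its private key
	forged := cred
	forged.Licensees = []string{hex.EncodeToString(strangerPub)} // the signature no longer covers this body
	all, read := []Assertion{policy, cred, forged}, map[string]string{"app": "files", "op": "read"}
	return Complies(hex.EncodeToString(alicePub), read, all, 0),
		Complies(hex.EncodeToString(alicePub), map[string]string{"app": "files", "op": "write"}, all, 0),
		Complies(hex.EncodeToString(strangerPub), read, all, 0)
}
```

Scenario returns true, false, false: the delegation chain admits alice's read, her credential's conditions reject a write, and the re-targeted credential fails signature verification even though its authoriser is trusted.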
PERMIS
PERMIS (Privilege and Role Management Infrastructure Standards Validation) provides policy-based authorisation services based on X.509 attribute certificates [40]. PERMIS supports role-based access control of resources and, like KeyNote, is a trust management system [22]. Authorisation policies are specified in an XML format (support for XACML is under development).
A privilege allocator defines policies and issues role assignment attribute certificates. The privilege verification system can be used to verify PERMIS credentials presented by a user. As part of the TrustCoM project [173], support for including reputation information in both policies and decisions is being added to PERMIS.
MyProxy
MyProxy is a credential store for grid proxy certificates [131]. The service allows users to delegate a proxy credential to it and to assign a username and password. A user can later request that a proxy be delegated back from the MyProxy service by presenting their username and password. Proxies stored on a MyProxy server typically have a longer lifetime than those normally used (e.g. seven days rather than one day). For this reason MyProxy can be used to support proxy renewal for long-running jobs. In this case, the MyProxy server is configured to accept requests for delegation