
Security Issues in Grid Computing

Reading: Grid Book, Chapter 16: "Security, Accounting and Assurance", by Clifford Neuman
Security Issues

Traditional systems:
- Protect a system from its users
- Protect the data of one user from compromise

In Grid systems:
- Protect applications and data from the system where the computation executes
- Stronger authentication needed (for users and for code)
- Protect local execution from remote systems
- Different administrative domains and security policies
Organization

- Authentication
  - Password-based
  - Kerberos authentication
  - SSL authentication
  - Certification authorities
- Authorization
- Integrity and Confidentiality
  - Symmetric and asymmetric cryptography
  - PGP (Pretty Good Privacy)
  - SSL

Organization (cont.)

- More Security Issues
  - Assurance
  - Accounting
  - Audit
- More Security Technologies
  - IPSec and IPv6
  - VPN (Virtual Private Networks)
  - Firewalls
  - GSS-API
Authentication

- Process of verifying the identity of a participant in an operation or request
- Principal: the entity whose identity is verified
  - A local user, or a user logged into a remote system
- Traditional systems: authenticate the client to protect the server
- Grid systems: mutual authentication required
  - Ensures that resources and data are not provided by an attacker
Authentication Methods: Password-based Authentication

- Sending unencrypted passwords is only suitable when messages cannot be read by untrusted processes while on the network
- Instead, prove knowledge of the password:
  - Don't send the password over the network
  - Use the password as an encryption key
  - Encrypt a known but non-repeating value
  - Send the encrypted value to the party verifying the authentication
  - Both parties must know the password, or trust a third party to distribute it
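The slide's "prove knowledge of the password" scheme, written out as an added example (not code from the slides or from the Grid Book). The verifier issues a random, never-repeated nonce (the "known but non-repeating value"); the client keys a MAC with a key derived from the password and sends only the MAC over the nonce, so the password itself never crosses the network. A keyed MAC is used here in place of the slide's "encrypt the value with the password as key"; it is the same proof of knowledge. The user name, password, salt and PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed, non-secret salt for the example; a real deployment stores a
# per-user random salt alongside the derived key.
SALT = b"example-salt"

def derive_key(password):
    """Turn the shared password into a fixed-length key (PBKDF2 parameters are
    chosen for the example only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def respond(password, nonce):
    """Client side: prove knowledge of the password by keying a MAC over the
    verifier's non-repeating nonce. The password itself never leaves the client."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()

class Verifier:
    """Server side: issues one-time nonces and checks the client's responses."""

    def __init__(self, users):
        # Store only password-derived keys, never cleartext passwords.
        self._keys = {user: derive_key(pw) for user, pw in users.items()}
        self._outstanding = {}   # nonce -> user it was issued to
        self._used = set()       # nonces already consumed (replay protection)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)    # known to both parties, never repeats
        self._outstanding[nonce] = user
        return nonce

    def verify(self, user, nonce, response):
        key = self._keys.get(user)
        # Unknown user, replayed nonce, or nonce issued to someone else: reject.
        if key is None or nonce in self._used or self._outstanding.get(nonce) != user:
            return False
        self._used.add(nonce)
        del self._outstanding[nonce]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare

def demo():
    """Returns (fresh response accepted, replay rejected, wrong password rejected)."""
    v = Verifier({"alice": "correct horse battery staple"})
    n1 = v.challenge("alice")
    good = respond("correct horse battery staple", n1)
    accepted = v.verify("alice", n1, good)
    replayed = v.verify("alice", n1, good)          # same nonce presented again
    n2 = v.challenge("alice")
    wrong = v.verify("alice", n2, respond("wrong password", n2))
    return accepted, not replayed, not wrong
```

The replay check is the part that matters for the "non-repeating" requirement: an eavesdropper who records a valid response cannot reuse it, because the verifier never accepts the same nonce twice and every later challenge is different.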
Authentication Systems: Kerberos

- Authentication and key distribution protocol
  - Used with symmetric encryption systems (both sides must share the same key)
  - Better performance than systems using public-key (asymmetric) cryptography
- Well suited to frequent authentication
- Centrally administered
- Requires a trusted, on-line certification authority: the Key Distribution Center (KDC)

Using Kerberos to authenticate a client and a server

1. Each client and server registers its key in advance with the Kerberos authentication server
2. Client wants to communicate with a service provider: sends the client and service provider names to the Kerberos authentication server
3. Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server
4. Kerberos server sends the session key to the client, together with a ticket that contains the client's name and the session key, all encrypted with the server's key

Kerberos Authentication (cont.)

5. Client caches the encrypted session key and ticket, which are valid for some period
   - Reduces the number of authentication requests to the server
6. Client forwards the ticket to the service provider AND sends the server a timestamp encrypted using the session key
7. Server decrypts the ticket and extracts the session key
8. Server uses the session key to decrypt the timestamp and checks that the timestamp is recent
9. If the client needs to authenticate the server, the server encrypts the timestamp with the session key and sends it back to the client
Authentication Systems: Secure Sockets Layer (SSL)

- Widely deployed: every web browser!
- Client authenticates the identity of the server
- A session key is sent from client to server to set up encrypted communication
- Server has a certificate that contains its public key
- If the client has a certificate, it can authenticate itself to the server

Using SSL to authenticate a server

1. Client web browser with SSL contacts a web server with SSL
2. Server sends its public-key certificate to the client
3. Client uses the public key of a trusted Certificate Authority (CA) to verify that the server's certificate is valid
4. Client verifies that the hostname embedded in the certificate is the hostname of the intended server
5. Client extracts the server's public key from the certificate
6. Client uses the server's public key to encrypt a session key for a symmetric cryptosystem
7. Client sends the encrypted session key to the server
8. Server uses its private key to decrypt the session key
9. Client and server communicate using the symmetric cryptosystem with the session key
Certificates and Certification Authorities (CA)

- A certification mechanism provides a binding between an encryption key and an authenticated identity
- A certification authority (CA) is a third party that certifies or validates the binding
- The CA issues a certificate and signs it
- A certificate is a data object that contains:
  - The distinguished name of a principal
  - In asymmetric cryptographic systems: the public key of the principal
  - Optional attributes: authorizations, group memberships, email addresses, alternate names

Certification (cont.)

- X.509 certificates: the most widely used format
  - Web browsers
  - Secure email services
  - Public-key-based electronic payment systems
- Validating the binding
  - The verifier must know the CA's public key
  - Uses the CA's public key to validate the CA's signature
- Hierarchy of CAs: each CA is certified by a higher-level CA, except for the root CA(s)
- Applications and servers must know the public keys of the trusted root CAs
Data Origin Authentication

- Provides assurance that a particular message, data item or executable originated with a particular principal
  - Determines whether a program was modified or sent by an attacker

Delegation of Identity

- Process that grants one principal the authority to act as another individual
- Assume another's identity to perform certain functions
- E.g., in Globus: use the gridmap file on a particular resource to map an authenticated user onto another's account, with the corresponding privileges
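An added example of the gridmap step described above: parsing a gridmap-style file and mapping an already-authenticated certificate subject (distinguished name) onto a local account. This is illustration code, not Globus's own implementation; the line format assumed here (a quoted DN followed by a comma-separated list of local accounts, `#` comments allowed) follows the Globus convention, and the DNs and account names are constructed. The DN must come from a verified certificate; the gridmap only decides which account an already-authenticated principal may use, and anyone not listed is denied.

```python
import shlex

# Constructed sample gridmap. Each line: "<distinguished name>" account[,account...]
SAMPLE_GRIDMAP = """\
# grid-mapfile (constructed example)
"/C=US/O=Example Grid/OU=Physics/CN=Jane Doe" jdoe
"/C=US/O=Example Grid/OU=Physics/CN=Bob Smith" bsmith,physics
"/C=US/O=Example Grid/OU=Admin/CN=Grid Operator" gridops
"""

def parse_gridmap(text):
    """Return {distinguished name: [local accounts]}; malformed lines are an error
    rather than being skipped, so a typo cannot silently drop an entry."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted DN with spaces
        if len(parts) != 2:
            raise ValueError(f"gridmap line {lineno}: expected a quoted DN and an account list")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping

def map_principal(mapping, authenticated_dn, requested_account=None):
    """Map an authenticated DN onto a local account.

    Returns the account name, or None when the DN is not listed (deny by default)
    or asks for an account it is not mapped to. With no explicit request the
    first listed account is used.
    """
    accounts = mapping.get(authenticated_dn)
    if not accounts:
        return None
    if requested_account is None:
        return accounts[0]
    return requested_account if requested_account in accounts else None
```

The mapping is an exact string match on the full DN: a subject that merely resembles a listed one ("/C=US/O=Example Grid/OU=Physics/CN=Jane Doe2") gets nothing, which is the behaviour you want from an identity-delegation table.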
Reminder: Organization

- Authentication
  - Password-based
  - Kerberos authentication
  - SSL authentication
  - Certification authorities
- Authorization
- Integrity and Confidentiality
  - Symmetric and asymmetric cryptography
  - PGP (Pretty Good Privacy)
  - SSL
Authorization

- Process that determines whether a particular operation is allowed
- Traditionally: based on the authenticated identity of the requester and local information
  - Access Control Lists (ACLs)
- Grids: determine whether access to a resource is allowed
  - Might have access control lists associated with resources, principals or authorized programs
  - User-provided code must also be authenticated
Distributed Authorization

- E.g., the Distributed Computing Environment
- Systems still being developed
- Distributed maintenance of authorization information:
  - Group membership
  - Access control lists
- Need to verify the authenticity of authorization (and assurance) information
- One approach: embed these attributes in certificates
  - Signed by a trusted third party
  - "Privilege attribute certificates"

Distributed Authorization (cont.)

- Restricted proxy: an authorization certificate that grants authority to perform an operation on behalf of the grantor
  - Restricted to access to particular objects
  - Only when the specified restrictions are satisfied
- Alternative: a separate authorization server
  - The party providing a service checks with the server whether a named principal is authorized

Delegation of Authority

- A user or process that is authorized to perform an operation can grant the authority to perform that operation to another process
- More restricted than identity delegation
- In Grids:
  - Used for tasks that run remotely on the grid and must read or write data stored across the network
  - E.g., the resource manager allocates a node to a job and delegates to the job's initiator the authority to use that node
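An added example of a restricted proxy used for delegation of authority, covering both the "Distributed Authorization (cont.)" and "Delegation of Authority" slides. It is not code from the slides or from any grid middleware. The proxy names the grantor, the grantee, exactly one operation and one object, and an expiry; the resource verifies the grantor's signature, checks every restriction, and additionally refuses the delegation if the grantor does not itself hold the right in the resource's ACL, so delegated authority is always narrower than the grantor's own. The signature is an HMAC under a key the resource already knows for each grantor (an assumption standing in for the signed privilege attribute certificates the slides mention); the ACL, keys and principal names are constructed.

```python
import hashlib
import hmac
import json

# Constructed ACL held by the resource: object -> principal -> allowed operations
ACL = {
    "/data/run42": {"resource-manager": {"read", "write"}, "alice": {"read"}},
}
# Constructed registry of grantor keys the resource can verify; a deployment
# would use signed certificates instead of shared keys.
GRANTOR_KEYS = {
    "resource-manager": b"resource-manager-key-example",
    "alice": b"alice-key-example",
}

def _canonical(fields):
    # Deterministic encoding so the signature covers exactly these fields.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_proxy(grantor, grantor_key, grantee, operation, obj, ttl, now):
    """Grantor delegates exactly one operation on one object, for a limited time."""
    fields = {"grantor": grantor, "grantee": grantee, "op": operation,
              "object": obj, "expires": now + ttl}
    tag = hmac.new(grantor_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}

def check_proxy(proxy, presenter, operation, obj, now):
    """Resource-side check. Returns (allowed, reason)."""
    f = proxy["fields"]
    key = GRANTOR_KEYS.get(f["grantor"])
    if key is None:
        return False, "unknown grantor"
    expected = hmac.new(key, _canonical(f), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proxy["tag"]):
        return False, "bad signature"
    if f["grantee"] != presenter:
        return False, "presenter is not the grantee"
    if now >= f["expires"]:
        return False, "expired"
    if (operation, obj) != (f["op"], f["object"]):
        return False, "request outside the proxy's restrictions"
    # Delegated authority can never exceed what the grantor itself holds.
    if operation not in ACL.get(obj, {}).get(f["grantor"], set()):
        return False, "grantor does not hold this right"
    return True, "ok"
```

The order of checks is deliberate: the signature is verified before any field is trusted, and the grantor's own ACL entry is consulted last, so a valid-looking proxy from a principal who only has read access cannot confer write access on a job.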
Integrity and Confidentiality

- Protect data during transmission on the network
  - Anyone connected to an open network may observe, insert or possibly remove messages
- Cryptography
  - Encryption: scrambles data in a way that varies based on a secret encryption key
  - Decryption: unscrambles data using the corresponding decryption key
  - Ciphertext: scrambled data
  - Plaintext: original or unscrambled data

Encrypted messages provide integrity and confidentiality

- Protect data from eavesdroppers
  - Data is encrypted before transmission and decrypted afterward
- Checksums protect data integrity
  - Attach a checksum to the data before encryption
  - After decryption, the receiver verifies the checksum
  - Detects modifications of the data by someone who doesn't know the encryption key
Symmetric Cryptosystems

- Examples: DES (Data Encryption Standard), triple-DES, IDEA, Blowfish, RC4, RC5
- Uses the same key for encryption and decryption
- Both parties must share the same key
- With static keys:
  - A user needs a different key for every other user or service provider
  - A service provider maintains a key for every user
- Or, use a mutually trusted intermediary to generate and distribute a session key to both parties
  - E.g., the Kerberos Key Distribution Center

Symmetric Encryption Key Distribution Using Kerberos

1. Each client and server registers its key with the Kerberos authentication server in advance
2. Client wants to communicate with a service provider: sends the client and service provider names to the Kerberos authentication server
3. Kerberos server randomly generates a session key that will be used for symmetric encryption between client and server
4. Kerberos server sends the session key to the client, together with a ticket that contains the client's name and the session key, all encrypted with the server's key

Key Distribution Using Kerberos (cont.)

5. Client caches the encrypted session key and ticket, which are valid for some period
   - Reduces the number of authentication requests to the server
6. Client forwards the ticket to the service provider AND sends the server a timestamp encrypted using the session key
7. Server decrypts the ticket and extracts the session key
8. Server uses the session key to decrypt the timestamp and checks that it is recent
9. If the client needs to authenticate the server, the server encrypts the timestamp with the session key and sends it to the client
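The nine Kerberos steps, which appear twice in the deck ("Using Kerberos to authenticate a client and a server" and "Key Distribution Using Kerberos"), carried through end to end as an added example; this is illustration code, not the Kerberos protocol implementation or anything from the Grid Book. All three parties are simulated in one process. The symmetric cipher is a toy authenticated-encryption construction (HMAC-SHA256 keystream plus an HMAC tag) that stands in for the real cipher; the principal names, keys and the 300-second freshness window are constructed. One detail the slides leave implicit is which key protects the client's copy of the session key: here, as in Kerberos itself, it is sealed under the client's own long-term key, while the ticket is sealed under the server's.

```python
import hashlib
import hmac
import json
import secrets
import time

# --- Toy authenticated encryption, for the example only -----------------------
# HMAC-SHA256 keystream XORed with the data, plus an HMAC tag over nonce and
# ciphertext. Not a real cipher; it only needs to behave like one here.
def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext rejected: wrong key or tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- The three parties --------------------------------------------------------
class KDC:
    def __init__(self):
        self.keys = {}                      # step 1: long-term keys registered in advance

    def register(self, name, key):
        self.keys[name] = key

    def request(self, client, server):
        # Steps 2-4: fresh random session key; the ticket (client name + session
        # key) is sealed under the server's key, the client's copy under the
        # client's own long-term key.
        session_key = secrets.token_bytes(32)
        ticket = encrypt(self.keys[server],
                         json.dumps({"client": client, "key": session_key.hex()}).encode())
        for_client = encrypt(self.keys[client],
                             json.dumps({"server": server, "key": session_key.hex()}).encode())
        return for_client, ticket

class Client:
    def __init__(self, name, key, kdc):
        self.name, self.key, self.kdc = name, key, kdc
        self.cache = {}                     # step 5: (session key, ticket) per server

    def credentials(self, server):
        if server not in self.cache:        # ask the KDC only once per server
            for_client, ticket = self.kdc.request(self.name, server)
            session_key = bytes.fromhex(json.loads(decrypt(self.key, for_client))["key"])
            self.cache[server] = (session_key, ticket)
        return self.cache[server]

    def authenticate_to(self, server, now):
        # Step 6: forward the ticket plus a timestamp encrypted under the session key
        session_key, ticket = self.credentials(server)
        return ticket, encrypt(session_key, str(now).encode())

    def check_server(self, server, reply, now):
        # Step 9: only a party that could open the ticket knows the session key
        session_key, _ = self.cache[server]
        return decrypt(session_key, reply) == str(now).encode()

class Server:
    MAX_SKEW = 300                          # seconds; constructed freshness window

    def __init__(self, key):
        self.key = key

    def accept(self, ticket, authenticator, now):
        # Steps 7-8: open the ticket with our own key, extract the session key,
        # decrypt the timestamp and insist that it is recent.
        info = json.loads(decrypt(self.key, ticket))
        session_key = bytes.fromhex(info["key"])
        ts = int(decrypt(session_key, authenticator))
        if abs(now - ts) > self.MAX_SKEW:
            raise ValueError("stale timestamp")
        # Step 9: echo the timestamp under the session key for mutual authentication
        return info["client"], encrypt(session_key, str(ts).encode())

def demo(now=None):
    """Returns (client name seen by the server, server authenticated to client,
    stale authenticator rejected)."""
    now = int(time.time()) if now is None else now
    kdc = KDC()
    client_key, server_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register("alice", client_key)
    kdc.register("fileserver", server_key)
    alice, fileserver = Client("alice", client_key, kdc), Server(server_key)
    ticket, authenticator = alice.authenticate_to("fileserver", now)
    who, reply = fileserver.accept(ticket, authenticator, now)
    mutual = alice.check_server("fileserver", reply, now)
    try:
        fileserver.accept(ticket, authenticator, now + 3600)   # replayed an hour later
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return who, mutual, stale_rejected
```

The server never learns the client's long-term key and the client never learns the server's: each side only ever decrypts material sealed under its own key, and the session key is the only secret they end up sharing. The timestamp check in step 8 is what limits replay of a captured ticket-plus-authenticator to the freshness window; the mutual-authentication reply in step 9 works because nobody without the server's key could have recovered the session key from the ticket.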
Asymmetric Cryptography

- Also called public key cryptography (PKI)
- E.g., RSA or DSA (Digital Signature Algorithm)
- Uses a pair of keys for encryption and decryption
  - Knowledge of one key does not reveal the other
- Public key: published and available to anyone
- Private key: secret, known to only one party
- Advantage: the public key can be disseminated freely
- Disadvantage: significantly worse performance than symmetric encryption
  - Because of performance, rarely used in isolation
  - Used in combination with symmetric encryption

Using Asymmetric Encryption to Exchange a Symmetric Key

1. Sender generates a symmetric session key and an associated checksum
2. Sender encrypts the key and checksum using the recipient's public key and sends them to the recipient
3. Recipient decrypts the key and checksum using its private key
4. Recipient verifies that the checksum is correct and extracts the session key
5. Communication proceeds using symmetric encryption with the session key

Using Asymmetric Encryption to Exchange a Symmetric Key (cont.)

- Pay the asymmetric performance penalty at startup, but not on every block transferred
- Relies on each party knowing the public keys, or relying on a trusted third party (CA) to verify public keys
- Otherwise, an attacker could replace a public key with a different public key whose private key is known to the attacker
Encryption with PGP (Pretty Good Privacy)

- Provides integrity, authentication and confidentiality for email and data files
- Sender:
  - Computes a message digest (similar to a checksum)
  - Encrypts the original message using symmetric cryptography with a message key
  - Encrypts the message digest with asymmetric cryptography using the private key of the sender
    - Provides a digital signature (integrity)
  - Encrypts the message key with asymmetric cryptography using the recipient's public key

PGP (Pretty Good Privacy) (cont.)

- Recipient:
  - Decrypts the message digest using the public key of the sender
  - Decrypts the message key using its own private key
  - Uses the message key to decrypt the original message
  - Verifies the correctness of the message using the digest

Digital Signatures

- Does not require encryption of the original message
- Message digest
  - Computationally infeasible for another message to produce the same digest
  - Encrypted
  - Attached to the message
  - Can detect if the message was altered during transmission
- Provides a digital signature
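One added example serving three of the slides above: the session-key exchange with a checksum ("Using Asymmetric Encryption to Exchange a Symmetric Key"), the PGP sender and recipient steps, and the stand-alone digital signature. It is illustration code, not PGP's or any library's implementation. The asymmetric primitive is textbook RSA on fixed, publicly known Mersenne primes with no padding, which makes the flow readable but offers no security; the symmetric cipher is a SHA-256 keystream XOR standing in for a real cipher; the CRC32 checksum on the session key and the sample message are constructed.

```python
import hashlib
import secrets
import zlib

# Toy textbook RSA on fixed, publicly known Mersenne primes: shows the flow,
# is not secure (no padding, factors are public).
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

SENDER_PUB, SENDER_PRIV = keypair((1 << 521) - 1, (1 << 607) - 1)     # n > 2**1127
RECIPIENT_PUB, RECIPIENT_PRIV = keypair((1 << 89) - 1, (1 << 127) - 1)  # n > 2**215

def rsa(key, m):
    """Apply one key of the pair; the other key undoes it."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value too large for this modulus")
    return pow(m, exp, n)

# Toy stream cipher (SHA-256 keystream XOR) standing in for the symmetric
# cipher; each message gets a fresh random key, so a keystream is never reused.
def sym(key, data):
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

# Digital signature: the digest, not the message, goes through the private key,
# so signing does not require encrypting the message at all.
def sign(message, priv):
    return rsa(priv, int.from_bytes(hashlib.sha256(message).digest(), "big"))

def verify(message, signature, pub):
    return rsa(pub, signature) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def pgp_send(message, sender_priv, recipient_pub):
    signature = sign(message, sender_priv)            # digest under sender's private key
    message_key = secrets.token_bytes(16)             # fresh symmetric message key
    body = sym(message_key, message)                  # message under the message key
    # Message key plus checksum (constructed: CRC32) under the recipient's public key
    payload = message_key + zlib.crc32(message_key).to_bytes(4, "big")
    wrapped_key = rsa(recipient_pub, int.from_bytes(payload, "big"))
    return {"body": body, "signature": signature, "wrapped_key": wrapped_key}

def pgp_receive(packet, recipient_priv, sender_pub):
    payload = rsa(recipient_priv, packet["wrapped_key"]).to_bytes(20, "big")
    message_key, checksum = payload[:16], payload[16:]
    if zlib.crc32(message_key).to_bytes(4, "big") != checksum:
        raise ValueError("session key checksum mismatch")
    message = sym(message_key, packet["body"])
    if not verify(message, packet["signature"], sender_pub):
        raise ValueError("signature does not match message digest")
    return message
```

Note how the two key pairs are used in opposite directions: the recipient's public key wraps the message key (only the recipient's private key unwraps it), while the sender's private key signs the digest (anyone with the sender's public key can check it). The asymmetric operations happen once per message, on 20 bytes and a 32-byte digest; everything else is symmetric, which is the performance point the slides make.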
Reminder: Organization

- More Security Issues
  - Assurance
  - Accounting
  - Audit
- More Security Technologies
  - IPSec and IPv6
  - VPN (Virtual Private Networks)
  - Firewalls
  - GSS-API
More Security Issues: Assurance

- The service requester has requirements for:
  - performance, security, reliability
- Does the candidate service provider meet these requirements?
- A form of authorization ("accreditation") used to validate the service provider
- Grid example: check assurance credentials when selecting nodes for a computation:
  - Do they meet the performance, reliability or security requirements?
- Assurance schemes: not widely deployed

More Security Issues: Accounting

- A means of tracking, limiting or charging for the consumption of resources
- Critical for fair allocation of resources
- Tied in with authorization
- In the grid, accounting is critical:
  - Need a means of payment
    - Correctly charge the user at the time a resource is consumed
  - Need an incentive to make resources available
- Grids require a distributed mechanism to maintain quotas across systems
  - Prevents users from exceeding resource limits by spreading their use across machines
- Grid accounting schemes are still being developed

More Security Issues: Audit

- Record the operations performed by a system and associate actions with principals
  - Problems: find out what went wrong
  - Security breaches: intrusion detection
- In a grid: the audit mechanism must be distributed
- Intrusion detection
  - Need a log of events for later or concurrent analysis
  - Protect the confidentiality of audit data
    - Vulnerable to modification, deletion or denial of service
- Grid applications will affect intrusion detection algorithms
  - Normal grid activities may look similar to certain network attacks
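An added example of the last point, that normal grid activity can resemble a network attack: two simple detection rules run over a constructed connection log. A scheduler dispatching a job to a dozen compute nodes produces the same fan-out pattern as a host sweep; the detector suppresses that case only when the source uses nothing but its registered grid-service port, while an unknown host probing many ports on one node is still flagged. This is illustration code, not from the slides; the log format, addresses, ports, thresholds and the registry of known grid services are all constructed.

```python
import re
from collections import defaultdict

# Constructed connection log: a grid scheduler (10.0.1.5) dispatching a job to
# twelve compute nodes on its job-manager port, then an outside host probing
# twelve ports on one compute node, then one ordinary outbound connection.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} src=10.0.1.5 dst=10.0.2.{11 + i} dport=2119 action=connect"
     for i in range(12)]
    + [f"2024-05-01T10:01:{i:02d} src=198.51.100.7 dst=10.0.2.11 dport={20 + i} action=connect"
       for i in range(12)]
    + ["2024-05-01T10:02:00 src=10.0.2.11 dst=10.0.3.1 dport=443 action=connect"]
)

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=connect$")

# Registered grid services as (host, port): constructed here; in practice fed
# from the resource manager's configuration rather than guessed by the analyst.
KNOWN_GRID_SERVICES = {("10.0.1.5", 2119)}
FANOUT_THRESHOLD = 10       # distinct destination hosts from one source
PORT_SWEEP_THRESHOLD = 10   # distinct ports from one source to one host

def analyze(lines, known_services=KNOWN_GRID_SERVICES):
    """Return sorted alerts as (rule, source, destination-or-'*') tuples."""
    hosts_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                    # unparsable lines are skipped, never guessed at
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        hosts_by_src[src].add(dst)
        ports_by_src[src].add(dport)
        ports_by_pair[(src, dst)].add(dport)
    alerts = set()
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            # A source that only ever uses its registered grid-service port is
            # the scheduler doing its job, not a sweep; anything else is flagged.
            if all((src, p) in known_services for p in ports_by_src[src]):
                continue
            alerts.add(("host-sweep", src, "*"))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= PORT_SWEEP_THRESHOLD:
            alerts.add(("port-sweep", src, dst))
    return sorted(alerts)
```

The suppression is deliberately narrow: it keys on the (host, port) pair, so the same scheduler host touching unregistered ports on many nodes is reported, and it does nothing for the port-sweep rule, because a legitimate grid service has no reason to walk through many ports on a single node.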
More Security Technologies: IPSec and IPv6

- Transport-layer protection for confidentiality and integrity
- When communication is established between two network hosts:
  - Use key distribution to exchange a key for symmetric encryption
- Key distribution may use Kerberos, PKI, ...
- Keys are associated with hosts, not with applications or users

More Security Technologies: Virtual Private Networks (VPNs)

- Use transport-layer confidentiality and integrity
- Share the physical infrastructure of the Internet
- Communication only between participating nodes
- Protected from disclosure to, or modification by, nodes that are not participants
- Used when it is impractical to integrate security at the application layer
- Since they operate at the transport layer, they cannot:
  - Authenticate end users
  - Understand the application-level objects that need protection
  - Support security policies that distinguish users and application objects

More Security Technologies: Firewalls

- Provide a barrier at the boundary of an organization's network
  - Only specifically authorized communication may pass through
  - Prevent many attacks on hosts within the organization
- In grids: less useful
  - Grid applications will often require communication through the firewall
- Need to integrate IPSec and VPN technologies at network boundaries with firewalls
  - Messages on the internal network remain unprotected
  - Encrypt/decrypt messages as they leave/enter the VPN at the firewall

More Security Technologies: GSS-API

- Generic Security Services Application Programming Interface
- Facilitates the integration of security at the application layer
- Applications make calls to authentication, confidentiality and integrity services
  - The calls are independent of the underlying security services