Escolar Documentos
Profissional Documentos
Cultura Documentos
Introduction
The current situation of authentication across computer networks is
most often a
one time authorization with the server . However with distributed
systems ( Data Grids), there needs to be new secure widespread
mechanism for authorization over inter-domain , dynamic networks
(such as the Internet), where previously unknown clients and servers
must authenticate and interact with each other.
The Globus Project establish in 1997 provided tools for public key
based message authentication and protection called GSI (Grid Security
Infrastructure). It was based on X.509 certificates and delegation using
proxy certificates and has emerged as the dominant security method
for Grid Computers
Security
A distributed system is prone to attacks and threats from intruders as
well as internal users. These attacks can be summarized in two main
categories
Host Compromise
This involves corrupting information to and from a host or major case
of taking full control of the host. There are already method’s to stop
this in Hardware such as processor protection and in software security
kernels.
Communication Compromise
Eavesdropping : This is a Passive attack which is hard to detect due to
no modification only the copying. Protection from this is hard due to
this , and only measures to prevent this can be employed on the
system
Delegation
Remote processes will need to perform operations on Entity A’s behalf.
For example a program will need to delegate rights to two hosts to
access to a specific file for transfer between them
A Proxy is a token that allows one to operate with the rights and
privileges of the person/machine that granted the proxy .Proxying can
be used to minimize these risks , it allows for the use of a private key
to create the proxy credential. The proxy credential which is used to
pass on authority from the user to the program , can then act on behalf
of the initial user to access to data or devices without the need for
repeat reproducing of the private key. The program can also delegate
these permission rights to sub process’s needing to access as part of a
data call or modification. The rights it delegates can only be less or
equal to then it’s original permissions , it cannot delegate permissions
it does not have. This this ease of delegating rights brings around
security risks , for example if the program gets comprised and the
attacker gains access to the proxy credential , the attacked will have
the same credential’s as the initial user. To resolve this issue , there are
restrictions placed on delegated proxies (Restricted Proxies) to restrict
the damage of any compromised proxies. These restrictions can be
limited to individual files , with individual restrictions.
a. Restrictions