
Research on Security Architecture and Protocols of Grid Computing System¹

FANG Xiangming, YANG Shoubao, GUO Leitao, ZHANG Lei

Computer Science Department, University of Science and Technology of China, Hefei 230026, P.R. China
Email: xmfang@mail.ustc.edu.cn, syang@ustc.edu.cn, ltguo@mail.ustc.edu.cn, leizh@mail.ustc.edu.cn

Abstract. This paper analyzes the security problems existing in the Grid Computing System and describes the security mechanism of the Grid Computing System. After briefly introducing the security abstract of the grid computing system at the Grid Security Basic Layer, several protocols are defined at the Grid Security Protocol Layer based on the security architecture model. Broker protocols are then thoroughly discussed.

Keywords. Grid Computing System, Security Abstract, Grid Security Protocols, Broker

1. Introduction
With the growth of application requirements for high-performance computing, it is impossible to solve super large-scale problems using a single high-performance computer or a single computer cluster. It is therefore necessary to connect distributed, heterogeneous high-performance computers, computer clusters, large-scale database servers and large-scale file servers with a high-speed interconnection network and integrate them into a transparent virtual high-performance computing environment. This environment is named the Grid Computing System[1-3].

¹ This paper is supported by the National Natural Science Foundation of China under Grant No. 60273041 and the National 863 High-Tech Program of China under Grant No. 2002AA104560.

2. Security in Grid Computing System


Essentially, security assurance on the Internet provides two kinds of security services: access control service, which protects resources from being used by unauthorized users and prevents authorized users from abusing resources; and secure communication service, which provides mutual authentication as well as message protection, such as message integrity and confidentiality. But these services cannot solve all the security problems in the Grid Computing System. Security of the Grid Computing System should solve the following problems: user masquerade, server masquerade, data wiretapping and tampering, remote attack, resource abuse, malicious programs, and system integrity.

The Grid Computing System is a complicated, dynamic and wide-area system, and applying restricted authorization to users in it cannot be solved by current technologies. So developing a new security architecture is necessary. By now, GSI (Globus Security Infrastructure)[4-6] is one of the most famous schemas. Based on the analysis of GSI, we present a five-layered security architecture[7], considering the design and implementation of the Grid security project. The security architecture, which we have already briefly depicted at GCC2002, is shown in Fig. 1.

Fig. 1. Security architecture of the Grid computing system

Our security architecture is a good schema for Grid research because of its good scalability and its ability to adapt to a dynamic system environment. In what follows, we place our emphasis on the Grid Security Basic Layer and the Grid Security Protocol Layer, which are of great importance in the grid security architecture.

3. Grid Security Basic Layer


Grid Security Basic Layer provides the user and resource mapping policy, including general mapping rules. In this layer, the Grid Computing System is abstracted into elements such as Objects, Subjects, Security Policies, Trust Domains, Operations and Authorization. The security of the Grid Computing System can be regarded as the relationships among these basic elements, which gives an effective way to realize restrictive authorization of users.

Definitions of Basic Elements

First of all, some definitions are given in the following.

Object is a resource or process of the Grid Computing System. Object is protected by Security Policy. A resource may be a file, memory, CPU, equipment, etc. A process may be a process running on behalf of a user, a process running on behalf of a resource, etc. $O$ denotes Object.

Subject is a user, resource or process of the Grid Computing System. Subject may destroy Object. A resource may be a file, memory, CPU, equipment, etc. A process may be a process running on behalf of a user, a process running on behalf of a resource, etc. $S$ denotes Subject.

Security Policy is a set of policies of the Grid Computing System. Security Policy protects Object against Subject. $P$ denotes Security Policy.

Trust Domain is a logical, administrative region of the Grid Computing System. A Trust Domain has a clear border. $D$ denotes Trust Domain.

Operation is a set of instructions by which a Subject accesses or uses an Object. $OP$ denotes Operation.

Authorization is the process by which Security Policy is applied to a Subject. There are two kinds of results of Authorization: one is that the Subject passed the Security Policy, and the other is that it did not. $A$ denotes Authorization.

Representation of Basic Elements

Representation of Object: There are two kinds of Object in the Grid Computing System, Global Object $O_G$ and Local Object $O_L$. A Global Object is the abstraction of one or many Local Objects. Global Objects and Local Objects exist in the Grid Computing System at the same time.

Representation of Subject: There are two kinds of Subject in the Grid Computing System, Global Subject $S_G$ and Local Subject $S_L$. A Global Subject is the abstraction of one or many Local Subjects. Global Subjects and Local Subjects exist in the Grid Computing System at the same time.

Representation of Security Policy: There are two kinds of Security Policy in the Grid Computing System, Global Security Policy $P_G$ and Local Security Policy $P_L$. Global Security Policy is the abstraction of all Local Security Policies. Global Security Policy and Local Security Policy exist in the Grid Computing System at the same time.

Representation of Trust Domain: There are two kinds of Trust Domain in the Grid Computing System, Global Trust Domain $D_G$ and Local Trust Domain $D_L$. Global Trust Domain is the abstraction of all Local Trust Domains. Global Trust Domain and Local Trust Domain exist in the Grid Computing System at the same time. A Trust Domain of the Grid Computing System consists of three elements: the Objects existing in this Trust Domain, the Subjects existing in this Trust Domain, and the Security Policy which protects Objects against Subjects. A Trust Domain can be denoted by $D = (\{O\}, \{S\}, P)$, where $D$ denotes the Trust Domain, $\{O\}$ denotes the set of all Objects existing in this Trust Domain, $\{S\}$ denotes the set of all Subjects existing in this Trust Domain, and $P$ denotes the Security Policy of this Trust Domain. Global Trust Domain can be denoted by $D_G = (\{O_G\}, \{S_G\}, P_G)$, and Local Trust Domain can be denoted by $D_{Li} = (\{O_{Li}\}, \{S_{Li}\}, P_{Li})$, $i = 1,2,3$.

Representation of Operation: An Operation of the Grid Computing System may be executed in many Local Trust Domains. An Operation cannot be executed until the Subject has passed the Security Policy (Authorization) of the corresponding Trust Domain.

Security Abstract of Grid Computing System

The Grid Computing System is abstracted into elements such as Objects, Subjects, Security Policies, Trust Domains, Operations and Authorization. The Grid Computing System is composed of four parts: Global Trust Domain, Local Trust Domains, Operations and Authorizations. It can be denoted by $G = (D_G, \{D_{Li}\}, \{OP_j\}, \{A_k\})$, $i = 1,2,3$, $j = 1,2,3$, $k = 1,2,3$, where $G$ denotes the Grid Computing System, $D_G$ denotes the Global Trust Domain, $\{D_{Li}\}$ denotes the set of all Local Trust Domains, $\{OP_j\}$ denotes the set of all Operations, and $\{A_k\}$ denotes the set of all Authorizations.

The security of the Grid Computing System can be regarded as the relationship among the basic elements. That is to say, a user accessing and using resources can be abstracted as a Subject operating on an Object, which can be denoted by $S \xrightarrow{OP} O$. By checking the relationship of Subject, Object and Security Policy, we can examine whether the Subject can operate on the Object, and so tell whether the user can access the resource.
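The abstraction above can be exercised directly. The following Python model is an added example, not code from the paper; it assumes that a Security Policy is a set of allowed (subject, operation, object) triples, that the Global Trust Domain is checked before the Local Trust Domains, and that Global Subjects and Objects are mapped to local ones through lookup tables. All class, function and sample names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class TrustDomain:                 # D = ({O}, {S}, P)
    name: str
    objects: set
    subjects: set
    policy: set                    # assumption: P as allowed (S, OP, O) triples

    def authorize(self, subject, op, obj):
        """A: apply this domain's Security Policy to a Subject."""
        return (subject in self.subjects and obj in self.objects
                and (subject, op, obj) in self.policy)

@dataclass
class Grid:                        # G = (D_G, {D_Li}, {OP_j}, {A_k})
    global_domain: TrustDomain
    local_domains: dict
    subject_map: dict              # (S_G, domain name) -> S_L
    object_map: dict               # O_G -> [(domain name, O_L), ...]
    authorizations: list = field(default_factory=list)

    def can_operate(self, s_g, op, o_g):
        """S --OP--> O holds only if every involved domain authorizes it."""
        if not self.global_domain.authorize(s_g, op, o_g):
            self.authorizations.append(("global", s_g, op, o_g, False))
            return False
        allowed = True
        for dom_name, o_l in self.object_map[o_g]:
            dom = self.local_domains[dom_name]
            s_l = self.subject_map.get((s_g, dom_name))
            passed = s_l is not None and dom.authorize(s_l, op, o_l)
            self.authorizations.append((dom_name, s_l, op, o_l, passed))
            allowed = allowed and passed
        return allowed

def demo_grid():                   # constructed sample data
    d1 = TrustDomain("D_L1", {"cpu1"}, {"alice_l1"}, {("alice_l1", "run", "cpu1")})
    d2 = TrustDomain("D_L2", {"cpu2"}, {"guest7", "bob"}, {("bob", "run", "cpu2")})
    dg = TrustDomain("D_G", {"cluster"}, {"alice"}, {("alice", "run", "cluster")})
    return Grid(dg, {"D_L1": d1, "D_L2": d2},
                {("alice", "D_L1"): "alice_l1", ("alice", "D_L2"): "guest7"},
                {"cluster": [("D_L1", "cpu1"), ("D_L2", "cpu2")]})
```

In the sample data the Global Subject `alice` is mapped to `guest7` in `D_L2`, whose local policy does not permit the operation, so the operation on the Global Object is refused even though the global policy and `D_L1` allow it.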

4. Grid Security Protocol Layer


We define seven protocols[8] at the Grid Security Protocol Layer, considering the course of grid computing and especially the course of resource management. These protocols are listed in Table 1. We then thoroughly discuss the broker protocols, which are of great importance.

Table 1. Protocols at Grid Security Protocol Layer

| Name | Representation |
|---|---|
| User Proxy Creation Protocol | How the user creates a user proxy |
| Resource Proxy Creation Protocol | How the system creates a resource proxy |
| User Proxy's Resource Application Protocol | How the user proxy applies for resources |
| Process's Resource Application Protocol | How a process applies for resources |
| Process's Signature Application Protocol | How to sign the process's certificate |
| Broker Creation Protocol | How the system creates a broker |
| Broker Service Protocol | How the broker allots resources coordinately |

Broker Creation Protocol

The grid computing system sets up a process and then grants the broker certificate to this process. The process that gets the certificate can offer broker service. The broker sends a broker service notification to the resource proxy. The resource proxy gives the broker information about its resources and informs the broker of modifications. The broker tidies up the information. Broker Creation Protocol is shown below.

(1) The grid computing system sets up a broker certificate, and then sends the certificate that hasn't been signed to the CA.
(2) The CA signs the broker certificate by using its own certificate and then sends it to the grid computing system.
(3) After receiving the certificate, the grid computing system creates a process that holds this newly signed certificate. The process then becomes a broker.

Broker Service Protocol

All resource proxies send information about the resources in their charge to the broker. So the broker can see all the resources of the grid computing system, while a proxy can only see part of the resources. When a user requires a large quantity of resources, the broker must offer its information, in contrast to the locality of the resource proxy. The workflow of Broker Service Protocol is shown in Fig. 2.
[Figure: workflow among User Proxy, Broker and Resource Proxy. Step labels: Mutual Authentication; Applying for Resources; Building Up a Coordinating Assignment Scheme; Mutual Authentication; User Proxy ID and Application Message; Check User Authorization; Process Certificate without signature; Sign Process Certificate; Process Certificate with signature; Allotting Resources & Creating Process; Handler of Process with signature; Resource-Assignment-OK Message; Updating Resource Information.]

Fig. 2. Workflow of Broker Service Protocol

Broker Service Protocol is illustrated below:

(1) User proxy and broker carry out mutual authentication. As a part of mutual authentication, the broker should check the expiration of the certificate.
(2) After mutual authentication, the user proxy uses its proxy certificate to add its signature to the message applying for a large quantity of resources. Then the user proxy sends this application to the broker.
(3) Having received the application, the broker builds up a coordinating assignment scheme by analyzing the resources currently available.
(4) In accordance with the assignment scheme, the broker separates the full application into small pieces, which can easily be found.
(5) Broker and resource proxy need mutual authentication if they are not in the same trust domain.
(6) When resources are available, the broker sends the resource proxy the user proxy ID and application message, which have already been signed by the broker with its own certificate.
(7) On receiving the user ID and application message, the resource proxy allots the corresponding resources to the user proxy.
(8) The resource proxy creates a resource-assignment-ok message signed with its own certificate and then sends this message to the broker.
(9) The broker updates its resource information when the resource-assignment-ok message arrives.
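The steps above as a runnable Python example, added here for illustration and not taken from the paper. Assumptions: HMAC with constructed per-party keys stands in for certificate signatures, resources are plain CPU counts, step (5) is omitted, and the names `sign`, `verify`, `ResourceProxy` and `Broker` are hypothetical.

```python
import hmac, hashlib, json
# Constructed demo keys; HMAC stands in for certificate signatures (assumption).
KEYS = {"user-proxy-1": b"k-up", "broker": b"k-br", "rp-A": b"k-a", "rp-B": b"k-b"}

def sign(signer, body):
    data = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()
    return {"signer": signer, "body": body, "sig": tag}

def verify(msg):
    return msg["signer"] in KEYS and hmac.compare_digest(
        sign(msg["signer"], msg["body"])["sig"], msg["sig"])

class ResourceProxy:
    def __init__(self, name, free_cpus):
        self.name, self.free = name, free_cpus
    def allot(self, msg):                       # steps (7)-(8)
        if msg["signer"] != "broker" or not verify(msg):
            raise PermissionError("application not signed by broker")
        n = msg["body"]["cpus"]
        if n > self.free:
            raise RuntimeError("broker view is stale")
        self.free -= n
        return sign(self.name, {"status": "resource-assignment-ok",
                                "user": msg["body"]["user"], "cpus": n})

class Broker:
    def __init__(self, proxies):
        self.proxies = {p.name: p for p in proxies}
        self.view = {p.name: p.free for p in proxies}  # reported by the proxies
    def serve(self, app, cert_not_after, now):
        if cert_not_after <= now:               # step (1): expiry check
            raise PermissionError("user proxy certificate expired")
        if not verify(app):                     # step (2): signed application
            raise PermissionError("bad signature on application")
        need, plan = app["body"]["cpus"], {}
        for name, free in sorted(self.view.items()):   # steps (3)-(4)
            take = min(free, need)
            if take:
                plan[name], need = take, need - take
        if need:
            raise RuntimeError("not enough resources")
        for name, cpus in plan.items():         # steps (6), (8), (9)
            piece = sign("broker", {"user": app["signer"], "cpus": cpus})
            ok = self.proxies[name].allot(piece)
            if ok["signer"] != name or not verify(ok):
                raise PermissionError("bad resource-assignment-ok message")
            self.view[name] -= ok["body"]["cpus"]
        return plan
```

A resource proxy in this example accepts only pieces signed by the broker, so an application sent to it directly under the user proxy's own signature is refused.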

5. More Adaptive to Dynamic Environment


When some resources join the Grid Computing System, the system creates a resource proxy for these resources. The resource proxy manages these resources and sends information about them to a broker. Then the broker can allocate these resources to users. On the other hand, when some resources fail or leave the Grid Computing System, the resource proxy sends an update message to the broker. The broker receives this message and will not allocate the failed or departed resources to users. A mapping file is used to map users to resources. Mapping files are created dynamically, so this mapping measure is adaptive to a dynamic environment.

When the scale of the Grid Computing System is not large, one resource proxy is enough to manage all the resources; when the scale of the Grid Computing System increases, two or more resource proxies are needed; secondary user proxies and multiple brokers are needed when the scale of the Grid increases to a certain degree. Resource proxies directly manage the resources, so they can gather resource information in time. Brokers gain information about resources from resource proxies and co-allocate these resources. Resource proxies cooperating with brokers makes the five-layered security architecture adaptive to a dynamic environment.

6. Conclusion
This paper analyzes security problems existing in Grid Computing System and describes the security mechanism of Grid Computing System. Several protocols are defined at Grid Security Protocol Layer based on our security architecture model. Broker protocols in the schema are more adaptive to dynamic environments.

References
[1] Ian Foster and Carl Kesselman. The Grid: Blueprint for a New Computing Infrastructure. Morgan Kaufmann Publishers, Inc., San Francisco, California, 1999.
[2] Ian Foster, Carl Kesselman, and Steven Tuecke. The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International Journal of Supercomputer Applications, 2001.
[3] Ian Foster. Internet Computing and the Emerging Grid. Available from http://www.nature.com/nature/webmatters/grid/grid.html.
[4] The Globus Project. Available from http://www.globus.org/
[5] Ian Foster and Carl Kesselman. Globus: A Meta-computing Infrastructure Toolkit. International Journal of Supercomputer Applications, 1996.
[6] Ian Foster and Carl Kesselman. The Globus Project: A Status Report. In Proc. Heterogeneous Computing Workshop. IEEE Computer Society Press, 1998.
[7] Ian Foster, Carl Kesselman, Gene Tsudik, and Steven Tuecke. A Security Architecture for Computational Grids. Proc. 5th ACM Conference on Computer and Communications Security Conference, 1998.
[8] Randy Butler, Von Welch, Douglas Engert, Ian Foster, Steven Tuecke, John Volmer, Carl Kesselman. A National-Scale Authentication Infrastructure, 2000. IEEE Computer, 33(12),
