Security

A Security Architecture for Computational Grids∗
Ian Foster1 Carl Kesselman2 Gene Tsudik2 Steven Tuecke1

1 Mathematics and Computer Science 2Information Sciences Institute
Argonne National Laboratory University of Southern California
Argonne, IL 60439 Marina del Rey, CA 90292
{foster,tuecke}@mcs.anl.gov {carl,gts}@isi.edu

Abstract that collectively span many administrative domains. Fur-
thermore, the dynamic nature of the grid can make it im-
State-of-the-art and emerging scientific applications require possible to establish trust relationships between sites prior
fast access to large quantities of data and commensurately to application execution. Finally, the interdomain security
fast computational resources. Both resources and data are solutions used for grids must be able to interoperate with,
often distributed in a wide-area network with components rather than replace, the diverse intradomain access control
administered locally and independently. Computations may technologies inevitably encountered in individual domains.
involve hundreds of processes that must be able to acquire re- In this paper, we describe new techniques that overcome
sources dynamically and communicate efficiently. This pa- many of the cited difficulties. We propose a security pol-
per analyzes the unique security requirements of large-scale icy for grid systems that addresses requirements for single
distributed (grid) computing and develops a security policy sign-on, interoperability with local policies, and dynamically
and a corresponding security architecture. An implemen- varying resource requirements. This policy focuses on au-
tation of the architecture within the Globus metacomputing thentication of users, resources, and processes and supports
toolkit is discussed. user-to-resource, resource-to-user, process-to-resource, and
process-to-process authentication. We also describe a se-
1 Introduction curity architecture and associated protocols that implement
this policy. Finally, we present a concrete implementation of
Large-scale distributed computing environments, or “com- this architecture and discuss our experiences deploying this
putational grids” as they are sometimes termed [4], cou- architecture on a large grid testbed spanning a diverse col-
ple computers, storage systems, and other devices to enable lection of resources at some 20 sites around the world. This
advanced applications such as distributed supercomputing, implementation is performed in the context of the Globus
teleimmersion, computer-enhanced instruments, and distri- system [5], which provides a toolkit, testbed, and set of ap-
buted data mining [2]. Grid applications are distinguished plications that can be used to evaluate our approach. How-
from traditional client-server applications by their simulta- ever, we believe that the proposed techniques are general
neous use of large numbers of resources, dynamic resource enough to make them applicable outside the Globus con-
requirements, use of resources from multiple administrative text.
domains, complex communication structures, and stringent In summary, this paper makes four contributions to our
performance requirements, among others. understanding of distributed system security:
While scalability, performance and heterogeneity are de-
sirable goals for any distributed system, the characteristics 1. it provides an in-depth analysis of the security problem
of computational grids lead to security problems that are not in computational grid systems and applications;
addressed by existing security technologies for distributed 2. it includes the first detailed formulation of a security
systems. For example, parallel computations that acquire policy for grid systems;
multiple computational resources introduce the need to es-
tablish security relationships not simply between a client 3. it proposes solutions to specific technical issues raised
and a server, but among potentially hundreds of processes by this policy, including local heterogeneity and scal-
∗ ability; and
This work was supported in part by the Mathematical, Informa-
tion, and Computational Sciences Division subprogram of the Office
of Computational and Technology Research, U.S. Department of En-
4. it describes a security architecture that uses these so-
ergy, under Contract W-31-109-Eng-38; by the Defense Advanced Re- lutions to implement the security policy, and it demon-
search Projects Agency under contract N66001-96-C-8523; and by the strates – via large-scale deployment – that this archi-
National Science Foundation. tecture is workable.

2 The Grid Security Problem

We introduce the grid security problem with an example
illustrated in Figure 1. This example, although somewhat
To appear in the 5th ACM Conference on Computer and contrived, captures important elements of real applications,
Communication Security such as those discussed in Chapters 2–5 of [4].

1

single, fully connected logical entity, low-level commu-
nication connections (e.g., TCP/IP sockets) may be
Site A Site B Kerberos Site C created and destroyed dynamically during program ex-
Data
physicist ecution.
Data Data
A. Physicist ssh
ap
• Resources may require different authentication and au-
thorization mechanisms and policies, which we will
have limited ability to change. In Figure 1, we indi-
1. Request data analysis
cate this situation by showing the local access control
2. Contact resource broker
policies that apply at the different sites. These include
Kerberos, plaintext passwords, Secure Socket Library
Site D
(SSL), and secure shell.
SSL
3. Initiate task farm guest29 • An individual user will be associated with different lo-
cal name spaces, credentials, or accounts, at different
Data
Site G
plaintext
ap6
4. Access parameter values sites, for the purposes of accounting and access con-
trol. At some sites, a user may have a regular account
plaintext (“ap,” “physicist,” etc.). At others, the user may use
bcollab
a dynamically assigned guest account or simply an ac-
Data
plaintext
count created for the collaboration.
Site F Site E aphysicist
• Resources and users may be located in different coun-
tries.
Figure 1: Example of a large-scale distributed computation:
user initiates a computation that accesses data and comput- To summarize, the problem we face is providing security
ing resources at multiple locations. solutions that can allow computations, such as the one just
described, to coordinate diverse access control policies and
to operate securely in heterogeneous environments.
We imagine a scientist, a member of a multi-institutional
scientific collaboration, who receives e-mail from a colleague 3 Security Requirements
regarding a new data set. He starts an analysis program,
which dispatches code to the remote location where the data Grid systems and applications may require any or all of the
is stored (site C). Once started, the analysis program deter- standard security functions, including authentication, access
mines that it needs to run a simulation in order to compare control, integrity, privacy, and nonrepudiation. In this pa-
the experimental results with predictions. Hence, it contacts per, we focus primarily on issues of authentication and ac-
a resource broker service maintained by the collaboration (at cess control. Specifically, we seek to (1) provide authentica-
site D), in order to locate idle resources that can be used for tion solutions that allow a user, the processes that comprise
the simulation. The resource broker in turn initiates com- a user’s computation, and the resources used by those pro-
putation on computers at two sites (E and G). These com- cesses, to verify each other’s identity; and (2) allow local
puters access parameter values stored on a file system at yet access control mechanisms to be applied without change,
another site (F) and also communicate among themselves whenever possible. As will be discussed in Section 4, au-
(perhaps using specialized protocols, such as multicast) and thentication forms the foundation of a security policy that
with the broker, the original site, and the user. enables diverse local security policies to be integrated into
This example illustrates many of the distinctive charac- a global framework.
teristics of the grid computing environment: In developing a security architecture that meets these
requirements, we also choose to satisfy the following con-
• The user population is large and dynamic. Partici- straints derived from the characteristics of the grid environ-
pants in such virtual organizations as this scientific ment and grid applications:
collaboration will include members of many institu- Single sign-on: A user should be able to authenticate
tions and will change frequently. once (e.g., when starting a computation) and initiate com-
• The resource pool is large and dynamic. Because indi- putations that acquire resources, use resources, release re-
vidual institutions and users decide whether and when sources, and communicate internally, without further au-
to contribute resources, the quantity and location of thentication of the user.
available resources can change rapidly. Protection of credentials: User credentials (passwords,
private keys, etc.) must be protected.
• A computation (or processes created by a computa- Interoperability with local security solutions: While our
tion) may acquire, start processes on, and release re- security solutions may provide interdomain access mecha-
sources dynamically during its execution. Even in nisms, access to local resources will typically be determined
our simple example, the computation acquired (and by a local security policy that is enforced by a local security
later released) resources at five sites. In other words, mechanism. It is impractical to modify every local resource
throughout its lifetime, a computation is composed of to accommodate interdomain access; instead, one or more
a dynamic group of processes running on different re- entities in a domain (e.g., interdomain security servers) must
sources and sites. act as agents of remote clients/users for local resources.
Exportability: We require that the code be (a) exportable
• The processes constituting a computation may com- and (b) executable in multinational testbeds. In short, the
municate by using a variety of mechanisms, including exportability issues mean that our security policy cannot
unicast and multicast. While these processes form a directly or indirectly require the use of bulk encryption.

2

Uniform credentials/certification infrastructure: Inter- 1. The grid environment consists of multiple trust do-
domain access requires, at a minimum, a common way of mains.
expressing the identity of a security principal such as an ac- Comment: This policy element states that the grid se-
tual user or a resource. Hence, it is imperative to employ curity policy must integrate a heterogeneous collection
a standard (such as X.509v3) for encoding credentials for of locally administered users and resources. In general,
security principals. the grid environment will have limited or no influence
Support for secure group communication. A computation over local security policy. Thus, we can neither require
can comprise a number of processes that will need to coordi- that local solutions be replaced, nor are we allowed to
nate their activities as a group. The composition of a process override local policy decisions. Consequently, the grid
group can and will change during the lifetime of a compu- security policy must focus on controlling the interdo-
tation. Hence, support is needed for secure (in this context, main interactions and the mapping of interdomain op-
authenticated) communication for dynamic groups. No cur- erations into local security policy.
rent security solution supports this feature; even GSS-API
has no provisions for group security contexts. 2. Operations that are confined to a single trust domain
Support for multiple implementations: The security pol- are subject to local security policy only.
icy should not dictate a specific implementation technology. Comment: No additional security operations or ser-
Rather, it should be possible to implement the security pol- vices are imposed on local operations by the grid se-
icy with a range of security technologies, based on both pub- curity policy. The local security policy can be imple-
lic and shared key cryptography. mented by a variety of methods, including firewalls,
Kerbero,s and SSH.
4 A Grid Security Policy
3. Both global and local subjects exist. For each trust
Before delving into the specifics of a security architecture, it domain, there exists a partial mapping from global to
is important to identify the security objectives, the partic- local subjects.
ipating entities, and the underlying assumptions. In short, Comment: In effect, each user of a resource will have
we must define a security policy, a set rules that define the se- two names, a global name and a potentially different
curity subjects (e.g., users), security objects (e.g., resources) local name on each resource. The mapping of a global
and relationships among them. While many different secu- name to a local name is site-specific. For example, a
rity policies are possible, we present a specific policy that ad- site might map global user names to: a predefined local
dresses the issues introduced in the preceding section while name, a dynamically allocated local name, or a single
reflecting the needs and expectations of applications, users, “group” name. The existence of the global subject
and resource owners. To our knowledge, the following dis- enables the policy to provide single sign-on.
cussion represents the first such grid security policy that has
been defined to this level of detail. 4. Operations between entities located in different trust
In the following discussion, we use the following termi- domains require mutual authentication.
nology from the security literature:
5. An authenticated global subject mapped into a local
• A subject is a participant in a security operation. In subject is assumed to be equivalent to being locally
grid systems, a subject is generally a user, a process authenticated as that local subject.
operating on behalf of a user, a resource (such as a Comment: In other words, within a trust domain, the
computer or a file), or a process acting on behalf of a combination of the grid authentication policy and the
resource. local mapping meets the security objective of the host
• A credential is a piece of information that is used to domain.
prove the identity of a subject. Passwords and certifi- 6. All access control decisions are made locally on the
cates are examples of credentials. basis of the local subject.
• Authentication is the process by which a subject proves Comment: This policy element requires that access
its identity to a requestor, typically through the use control decisions remain in the hands of the local sys-
of a credential. Authentication in which both par- tem administrators.
ties (i.e., the requestor and the requestee) authenticate
themselves to one another simultaneously is referred to 7. A program or process is allowed to act on behalf of a
as mutual authentication. user and be delegated a subset of the user’s rights.
Comment: This policy element is necessary to support
• An object is a resource that is being protected by the the execution of long-lived programs that may acquire
security policy. resources dynamically without additional user inter-
• Authorization is the process by which we determine action. It is also needed to support the creation of
whether a subject is allowed to access or use an object. processes by other processes.

• A trust domain is a logical, administrative structure 8. Processes running on behalf of the same subject within
within which a single, consistent local security policy the same trust domain may share a single set of cre-
holds. Put another way, a trust domain is a collec- dentials.
tion of both subjects and objects governed by single Comment: Grid computations may involve hundreds
administration and a single security policy. of processes on a single resource. This policy compo-
nent enables scalability of the security architecture to
With these terms in mind, we define our security policy large-scale parallel applications, by avoiding the need
as follows: to create a unique credential for each process.

3

for extended period of time (i.e., days or weeks), the user

,,
may wish to allow a computation to operate without inter-
Protocol 1:
vention. Hence, we introduce the concept of a user proxy
Long-lived

, ,,
Creation of a Host computer
credential
that can act on a user’s behalf without requiring user inter-
User Proxy
User vention.
CU Temporary
User Proxy credential
Protocol 4 : CUP Definition 5.1 A user proxy is a session manager process
Creation of a global- given permission to act on behalf of a user for a limited
to-local mapping period of time.
Protocol 2:
Allocation of a
remote resource The user proxy acts as a stand-in for the user. It has
its own credentials, eliminating the need to have the user

, ,
Site 1 Global-to-local Site 2 on-line during a computation and eliminating the need to
mapping table Global-to-local have the user’s credentials available for every security op-
Resource Proxy mapping table Resource Proxy eration. Furthermore, because the lifetime of the proxy is

, ,
CRP Process Protocol 3: Process CRP under control of the user and can be limited to the dura-
CP Resource allocation
from a process
CP tion of a computation, the consequences of its credentials
Local policy Local policy
and mechanisms and mechanisms
being compromised are less dire than exposure of the user’s
Process Process credentials.
CP CP Within the architecture, we also define an entity that
represents a resource, serving as the interface between the
grid security architecture and the local security architecture.
Figure 2: A computational grid security architecture.
Definition 5.2 A resource proxy is an agent used to trans-
late between interdomain security operations and local in-
We note that the security policy is structured so as not tradomain mechanisms.
to require bulk privacy (i.e., encryption) for any reason.
Export control laws regarding encryption technologies are Given a set of subjects and objects, the architecture is
complex, dynamic and vary from country to country. Con- determined by specifying the protocols that are used when
sequently, these issues are best avoided as a matter of design. subjects and object interact. In defining the protocols, we
We also observe that the thrust of this policy is to enable will use U, R, and P to refer to a user, resource, and process,
the integration of diverse local security policies encountered respectively, while UP and RP will denote a user proxy and
in a computational grid environment. resource proxy, respectively. Many of the following proto-
cols will rely on the ability to assert that a piece of data
5 Grid Security Architecture originated from a known source, X, without modification.
We know these conditions to be true if the text is “signed”
The security policy defined in Section 4 provides a context by X. We indicate signature of some text text by a subject
within which we can construct a specific security architec- X by SigX {text}. This notation is summarized in Table 1.
ture. In doing so, we specify the set of subjects and objects
that will be under the jurisdiction of the security policy and Table 1: Notation used in the rest of the paper
define the protocols that will govern interactions between U, R, P user, resource, process
these subjects and objects. Figure 2 shows an overview of UP, RP user proxy, resource proxy
our security architecture. The following components are de- CX credential of subject X
picted: entities, credentials, and protocols. The thick lines SigX {text} “text” signed by subject X
represent the protocols described later in the paper. The
curved line separating the user from the rest of the figure The range of interactions that can occur between entities
signifies that the user may disconnect once the user proxy in a computational grid is defined by the functionality of the
has been created; the dashed lines represent authenticated underlying grid system. However, based on experience and
interprocess communication. the current grid systems that have been built to date, it is
We are interested in computational environments. Con- reasonable to assume that the grid system will include the
sequently, the subjects and objects in our architecture must following operations:
include those entities from which computation is formed. A
computation consists of many processes, with each process • allocation of a resource by a user (i.e., process cre-
acting on behalf of a user. Thus, the subjects are users ation),
and processes. The objects in the architecture must include
• allocation of a resource by a process, and
the wide range of resources that are available in a grid en-
vironment: computers, data repositories, networks, display • communication between processes located in different
devices, and so forth. trust domains.
Grid computations may grow and shrink dynamically,
acquiring resources when required to solve a problem and (We use the term allocation to denote the operations re-
releasing them when they are no longer needed. Each time quired to provide a user with access to a resource. On some
a computation obtains a resource, it does so on behalf of systems, this will involve interaction with a scheduler to ob-
a particular user. However, it is frequently impractical for tain a reservation [3].) We must define protocols that control
that “user” to interact directly with each such resource for UP-RP, P-RP, and P-P interactions. In addition, the intro-
the purposes of authentication: the number of resources in- duction of the user proxy means that we must establish how
volved may be large, or, because some applications may run the user and user proxy (U-UP) interact.

4

Within our architecture, we meet the above requirement a limited lifetime certificate which is then signed by the user
by allowing a user to “log on” to the grid system, creating a to indicate that this certificate represents, or is a proxy for,
user proxy using Protocol 1. The user proxy can then allo- the user. What distinguishes our architecture from these ap-
cate resources (and hence create processes) using Protocol 2. proaches is the way that a user proxy interacts with the re-
Using Protocol 3, a process created can allocate additional source proxy to achieve single sign-on and delegation, which
resources directly. Finally, Protocol 4 can be used to define is discussed in the next section.
a mapping from a global to a local subject.
We now describe each of these protocols in more detail. 5.2 Resource Allocation Protocol
We note that to minimize problems with export controls,
the protocols are all designed to rely on authentication and In discussing resource allocation, we decompose the problem
signature techniques, not encryption. Furthermore, our de- into two classes: allocation of resources by a user proxy and
scriptions do not talk about specific cryptographic methods. allocation of resources by a process. As process allocation
In fact, as we shall see below, our implementation uses the is a generalization of user proxy allocation, we will start our
Generic Security Services application programming interface discussion with allocation by a user proxy.
to achieve independence from any specific security technol- Recall that operations on resources are controlled by
ogy. an entity, called a resource proxy, which is responsible for
scheduling access to a resource and for mapping a compu-
5.1 User Proxy Creation Protocol tation onto that resource. The resource proxy is used as
follows. A user proxy requiring access to a resource first de-
Recall that a user proxy is an entity within our architecture termines the identity of the resource proxy for that resource.
that acts on behalf of a user. In practice, the user proxy is a It then issues a request to the appropriate resource proxy.
special process started by the user which executes on some If the request is successful, the resource is allocated and a
host local to that user. The main issue in the user proxy process created on that resource. (The procedure would be
creation protocol is the nature of credentials given to the similar if our goal was simply to allocate a resource, such as
proxy and how the proxy can obtain these credentials. network or storage, with which no process was to be asso-
A user could enable a proxy to act on her behalf by giv- ciated. However, for brevity, we assume here that process
ing the proxy the appropriate credentials (e.g., a password creation always follows resource allocation.)
or private key). The proxy could then use those creden- The request can fail because the requested resource is
tials directly. However, this approach has two significant not available (allocation failure), because the user is not
disadvantages: it introduces an increased risk of the creden- a recognized user of the resource (authentication failure),
tials being compromised and does not allow us to restrict the or because the user is not entitled to use the resource in
time duration for which a proxy can act on the user’s behalf. the requested mode (authorization failure). As discussed
Instead, a temporary credential, CU P , is generated for the above, it is up to the resource proxy to enforce any local
user proxy; the user indicates her permission by signing this authorization requirements. Depending on the nature of the
credential with a secret (e.g., private key). CU P includes the resource and local policy, authorization may be checked at
validity interval as well as other restrictions imposed by the resource allocation time or process creation time, or it may
user, e.g., host names (where the proxy is allowed to operate be implicit in authentication and not be checked at all.
from) and target sites (where the proxy is allowed to start We define as Protocol 2 the mechanism used to issue a re-
processes and/or use resources.) quest to a resource proxy from a user proxy. The verification
The actual process of user proxy creation is summarized in Step 3 may require mapping the user’s credentials into a
in Protocol 1. As a consequence of this protocol, the user local user id or account name if the policy of the resource
proxy can use its temporary credential to authenticate with proxy is to check for authorization at resource allocation
resource proxies. time. Alternatively, authorization checks can be delayed
until process creation time. The mechanism by which this
mapping is performed is discussed in Section 5.4. Notice
1. The user gains access to the computer from which the user that the ability to have a resource proxy create credentials
proxy is to be created, using whatever form of local authenti- on behalf of the process it creates relies on a process and its
cation is placed on that computer. resource proxy executing in the same trust domain.
2. The user produces the user proxy credential, CU P , by using
their credential, CU , to sign a tuple containing the user’s id, the
name of the local host, the validity interval for CU P , and any The protocol creates a temporary credential for the newly
other information that will be required by the authentication created processes. This credential, CP , gives the process
protocol used to implement the architecture (such as a public
key if certificate-based authentication is used):
both the ability to authenticate itself and the identify of
the user on whose behalf the process was created. A sin-
CU P = SigU {user-id, host, start-time, end-time, auth-info, gle resource allocation request may result in the creation of
...} .
multiple processes on the remote resource. We assign all
3. A user proxy process is created and provided with CU P . It is such processes the same credential, as allowed by security
up to the local security policy to protect the integrity of CU P
on the computer on which the user proxy is located.
policy element 8. An advantage of this decision is that in
the situation when a user allocates resources on large par-
Protocol 1: User proxy creation
allel computers, scalability is enhanced. A disadvantage is
that it is not possible to use credentials to distinguish two
processes started on the same resource by the same alloca-
The concept of a user proxy is not unique to our archi- tion request. However, we do not believe that this feature
tecture. For example, Kerberos generates a limited-lifetime is often useful in practice.
ticket to represent a user. Various public key systems [7, 12], The existence of process credentials enables us to imple-
use techniques similar to ours in which temporary creden- ment a range of additional protocols that allow a process to
tials (i.e., a public and private key pair) are used to generate control access to incoming communication operations on a

5

1. The user proxy and resource proxy authenticate each other us- • A user must be able to encode and embed arbitrary
ing CU P and CRP . As part of this process, the resource proxy policy into each process so as to support individual
checks to ensure that the user proxy’s credentials have not ex- criteria for resource allocation.
pired.
2. The user proxy presents the resource proxy with a signed re- • A security breach or a compromise at a remote site can
quest in the form Sig U P {allocationspecif ication}. result in malicious and fraudulent resource allocation
3. The resource proxy checks to see whether the user who signed purportedly on behalf of an unsuspecting user.
the proxy’s credentials is authorized by local policy to make
the allocation request. The creation of process specific credentials in protocol
4. If the request can be honored, the resource proxy creates a 3 results in a delegation of a set of rights from the user to
RESOURCE-CREDENTIALS tuple containing the name of the the process. The use of delegation for distributed authen-
user for whom the resource is being allocated, the resource tication has been addressed in the security literature (e.g.,
name, etc.
[7]). What sets our approach apart from delegation-based
5. The resource proxy securely passes the RESOURCE- authentication schemes is the role played by the resource
CREDENTIALS to the user proxy. (This is possible from
step 1.) proxy. Approaches such as those proposed by [7] require
that additional inter-resource trust relationships be estab-
6. The user proxy examines the RESOURCE-CREDENTIALS re-
quest, and, if it wishes to approve it, signs the tuple to produce lished to enable delegation between processes running on
CP , a credential for the requesting resource. those resources. In our protocols, authentication is always
7. The user proxy securely passes CP to the resource proxy. (This between a user proxy and a resource proxy. Consequently,
is again possible due to step 1.) our single sign-on protocol leverages the existing trust rela-
8. The resource proxy allocates the resource and passes the new tionship between a user and a resource that was established
process(es) CP . (The latter transfer relies on the fact that the when the user was initially granted access to the resource.
resource proxy and process are in the same trust domain.)
Protocol 2: Resource allocation (and process creation) 5.4 Mapping Registration Protocol
A central component of the security policy and the resulting
architecture is the existence of a “correct” mapping between
per-subject basis. For example, one can use the process cre-
a global subject and a corresponding local subject. We
dentials to authenticate a sending process to a destination
achieve this conversion from a global name (e.g., a ticket or
process, negotiate a session key, and then sign all point-
certificate) into a local name (e.g., login name or user ID) by
to-point communication, guaranteeing the identity of the
accessing a mapping table maintained by the resource proxy.
sender. The authentication process is simple, since we need
While a mapping table can be created by the local system
simply to check that the other process’ credentials are valid,
administrator, this approach imposes a certain administra-
i.e., in the same group.
tive burden and introduces the possibility for error.1 Hence,
we have developed a technique that allows a mapping to be
5.3 Resource Allocation from a Process Protocol added by a user.
While resource allocation from a user proxy is necessary to The basic idea behind this technique, presented as Proto-
start a computation, the more common case is that resource col 4, is for a user to prove that he holds credentials for both
allocation will be initiated dynamically from a process cre- a global and local subject. This is accomplished by authen-
ated via a previous resource allocation request. Protocol 3 ticating both globally and directly to the resource using the
defines the process by which this can be accomplished. local authentication method. The user then asserts a map-
ping between global and local credentials. The assertion is
coordinated through the resource proxy, since it is in a posi-
tion to accept both global and local credentials. In the first
1. The process and its user proxy authenticate each other using
CP and CU P .
two steps, we show the different activities performed by user
as it authenticates globally (1.a and 1.b) and to the resource
2. The process issues a signed request to its user proxy, with the
form
(2.a and 2.b).
SigP {“allocate”, allocation request parameters }
3. If the user proxy decides to honor the request, it initiates a Matching MAP-SUBJECT-P and MAP-SUBJECT-UP
resource allocation request to the specified resource proxy using requests must be issued from both the user proxy and map-
Protocol 2. ping process. This ensures that the same user is in posses-
4. The resulting process handle is signed by the user proxy and sion of both global and local credentials. If the results of
returned to the requesting process. the mapping protocol are stored in a database accessible to
Protocol 3: Resource allocation from a user process the resource proxy, then the user need execute the mapping
protocol only once per resource. The duration of time for
which a mapping remains valid is determined by local sys-
Admittedly, this technique lacks scalability because of its tem administration policy. However, we would hope that a
reliance on a single user proxy to forward the request to the mapping will remain in place for the lifetime of either the
resource proxy. However, this protocol offers the advantage global credentials or the user’s local account.
of both simplicity and fine-grained control. While the former Part of the mapping protocol requires that the user log
is self-evident, fine-grained control requires some elabora- into the resource for which the mapping is being created.
tion. Consider the obvious alternative of allowing a process This requires that a user authenticate themselves to the
(running remotely on behalf of a user) to allocate further re- local system. Consequently, the mapping protocol is only
sources and create other processes unilaterally. This would 1
However, as will be discussed in Section 6.3, some sites actually
have two limitations: want to manage the mapping table explicitly as part of their account
creation process. Such sites consider protocol 4 as an optional feature.

6

1.a User proxy authenticates with the resource proxy.
1.b User proxy issues a signed MAP-SUBJECT-UP request to re-
source proxy, providing as arguments both global and resource Protocol 1 Protocol 2 Protocol 3 Protocol 4
subject names.
2.a User logs on to the resource using the resource’s authentication
method and starts a map registration process. GSS-API
2.b Map registration process issues MAP-SUBJECT-P request to
resource proxy, providing as arguments both global and re-
source subject names.
plaintext SSL Kerberos ...
1. Resource proxy waits for MAP-SUBJECT-UP and MAP-
SUBJECT-P requests with matching arguments.
2. Resource proxy ensures that map registration process belongs Figure 3: Use of GSS-API in Globus
to the resource subject specified in the map request.
3. If a match is found, resource proxy sets up a mapping and sends
acknowledgments to map registration process and user proxy. smart-cards. This separation of protocol and mechanism is a
4. If a match is not found within MAP-TIMEOUT, resource proxy desirable property in an implementation as well, since it en-
purges the outstanding request and sends an acknowledgment hances the overall portability and flexibility of the resulting
to the waiting entity.
system.
5. If acknowledgment is not received within MAP-TIMEOUT, re- To achieve the desired separation, GSI is implemented
quest is considered to have failed.
on top of the Generic Security Services application program-
Protocol 4: Mapping global to local identifier.
ming interface (GSS-API) [16]. As the name implies, GSS-
API provides security services to callers in a generic fashion.
These services can be implemented by a range of underlying
as secure as the local authentication method. Clearly, re- mechanisms and technologies, allowing source-level porta-
sources with strong authentication (for example based on bility of applications to different environments.
Kerberos [14], S/KEY, or Secure Shell [22]) will result in a GSS-API allows us to construct GSI simply by transcrib-
more secure mapping. ing the grid security protocols into GSS calls. We can then
exploit various grid-level security mechanisms without al-
6 An Implementation of the Grid Security Architecture tering the GSI implementation. The relationship between
Globus and GSS-API is shown in Figure 3.
In this section, we describe the Globus Security Infrastruc- GSS-API is oriented toward two-party security contexts.
ture (GSI), an implementation of our proposed grid secu- It provides functions for obtaining credentials, performing
rity architecture. GSI was developed as part of the Globus authentication, signing messages, and encrypting messages.
project [5], whose focus is to GSS-API is both transport and mechanism independent.
• understand the basic infrastructure required to sup- Transport independence means that GSS-API does not de-
port the execution of wide range of computational grid pend on a specific communication method or library. Rather,
applications, each GSS-API call produces a sequence of tokens that can
be communicated via any communication method an ap-
• build prototype implementations of this infrastructure, plication may choose. Currently, GSI uses raw TCP sock-
and ets and the Nexus communication library [6] to move to-
• evaluate applications on large-scale testbeds. kens between processors, although other transports can be
easily used as well. Mechanism independence means that
As part of the Globus project, we have built GUSTO, a the GSS does not specify the use of specific security proto-
testbed that spans over twenty institutions and couples over cols, such as Kerberos, SESAME, DES, or RSA public key
2.5 teraflops of peak compute power. This testbed has been cryptography. In fact, a GSS-API implementation may sup-
used for a range of compute- and communication-intensive port more than one mechanism and use negotiation-specific
application experiments. mechanisms when the parties in the GSS operation initially
As specified by our security architecture, GSI provides contact one another.
support for user proxies, resource proxies (the Globus re- GSS-API bindings have been defined for several mech-
source allocation manager (GRAM) [3]), certification au- anisms. To date, we have worked with two: one based on
thorities, and implementations of the protocols described plaintext passwords, and one based on X.509 certificates. (In
above. We describe here selected aspects of this implemen- addition, a proof-of-concept Kerberos V5 implementation
tation, focusing on our use of the Generic Security Services has been recently completed.) The plaintext password im-
application programming interface (GSS-API), the Secure plementation was designed to support system debugging and
Socket Layer (SSL), and our experiences deploying the im- small-scale deployment, while the certificate-based imple-
plementation in a large testbed. mentation is used for wide-area “production” use. The flex-
ibility of our GSS-API implementation allows us to switch
6.1 Use of the Generic Security Services Application Pro- between public key and plaintext versions of Globus without
gramming Interface changing a single line of Globus code.
Remark: While the use of GSS-API has proven to be a
The protocols defined above are expressed in terms of ab- significant benefit, the interface is not without limitations.
stract security operations, such as signature and authenti- GSS-API does not offer a clear solution to delegation2 , nor
cation, rather than in terms of specific security technologies, does it provide any support for group contexts. The former
such as DES or RSA. Hence, these protocols can be imple- is needed to allow temporary and limited transfer of user’s
mented by using any of a number of modern security tech- rights to a process in the event that the user trusts the site
nologies and mechanisms, such as shared secrets and tick-
2
ets (e.g., Kerberos), public key cryptography (e.g., SSL), or The delegation flag in the gss init sec context() notwithstanding.

7

(and resource) hosting this process enough to forgo an au- in this paper are workable. Particularly interesting in this
thentication/authorization handshake with the user proxy regard is the experience of installing resource proxies at var-
each time a new process needs to be created. Group con- ious sites. Because it runs as root, resource proxy code was
text management is needed to support secure communica- subject to careful review by security administrators at differ-
tion within a dynamic group of processes belonging to the ent sites. The result to date has been unanimous approval.
same computation (or even the same user).
7 Related Work
6.2 Support for Public Key Technology in GSI
We distinguish among two main classes of related work:
The GSI implementation currently uses the authentication traditional distributed systems security solutions and tech-
protocols defined by the Secure Socket Library (SSL) pro- niques geared specifically towards large, dynamic, and high-
tocol [10]. At first glance, this may seem like an odd choice, performance computing environments. Not surprisingly, there
since SSL defines a communication layer while GSS explic- has been comparatively little work in the latter area.
itly does not. However, in principle, it is possible to separate There are many general-purpose solutions for distributed
the authentication and communication components of SSL. systems security. Notable examples are Kerberos, DCE,
To avoid confusion between the SSL authentication proto- SSH, and SSL. We now review them in brief.
col and the SSL communication library, we use the term Kerberos has been widely used since the mid-1980s.
SSL Authentication Protocol or SAP to refer specifically to Although it has evolved considerably during that time, the
the authentication elements of SSL. We refer to our GSS current MIT release still relies heavily on conventional cryp-
implementation using SAP as GSS/SAP. tography and the on-line AS/TGS combination. Recently,
The use of SAP was motivated by several factors. First, optional Kerberos extensions have been proposed to support
there exists a high-quality, public-domain implementation of the use of public key cryptography for certain tasks, includ-
the SSL protocol (SSLeay), developed outside of the United ing initial user login (PKINIT) [20], interdomain authentica-
States and hence avoiding export control issues. Second, tion and key distribution (PKCROSS) [19], and peer-to-peer
SSLeay is structured in a way that allows a token stream authentication (PKTAPP) [17]. We note that the last two
to be extracted easily, thus making the GSS implementa- have not progressed past Internet Drafts (expired) and no
tion straightforward. Third, SSL is widely adopted as the implementations are available. Although these extensions
method of choice for authentication and secure communi- make Kerberos more attractive (since public key cryptogra-
cation for a broad range of distributed services, including phy lends itself to greater security and scalability), Kerberos
HTTP servers, Web browsers, and directory services [11]. still remains a fairly heavyweight solution best suited for in-
By combining GSS/SAP with TCP sockets, we can, in fact, tradomain security.
reconstitute the entire SSL protocol. Consequently, a com- DCE is a mature product developed by the Open Group
putation can use GSI to access not only Globus services, but with the security component derived largely from Kerberos.
also generic Web services. DCE authorization service is much richer and more effective
than that of plain Kerberos. In addition to security ser-
6.3 Deployment vices, DCE includes a time service, a name service, and a
GSI has been deployed in GUSTO, a grid testbed spanning file system. All this is both a blessing and a curse: a bless-
some 20 sites [5] in four countries. GUSTO includes NSF su- ing since DCE sites get a bundled solution, and a curse,
percomputer centers, DOE laboratories, DoD resource cen- since it is hard to use only selected components of DCE.
ters, NASA laboratories, universities, and companies. Furthermore, because of its Kerberos legacy, DCE is based
The initial deployment in late 1997 was limited to the on conventional, shared-key cryptography with trusted third
password implementation of GSI and involved installation parties (TTPs) such as authentication, ticket granting, au-
of the GRAM resource proxy described previously and the thorization, and credential servers. Interdomain security is
establishment of a globusmap file that describes the global- possible albeit with some complications: on-line presence of
to-local mapping applicable at a particular site. Since Pro- TTPs in all domains is assumed. The latest DCE release
tocol 4 above has not yet been implemented, this file is does support the option of using public keys for initial lo-
currently maintained manually by site administrators. (We gin. However, the AS/TGS are still assumed to be on line,
note that, in practice, site administrators often seem to want and public key cryptography is not used for peer-to-peer
to maintain this file manually, using it as a form of access authentication. Moreover, MIT Kerberos and DCE are not
control list.) The GRAM resource proxy runs as root so compatible, in particular, where public key use is concerned.
as to implement the appropriate mapping for each incoming SSH has been developed as a replacement for (mostly
request. UNIX-flavored) remote login, file transfer, and remote exe-
As mentioned earlier, GSS/SAP is intended to be the cution commands. It is geared primarily for the client-server
default method for Globus applications. After obtaining ex- model. Unlike DCE/Kerberos, SSH is fully public key en-
port approval and license in early 1998, GSS/SAP imple- abled; that is, all authentication and session key distribution
mentation has been deployed on a wide-scale (both national is public key based. SSH supports X.509v3, PGP, and SPKI
and international) basis starting in Spring 1998. The pass- certificate formats. Also unlike DCE/Kerberos, SSH is ori-
word implementation is no longer in production use. ented toward interdomain communication security. This is a
We are also operating a Globus certification authority definite plus. However, SSH is essentially an all-or-nothing
to support certificate generation for users and resources. solution. It provides a secure pipe between the connection
To date, resource proxies have been developed that provide end-points and leaves out important elements such as autho-
gateways to local Kerberos and cleartext/rsh authentication rization and delegation. SSH does not provide a well-defined
mechanisms. API and does not allow decoupling of communication and
Our (admittedly limited) experience with GSI deploy- security services. In addition, SSH’s use of bulk encryption
ment offers some confidence that the techniques proposed is problematic with respect to the overall performance.
SSL is Netscape’s secure communication package. It

8

is used primarily for securing HTTP-based Web traffic, al- 8 Conclusions and Future Work
though the software is general enough to secure any type of
above-transport-layer traffic. SSL supports X.509v3 certifi- We have described a security architecture for large-scale
cates and uses public key cryptography (RSA) for authen- distributed computations. This architecture is immediately
tication and key distribution (the latter can be done with useful and, in addition, provides a firm foundation for inves-
either RSA or Diffie-Hellman). Like SSH, SSL is a “secure tigations of more sophisticated mechanisms. We have also
pipe” solution. Communication and security services are in- described an implementation of this architecture; this im-
tertwined; SSL assumes a stream-oriented transport layer plementation has been deployed on a national-scale testbed.
protocol underneath, for example, TCP. However, we note Our architecture and implementation address most of the
that SSL allows authenticated, yet nonencrypted, commu- requirements introduced in Section 3. The introduction of
nication. a user proxy addresses the single sign-on requirement and
We now turn to more recent and more specialized solu- also avoids the need to communicate user credentials. The
tions aimed at large-scale, wide-area distributed computing. resource proxy enables interoperability with local security
CRISIS is the security component of Web-OS, an oper- solutions, as the resource proxy can translate between inter-
ating system developed for use in wide area distributed com- domain and intradomain security solutions. Because encryp-
puting [21, 1]. Web-OS and Globus are similar in that both tion is not used within the associated protocols, export con-
aim to provide seamless access to files and computational re- trol issues and hence international use are simplified. Within
sources distributed throughout a wide-area network. CRI- the implementation, the use of GSS-API provides for porta-
SIS, like GSI, employs SSL for point-to-point secure data bility. Group communication is one major requirement not
transfer and X.509 for certificates. addressed.
CRISIS is both a more intrusive and a more complete The security design presented addresses a number of
security architecture. Although it supports local site auton- scalability issues. The sharing of credentials by processes
omy insofar as policy, it does not accommodate local security created by a single resource allocation request means that
mechanisms. As mentioned earlier, one of our primary goals the establishment of process credentials will not, we expect,
is to provide a thin layer of homogeneity to tie together dis- be a bottleneck. The fact that all resource allocation re-
parate and, often incompatible, local security mechanisms. quests must pass via the user proxy is a potential bottle-
On the other hand, CRISIS encompasses more than just neck; this must be evaluated in realistic applications and,
authentication; it also includes extensive access control pro- if required, addressed in future work. One major scalabil-
visions, caching of credentials, and a secure execution envi- ity issue that is not addressed is the number of users and
ronment, Janus [8]. resources. Clearly, other approaches to the establishment
Unlike Globus, CRISIS does not treat a process as a re- of global to local mappings will be required when the num-
source or an entity. This is an important difference because ber of users and/or resources are large: on example is the
our security architecture allows processes to act indepen- use-condition approaches to authorization [13]. However, we
dently, for example, to request access to other resources or believe the current approach can deal with this.
start another process elsewhere. This makes a running pro- We hope to develop the techniques described in this pa-
cess a temporary principal and, at the same time, a resource per in four major directions: more flexible policy-based ac-
jointly owned by the user it belongs to and the local host cess control mechanisms, based for example on use condi-
site. tions [13]; representation and implementation of interdo-
A further distinction is that we view a grid computation main access control policies; secure group communication,
as a dynamic group of peer processes running on different building for example on work in the CLIQUES project [18];
resources in different sites. (Therefore, security in dynamic and delegation mechanisms to support scalability to large
peer groups is a fundamental issue.) Because of its origins, numbers of resources and users.
CRISIS is a more Web-oriented architecture that, although
quite suitable for remote execution, is not aimed at (or suit- Acknowledgments
able for) a typical grid computation.
The Legion ([9, 15] project also has goals similar to We gratefully acknowledge Doug Engert’s assistance with
those of Globus, focusing on object-based software technolo- the development of the SSL implementation of the Globus
gies for application in grid systems. An object-oriented ar- security architecture, Stuart Martin’s contributions to the
chitecture provides much flexibility with respect to, in par- implementation of the Globus Resource Allocation Manager,
ticular, security mechanisms. Every object (e.g., file) con- and Bill Johnston’s comments on a draft of the paper. We
tains a number of “hooks” allowing security services to be also thank the anonymous referees for their insightful cri-
added/extended on a very granular level. However, Legion tique.
defines a rather high-level security model without an actual
architecture and protocols. In fact, the Globus toolkit can
be used to construct an implementation of the Legion’s se-
curity model.
To summarize, existing distributed computing security
technologies are concerned primarily with problems that
arise in client-server computing and do not adequately ad-
dress the issues of creating N -way security contexts, very
large (as well as diverse) user and resource sets, or local
mechanism/policy heterogeneity.

9

References [16] J. Linn. Generic security service application program
interface, version 2. Internet RFC 2078, January 1997.
[1] E. Belani, A. Vahdat, T. Anderson, and M. Dahlin.
The CRISIS wide area security architecture. In Usenix [17] A. Medvinsky and M. Hur. Public key utilizing tickets
Security Symposium, January 1998. for application servers. Internet draft, January 1997.

[2] C. Catlett and L. Smarr. Metacomputing. Communi- [18] M. Steiner, G. Tsudik, and M. Waidner. CLIQUES:
cations of the ACM, 35(6):44–52, 1992. A new approach to group key agreement. In IEEE
ICDCS’98, May 1998.
[3] K. Czajkowski, I. Foster, C. Kesselman, S. Martin,
W. Smith, and S. Tuecke. A resource management [19] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Som-
architecture for metacomputing systems. Technical re- merfeld, A. Medvinsky, and M. Hur. Public key cryp-
port, Mathematics and Computer Science Division, Ar- tography for cross-realm authentication in Kerberos.
gonne National Laboratory, 1998. Internet draft, November 1997.

[4] I. Foster and C. Kesselman, editors. Computational [20] B. Tung, J. Wray, A. Medvinsky, M. Hur, and J. Tros-
Grids: The Future of High Performance Distributed tle. Public key cryptography for initial authentication
Computing. Morgan Kaufmann, 1998. in Kerberos. Internet draft, November 1997.

[5] I. Foster and C. Kesselman. The Globus project: A [21] A. Vahdat, P. Eastham, C. Yoshikawa, E. Belani,
progress report. In Heterogeneous Computing Work- T. Anderson, D. Culler, and M. Dahlin. WebOS: Oper-
shop, March 1998. ating system services for wide area applications. Tech-
nical Report UCB CSD-97-938, U.C. Berkeley, 1997.
[6] I. Foster, C. Kesselman, and S. Tuecke. The Nexus
approach to integrating multithreading and communi- [22] T. Ylonen, T. Kivinen, and M. Saarinen. SSH protocol
cation. Journal of Parallel and Distributed Computing, architecture. Internet draft, November 1997.
37:70–82, 1996.
[7] M. Gasser and E. McDermott. An architecture for prac-
tical delegation in a distributed system. In IEEE Sym-
posium on Research in Security and Privacy, pages 20–
30, May 1990.
[8] I. Goldberg, D. Wagner, R. Thomas, and E. Brewer.
A secure environment for untrusted helper applications
— conﬁning the wily hacker. In Proc. 1996 USENIX
Security Symposium, 1996.
[9] A. Grimshaw, W. Wulf, J. French, A. Weaver, and P.
Reynolds, Jr. Legion: The next logical step toward a
nationwide virtual computer. Technical Report CS-94-
21, University of Virginia, 1994.
[10] K. Hickman and T. Elgamal. The SSL protocol. Inter-
net draft, Netscape Communications Corp., June 1995.
Version 3.0.
[11] T. Howes and M. Smith. A scalable, deployable di-
rectory service framework for the internet. Technical
Report CITI TR-95-7, CITI, University of Michigan,
July 1995.
[12] D. H¨hnlein. Credential management and secure sin-
u
gle login for SPKM. In ISOC Network and Distributed
System Security Symposium, March 1998.
[13] W. Johnston and C. Larsen. A use-condition centered
approach to authenticated global capabilities: Security
architectures for large-scale distributed collaboratory
environments. Technical Report 3885, LBNL, 1996.
[14] J. Kohl and C. Neuman. The Kerberos network authen-
tication service (v5). Internet RFC 1510, September
1993.
[15] M. Lewis and A. Grimshaw. The core Legion ob-
ject model. In Proc. 5th IEEE Symp. on High Per-
formance Distributed Computing, pages 562–571. IEEE
Computer Society Press, 1996.

10

Security

More Related Content

What's hot (19)

Viewers also liked (8)

Similar to Security (20)

Security