Analysis of the technology scheme of security authentication in grid computing environment

Source: Internet
Author: User

With the rapid development of the Internet, hundreds of thousands of high-performance computers have been deployed across it, and how to better connect and use these networked resources has become an important research direction. This is the motivation behind grid computing.

As a new generation of distributed computing, grid computing differs from traditional distributed computing mainly in that, without any centralized control mechanism, it shares computing resources on a large scale to meet the demands of high-performance computing, and this large-scale sharing is dynamic, flexible, secure and cooperative.

Grid security is a key problem in grid computing. Security and convenience are a pair of opposing requirements: while the security of grid computing must be guaranteed, interaction between users and the various services must also stay as convenient as possible. When designing a grid security mechanism, the dynamic nature of the subjects and the complexity of the grid computing environment deserve particular attention, so that subjects in the grid can identify one another and communication between them keeps its confidentiality and integrity. For these reasons, the security problem in a grid computing environment is broader than network security in the general sense. In a grid environment the clients are located in different geographical locations and organizations; communication between grid entities (users, resources and programs) must be secured against tampering, and the grid security mechanism must interoperate with each organization's own security mechanisms. A unified grid security infrastructure is therefore required, and GSI (Grid Security Infrastructure) is an integrated solution to the security problems of grid computing.

GSI as the authentication solution for the grid environment

GSI provides a range of security protocols, security services, a security SDK and command-line programs for the grid computing environment. GSI provides authentication in the grid, supports secure communication between subjects, protects subjects against impersonation and data leakage, gives grid communication confidentiality, integrity and replay protection, and offers grid users single sign-on and authorization. GSI can also authenticate the identity of a grid entity in order to decide which operations that entity is allowed to perform. Together, these security technologies guarantee both the security and the convenience of the grid computing environment.

GSI is the core of grid security. It supports the implementation of user agents, resource agents, certification authorities and protocols, and it provides a layered set of security protocols that accommodate a variety of security mechanisms and technologies. GSI uses GSS-API (Generic Security Service Application Programming Interface) as its security programming interface, a common security service that keeps applications portable at the source level. On top of the authentication and secure communication between subjects, it provides functions for obtaining certificates, performing authentication, signing messages and encrypting messages.

The GSI implementation conforms to the IETF proposed standard for security services (GSS-API), which targets the transport and application layers of the network and emphasizes integration with existing distributed security technologies. Built on public-key cryptography, it makes full use of existing network security technology and extends it so that GSI can support single sign-on. The grid computing environment thereby gets a consistent security interface, which eases both the development and the use of the grid.

Implementing a grid security policy must focus on interaction between domains and mapping between domains. Operations within a single trust domain can rely on existing methods such as Kerberos and SSH. Each trust domain must hold a mapping from global principals to local principals. Operations between entities located in different trust domains require the entities to authenticate each other. When an authenticated global principal is mapped to a local principal, it is treated as equivalent to a locally authenticated local principal. In a general computing environment, subjects and objects cover all computing entities in the group: a computation consists of many processes, each acting on behalf of a user, and the objects are the wide range of resources available for use in the grid environment.

The GSI security policy is realized in three parts: the Generic Security Service programming interface GSS-API, authentication management, and the user agent implementation. Within GSI, authentication is the problem principally solved.

GSI defines four security-operation protocols, creating a user agent, a proxy allocating resources, a process allocating resources, and mapping permissions, which together embody the grid solution. Global naming (certificates) and proxy certificates allow a user to authenticate only once for all the resources they access. Proxy certificates and delegation allow a process to access resources on behalf of the user. On the basis of the GSI security policy and the single sign-on mechanism, a grid security system is built that identifies users, resources and processes, supporting identification of users to resources, resources to processes, processes to resources and processes to processes, as well as interaction with local policies and dynamic requests for different resources.
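The mapping step described above, from an authenticated global principal to a local principal, is the point at which a site decides whether a successfully authenticated identity may act locally at all. The following Python is an added example written for this article, not Globus Toolkit code: it uses the grid-mapfile line format that Globus uses (`"<subject DN>" local-account[,...]`), but every DN and account name in it is constructed sample data, and the rule that a limited proxy may not start a job mirrors the Globus job manager's behaviour.

```python
"""Mapping an authenticated global grid identity to a local account with a
grid-mapfile. Added example for this article, not Globus Toolkit code: the
grid-mapfile line format ("<subject DN>" local-account[,...]) is the one
Globus uses, while the DNs and account names are constructed sample data."""
import shlex

# Constructed sample grid-mapfile (not taken from any real site).
GRID_MAPFILE = '''
# Lines starting with '#' are comments; blank lines are ignored.
"/C=US/O=Example Grid/OU=Physics/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=Physics/CN=Bob Example" bob,physics
"/C=DE/O=Partner Grid/CN=Carol Partner" guest
'''

# Legacy GSI proxy subjects are the issuer's subject with one of these
# components appended. RFC 3820 proxies use a numeric CN instead, which a
# real gatekeeper recognises from the certificate chain, not from the string.
PROXY_SUFFIXES = ("/CN=proxy", "/CN=limited proxy")


def parse_grid_mapfile(text):
    """Return {global DN: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The DN is quoted because it contains spaces; shlex handles the quoting.
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping


def end_entity_dn(dn):
    """Strip trailing proxy components to recover the identity that delegated.
    Returns (identity DN, limited); limited is True if any link in the proxy
    chain was a limited proxy, since that restriction is inherited."""
    limited = False
    while True:
        for suffix in PROXY_SUFFIXES:
            if dn.endswith(suffix):
                limited = limited or suffix == "/CN=limited proxy"
                dn = dn[: -len(suffix)]
                break
        else:
            return dn, limited


def map_principal(dn, mapping, starting_job=False):
    """Decide which local account (if any) an authenticated DN may act as.
    Returns (local account or None, reason). Authentication alone is not
    enough: an unmapped global principal is refused, and, following the
    Globus job manager's rule, a limited proxy may not start a job."""
    identity, limited = end_entity_dn(dn)
    accounts = mapping.get(identity)
    if accounts is None:
        return None, f"{identity} authenticated but has no local mapping"
    if limited and starting_job:
        return None, f"{identity} presented a limited proxy; job start refused"
    return accounts[0], f"{identity} mapped to local account {accounts[0]}"


if __name__ == "__main__":
    table = parse_grid_mapfile(GRID_MAPFILE)
    for subject, job in [
        ("/C=US/O=Example Grid/OU=Physics/CN=Alice Example/CN=proxy", True),
        ("/C=DE/O=Partner Grid/CN=Carol Partner/CN=limited proxy/CN=proxy", True),
        ("/C=DE/O=Partner Grid/CN=Carol Partner/CN=limited proxy", False),
        ("/C=US/O=Example Grid/CN=Mallory/CN=proxy", False),
    ]:
        print(map_principal(subject, table, starting_job=job)[1])
```

The point worth noticing is the third and fourth outcomes: Mallory's proxy chain may well have passed mutual authentication against a trusted CA, yet it is refused because no local principal exists for it, and Carol's limited proxy is accepted for ordinary access but not for starting a job.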

GSI's security authentication

Authentication is the process in which the requester and the recipient authenticate each other. It is carried out over SSL: a successful authentication verifies that the connection request is legitimate and provides a session key for the subsequent communication between the two parties. GSI authentication relies on a proxy created with the user's private key, which is what gives the user a means of authentication; a user who has not created this proxy cannot submit jobs or transfer data.

At the heart of GSI authentication is the authentication certificate. Every user and service in the grid computing environment needs a certificate in order to authenticate itself, and GSI certificates use the X.509 format. The subject name identifies the person or other object that the certificate authenticates. The certificate carries the subject's public key, the identity of the certification authority (CA) that signed it, and the CA's digital signature, which lets a relying party confirm that the certificate was issued by a legitimate CA.

Before mutual authentication, each side must trust the other's certification authority: each holds the other CA's certificate, so it can confirm that certificates signed by that CA are legitimate. Once both parties have obtained their own certificates and trust each other's CA, they can verify each other's identity; this is the mutual authentication process. GSI uses the SSL (Secure Sockets Layer) protocol as its mutual authentication protocol.
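The chain-of-trust logic behind the last three paragraphs (a CA signs user and service certificates, the user's private key signs a short-lived proxy, and each side of a mutual authentication walks the other's chain back to a CA certificate it already holds) can be shown in a few dozen lines. The Python below is an added example written for this article, not Globus or OpenSSL code: X.509 and RSA are replaced by a small dataclass and textbook RSA with tiny primes, which is not secure and serves only to make the verification steps visible. The CA, user, service and proxy names are constructed, and the legacy `/CN=proxy` subject rule is the one older GSI proxies used.

```python
"""Toy model of GSI certificate-chain validation and mutual authentication.
Added example for this article, not Globus or OpenSSL code: X.509 and RSA
are replaced by a dataclass and textbook RSA with tiny primes (NOT secure).
All distinguished names below are constructed."""
from dataclasses import dataclass
from hashlib import sha256
from math import gcd


def toy_keypair(p, q, e=17):
    """Textbook RSA from two tiny primes: returns (public=(n, e), private=(n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    return (n, e), (n, pow(e, -1, phi))


def _digest(data, n):
    return int.from_bytes(sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


@dataclass
class Cert:
    subject: str        # X.509-style distinguished name
    issuer: str         # subject of the certificate that signed this one
    public_key: tuple
    not_after: int      # expiry, as a toy timestamp
    is_proxy: bool
    signature: int = 0

    def tbs(self):
        """The 'to be signed' bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_after}|{self.is_proxy}".encode()


def issue(issuer_cert, issuer_private, subject, subject_public, not_after, is_proxy=False):
    """The issuer signs a certificate binding subject to subject_public."""
    cert = Cert(subject, issuer_cert.subject, subject_public, not_after, is_proxy)
    cert.signature = sign(issuer_private, cert.tbs())
    return cert


def self_signed_ca(subject, public, private, not_after):
    cert = Cert(subject, subject, public, not_after, False)
    cert.signature = sign(private, cert.tbs())
    return cert


def make_proxy(user_cert, user_private, proxy_public, not_after):
    """Legacy GSI proxy: subject is the user's DN plus '/CN=proxy', and it is
    signed by the user's own private key rather than by the CA (delegation)."""
    return issue(user_cert, user_private, user_cert.subject + "/CN=proxy",
                 proxy_public, not_after, is_proxy=True)


def verify_chain(chain, trusted_cas, now):
    """chain is leaf-first, e.g. [proxy, user_cert]; trusted_cas maps a CA subject
    to the copy of its certificate this side holds. Returns (end-entity DN, None)
    on success, or (None, reason) naming the first check that failed."""
    identity = None
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            return None, f"expired: {cert.subject}"
        # The issuer is the next cert in the chain, otherwise a CA this side trusts.
        issuer = chain[i + 1] if i + 1 < len(chain) else trusted_cas.get(cert.issuer)
        if issuer is None:
            return None, f"issuer not trusted: {cert.issuer}"
        if cert.issuer != issuer.subject or not verify(issuer.public_key, cert.tbs(), cert.signature):
            return None, f"bad signature on {cert.subject}"
        if cert.is_proxy and not cert.subject.startswith(issuer.subject + "/CN="):
            return None, f"proxy subject does not extend its issuer: {cert.subject}"
        if not cert.is_proxy and identity is None:
            identity = cert.subject   # first non-proxy cert names the real principal
    if identity is None:
        return None, "chain contains only proxy certificates"
    return identity, None


def build_demo():
    """Constructed scenario: a trusted CA, user Alice with a short-lived proxy,
    a service certificate, and a rogue CA that reuses the trusted CA's name."""
    ca_pub, ca_priv = toy_keypair(61, 53)
    ca = self_signed_ca("/O=Example Grid/CN=Grid CA", ca_pub, ca_priv, 10_000)
    alice_pub, alice_priv = toy_keypair(107, 109)
    alice = issue(ca, ca_priv, "/O=Example Grid/CN=Alice", alice_pub, 9_000)
    proxy_pub, _ = toy_keypair(127, 131)
    proxy = make_proxy(alice, alice_priv, proxy_pub, 2_000)   # proxies live briefly
    svc_pub, _ = toy_keypair(149, 151)
    service = issue(ca, ca_priv, "/O=Example Grid/CN=host/gatekeeper.example", svc_pub, 9_000)
    rogue_pub, rogue_priv = toy_keypair(157, 163)
    rogue_ca = self_signed_ca(ca.subject, rogue_pub, rogue_priv, 10_000)
    mallory_pub, _ = toy_keypair(167, 173)
    mallory = issue(rogue_ca, rogue_priv, "/O=Example Grid/CN=Alice", mallory_pub, 9_000)
    return {"trusted": {ca.subject: ca}, "alice": alice, "proxy": proxy,
            "service": service, "mallory": mallory}


if __name__ == "__main__":
    d = build_demo()
    # Mutual authentication: the service checks the user's chain and vice versa.
    print("service sees user:   ", verify_chain([d["proxy"], d["alice"]], d["trusted"], 1_000))
    print("user sees service:   ", verify_chain([d["service"]], d["trusted"], 1_000))
    print("forged Alice, rogue CA:", verify_chain([d["mallory"]], d["trusted"], 1_000))
    print("proxy after expiry:  ", verify_chain([d["proxy"], d["alice"]], d["trusted"], 3_000))
```

The rogue-CA case is the one the text's "both parties have certificates of each other's certification center" sentence is about: the forged certificate names the trusted CA as its issuer, but the verifier checks the signature against its own stored copy of that CA's certificate, so a CA that merely shares the name is rejected. The expiry case shows why a proxy's short lifetime matters: once it lapses, the underlying user certificate is still valid, but the delegated chain is not.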

Authentication is the basis of secure communication

Grid security is a key problem in grid computing. Grid computing is characterized by integrating existing standard protocols and technologies into the grid. Every user and service of a grid system and its applications must satisfy all of the security requirements, including authentication, mutual authentication of identities, communication encryption, private-key protection and single sign-on, and each of them can authenticate its identity in the grid computing environment through its certificate. This gives a better authentication solution, in which a user's computing processes and the resources those processes use can prove their identities to each other.

Authentication is the basis on which the security policy is formed: it lets each local security policy be placed within a global framework, which in turn makes secure communication between grid entities easier to achieve.
