On-demand Restricted Delegation: A Framework for Dynamic, Context-Aware, Least-Privilege Delegation in Grids
KTH, School of Computer Science and Communication (CSC), Centres, Parallelldatorcentrum, PDC. (Parallelldatorcentrum (PDC))
2009 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current grid systems, delegation is either performed dynamically, in an unrestricted manner, or by a secure but static method. Unfortunately, the former compromises security and the latter cannot satisfy the requirements of dynamic grid application execution. Therefore, development of a delegation framework that enables a restricted and flexible delegation mechanism becomes increasingly urgent as grids are adopted by new communities and grow in size. The main barriers in the development of such a mechanism are the requirements for dynamic execution of grid applications, which make it difficult to anticipate in advance the access rights required for completing tasks.

Another significant architectural requirement in grids is federated security and trust. A considerable barrier to achieving this is cross-organizational authentication and identification. Organizations participating in Virtual Organizations (VOs) may use different security infrastructures that implement different protocols for authentication and identification; thus, there exists a need to provide an architectural mechanism for lightweight, rapid and interoperable translation of security credentials from an original format to a format understandable by recipients.

This thesis contributes the development of a delegation framework that utilizes a mechanism for determining and acquiring only required rights and credentials for completing a task, when they are needed. This is what we call an on-demand delegation framework that realizes a bottom-up delegation model and provides a just-in-time acquisition of rights for restricted and dynamic delegation.

In this thesis, we further contribute the development of a credential mapping mechanism using off-the-shelf standards and technologies. This mechanism provides support for an on-the-fly exchange of different types of security credentials used by the security mechanisms of existing grids.

Place, publisher, year, edition, pages
Stockholm: Universitetsservice US AB, 2009, p. xi, 62
Series
Trita-CSC-A, ISSN 1653-5723 ; 2009:01
Keywords [en]
Grid Security, Restricted and Context-Aware Delegation, Delegation Protocol, On-demand Delegation, Dynamic Trust Federation, Grid Interoperability, Credential Mapping
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-9930 ISBN: 978-91-7415-219-7 (print) OAI: oai:DiVA.org:kth-9930 DiVA, id: diva2:159603
Public defence
2009-02-16, Sal F3, Flodis, KTH, Lindstedtsvägen 26, Stockholm, 13:00 (English)
Note
QC 20100622. Available from: 2009-02-09 Created: 2009-02-09 Last updated: 2018-01-13 Bibliographically approved
List of papers
1. Toward An On-demand Restricted Delegation Mechanism for Grids
2006 (English) In: 2006 7TH IEEE/ACM INTERNATIONAL CONFERENCE ON GRID COMPUTING, New York: IEEE, 2006, p. 152-159 Conference paper, Published paper (Refereed)
Abstract [en]

Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and nontrivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a tradeoff between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, which is the principle of least privileges. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.

Place, publisher, year, edition, pages
New York: IEEE, 2006
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9931 (URN) 10.1109/ICGRID.2006.311010 (DOI) 000245376900020 (ISI) 2-s2.0-46149103695 (Scopus ID) 978-1-4244-0343-1 (ISBN)
Conference
7th IEEE/ACM International Conference on Grid Computing. Barcelona, SPAIN. SEP 28-29, 2006
Note
QC 20100621. Available from: 2009-02-09 Created: 2009-02-09 Last updated: 2018-01-13 Bibliographically approved
2. Dynamic, Context-Aware, Least-Privilege Grid Delegation
2007 (English) In: 8th IEEE/ACM International Conference on Grid Computing, New York: IEEE, 2007, p. 209-216 Conference paper, Published paper (Refereed)
Abstract [en]

Performing delegation in large scale, dynamic and distributed environments with large numbers of shared resources is more challenging than inside local administrative domains. In dynamic environments like Grids, on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility and dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. This issue has not yet been adequately addressed by current Grid security mechanisms and is becoming a very challenging and crucial issue for future Grid development. Therefore, providing an effective delegation mechanism which meets the requirements of the least privilege principle is becoming an essential need. Furthermore, we are witnessing a phenomenal increase in the automation of organizational tasks and decision making, as well as the computerization of information related services, requiring automated delegation mechanisms. In order to meet these requirements we introduce an Active Delegation Framework which extends our previous work on on-demand delegation, making it context-aware. The framework provides a just-in-time, restricted and dynamic delegation mechanism for Grids. In this paper we describe the development of this framework and its implementation and integration with the Globus Toolkit.

Place, publisher, year, edition, pages
New York: IEEE, 2007
Keywords
Decision making, Mechanisms, Problem solving
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9932 (URN) 000253412400012 (ISI) 2-s2.0-47249133315 (Scopus ID) 978-1-4244-1559-5 (ISBN)
Conference
8th IEEE/ACM International Conference on Grid Computing, GRID 2007; Austin, TX; 19 September 2007 through 21 September 2007
Note
QC 20100621. Available from: 2009-02-09 Created: 2009-02-09 Last updated: 2018-01-13 Bibliographically approved
3. Workflows in Dynamic and Restricted Delegation
2009 (English) In: 2009 INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY, AND SECURITY (ARES), New York: IEEE, 2009, p. 17-24 Conference paper, Published paper (Refereed)
Abstract [en]

Delegation is a key facility in dynamic, distributed and collaborative environments like Grids and enables an effective use of a wide range of dynamic applications. Traditional delegation frameworks approach a top-down model of delegation for delegating rights from a superior to a subordinate in advance, before a delegatee starts off a delegated task. However, a top-down model of delegation cannot meet all the requirements of dynamic execution of distributed applications, as in such environments the access rights required for completing a task cannot easily be anticipated in advance. Delegating fewer rights than required for completing a task may cause the task execution to fail, while delegating more rights than needed may invite abuse by malicious parties. It is therefore reasonable and more robust to utilize a mechanism that allows determining and acquiring only the required rights and credentials for completing a task, when they are needed. This is what we call an on-demand delegation framework, which realizes a bottom-up delegation model and provides a just-in-time acquisition of rights for a restricted and dynamic delegation. In this paper we elaborate the concept of bottom-up delegation and describe how an on-demand delegation framework can leverage workflows to meet the requirements of the least privileges principle. We also discuss the vital need for dynamic and adaptive scientific workflows to support an on-demand delegation framework. We present three different models of bottom-up delegation, which cover a wide range of usage scenarios in Grids and dynamic collaborative environments. Using a standard RBAC authorization model and a graph-based workflow model (DAG), we define and analyze a formal model of our proposed bottom-up delegation approach.

Place, publisher, year, edition, pages
New York: IEEE, 2009
Keywords
Access rights, Authorization model, Collaborative environments, Distributed applications, Dynamic applications, Dynamic execution, Formal model, Graph-based, Just in time, Least privilege, On-Demand, Required rights, Scientific workflows, Task executions, Top down models, Usage scenarios, Work-flows, Workflow models, Management, Security of data
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9933 (URN) 10.1109/ARES.2009.92 (DOI) 000270612000003 (ISI) 2-s2.0-70349667785 (Scopus ID) 978-1-4244-3572-2 (ISBN)
Conference
4th International Conference on Availability, Reliability and Security, Fukuoka Inst Technol, Fukuoka, JAPAN, MAR 16-19, 2009
Note
QC 20100621. Available from: 2009-02-09 Created: 2009-02-09 Last updated: 2018-01-13 Bibliographically approved
4. Grid Delegation Protocol
2004 (English) In: Workshop on Grid Security Practice and Experience, 2004, p. 81-91 Conference paper, Published paper (Refereed)
Abstract [en]

We propose a delegation protocol based on the WS-Trust specification, which is applicable for a wide range of Grid applications. The protocol is independent of underlying security mechanisms and is therefore applicable to all security mechanisms of common use in Grid environments, such as X.509 proxy certificates, Kerberos based delegation, and SAML assertions. We emphasize that this is work in progress. In this paper, we document our thoughts and current strategy, and we solicit comments and feedback on our approach.

National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9935 (URN)
Note
NQC. Available from: 2009-02-10 Created: 2009-02-10 Last updated: 2018-01-13 Bibliographically approved
5. Security Credential Mapping in Grids
2009 (English) In: 2009 INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY, AND SECURITY (ARES), New York: IEEE, 2009, p. 481-486 Conference paper, Published paper (Refereed)
Abstract [en]

Federating security and trust is one of the most significant architectural requirements in grids. In this regard, one challenging issue is cross-organizational authentication and identification. Organizations participating in Virtual Organizations (VOs) may use different security infrastructures that implement different authentication and identification protocols. Thus, there arises an architectural need to provide a mechanism for a lightweight, rapid and interoperable translation of security credentials from an original format to a format understandable by recipients. In this paper, we describe the development and the implementation of an architecture for credential mapping in grids using off-the-shelf technologies and standard specifications. Our open-source implementation of this architecture provides support for an on-the-fly exchange of different types of security credentials used by diverse grid security infrastructures.

Place, publisher, year, edition, pages
New York: IEEE, 2009
Keywords
Grid security infrastructure, Identification protocol, Off-the-shelf technologies, On-the-fly, Open source implementation, Security credentials, Security infrastructure, Virtual organization
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9936 (URN) 10.1109/ARES.2009.93 (DOI) 000270612000066 (ISI) 2-s2.0-70349676193 (Scopus ID) 978-1-4244-3572-2 (ISBN)
Conference
4th International Conference on Availability, Reliability and Security, Fukuoka Inst Technol, Fukuoka, JAPAN, MAR 16-19, 2009
Note
QC 20100621. Available from: 2009-02-10 Created: 2009-02-10 Last updated: 2018-01-13 Bibliographically approved
6. Dynamic Trust Federation in Grids
2006 (English) In: Trust Management, Proceedings / [ed] Stolen, K; Winsborough, WH; Martinelli, F; Massacci, F, 2006, Vol. 3986, p. 3-18 Conference paper, Published paper (Refereed)
Abstract [en]

Grids are becoming economically viable and productive tools. They provide a way of utilizing a vast array of linked resources such as computing systems, databases and services online within Virtual Organizations (VO). However, today's Grid architectures are not capable of supporting dynamic, agile federation across multiple administrative domains, and the main barrier hindering dynamic federation over short time scales is security. Federating security and trust is one of the most significant architectural issues in Grids. Existing relevant standards and specifications can be used to federate security services, but do not directly address the dynamic extension of business trust relationships into the digital domain. In this paper we describe an experiment which highlights those challenging architectural issues and forms the basis of an approach that combines a dynamic trust federation and a dynamic authorization mechanism for addressing dynamic security trust federation in Grids. The experiment made with the prototype described in this paper is used in the NextGRID project to define the requirements of next generation Grid architectures adapted to business application needs.

Series
Lecture notes in computer science, ISSN 0302-9743 ; 3986
National Category
Computer and Information Sciences
Identifiers
urn:nbn:se:kth:diva-9937 (URN) 10.1007/11755593_2 (DOI) 000238108800002 (ISI) 2-s2.0-33745908270 (Scopus ID) 978-3-540-34295-3 (ISBN)
Conference
4th International Conference on Trust Management, Location: Pisa, Italy, Date: MAY 16-19, 2006
Note
QC 20111006. Available from: 2009-02-10 Created: 2009-02-10 Last updated: 2018-01-13 Bibliographically approved
7. Streamlining Grid Operations: Definition and Deployment of a Portal-based User Registration Service
2006 (English) In: Journal of Grid Computing, ISSN 1572-9814, Vol. 4, no 2, p. 135-144 Article in journal (Refereed) Published
Abstract [en]

Manual management of public key credentials can be a significant and often off-putting obstacle to Grid use, particularly for casual users. We describe the Portal-based User Registration Service (PURSE), a set of tools for automating user registration, credential creation, and credential management tasks. PURSE provides the system developer with a set of customizable components, suitable for integration with portals, that can be used to address the full lifecycle of Grid credential management. We describe the PURSE design and its use in portals for two systems, the Earth System Grid data access system and the Swegrid computational Grid. In both cases, the user is entirely freed from the need to create or manage public key credentials, thus simplifying the Grid experience and reducing opportunities for error. We argue that this capturing of common use cases in a reusable ‘solution’ can be a model for how Grid ease-of-use can be addressed in other domains as well.

National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-9938 (URN) 10.1007/s10723-006-9047-3 (DOI) 2-s2.0-33746528675 (Scopus ID)
Note
QC 20100621. Available from: 2009-02-10 Created: 2009-02-10 Last updated: 2018-01-13 Bibliographically approved

Open Access in DiVA

fulltext (751 kB) 697 downloads
File information
File name: FULLTEXT02.pdf, File size: 751 kB, Checksum: SHA-512
c8208bbddeafc1414fc8113c717d1cba3c041df2dcead04391950bd213d6c0a771735c099611db429418215176c35d10469fa530dcfa5ce7e37b7231b7142cff
Type: fulltext, Mimetype: application/pdf

Author
Ahsant, Mehran
Organisation
Parallelldatorcentrum, PDC
Computer Science
