
Study Of Authentication And Authorization In Grid

Posted on: 2011-02-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Y Yao
GTID: 1118360305955642
Subject: Computer software and theory
Abstract/Summary:
Grid security has been regarded as a core issue in recent years. Because a grid environment is dynamic, diverse, autonomous, and managed at multiple levels, its security solution is more complicated and comprehensive than that of a general network. This paper explores grid security solutions in order to make the grid safer. Its contributions are as follows:

1. A model for protecting identity privacy during entity authentication is proposed. A grid user can negotiate a pseudonym with the trust anchor to mask the DN (Distinguished Name) in the EC (Entity Certificate). This improves the randomness of the subject name, so that identity privacy is well protected. The model does not disturb the existing PKI's management of ECs; on the contrary, it cooperates with it seamlessly.

2. A new role-based approach to authentication is proposed. Unlike identity-based authentication, it verifies the role rather than the identity to ensure that the current user is valid, meeting authentication and privacy requirements at the same time. The approach provides a unique, random identifier for each role credential, which can be used to distinguish users even if they hold the same role. The proposal can realize the SSO requirement and cooperates seamlessly with role-based authorization. Moreover, the approach is effective against MITM (man-in-the-middle) attacks. Simulation indicates that the approach is secure.

3. A framework for grid authorization is proposed. Current typical authorization instances cannot cooperate well with each other, although each can provide authorization functions within its local realm. So far there has been little work to improve this situation so as to better embody the expansibility of the grid. The paper fully analyzes grid authorization concepts, models, sequences, and algorithm parameters, and then summarizes them into a five-layer hierarchical framework according to the matching relationship among authorization functions, implementation units, and optional techniques. The framework clarifies the functions of each layer and makes the scheduling of authorization clear. It can promote intercommunication among authorization instances if they are built in accordance with it.

4. A rule-combining approach capable of dealing with policy inconsistency is designed. Policy inconsistency can cause conflicting authorization decisions and can also lead to high complexity in policy deduction. Existing methods for dealing with this issue in grid environments have not provided a good solution so far. The approach proposed in the paper processes the policies to eliminate inconsistency in advance, and then produces a consistent authorization decision through a policy deduction algorithm that runs in polynomial time.
Keywords/Search Tags:Grid security, Authentication, Authorization, Privacy protection