The Grid Secure Technique Applied To The Management Platform Of Science And Technology

Posted on: 2006-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Yang
GTID: 2168360182456886
Subject: Computer technology

Abstract/Summary:
With the rapid development of the Internet, computer networks have spread all over the world. The sheer volume of information they carry is more than anyone can take in, and at the same time we face the problems of how to obtain the information we need promptly, how to make full use of computing resources on the network while they are idle, and how to raise the efficiency with which network resources are used. It is said that the average utilization rate of computer resources worldwide still does not reach 10%; almost every organization owns plenty of idle computing resources, and these are spread around the world. At the same time, many application fields need very strong computing power, yet neither the individuals nor the organizations working in those fields can supply the capacity actually demanded. The actual state of computing resource usage and people's demand for computing power tell us that, on the one hand, plenty of computing resources sit idle, while on the other hand many application problems remain unsolved because there are not enough computing resources to use. Now that Internet technology is mature and widely used, the idea has emerged of using the existing network infrastructure to integrate global computing resources and so realize a "super computer". This is Grid technology. The goal of the Grid is to let grid users access grid resources easily. On a grid, people can access remote grid nodes and use the information on them without traditional network tools such as telnet and ftp, and can share the various computing resources.
The purpose of the grid is to offer users a unified and simple environment for sharing grid resources, regardless of how near or far the location is and whether the equipment is the same or different. The shared resources include computer hardware and software, as well as grid equipment, instruments and the various experts who work with these resources. The management platform of science and technology is a key project of the national department of science and technology. Given the goals of the project's design and implementation, grid technology is a reasonable solution for this platform, and how to ensure the security of the platform is crucial to the design of the whole system. Grid technology is gradually maturing and becoming standardized, and how to guarantee the security of grid applications is one of the prominent parts of every grid implementation. Whether Globus or the recently popular Web Services, each builds its implementation around this topic, and they are currently reaching the same goal by different routes. The Globus group and IBM put forward a security architecture for the Open Grid Service Architecture (OGSA). It looks like a very complicated model and is closely related to Web Services, which is a natural result. In fact, Globus GT3 is the typical implementation of OGSA. It should be explained that OGSA, as third-generation grid technology, has combined the Web service architecture and the grid service architecture perfectly and adopted many new technologies such as WSDL, SOAP and XML. The security architecture for OGSA uses the advantages of XML together with SOAP to encrypt messages, greatly increasing the security of grid use. As an implementation of OGSA, Globus successfully demonstrates grid applications. GSI, developed by the Globus project group, is the critical component of the GT3 toolkit that implements grid security.
Globus also uses the GSS API put forward by the IETF to integrate the underlying secure communication, which solves its portability.

Figure 2: GSS API applied in Globus

Both the Open Grid Service Architecture and traditional Web services, and especially GT3, the typical implementation of OGSA, treat the transport-layer protocol SSL as their basic underlying protocol. Globus will blend further with Web services, and SSL will also remain an important protocol for a long time. SSL, with the application of PKI and X509, a digital certificate technology, aims at ensuring the confidentiality and integrity of information transmission. SSL, usually in the form of a Web server, is mainly used in point-to-point information transmission to provide confidential, reliable transmission channels between two information entities. SSL is an Internet-based security protocol that can guarantee confidentiality. It sits on top of the reliable transport layer and is independent of the specific application-layer protocol. The choice of encryption algorithm, the negotiation of the communication secret key and the authentication of the server are all done by SSL automatically. After an SSL connection is created, the application layer does not need to do anything, because all data is encrypted by SSL automatically. SSL provides the application-layer protocol with an interface similar to TCP, so to the application developer it is completely transparent, and an SSL socket can be used in place of a traditional TCP socket. When carried over SSL, HTTP is called HTTPS and LDAP is called LDAPS. The SSL protocol guarantees data security between two communicating applications (a client and a server), but it is only designed for basic identity authentication. To restrict the rights of the user, extra work is needed in the application that uses SSL. ACL is a successful example. PMI (Privilege Management Infrastructure) is a better solution to the problem of restricting the user's rights.
PMI uses the Attribute Certificate to make clear what users are allowed to do. PMI, an important component of the National Information Security Structure (NISI), aims at providing authorization management services to users and applications. Specifically, it is able to map a user to his particular rights. In addition, it provides an authorization and access control mechanism that is consistent with the processing model of the actual application and independent of the development and management of application systems. PMI helps to simplify the development and maintenance of application systems. PMI binds the rights information into the Attribute Certificate, so the lifecycle of rights is managed through the management of Attribute Certificates. The process of application, issuance, nullification and validation for an Attribute Certificate is also the process of application, issuance, nullification and validation for rights. With the use of Attribute Certificates, the management of rights no longer depends on a concrete application. Furthermore, the use of Attribute Certificates is also favorable to distributed applications. PMI is the expansion and extension of PKI. The standard for the Attribute Certificate is X509 V4. The standard for the identity certificate is X509 V3. The coordinated use of the two certificates can form a complete security system which helps to solve all security problems in Internet applications. PKI can tell who the user is, while PMI proves what kind of rights the user has and how. PMI needs PKI to provide identity authentication. PMI introduces a new kind of infrastructure for information protection. The integration of PKI with directory services provides users with specific rights at the system level, gives a definition and description of rights management, and provides the complete process needed by an authorization service.
PMI, based on PKI, aims at providing rights management and authorization services to users and applications. PMI is also responsible for providing application-related authorization management to business application systems: mapping a user to his particular rights, providing an authorization and access control mechanism that is consistent with the processing model of the actual application and independent of the development and management of application systems, simplifying the development and maintenance of access control and rights management systems, and cutting management cost and complexity. In this thesis, after introducing SSL technology and analysing its defects, I point out how to improve SSL with PMI technology. Integrating the Attribute Certificate into the SSL protocol makes both identity authentication and the restriction of rights possible. In this way, the low-level secure communication protocol supports both X509 and attribute certificates. I also explain in detail how to implement and improve the SSL protocol with Java. I then present an improved version of SSL based solely on Java, a protocol that can be applied in the development of network security applications. With the restriction of rights included, SSL can be applied not only in Web-based services but also in other application systems that provide network-based services, especially systems that provide cross-regional services to large numbers of customers, that is, the Grid. Developing the system with Java can help the spread and application of the technology, because most Internet-based applications are developed with Java.
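
The check the abstract describes, in which SSL authenticates the peer's identity certificate and an attribute certificate then decides what that peer may do, sketched as an added example (it is not code from the thesis). The `AttrCert` record, its pipe-delimited signed form, and all names and sample values are assumptions made for illustration; a real attribute certificate is DER-encoded.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;

public class AttributeCertCheck {
    // Simplified stand-in for an X.509 attribute certificate (hypothetical encoding).
    // The holder is named by issuer + serial of the identity certificate; no key is carried.
    record AttrCert(String holderIssuer, String holderSerial, Set<String> rights,
                    Instant notBefore, Instant notAfter, String acSerial, byte[] sig) {
        byte[] toBeSigned() {
            return String.join("|", holderIssuer, holderSerial, String.join(",", new TreeSet<>(rights)),
                    notBefore.toString(), notAfter.toString(), acSerial).getBytes(StandardCharsets.UTF_8);
        }
    }
    // Attribute authority (AA) side: bind a set of rights to one identity certificate.
    static AttrCert issue(PrivateKey aaKey, String issuer, String serial, Set<String> rights,
                          Instant from, Instant to, String acSerial) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(aaKey);
        s.update(new AttrCert(issuer, serial, rights, from, to, acSerial, null).toBeSigned());
        return new AttrCert(issuer, serial, rights, from, to, acSerial, s.sign());
    }
    // Server side, run after the SSL handshake has authenticated the peer's identity certificate.
    static boolean authorize(String peerIssuer, String peerSerial, AttrCert ac, PublicKey aaKey,
            Set<String> revokedAcSerials, String right, Instant now) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(aaKey);
        v.update(ac.toBeSigned());
        if (!v.verify(ac.sig())) return false;                              // not signed by the trusted AA
        if (!ac.holderIssuer().equals(peerIssuer)
                || !ac.holderSerial().equals(peerSerial)) return false;    // bound to a different identity
        if (now.isBefore(ac.notBefore()) || now.isAfter(ac.notAfter())) return false; // outside validity
        if (revokedAcSerials.contains(ac.acSerial())) return false;        // the right has been nullified
        return ac.rights().contains(right);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair aa = gen.generateKeyPair();                                 // constructed AA key pair
        Instant now = Instant.now();
        String ca = "CN=Example Grid CA";                                   // constructed sample values
        AttrCert ac = issue(aa.getPrivate(), ca, "1A2B", Set.of("job.submit"),
                now.minusSeconds(60), now.plusSeconds(3600), "AC-7");
        System.out.println("holder, granted right: " + authorize(ca, "1A2B", ac, aa.getPublic(), Set.of(), "job.submit", now));
        System.out.println("holder, other right:   " + authorize(ca, "1A2B", ac, aa.getPublic(), Set.of(), "job.cancel", now));
        System.out.println("different identity:    " + authorize(ca, "9F00", ac, aa.getPublic(), Set.of(), "job.submit", now));
        System.out.println("revoked AC:            " + authorize(ca, "1A2B", ac, aa.getPublic(), Set.of("AC-7"), "job.submit", now));
    }
}
```

Because the attribute certificate names its holder by the identity certificate's issuer and serial number, rights can be issued, expired or nullified without reissuing the identity certificate that SSL authenticates.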
Keywords/Search Tags: Management