
Research On Certificate Management Mechanism In Grid Environment

Posted on: 2010-07-11
Degree: Master
Type: Thesis
Country: China
Candidate: J P Pan
GTID: 2178360302960734
Subject: Computer application technology
Abstract/Summary:
Certificates are the essential mechanism of grid security. In the Grid Security Infrastructure (GSI), certificates are either End Entity Certificates (EECs) or Proxy Certificates (PCs). EECs and PCs provide single sign-on and delegation in grid environments, so studying the revocation mechanism for EECs and the authentication of the PC chain is quite important for the use of grids.

In this paper, we describe and analyze the main security mechanisms in GSI: the content of the EEC and the PC and the differences between them. We also analyze the advantages and disadvantages of current certificate revocation mechanisms. For EECs, in order to solve the problems of time delay and the large associated cost, we put forward a new EEC revocation mechanism, MEECRM (m-RSA based End Entity Certificate Revocation Mechanism), and we prove the security of MEECRM. MEECRM introduces a semi-trusted entity, the SEM, under the MyProxy component. The main role of the SEM is to help valid grid users carry out decryption and digital signature operations; it also checks the status of the EEC. Grid users cannot access grid services without the help of the SEM, which is what makes MEECRM effective as a revocation mechanism for EECs. In addition, because the credential stored in the MyProxy certificate database is only part of the private key, MEECRM also solves the problem of private key leakage.

For authentication of the PC chain, we split the long PC chain into short PC chains in workflow mode, following the order in which the subtasks execute. Executing the subtasks creates more than one PC chain. This new method reduces the number of PC authentications; finally, we analyze the advantages of the new method using the experimental results. In addition, because the PC chains are shorter, the list of certificates that must be revoked when one of the PCs is leaked is also shorter, which increases the security of PC chain authentication.
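The SEM's role described above can be illustrated with the generic mediated-RSA construction, in which the private exponent is split additively between the user and the SEM. This is an added example, not code from the thesis; the additive split, the toy primes, the user name `alice` and the message are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (constructed): two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def split_key():
    """Key setup: split d additively so that d = d_user + d_sem (mod phi)."""
    d = pow(E, -1, PHI)
    d_user = secrets.randbelow(PHI - 1) + 1
    return d_user, (d - d_user) % PHI

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class SEM:
    """Semi-trusted entity: holds one key half per user plus a revocation set."""
    def __init__(self):
        self.halves, self.revoked = {}, set()
    def enroll(self, user, d_sem):
        self.halves[user] = d_sem
    def revoke(self, user):
        self.revoked.add(user)
    def half_sign(self, user, h):
        # Status check happens on every request, so revocation is immediate.
        if user in self.revoked or user not in self.halves:
            return None
        return pow(h, self.halves[user], N)

def sign(sem, user, d_user, msg):
    h = digest(msg)
    ps_sem = sem.half_sign(user, h)
    if ps_sem is None:
        return None  # SEM refused: no usable signature can be formed
    return (pow(h, d_user, N) * ps_sem) % N  # h^d_user * h^d_sem = h^d

def verify(msg, sig):
    return sig is not None and pow(sig, E, N) == digest(msg)

def demo():
    sem = SEM()
    d_user, d_sem = split_key()
    sem.enroll("alice", d_sem)
    before = sign(sem, "alice", d_user, b"job-submit")
    user_only = pow(digest(b"job-submit"), d_user, N)  # user half alone
    sem.revoke("alice")
    after = sign(sem, "alice", d_user, b"job-submit")
    return verify(b"job-submit", before), verify(b"job-submit", user_only), after
```

`demo()` returns `(True, False, None)`: the combined signature verifies under the ordinary public key, the user's half alone does not, and after revocation the SEM withholds its half.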
Keywords/Search Tags:Grid Security, Certificate Revocation, PC Chain's Split