Abstract
Credential revocation is a critical problem in grid environments and remains unaddressed in existing grid security solutions. We present a novel grid authentication system that solves the revocation problem. It guarantees instantaneous revocation of both long-term digital identities of hosts/users and short-lived identities of user proxies. With our approach, revocation information is guaranteed to be fresh with high time-granularity. Our system employs mediated RSA (mRSA), adapts Boneh’s notion of semi-trusted mediators to suit security in virtual organizations and propagates proxy revocation information as in Micali’s NOVOMODO system. Our approach’s added benefits include a configuration-free security model for end-users of the grid and fine-grained management of users’ delegation capabilities.
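The two mechanisms the abstract combines, mediated RSA signing through a semi-trusted mediator (SEM) and NOVOMODO-style hash-chain freshness tokens for short-lived proxy identities, are illustrated below in an added, self-contained Python example; it is not code from the paper or its authors. The key split follows the mRSA idea of Boneh, Ding and Tsudik (the private exponent is shared additively between user and SEM, so neither half signs alone, and the SEM simply stops cooperating to revoke), and the proxy part follows Micali's construction (a hash-chain validity target plus a separate revocation target in the certificate). The modulus, the truncated hash, the `Mediator` class and every function name are assumptions made for the demonstration; the modulus is far too small for real use.

```python
import hashlib
import secrets

# Constructed demo modulus: two Mersenne primes giving a ~150-bit n (NOT a real-world size).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; in mRSA it exists only split


def split_private_key(d, phi):
    """mRSA split: d = d_user + d_sem (mod phi). Neither share signs on its own."""
    d_user = secrets.randbelow(phi - 1) + 1
    d_sem = (d - d_user) % phi
    return d_user, d_sem


def digest(msg, n):
    # SHA-256 truncated to 128 bits so it fits the demo modulus; real mRSA uses full PKCS#1 encoding.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big") % n


class Mediator:
    """Semi-trusted mediator (SEM): holds each user's d_sem share and a revocation set."""

    def __init__(self):
        self.shares = {}
        self.revoked = set()

    def enroll(self, user_id, d_sem):
        self.shares[user_id] = d_sem

    def revoke(self, user_id):
        self.revoked.add(user_id)  # takes effect on the very next signing request

    def half_sign(self, user_id, h):
        if user_id in self.revoked or user_id not in self.shares:
            return None  # a revoked identity gets no partial signature
        return pow(h, self.shares[user_id], N)


def mrsa_sign(user_id, d_user, msg, sem):
    """User and SEM each raise the digest to their share; the product is a normal RSA signature."""
    h = digest(msg, N)
    ps_sem = sem.half_sign(user_id, h)
    if ps_sem is None:
        return None
    ps_user = pow(h, d_user, N)
    return (ps_user * ps_sem) % N


def rsa_verify(msg, sig):
    """Verifiers see an ordinary RSA signature and need no knowledge of the split."""
    return sig is not None and pow(sig, E, N) == digest(msg, N)


# NOVOMODO-style freshness for short-lived proxy identities
def h(x):
    return hashlib.sha256(x).digest()


def issue_proxy(lifetime_periods):
    """Certificate carries H^lifetime(x0) as validity target and H(y0) as revocation target."""
    x0 = secrets.token_bytes(32)
    chain = [x0]
    for _ in range(lifetime_periods):
        chain.append(h(chain[-1]))
    y0 = secrets.token_bytes(32)
    cert = {"validity_target": chain[-1], "revocation_target": h(y0), "lifetime": lifetime_periods}
    issuer_secrets = {"chain": chain, "y0": y0}  # kept by the issuer only
    return cert, issuer_secrets


def freshness_token(issuer_secrets, period):
    """In period i the issuer releases chain[lifetime - i]; nothing later can be forged from it."""
    chain = issuer_secrets["chain"]
    return chain[len(chain) - 1 - period]


def check_fresh(cert, token, period):
    """Hashing the period-i token i times must reproduce the certificate's validity target."""
    if period > cert["lifetime"]:
        return False
    v = token
    for _ in range(period):
        v = h(v)
    return v == cert["validity_target"]


def check_revoked(cert, token):
    """Releasing y0 revokes instantly: anyone can confirm H(y0) matches the certificate."""
    return h(token) == cert["revocation_target"]
```

The mediator's refusal is the whole revocation mechanism for long-term identities: because every signature needs the SEM's half, there is no window in which a revoked key keeps working, which is the "instantaneous" property the abstract claims. For proxies, a relying party only ever needs one hash-chain token per period and one hash computation per elapsed period, and a released `y0` cannot be retracted, so freshness and revocation are both checkable offline.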
References
Kohnfelder, L.M.: Towards a Practical Public-Key Cryptosystem. B.S. Thesis, supervised by L. Adleman, MIT (May 1978)
Koblitz, N.: A Course in Number Theory and Cryptography. Series: Graduate Texts in Mathematics, 2nd edn., vol. 114. Springer, Heidelberg (1994)
Schneier, B.: Applied Cryptography, 2nd edn. John Wiley & Sons, Chichester (1996)
Micali, S.: Novomodo: Scalable Certificate Revocation and Simplified PKI Management. In: Proc. of 1st Annual PKI Research Workshop (2002), available at http://www.wisdom.weizmann.ac.il/~kobbi/papers.html
Foster, I., Kesselman, C.: The GRID: Blueprint for a new Computing Infrastructure. Morgan Kauffman Publishers, San Francisco (1999)
Foster, I., Kesselman, C., Tuecke, S.: The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International Journal of High Performance Computing Applications 15(3), 200–222 (2001)
Foster, I., Kesselman, C.: Globus: A metacomputing infrastructure toolkit. International Journal of Supercomputer Applications (Summer 1997)
Foster, I., Kesselman, C.: The Globus Project: A Status Report. In: Proc. IPPS/SPDP 1998 Heterogeneous Computing Workshop, pp. 4–18 (1998)
Butler, R., Engert, D., Foster, I., Kesselman, C., Tuecke, S., Volmer, J., Welch, V.: A National-Scale Authentication Infrastructure. IEEE Computer, Los Alamitos (2000)
Public Key Infrastructure Standards, http://csrc.nist.gov/pki/panel/warwick
X.509 Certificate Format, http://www.w3.org/PICS/DSig/X509_1_0.html
Burmester, M., Desmedt, Y.G.: Is Hierarchical Public-Key Certification the Next Target for Hackers? Communications of the ACM 47(8) (August 2004)
Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
Boneh, D., Ding, X., Tsudik, G.: Fine-Grained Control of Security Capabilities. ACM Transactions on Internet Technology 4(1), 60–82 (2004)
Gemmell, P.: An Introduction to Threshold Cryptography. RSA CryptoBytes 2(3), 7–12 (1997)
X.509 Internet Public Key Infrastructure Certificate and CRL Profile, IETF RFC 2459, http://www.ietf.org/rfc/rfc2459.txt
Public Key Infrastructure, Final Report; MITRE Corporation; National Institute of Standards and Technology (1994)
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP), IETF RFC 2560, http://www.ietf.org/rfc/rfc2560.txt
Gentry, C.: Certificate-based Encryption and the Certificate Revocation Problem. Cryptology ePrint Archive: Report 2003/183 (2003), http://eprint.iacr.org
Shamir, A.: Identity-based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
Lynn, B.: Authenticated Identity-Based Encryption. Cryptology ePrint Archive: Report 2002/072 (2002), http://eprint.iacr.org
Sundaram, B., Nebergall, C., Tuecke, S.: Policy Specification and Restricted Delegation in Globus Proxies. In: SuperComputing Conference 2000, Dallas (November 2000)
Rivest, R.L.: Can We Eliminate Certificate Revocation Lists? In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 178–183. Springer, Heidelberg (1998)
Tuecke, S., Engert, D., Foster, I., Thompson, M., Pearlman, L., Kesselman, C.: Internet X.509 Public Key Infrastructure Proxy Certificate Profile. IETF Draft draft-ietf-pkix-proxy-06.txt (2003)
Foster, I., Kesselman, C., Tsudik, G., Tuecke, S.: A Security Architecture for Computational Grids. ACM Conference on Computers and Security, 83–91 (1998)
The SUCSES Project, http://sconce.ics.uci.edu/sucses/
The HPCTools Group, Department of Computer Science, University of Houston
Appenzeller, G., Lynn, B.: Minimal Overhead IP Security using Identity-Based Encryption, http://rooster.stanford.edu/~ben/pubs
Web Services - Resource Framework, Specifications of the WS-Resource construct, http://www.globus.org/wsrf/specs/ws-wsrf.pdf
Novotny, J., Tuecke, S., Welch, V.: An Online Credential Repository for the Grid: MyProxy. In: Proc. of the Tenth International Symposium on High Performance Distributed Computing, August 2001, pp. 104–111. IEEE Press, Los Alamitos (2001)
PURSe: Portal-Based User Registration Service, http://www.grids-center.org/solutions/purse/
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Sundaram, B., Chapman, B.M. (2005). A Grid Authentication System with Revocation Guarantees. In: Bader, D.A., Parashar, M., Sridhar, V., Prasanna, V.K. (eds) High Performance Computing – HiPC 2005. HiPC 2005. Lecture Notes in Computer Science, vol 3769. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11602569_52
DOI: https://doi.org/10.1007/11602569_52
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30936-9
Online ISBN: 978-3-540-32427-0