Abstract
The scale and power of Grid infrastructures make them an inviting target for attack. Even if the Grid software is secure, the Grid infrastructure is vulnerable via operating system vulnerabilities and misconfiguration. One of the worst results of exploiting these vulnerabilities is user proxy credential compromise. This paper describes a pragmatic and simple way, using proxy certificate extensions, to mitigate the damage in case of credential compromise. The potential damage is limited by restricting the range of hosts that the credentials can be used to open connections to and be accepted from. This paper also describes a way to help investigate credential delegation problems.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hahkala, J., White, J., Frohner, Á. (2009). Proxy Restrictions for Grid Usage. In: Abdennadher, N., Petcu, D. (eds) Advances in Grid and Pervasive Computing. GPC 2009. Lecture Notes in Computer Science, vol 5529. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01671-4_5
DOI: https://doi.org/10.1007/978-3-642-01671-4_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01670-7
Online ISBN: 978-3-642-01671-4
eBook Packages: Computer Science, Computer Science (R0)