Safety mechanism used by Globus

xiaoxiao2021-03-06

2004-10-15

This article is intended for readers interested in grid computing and Globus. The security mechanism of Globus Toolkit 3 is one of its main characteristics, and it is essentially unchanged in the upcoming GT4. It is a supplement to Web Services.

The security implementation has three goals:
1. Secure communication between two computing grid nodes.
2. Security across different organizations, which means it cannot rely on one centrally managed security system.
3. Single sign-on for the user: a user who accesses multiple grid resources (all of them accessible to him) only needs to be authenticated once.

The underlying techniques:

Public-key concept. B wants to send information to A. A holds two keys, a public key KEA and a private key KDA. B encrypts with KEA and sends the result to A; A decrypts it with KDA.

The certificate used by Globus (the GSI certificate) contains: the subject name (the user or object the certificate identifies), the subject's public key, the identity of the CA that signed the certificate, and the digital signature of that CA.

4. An important concept: if two parties each hold a certificate, and each trusts the CA that signed the other's certificate, then the two can prove their identities to each other (when B says he is B, A can verify that B is telling the truth).

5. The concrete authentication process in Globus, with B authenticating A: A sends its certificate to B. The certificate tells B (1) who A claims to be (the subject name), (2) A's public key, and (3) the CA's identity and signature. By checking the CA's digital signature, B confirms that the certificate is legitimate (signed by a CA that B trusts). B then has to prove that A really is A: B sends A a random message and asks A to encrypt it; A encrypts the message with its private key and sends it back; B decrypts it with A's public key and checks whether it is still the same message. That completes the authentication. A then authenticates B in the same way.
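The authentication in step 5, as an added Go example (not code from the article or from the Globus Toolkit): it uses Go's standard crypto/x509 and crypto/rsa packages, and the CA name, subject name, key size and certificate lifetime are constructed for the demo. B accepts A's certificate only if the trusted CA's signature on it verifies, then sends a random message and checks the reply with the public key from that certificate; the "encrypt with the private key, decrypt with the public key" step is realized as a raw PKCS#1 v1.5 RSA signature.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for subject/pub with signerKey; a CA certificate (isCA) is self-signed.
func issue(subject string, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // constructed lifetime
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if isCA { parent = tmpl } // the CA signs its own certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil { panic(err) } // only on misuse of this demo helper
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// responder is A's side: "encrypt B's random message with A's private key" (a raw PKCS#1 v1.5 RSA signature).
func responder(priv *rsa.PrivateKey) func([]byte) []byte {
	return func(msg []byte) []byte { sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, 0, msg); return sig }
}

// authenticate is B's side of step 5: accept A's certificate only if the trusted CA signed it and it is valid now, then send a fresh random message and "decrypt" A's reply with the certificate's public key.
func authenticate(trustedCA, presented *x509.Certificate, reply func([]byte) []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // rejected before any challenge: not signed by a CA that B trusts
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	return rsa.VerifyPKCS1v15(presented.PublicKey.(*rsa.PublicKey), 0, challenge, reply(challenge))
}

// Demo: the genuine A passes; an impostor presenting A's certificate but holding another key fails.
func Demo() (genuineOK, impostorOK bool) {
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	caKey, aKey, otherKey := newKey(), newKey(), newKey()
	ca := issue("Example CA", &caKey.PublicKey, nil, caKey, true)
	aCert := issue("A", &aKey.PublicKey, ca, caKey, false)
	return authenticate(ca, aCert, responder(aKey)) == nil, authenticate(ca, aCert, responder(otherKey)) == nil
}

func main() { Demo() }
```

The impostor case shows why the challenge is needed: a certificate alone only proves that some CA vouched for the name, while the reply proves the peer holds the matching private key.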
Once mutual authentication succeeds, GSI stops there and does not encrypt the subsequent communication, to avoid the load of encryption and decryption; if both parties want it, GSI can establish a shared key for encryption. GSI can also provide communication integrity: an eavesdropper may be able to read the content but cannot modify it (if a message is altered, both sides can detect the change). This feature adds some load, but not much.

Securing private keys: Globus Toolkit stores the private key on the local hard disk and encrypts it with a passphrase (set when configuring GSI). The key can also be stored on a smart card (recommended).

6. Delegation and single sign-on. Delegation, together with single sign-on, is an extension of SSL that reduces the number of times the passphrase has to be entered by creating a proxy. The proxy consists of a new certificate (a new public key, a new private key, and the user's identity); this certificate is signed by the user, not by a CA. The proxy has a limited lifetime (in Globus, 1 day). This extension currently applies only to GSI and GSI-based software (Globus, GridFTP); the Globus Project is working with the Grid Forum and the IETF to add this delegation mechanism to other SSL-based software.

Please credit the original source when reposting: https://www.9cbs.com/read-80358.html
