Scribd Logo
Upload

Welcome to Scribd!

  • Authentication For Distributed Systems

    Uploaded by

    distributed
    107 views3 pages
    Start of the Report

    Original Title

    Authentication for Distributed Systems

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Start of the Report

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    107 views3 pages

    Authentication For Distributed Systems

    Uploaded by

    distributed
    Start of the Report

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Authentication for distributed systems

    Introduction
    The current situation of authentication across computer networks is
    most often a
    one time authorization with the server . However with distributed
    systems ( Data Grids), there needs to be new secure widespread
    mechanism for authorization over inter-domain , dynamic networks
    (such as the Internet), where previously unknown clients and servers
    must authenticate and interact with each other.

    The Globus Project establish in 1997 provided tools for public key
    based message authentication and protection called GSI (Grid Security
    Infrastructure). It was based on X.509 certificates and delegation using
    proxy certificates and has emerged as the dominant security method
    for Grid Computers

    Security
    A distributed system is prone to attacks and threats from intruders as
    well as internal users. These attacks can be summarized in two main
    categories

    Host Compromise
    This involves corrupting information to and from a host or major case
    of taking full control of the host. There are already method’s to stop
    this in Hardware such as processor protection and in software security
    kernels.

    Communication Compromise
    Eavesdropping : This is a Passive attack which is hard to detect due to
    no modification only the copying. Protection from this is hard due to
    this , and only measures to prevent this can be employed on the
    system

    Modification : This is the deletion, modifying or insertion of messages


    in a network. This is an active attack

    Replaying of Messages : This is a combination of Modification and


    Eavesdropping however is looked on as an active attack

    As well as security proxy based authentication tackles another two key


    issues of setting tasks in a distributed system
    Single Sign On
    If Entity A want’s to enter his password / keypass once into a terminal
    than leave the program running with all needed task’s or request
    answered silently , the program needs to be given the rights of Entity A
    to perform the need operations. A token ( proxy session) can forfill this
    need

    Delegation
    Remote processes will need to perform operations on Entity A’s behalf.
    For example a program will need to delegate rights to two hosts to
    access to a specific file for transfer between them

    A Proxy is a token that allows one to operate with the rights and
    privileges of the person/machine that granted the proxy .Proxying can
    be used to minimize these risks , it allows for the use of a private key
    to create the proxy credential. The proxy credential which is used to
    pass on authority from the user to the program , can then act on behalf
    of the initial user to access to data or devices without the need for
    repeat reproducing of the private key. The program can also delegate
    these permission rights to sub process’s needing to access as part of a
    data call or modification. The rights it delegates can only be less or
    equal to then it’s original permissions , it cannot delegate permissions
    it does not have. This this ease of delegating rights brings around
    security risks , for example if the program gets comprised and the
    attacker gains access to the proxy credential , the attacked will have
    the same credential’s as the initial user. To resolve this issue , there are
    restrictions placed on delegated proxies (Restricted Proxies) to restrict
    the damage of any compromised proxies. These restrictions can be
    limited to individual files , with individual restrictions.

    Parts to the restricted proxy


    1) A signed certificate by the grantor listing :

    a. Restrictions

    b. Listing Encryption Key to me used for the end server to verify


    proxy

    2) Proxy Key ( Corresponding to the above Encryption key) used by the


    grantee to prove proper possession of the proxy

    Grantor Grantee End Server


    Protection Proxy Key + Certificate
    If the user knows in advance it will need to make multiple call’s to an
    application or machine , it can obtain a session token. This allows
    unlimited call’s , it can be limited by an expiry date (TTL).A proxy
    credential is a technique used for security to allow entity A to grant
    another Entity rights to perform actions (as a proxy ) on behalf of entity
    A
    Verifying the proxy

    You might also like