An alternative way of accessing the grid is making headway in the Polish grid community, getting rid of a time consuming process. It’s designed to give researchers within the community another choice when accessing the grid.
A web portal and virtual file system now makes the process of requesting and managing grid credentials simpler, according to the researchers, from the Wroclaw Centre for Networking and Supercomputing and the Academic Computer Centre CYFRONET, which are both part of PL-Grid, the National Grid Infrastructure of Poland.
X.509 certificates are the passports of the grid and combine a digital certificate (public key) and a password protecting a key for accessing the grid (private key). Even though certificates are secure, some users find the process of obtaining and using them confusing and long winded. There are currently several initiatives trying to deal with this issue, such as the UK's National Grid Service Certificate Wizard.
Normally, grid users within the Polish community have to request a digital certificate from their national or regional issuing authority, or Certification Authority (CA) and then they have to prove their identity to a local representative of a Certification Authority. This requires a face to face meeting with a representative and presenting a passport or photo ID. Identify verification is then confirmed by a trusted third party, who must know the user personally. This chain of personal contacts can be tedious and time consuming. However, for institututions such as CERN, users who require a grid certificate do not need to show their passport if they're already in the Human Resources database.
Now, Polish researchers use a new system called the Simple CA; about 70% of PL-grid users use Simple CA.
“We've resigned from face-to-face meeting requirements for user identity verification. Instead we use a special remote procedure, including e-mail contact with the user and phone contact with his institute,” said Bartlomiej Balcerek, a security officer at the Wroclaw Centre for Networking and Supercomputing. His colleague, Marcin Teodorczyk presented their work at the Cracow Grid Workshop in early November 2011.
However, the Polish researchers plan to make their system available to users who require Polish grid resources only and not for access to international grids. This is because international grid certificate authorities rely on strict legal verification with passports and the use of audit logs, to reliably trace a user's digital identity in case, for example, the name on a certificate changes.
“Our system improves usability. Our users complained a lot about identity vetting with passport verification. In PL-Grid we don't perceive passport verification as essential. Also, Simple CA procedure has been well-thought-out and in our opinion isn't much weaker than the traditional one, at least in the PL-Grid environment,” said Marcin Teodorczyk, a security officer at the Wroclaw Centre for Networking and Supercomputing.
In any case, Poland already has a Certification Authority that gives researchers access to international grid resources. It's fully accredited and approved by the International Grid Trust Federation (IGFT), which is an international body that establishes a set of common practices, policies and procedures to reliably identify grid subscribers and resources around the World.
The internationally recognized Polish Certificate Authority is managed by the Poznan Supercomputing and Network Center. It has globally trusted identities using verifiable and auditable processes and is available to users in PL-Grid that work in an international context.
Regarding Simple CA, Balcerek and his colleagues initially faced criticism from other security people within the Polish grid community about the certification policies they were adopting for Simple CA and the fact that their system was moving away from a face-to-face identification process to a digital one.
Simple CA’s remote identity verification procedure enables users to quickly register up to grid services. A user fills in a questionnaire and replies to one e-mail to obtain his or her certificates.
“We have a PL-Grid Operator, a person who does a user's identity verification. Basically, she compares the data stored in the [Center of Data Processing] OPI Database of Polish scientists, with the data specified by the user. We use this database in identity verification procedure. Next, the operator contacts a user's institute by phone and the user by e-mail. The database is not connected in any way with the Polish Grid Project and has its own verification procedures,” said Balcerek.
In addition, “we've developed KeyFS, which is a tool to distribute a user's credentials between grid user interfaces, and it automatically sets them up with gLite [a grid middleware] and SSH [Secure Shell, a network protocol for secure data communication much like HTTPS for web browsers].”
KeyFS, which is a virtual file system currently being tested, maps a user’s credentials stored on a database to a grid user interface. “A user doesn't have to convert and copy a X.509 credential to his or her interface anymore,” said Marcin Teodorczyk, a security officer at the Wroclaw Centre for Networking and Supercomputing.
According to Teodorczyk, in some instances KeyFS is more secure than the current system. “KeyFS cares that user credentials are encrypted properly and that they have appropriate access rights, which is not always true when a user manages a certificate themselves,” he said.
“After a user receives a certificate, they can choose to store their public and private keys on a central database for later use by KeyFS. The private key is encrypted and secured with a password known only by the user. KeyFS then distributes those credentials to all grid user interfaces for use with gLite and SSH almost immediately. All that a user has to do is set up their private key on his (client) side for secure access with SSH. Our work makes it more convenient to become a grid user and access grid services.” This also means grid administrators have less work to do when managing X.509 certificates.
Now, the main challenge the researchers face is moving the KeyFS system from a test environment to a real one. “The Polish National Grid Infrastructure has many sites and administrators. It is necessary to train them on KeyFS installation and maintenance,” said Teodorczyk.
Even though the Simple CA system provides PL-Grid users with another choice when accessing grid resources within Poland, members of the International Grid Trust Federation doubt the system will be used outside the Polish grid community.
“It is not possible right away to say whether the overall international community would find this level of identity assurance acceptable for production purposes, although it has apparently found some success within a portion of the user community,” said Alan Sill, a member of the The Americas Grid Policy Management Authority that represents the International Grid Trust Federation in North, South and Central America.
“Our users are informed about this, and can decide if they want to use it or go through IGTF accredited procedures and obtain a worldwide valid certificate,” said Teodorczyk.
International grid authorities rely on the highest level of identification verification. The International Grid Trust Federation helps coordinate these standards from requests by the organizations of countries that provide resources to users of international grids.
“It's required by our relying parties. If you have to deal with long-term access controls, for example on data, it is important to be sure that the same name in the certificate will always belong to the same person, and is never assigned to anybody else. When this 'uniqueness requirements' fails, your resources are left vulnerable and data potentially compromised.
This long-term traceability can only be trusted if there are proper audit logs, which is why the IGTF for the current assurance levels requires traceability and proper audit logs. For communities that are ‘tight-knit’ and know each other well, these 'out-of-band' controls on authentication can compensate for fewer audit requirements,” said David Groep of the National Institute for Sub-atomic physics, in the Netherlands and current chair of the IGTF.
Today, the IGTF and Open Grid Forum have several activities in place to build identity federation bridges, in cooperation with other federated identity management systems, and commercial Certification Authorities to develop standards and protocols to extend the current systems.