Secure Framework for Mobile Devices to Access Grid
Infrastructure
Kashif Munir
Computer Science and Engineering Technology Unit
King Fahd University of Petroleum and Minerals
HBCC Campus, King Faisal Street, Hafr Al Batin 31991
e-mails: [email protected]
Lawan Ahmad Mohammad
Computer Science and Engineering Technology Unit
King Fahd University of Petroleum and Minerals
HBCC Campus, King Faisal Street, Hafr Al Batin 31991
e-mails: [email protected]
Abstract---Mobile devices are gradually becoming prevalent in our
daily life, enabling users in the physical world to interact with the
digital world conveniently. Mobile devices increasingly offer
functionality beyond the one provided by traditional resources
processor, memory and applications. This includes, for example,
integrated multimedia equipment, intelligent positioning systems,
and different kinds of integrated or accessible sensors. For future
generation grids to be truly ubiquitous we must find ways to
compensate for the security limitations inherent in these devices as
they interact with grid infrastructure in order to leverage available
resources to authorized users. This paper looks into design
architecture for mobile computing environment. Focus is given to
security framework that will enhance the performance of grid
computing in terms of secure design, architecture and accessibility.
Keywords: Autonomic computing, middleware technologies, Grid
computing, mobile computing
I. INTRODUCTION
Grid computing has made rapid strides during the last few
years from their first use in the scientific computing domain to
enterprise grids deploying commercial applications. Grid
computing permits participating entities connected via networks
to dynamically share their resources. Its increasing usage and
popularity in the scientific community and the prospect of
seamless integration and interaction with heterogeneous devices
and services makes it possible to develop further complex and
dynamic applications for the grid. Grid is already being
successfully used in many scientific applications where huge
amounts of data have to be processed and/or stored. Such
demanding applications have created, justified and diffused the
concept of grid among the scientific community. As the amount
of potential grid users is really enormous, the accumulated data
processing and storage requirements are at least comparable.
Wireless devices such as laptops and Personal Digital Assistants
(PDAs), with currently limited resources (low processing power, finite
battery life and constrained storage space), would benefit
from the opportunity of using a considerable amount of
resources made available by all the other devices connected to
the network [1]. In particular, mobile users might be the future
users of this new technology. Moreover, we have nomadic users
who travel and work only seldom at their offices.
Mobile grid enables both the mobility of the users
requesting access to a fixed grid and the resources that are
themselves part of the grid. Both cases have their own
limitations and constraints that should be handled [2]. In the first
case the devices of the mobile users act as interfaces to the grid,
enabling job submission, monitoring and management of the
activities in an 'anytime, anywhere' mode, while the grid
provides them with a high reliability, performance and
cost-efficiency. Physical limitations of the mobile devices make
necessary the adaptation of the services that grid can provide to
the users' mobile devices. In those cases mobile grid has the
meaning of 'gridifying' the mobile resources. In the second case,
of having mobile grid resources, we should underline that the
performances of current mobile devices are significantly
increased. Laptops and PDAs can provide aggregated
computational capability when gathered in hotspots, forming a
Grid on site. This capability can advantage the usage of grid
applications even in places where this would be imaginary.
Grids and mobile grids can be the ideal solution for many
large-scale applications that are of dynamic nature and require
transparency for users. Grid will increase the job throughput and
performance of the involved applications and will increase
utilization rate of resources by applying efficient mechanisms
for resource management in the vast amount of its resources. It
will enable advanced forms of cooperative work by allowing the
seamless integration of resources, data, services and ontologies.
However, the efficient management of such a large computing
platform is a considerably complicated issue and it is of
constantly increasing complexity because of the increasing number
of heterogeneous devices and components being added to it [3].
Arguably, the system complexity has reached such a level that it
threatens the security of the grid. A promising approach to handle
or reduce this is to employ a suitable security policy and
authentication scheme. Also, as the environment of a mobile
device changes, the application behavior needs to be adjusted to
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 1, April 2010
238 http://sites.google.com/site/ijcsis/ISSN 1947-5500
adapt itself to the changing environment. Hence, the mobile
clients usually need to have the ability to interact with various
networks, services, and security policies as they move from one
place to another.
In this paper, we discuss the issues involved in mobile
access to grid services and then present grid computing
environment architecture based on middleware which provides
support and management infrastructure for delegation of jobs to
the grid, a light-weight security model, offline processing,
adaptation to network connectivity issues etc. The proposed
system enables heterogeneous mobile devices to access grid
services in a secure manner and also suggests security policy
applications and security management infrastructure for
accessing grid resources.
II. ARCHITECTURE
The grid middleware is integrated with functions that
facilitate the management of data mining and data transfer [4].
We use a mobile agent environment that manages the user
(mobility, profile, etc.) and the issues related with the
heterogeneity of the devices. First of all, let us analyze the
interfacing between the user (wireless) and the wired zone. A
fixed agent (Personal Agent) will be present in every mobile
device (PDA, Laptop). The Personal Agent will have the task of
managing the wireless device, by monitoring resources (battery,
memory, CPU, display, etc.) and position (through GPS, for
instance) within the wireless area. When a user enters the
wireless area, an agent (User Agent) is created in the
corresponding Access Point. This agent will represent the user
while he/she remains connected to the network. The User Agent
will be able to communicate with the Personal Agent present in
the device, in order to obtain all the information needed. Anytime the user moves (by changing his/her Access Point) the user
agent will follow him/her, by migrating to the new Access Point.
The User Agent will therefore act as an intermediary between
the mobile device and the grid resources present in the wired
area. As we can see in Figure 1 each node of the Grid network
will consist of a three-level architecture. The lowest one is the
level that provides the grid basic services (resource management,
security, distributed access). If the Globus middleware is used,
the main services will be: the Globus Resource Management
Architecture (GRAM), the Grid Security Infrastructure (GSI),
the Grid Information Service (GIS), and the Globus Access to
Secondary Storage (GASS).
A. Discovery
Discovery is the process of finding Web services with a
given capability. In general, discovery requires that Web
services advertise their capabilities with a registry, and that
requesting services query the registry for Web services with
particular capabilities. The role of the registry is both to store
the advertisements of capabilities, and to perform a match
between the request and the advertisements. In this section, we
will describe how Ontology Web Language for Services (OWL-S)
can be used to add capability matching to Universal
Description, Discovery and Integration (UDDI), the de-facto
standard discovery registry for Web Services. The autonomic
middleware which enables mobile devices to access grid
services is managed by employing a UDDI [5] registry, whose goal
is to create an Internet-wide network of registries of Web services.
The composition of the current web services may not provide
sufficient facilities to represent an autonomic behavior or to
integrate them seamlessly with other autonomic components,
but with the advent of semantic web service technologies like
OWL-S [6], it becomes possible to provide a fundamental
framework for representing and relating devices and services
with their policies and describing their functionalities and
capabilities.
As the middleware service is in place and information is
exposed, other devices would be able to discover and provide
support to use the API in the UDDI specification (UDDI version
3.0.2) [5], which is defined in XML, enclosed in a SOAP
envelope and sent over HTTP. SOAP is fundamentally a
stateless, one-way message exchange paradigm, but applications
can create more complex interaction patterns (e.g.,
request/response, request/multiple responses, etc.) by combining
such one-way exchanges with features provided by an
underlying protocol and/or application-specific information.
SOAP is silent on the semantics of any application-specific data
it conveys, as it is on issues such as the routing of SOAP
messages, reliable data transfer, etc. However, SOAP provides
the framework by which application-specific information may
be conveyed in an extensible manner. Also, SOAP provides a
full description of the required actions taken by a SOAP node on
receiving a SOAP message (SOAP Version 1.2 Part 0) [7].
Figure 1. Self Organized middleware Architecture for enabling mobile devices to access
Grid services
III. PROPOSED GRID SECURITY INFRASTRUCTURE
In this section, we provide an overview of the security
operation for secure access to resources. A user sends a message
to the center for authorization to access a resource. The message
may consist of a header and a content payload. In addition to
being encrypted, the message should also be signed for
confidentiality and integrity. Associated with every secure
resource is a secret key generated and maintained by a
Certification Authority (CA). The secret key associated with a
resource is distributed securely to all interested entities in the
system. A user in need of the resource should encrypt the
content payload of the message with this key. To ensure
integrity of the payload, a user signs the encrypted payload; this
involves computing the message digest of the encrypted payload
and encrypting this hashed value with an asymmetric key.
When the CA receives the message, it can validate it based on
the signature to verify the source and to confirm message
integrity and then proceed to decrypt the encrypted payload
using the previously distributed secret key. A message
comprises a set of message headers (MH) and the message
payload (MP): M=MH+MP. We secure both the headers and the
body of the message. We do not need confidentiality for the
headers, but we do need tamper evidence. In the case of the
message payload, we need both confidentiality and tamper-
evidence. Finally, the message header associated with message
is MH = SU(MP).
The CA is a specialized node within the system which is
responsible for managing information pertaining to secure
resources. There can be more than one CA within the system,
and a given CA may manage more than one resource.
However, a given secure resource can be managed by only one
CA. A given CA performs four core functions. First, the CA is
responsible for the generation of the secret symmetric key that is
used for encrypting and decrypting content payloads. Second,
the CA maintains the list of entities authorized to access given
resources. In addition to this, the CA maintains authorization
information related to each of these entities. All
communications between the entities and the CA need to be
secure. To ensure this, all exchanges between the entities and
CA are encrypted using the following rule. First, a secret
symmetric key is generated at the sender, and then used to
encrypt the content payload. Second, depending on the direction
of the communication this secret key is then secured using the
CA's or the entity's public personal-key. Only the entity or the
CA that is in possession of the corresponding private
personal-key is able to decrypt the secret key that was used for
encrypting the content payload. This method leverages both
symmetric and asymmetric key encryptions. Specifically,
asymmetric encryptions have higher overheads for large payloads.
By restricting the use of asymmetric encryptions (and subsequent
decryptions) to operate on only the secret key, which would
typically be a 256-bit AES key [8], we have worked around the
high overhead constraint for asymmetric
encryptions/decryptions.
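The rule above (a fresh symmetric key for the payload, that key wrapped under the recipient's public key, and a signature over the encrypted payload) can be written as follows. This is an added example, not code from the paper; it assumes the third-party Python `cryptography` package, and the use of AES-256-GCM, RSA-OAEP and RSA-PSS, the function names and the message field names are assumptions, since the paper fixes only the 256-bit AES content key.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed padding choices; the paper names no asymmetric padding scheme.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Personal key pair of an entity or of the CA (hypothetical helper)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def send(sender_private, recipient_public, payload: bytes) -> dict:
    """Build a message whose header is the signature over the encrypted payload."""
    content_key = AESGCM.generate_key(bit_length=256)  # generated at the sender
    nonce = os.urandom(12)
    encrypted = nonce + AESGCM(content_key).encrypt(nonce, payload, None)
    return {
        # Header: tamper evidence only, no confidentiality needed.
        "header": sender_private.sign(encrypted, PSS, hashes.SHA256()),
        # Only the small content key goes through the asymmetric operation.
        "wrapped_key": recipient_public.encrypt(content_key, OAEP),
        "payload": encrypted,
    }


def receive(recipient_private, sender_public, message: dict) -> bytes:
    """Verify the signature first, then unwrap the content key and decrypt."""
    try:
        sender_public.verify(message["header"], message["payload"],
                             PSS, hashes.SHA256())
    except InvalidSignature:
        raise ValueError("signature check failed: wrong sender or modified payload")
    content_key = recipient_private.decrypt(message["wrapped_key"], OAEP)
    blob = message["payload"]
    return AESGCM(content_key).decrypt(blob[:12], blob[12:], None)
```

As in the text, the signature covers only the encrypted payload; a deployment would normally also sign the wrapped key and the intended recipient so that the three parts cannot be recombined.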
The following notations were used in our proposed system:
Notation: Meaning:
K Secret key shared between U and CA
U User
PKU Public key for user U
SKU Secret key for user U
RS Secure resource server
KR Symmetric key shared between CA and RS
SU Signature operation for user U
C Cipher text
E Encryption operation
D Decryption operation
V Verification operation
H Hashing algorithm
TS Time Stamp
KUR Session key to be shared by U and RS
(generated by CA)
The encryption operation E using a symmetric key K over a
message M resulting in a cipher-text C is represented as
C = EK(M) and the corresponding decryption operation D is
represented as DK(C) = M. The signing operation S, by an
entity U, using a hashing algorithm H over a message M is
represented as follows: SU(M) = E(SKU[H(M)]). The
corresponding verification operation V using the signing entity's
public key is represented as follows: VU(M) = D(PKU[SU(M)]).
The verification is a success if the result is H(M). Figure 2
below shows the authentication process required before a user is
allowed to access resources.
[Figure 2: message sequence between U, RS and CA, carrying the messages listed in the summary of steps, followed by "Authorization sent to RS" and "Retrieve resources from RS"]
Figure 2. User Authentication Process to Access Resources
Summary of the steps:
1. U → RS: EK(SU[M], TS) - U forwards request to
access resources.
2. RS → CA: KR{EK(SU[M], TS)} - RS encrypts and
forwards the details to CA.
3. CA → RS: KR{KUR, TS, [EK(KUR)]} - CA
encrypted the information with the key it shares
with RS and U respectively.
4. RS → U: EK(KUR) - RS forwards the part
encrypted with the key shared between U and CA
to U. The message contains the shared key to be
used between U and RS (generated by CA).
5. U → RS: KUR[(M), TS] - RS verifies the key used
since it has a copy of the same key. It forwards the
message to CA for final authorization to ensure the
freshness of the message from the time
stamp. After this step, the authentication process is
completed.
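Steps 3 to 5 above, as an added example that is not code from the paper: the CA issues KUR once under KR for RS and once under K for U, and a request with a stale TS or a modified byte is rejected. `seal`/`unseal` are a standard-library stand-in for the paper's symmetric E/D (a SHA-256 keystream plus HMAC, not AES, and not for production use); `MAX_AGE`, the JSON field names and making the TS check in a local function rather than at the CA are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_AGE = 30  # seconds; assumed freshness window (the paper gives none)


def _stream(key, nonce, length):
    # SHA-256 in counter mode, used here only as a stand-in for AES.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, fields):
    """Stand-in for E_key(fields): encrypt, then MAC nonce and ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    plain = json.dumps(fields).encode()
    cipher = bytes(p ^ s for p, s in zip(plain, _stream(enc_key, nonce, len(plain))))
    return nonce + cipher + hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or modified blob."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    plain = bytes(c ^ s for c, s in zip(cipher, _stream(enc_key, nonce, len(cipher))))
    return json.loads(plain)


def check_fresh(ts, now):
    """Timestamp check; in the paper this is the CA's final authorization."""
    if not 0 <= now - ts <= MAX_AGE:
        raise ValueError("stale or future timestamp")


def ca_issue(k, kr, ts):
    """Step 3, CA -> RS: KR{KUR, TS, [EK(KUR)]}."""
    kur = secrets.token_bytes(32)  # session key for U and RS
    for_user = seal(k, {"kur": kur.hex()})
    return seal(kr, {"kur": kur.hex(), "ts": ts, "for_user": for_user.hex()})


def rs_receive(kr, ticket, now):
    """RS opens the CA reply; returns KUR and the EK(KUR) part sent on in step 4."""
    body = unseal(kr, ticket)
    check_fresh(body["ts"], now)  # assumed use of the TS in step 3
    return bytes.fromhex(body["kur"]), bytes.fromhex(body["for_user"])


def user_request(k, for_user, m, ts):
    """Step 5, U -> RS: KUR[(M), TS], after U recovers KUR from EK(KUR)."""
    kur = bytes.fromhex(unseal(k, for_user)["kur"])
    return seal(kur, {"m": m, "ts": ts})


def rs_accept(kur, request, now):
    """RS verifies that the request was built with KUR, then checks freshness."""
    body = unseal(kur, request)
    check_fresh(body["ts"], now)
    return body["m"]
```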
A. Security Policy
Mobile security policies are necessary for a safe mobile grid
computing environment and it is very important that a security
policy be in place before any decisions are made as to specific
solutions. While basic security measures should always, of
course, be operational, too often major and otherwise expensive
upgrades are made before a real need for them has been
established. A security policy therefore serves as a vital focal
point for any enterprise or organization. A security policy can be
defined as a document that defines how a given enterprise
approaches the security of its IT resources. The scope may be
very broad, involving physical security, network security,
information security, and mobile device security. In general a
security policy defines what information is to be treated as
sensitive (and therefore protected), who should have access to
this information and under what conditions, and what to do
when security is compromised (or even suspected of being
compromised). From a physical security perspective, it should
define who may have access to IT-specific areas of a given
installation or building and how these areas are to be secured.
The following five elements from figure 1 are most
important with respect to the proposed mobile grid security:
Mobile Device Security - This part of the policy
defines how security is maintained on mobile devices
outside the perimeter and otherwise outside the
protection of the physical enterprise. It also refers to
securing data that resides on the device as well as
securing the device itself from malware. It might
restrict the ability of a user to install an application on
the device, for example, and it might specify that
mobile devices are to be backed up or virus-checked or
that a particular firewall configuration might be
required.
Transmission Security - A data transmission security
policy defines identity verification of the sender and
the receiver and protects data from being modified by a
third party as it transits the wireless network. This can
be achieved by encrypting the data using a reliable
encryption algorithm with an encrypted SSL tunnel. A
cryptographic shared key system can be used to
authenticate the sender and receiver.
Wireless Network Security - There are two key
elements to the solution here, strong authentication and
the encryption of sensitive data wherever it is stored.
Note again that while a security policy will not usually
define the actual solution in any given case, it will
mention, for example, that two-factor and/or mutual
authentication is required and that a VPN must be used
when accessing the enterprise network remotely. It
might even restrict the choice of a specific network to
certain approved carriers.
Middleware/Gateway Security - Gateway security
policy should define the measures to be taken for
preventing sensitive or inappropriate data being sent
outside the organization or to unauthorized users inside
the organization. This may involve:
1. Content scanning of email messages and attachments to
control and block sensitive information, by identifying, for
example, social security numbers, or keywords relating
to confidential corporate information.
2. Content scanning of web traffic to ensure spyware, Trojans
and other malware are not downloaded onto the user's
devices.
3. Preventing the download of particular file
types and preventing users from disguising and
obfuscating unauthorized file types in emails.
4. Controlling access to particular websites and
applications.
5. Controlling and blocking the
unauthorized use of IM and FTP traffic.
6. Protecting against "drive-by downloads" which secretly place
spyware on the user's devices when they visit a website.
Information Security - This defines what information
should be treated as sensitive. This may be an approach
similar to that used by the government, which is to
have multiple levels of security with fewer people or
groups having access as the classification level rises. In
our proposed design, this policy resides in the database
based on role based access control as shown in the figure.
This policy might also restrict access to certain
applications to authorized users only.
Each of these areas can be affected by some kind of security
breach, and the security policy defines what to do when a
potential (or realized) security problem occurs. For example, a
lost handset might involve little more than a phone call to the
team that will remotely "zap" (erase) any sensitive data on the
unit, while unusual network activity might involve shutting off
remote access and waking an emergency response team. In
general, the mobile grid computing security policy should
endeavor to address the following key issues:
Protect sensitive data - It must implement
administrative, technical, and physical safeguards to
protect sensitive nonpublic corporate and personal
information of its customers.
Identify vulnerabilities and monitor the security
posture - It must have an ability to gather and analyze
data on new threats and vulnerabilities, actual attacks,
and the effectiveness of their security controls.
Alert key personnel to trouble - It must have an ability
to identify that a material event (e.g., negatively
affecting shareholder value or the customer) has
occurred, assess the effect on the company and
customer, take remedial action, and notify appropriate
parties such as customers, regulators, shareholders, etc.
The Securities and Exchange Commission has
specified a "48-hour" response. Other regulatory
bodies have specified a "reasonable" amount of time.
Data integrity controls to protect corporate and
customer data - It must implement processes, policies,
and controls to ensure information has not been altered
in an unauthorized manner and that systems are free
from unauthorized manipulation that will compromise
accuracy, completeness, and reliability.
CONCLUSION
In this paper we identified the potential of enabling mobile
devices access to the Grid in a secure manner. We focused on
providing solutions particularly when mobile devices intend to
interact with Grid services or resources. The architecture of a
self organized middleware is presented which facilitates implicit
interaction of mobile devices with Grid infrastructure. It handles
secure communication between the client and the service
provider. The Grid Security Infrastructure is based on a public
key scheme, typically RSA. However, key sizes in the RSA
scheme are large, since smaller keys are nowadays considered
insecure, and thus computationally heavy on handheld
devices such as PDAs, mobile phones, smart phones, etc. For
access to the Grid, an Elliptic Curve Cryptography (ECC) based
public key scheme can be used in conjunction with the Advanced
Encryption Standard (AES). This provides the same level of
security as RSA while the key sizes are smaller. Communication
between the user and middleware is based on security policies
specified in the user profile. According to this policy different
levels of
security can be used; e.g., some users might just require
authentication, and may not need privacy or integrity of
messages.
REFERENCES
[1]. Bruneo, D., Scarpa, M., Zaia, A., & Puliafito, A. (2003).
Communication Paradigms for Mobile Grid Users. 3rd International
Symposium on Cluster Computing and the Grid, May 2003, Tokyo, Japan.
[2]. Park, S.-M., Ko, Y.-B., & Kim, J.-H. (2003). Disconnected Operation
Service in Mobile Grid Computing. International Conference on
Service Oriented Computing (ICSOC'2003), Trento, Italy, Dec 2003.
[3]. Foster, I., Kesselman, C., & Tuecke, S. (2001). The Anatomy of the
Grid: Enabling Scalable Virtual Organizations. International
Journal of Supercomputer Applications, vol. 15, no. 3, (2001), pp. 200-222.
[4]. Cannataro, M., Talia, D., & Trunfio, P. (2001). Knowledge grid:
High performance knowledge discovery services on the grid. In Grid
2001.
[5]. UDDI version 3.0.2 specification (2004). Retrieved May 23, 2008
from http://uddi.org/pubs/uddi-v3.0.2-20041019.htm
[6]. David, M., Massimo, P., Sheila, M., Mark, B., Drew, M., Deborah,
M., Bijan, P., Terry, P., Marta, S., Monika, S., Naveen, S., & Katia, S.
(2004). Bringing Semantics to Web Services: The OWL-S
Approach. Proceedings of the First International Workshop on
Semantic Web Services and Web Process Composition (SWSWPC
2004), July 6-9, 2004, San Diego, California, USA. Retrieved July 10,
2008, from http://www.daml.org/services/owl-s/coalition-pubs.html
[7]. SOAP Framework (2007). W3C Simple Object Access Protocol
version 1.2 part 0, W3C recommendation, 27 April 2007. Retrieved
March 30, 2008 from http://www.w3.org/TR/2007/REC-soap12-part0-20070427/
[8]. Daemen, J. & Rijmen, V. AES Proposal: Rijndael,
http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf
AUTHORS PROFILE
Kashif Munir received his BSc degree in Mathematics and
Physics from Islamia University Bahawalpur in 1999. He
received his MSc degree in Information Technology from
University Sains Malaysia in 2001. He also obtained another
MSc degree in Software Engineering from University of Malaya,
Malaysia in 2005. His research area was in the field of secure
network for mobile devices and pervasive computing.
Mr. Kashif was a lecturer at Stamford College, Malaysia.
Currently, he is a Lecturer in the department of Computer
Systems and Engineering Technology Unit, Hafr Batin
Community College, Saudi Arabia.
Dr. Lawan A. Mohammed is currently an Assistant
Professor in Computer Science and Engineering Technology
Department at King Fahd University of Petroleum and Minerals
(HBCC Campus), Saudi Arabia. His main research interests are
in the design of Authentication Protocols for both wired and
wireless networks, Wireless Mobility, Group Oriented
Cryptography, Smartcard Security, and Mathematical
Programming.