Secure Framework for Mobile Devices to Access Grid Infrastructure

8/9/2019 Secure Framework for Mobile Devices to Access Grid Infrastructure

http://slidepdf.com/reader/full/secure-framework-for-mobile-devices-to-access-grid-infrastructure 1/6

Secure Framework for Mobile Devices to Access Grid

Infrastructure

Kashif Munir Computer Science and Engineering Technology Unit

King Fahd University of Petroleum and Minerals

HBCC Campus, King Faisal Street, Hafr Al Batin 31991

e-mails: [email protected]

Lawan Ahmad MohammadComputer Science and Engineering Technology Unit

King Fahd University of Petroleum and Minerals

HBCC Campus, King Faisal Street, Hafr Al Batin 31991

e-mails: [email protected]

Abstract---Mobile devices are gradually becoming prevalent in ourdaily life, enabling users in the physical world to interact with the

digital world conveniently. Mobile devices increasingly offer

functionality beyond the one provided by traditional resources

processor, memory and applications. This includes, for example,

integrated multimedia equipment, intelligent positioning systems,

and different kinds of integrated or accessible sensors. For future

generation grids to be truly ubiquitous we must find ways to

compensate for the security limitations inherent in these devices as

they interact with grid infrastructure in order to leverage available

resources to authorized users. This paper looks into design

architecture for mobile computing environment. Focus is given to

security framework that will enhance the performance of grid

computing in terms of secure design, architecture and accessibility.

Keywords: Autonomic computing, middleware technologies, Grid

computing, mobile computing

I. INTRODUCTION

Grid computing has made rapid strides during the last few

years from their first use in the scientific computing domain to

enterprise grids deploying commercial applications. Grid

computing permits participating entities connected via networks

to dynamically share their resources. Its increasing usage and

popularity in the scientific community and the prospect of

seamless integration and interaction with heterogeneous devices

and services makes it possible to develop further complex and

dynamic applications for the grid. Grid is already beingsuccessfully used in many scientific applications where huge

amounts of data have to be processed and/or stored. Such

demanding applications have created, justified and diffused the

concept of grid among the scientific community. As the amount

of potential grid users is really enormous, the accumulated data

processing and storage requirements are at least comparable.

Wireless devices laptops and Personal Digital Assistants (PDAs),

with currently limited resources (low processing power, finite

battery life and constrained storage space), and would benefit

from the opportunity of using a considerable amount of

resources made available by all the other devices connected to

the network [1]. In particular, mobile users might be the futu

users of this new technology. Moreover, we have nomadic use

who travel and work only seldom at their offices.

Mobile grid enables both the mobility of the use

requesting access to a fixed grid and the resources that a

themselves part of the grid. Both cases have their ow

limitations and constraints that should be handled [2]. In the fi

case the devices of the mobile users act as interfaces to the gr

enabling job submission, monitoring and management of t

activities in an „anytime, anywhere‟ mode, while the gr

provides them with a high reliability, performance and cos

efficiency. Physical limitations of the mobile devices ma

necessary the adaptation of the services that grid can provide

the users‟ mobile devices. In those cases mobile grid has t

meaning of „gridifying‟ the mobile resources. In the second caof having mobile grid resources, we should underline that th

performances of current mobile devices are significant

increased. Laptops and PDAs can provide aggregat

computational capability when gathered in hotspots, forming

Grid on site. This capability can advantage the usage of gr

applications even in places where this would be imaginar

Grids and mobile grids can be the ideal solution for many larg

scale applications that are of dynamic nature and requi

transparency for users. Grid will increase the job throughput a

performance of the involved applications and will increa

utilization rate of resources by applying efficient mechanism

for resource management in the vast amount of its resources.

will enable advanced forms of cooperative work by allowing t

seamless integration of resources, data, services and ontologie

However, the efficient management of such a large computi

platform is a considerably complicated issue and it is

constantly increasing complexity because of increasing numbe

of heterogeneous devices and components being added to it [3

Arguably, the current level of the system complexity h

reached such a level of complexity that it threatens the securi

of the grid. A promising approach to handle this or reduce su

reduces is the employing of suitable security policy a

authentication scheme. Also, as the environment of a mob

device changes, the application behavior needs to be adjusted

(IJCSIS) International Journal of Computer Science and Information Security,

Vol. 8, No. 1, April 2010

238 http://sites.google.com/site/ijcsis/ISSN 1947-5500

mailto:[email protected]









adapt itself to the changing environment. Hence, the mobile

clients usually need to have the ability to interact with various

networks, services, and security policies as they move from one

place to another.

In this paper, we discuss the issues involved in mobile

access to grid services and then present grid computing

environment architecture based on middleware which provides

support and management infrastructure for delegation of jobs tothe grid, a light-weight security model, offline processing,

adaptation to network connectivity issues etc. The proposed

system enables heterogeneous mobile devices to access grid

services in a secure manner and also suggests security policy

applications and security management infrastructure for

accessing grid resources.

II. ARCHITECTURE

The grid middleware is integrated with functions that

facilitate the management of data mining and data transfer [4].

We use a mobile agent environment that manages the user(mobility, profile, etc.) and the issues related with the

heterogeneity of the devices. First of all, let us analyze the

interfacing between the user (wireless) and the wired zone. A

fixed agent (Personal Agent) will be present in every mobile

device (PDA, Laptop). The Personal Agent will have the task of

managing the wireless device, by monitoring resources (battery,

memory, CPU, display, etc.) and position (through GPS, for

instance) within the wireless area. When a user enters the

wireless area, an agent (User Agent) is created in the

corresponding Access Point. This agent will represent the user

while he/she remains connected to the network. The User Agent

will be able to communicate with the Personal Agent present in

the device, in order to obtain all the information needed. Anytime the user moves (by changing his/her Access Point) the user

agent will follow him/her, by migrating to the new Access Point.

The User Agent will therefore act as an intermediary between

the mobile device and the grid resources present in the wired

area. As we can see in Figure 1 each node of the Grid network

will consist of a three-level architecture. The lowest one is the

level that provides the grid basic services (resource management,

security, distributed access). If the Globus middleware is used,

the main services will be: the Globus Resource Management

Architecture (GRAM), the Grid Security Infrastructure (GSI),

the Grid Information Service (GIS), and the Globus Access to

Secondary Storage (GASS).

A. Discovery

Discovery is the process of finding Web services with

given capability. In general, discovery requires that W

services advertise their capabilities with a registry, and th

requesting services query the registry for Web services wi

particular capabilities. The role of the registry is both to stothe advertisements of capabilities, and to perform a mat

between the request and the advertisements. In this section, w

will describe how Ontology Web Language for Services (OW

S) can be used to add capability matching to Univers

Description, Discovery and Integration (UDDI), the de-fac

standard discovery registry for Web Services. The autonom

middleware which enables mobile devices to access gr

services is managed by employing a Universal Descriptio

Discovery and Integration, or UDDI [5] registry whose goal

to create an Internet wide network of registries of Web service

The composition of the current web services may not provi

sufficient facilities to represent an autonomic behavior or

integrate them seamlessly with other autonomic componenbut with the advent of semantic web service technologies li

Ontology Web Language for Services, or OWL-S [6],

becomes possible to provide a fundamental framework f

representing and relating devices and services with their polici

and describing about their functionalities and capabilities.

As the middleware service is in place and information

exposed, other devices would be able to discover and provi

support to use the API in the UDDI specification (UDDI versi

3.0.2) [5] which is defined in XML, enclosed in a SOA

envelope and sent over HTTP. SOAP is fundamentally

stateless, one-way message exchange paradigm, but applicatio

can create more complex interaction patterns (e.grequest/response, request/multiple responses, etc.) by combini

such one-way exchanges with features provided by

underlying protocol and/or application-specific informatio

SOAP is silent on the semantics of any application-specific da

it conveys, as it is on issues such as the routing of SOA

messages, reliable data transfer, etc. However, SOAP provid

the framework by which application-specific information m

be conveyed in an extensible manner. Also, SOAP provides

full description of the required actions taken by a SOAP node

receiving a SOAP message (SOAP Version 1.2 Part 0) [7].



239 http://sites.google.com/site/ijcsis/

ISSN 1947-5500



Figure 1. Self Organized middleware Architecture for enabling mobile devices to access

Grid services

III. Proposed Grid Security Infrastructure

In this section, we provide an overview of the security

operation for secure access to resources. A user sends a message

to the center for authorization to access a resource. The message

may consist of header and content payload. In addition to

message being encrypted, it should also be signed forconfidentially and integrity. Associated with very secure

resources is a secret key generated and maintain by a

Certification Authority (CA). The secret key associated with a

resource is distributed securely to all interesting entities in the

system. A user in need of the resource should encrypt the

content payload of the message with this key. To ensure

integrity of the payload, a user signs the encrypted payload; this

involves computing the message digest of the encrypted payload

and encrypting this hashed value with an asymmetric key.

When the CA received the message, it can validate it based on

the signature to verify the source and to confirm message

integrity and then proceed to decrypt the encrypted payload

using the previously distributed secret key. A message

comprises a set of message headers (MH) and the message

payload (MP): M=MH+MP. We secure both the headers and the

body of the message. We do not need confidentiality for the

headers, but we do need tamper evidence. In the case of the

message payload, we need both confidentiality and tamper-

evidence. Finally, the message header associated with message

is MH = SU(MP).

The CA is a specialized node within the system which is

responsible for managing information pertaining to secure

resources. There can be more than one CA within the system,

and a given CA may manage more than one resource

However, a given secure resource can be managed by only o

CA. A given CA performs four core functions. First, the CA

responsible for the generation of the secret symmetric key that

used for encrypting and decrypting content payloads. Secon

the CA maintains the list of authorized entities to access give

recourses. In addition to this, the CA maintains authorizatiinformation related to each of these entities. A

communications between the entities and the CA need to b

secure. To ensure this, all exchanges between the entities a

CA are encrypted using the following rule. First, a secr

symmetric key is generated at the sender, and then used

encrypt the content payload. Second, depending on the directi

of the communication this secret key is then secured using th

CA‟s or the entity‟s public personal-key. Only the entity or t

CA that is in possession of the corresponding private persona

key is able to decrypt the secret key that was used for encrypti

the content payload. This method leverages both symmetric an

asymmetric key encryptions. Specifically, asymmetr

encryptions have higher overheads for large payloads. B

restricting the use of asymmetric encryptions (and subseque

decryptions) to operate on only the secret key, which wou

typically be a 256-bit AES key [8], we have worked around t

high overhead constraint for asymmetr

encryptions/decryptions.

The following notations were used in our proposed system

Notation: Meaning:

K Secret key shared between U and CA

U User




ISSN 1947-5500



PKU Public key for user U

SKU Secret key for user U

RS Secure resource server

KR Symmetric key shared between CA and RS

SU Signature operation for user U

C Cipher text

E Encryption operation

D Decryption operation

V Verification operation

H Hashing algorithm

TS Time Stamp

KUR Session key to be shared by U and RS

(generated by CA)

The encryption operation E using a symmetric key K ov

message M resulting in a cipher-text C is represented

C=E K (M) and the corresponding decryption operation D

represented as DK (C ) = M. The signing operation S, by

entity U , using a hashing algorithm H over a message M

represented as follows: SU(M) = E(SKU[H(M)]). T

corresponding verification operation V using the signing entity

public key is represented as follows: V U (M) = D(PKU[SU(M)The verification is a success if the result is H(M). Figure

below shows the authentication process required before a user

allowed to access resources.

U Rs CA

KR{EK(SU[M], TS)}

EK(SU[M], TS)

KR{ KUR, TS, [EK(KUR)]}

EK(KUR)

KUR [(M), TS]

KUR [(M), TS]

Authorization sent to RS

Retrieve resources from Rs

Figure 2. User Authentication Process to Access Resources

Summary of the steps:

1. U RS: E K (SU [M], T S) - U forwards request to

access resources

2. RS CA: KR{EK(SU[M], TS)}- RS encrypts and

forwards the details to CA

3. CA RS: KR{ KUR, TS, [EK(KUR)]} - CA

encrypted the information with the key it shares

with RS and U respectively .

4. RS U: EK(KUR) i.e. RS forwards the partencrypted with the key shared between U and CA

to U. The message contains the shared key to be

used between U and RS (generated by CA)

5. U RS: KUR [(M), TS] - RS verifies the key used

since it has a copy of the same key. It forwards the

message to CA for final authorization to ensure the

freshness of the message from the time

stamp.After this step, the authentication process is

completed.

A. Security Policy

Mobile security policies are necessary for a safe mobile gr

computing environment and it is very important that a securi

policy be in place before any decisions are made as to specif

solutions. While basic security measures should always,

course, be operational, too often major and otherwise expensi

upgrades are made before a real need for them has bee

established. A security policy therefore serves as a vital focpoint for any enterprise or organization. A security policy can

defined as a document that defines how a given enterpri

approaches the security of its IT resources. The scope may

very broad involving physical security, network securit

information security, and mobile device security. In general

security policy defines what information is to be treated

sensitive (and therefore protected), who should have access

this information and under what conditions, and what to

when security is compromised (or even suspected of bei

compromised). From a physical security perspective, it shou




ISSN 1947-5500



define who may have access to IT-specific areas of a given

installation or building and how these areas are to be secured.

The following five elements from figure 1 are most

important with respect to the proposed mobile grid security:

Mobile Device Security - This part of the policy

defines how security is maintained on mobile devices

outside the perimeter and otherwise outside theprotection of the physical enterprise. It also refers to

securing data that resides on the device as well as

securing the device itself from malware. It might

restrict the ability of a user to install an application on

the device, for example, and it might specify that

mobile devices are to be backed up or virus-checked or

that a particular firewall configuration might be

required.

Transmission Security - A data transmission security

policy defines identity verification of the sender and

the receiver and protects data from being modified by a

third party as it transits the wireless network. This can

be achieved by encrypting the data using reliableencryption algorithm with an encrypted SSL tunnel. A

cryptographic shared key system can be used to

authenticate the sender and receiver.

Wireless Network Security - There are two key

elements to the solution here, strong authentication and

the encryption of sensitive data wherever it is stored.

Note again that while a security policy will not usually

define the actual solution in any given case, it will

mention, for example, that two-factor and/or mutual

authentication is required and that a VPN must be used

when accessing the enterprise network remotely. It

might even restrict the choice of a specific network to

certain approved carriers.Middleware/Gateway Security - Gateway security

policy should define the measures to be taken for

preventing sensitive or inappropriate data being sent

outside the organization or to unauthorized users inside

the organization. This may involves; 1. Content

scanning of email messages and attachments to control

and block sensitive information, by identifying, for

example, social security numbers, or keywords relating

to confidential corporate information. 2. Content

scanning of web traffic to ensure spyware Trojans and

other malware are not downloaded onto the user‟s

devices. 3. Preventing the download of particular file

types and preventing users from disguising andobfuscating unauthorized file types in emails. 4.

Controlling access to particular websites and

applications. 5. Controlling and blocking the

unauthorized use of IM and FTP traffic. 6. Protecting

against “drive- by downloads” which secretly place

spyware on the user‟s devices when they visit a website.

Information Security - This defines what information

should be treated as sensitive. This may be approach

similar to that used by the government, which is to

have multiple levels of security with fewer people or

groups having access as the classification level rises. In

our proposed design, this policy resides in the databa

based on role based access control as shown in figure

This policy might also restrict access to certa

applications to authorized users only.

Each of these areas can be affected by some kind of securi

breach, and the security policy defines what to do when

potential (or realized) security problem occurs. For example,

lost handset might involve little more than a phone call to thteam that will remotely "zap" (erase) any sensitive data on th

unit, while unusual network activity might involve shutting o

remote access and waking an emergency response team.

general, the mobile grid computing security policy shou

endeavor to address the following key issues:

Protect sensitive data – It must impleme

administrative, technical, and physical safeguards

protect sensitive nonpublic corporate and person

information of its customers.

Identify vulnerabilities and monitor the secu

posture – It must have an ability to gather and analy

data on new threats and vulnerabilities, actual attackand the effectiveness of their security controls.

Alert key personnel to trouble - It must have an abil

to identify that a material event (e.g., negative

affecting shareholder value or the customer) h

occurred, assess the affect on the company a

customer, take remedial action, and notify appropria

parties such as customers, regulators, shareholders, e

The Securities and Exchange Commission h

specified a “48-hour” response. Other regulato

bodies have specified a “reasonable” amount of time.

Data integrity controls to protect corporate

customer data – It must implement processes, policie

and controls to ensure information has not been alterin an unauthorized manner and that systems are fr

from unauthorized manipulation that will compromi

accuracy, completeness, and reliability.

CONCLUSION

In this paper we identified the potential of enabling mobi

devices access to the Grid in a secure manner. We focused o

providing solutions particularly when mobile devices intend

interact with Grid services or resources. The architecture of

self organized middleware is presented which facilitates impli

interaction of mobile devices with Grid infrastructure. It handl

secure communication between the client and the serviprovider. As the grid Security Infrastructure is based on publ

key scheme typically RSA. However key sizes in the RS

scheme are large and thus computationally heavy on handhe

devices such as PDA's, mobile phones, smart phones etc. Sin

smaller keys are nowadays considered insecure. For access

the Grid, Elliptic Curve Cryptography (ECC) based public k

scheme can be used in conjunction with Advanced Encryptio

Standard (AES). This provides the same level of security

RSA while the key sizes are a smaller. Communication betwee

the user and middleware is based on security policies specifie

in the user profile. According to this policy different levels




ISSN 1947-5500



security can be used. e.g. some users might just require

authentication, and need not want privacy or integrity of

messages.

REFERENCES

[1]. Bruneo, D., Scarpa, M.,. Zaia, A., & Puliafito, A. (2003).

Communication Paradigms for Mobile Grid Users. 3rd InternationalSymposium on Cluster Computing and the Grid May 2003, Tokyo,Japan.

[2]. Park, S-M., Ko, Y.-B., & Kim, J.-H. (2003). Disconnected OperationService in Mobile Grid Computing, International Conference on

Service Oriented Computing (ICSOC'2003), Trento, Italy, Dec 2003.

[3]. Foster, I., Kesselman, C., & Tuecke, S. (2001). The Anatomy of the

Grid: Enabling Scalable Virtual Organizations. International

Journal of Supercomputer Applications, vol. 15, no. 3, (2001),pp.200-222.

[4]. Cannataro, M., Talia, D., & Trunfio, P. (2001). Knowledge grid:

High performance knowledge discovery services on the grid . In Grid

2001.

[5]. UDDI version 3.0.2 specification (2004). Retrieved May 23, 2008from http://uddi.org/pubs/uddi-v3.0.2-20041019.htm

[6]. David, M., Massimo, P., Sheila, M., Mark, B., Drew, M., Deborah,

M.., Bijan, P., Terry, P., Marta, S., Monika, S., Naveen, S., &Katia, S. (2004). Bringing Semantics to Web Services: The OWL-S

Approach. Proceedings of the First International Workshop on

Semantic Web Services and Web Process Composition (SWSWPC

2004), July 6-9, 2004, San Diego, California, USA. Retrieved July 10,

2008, from http://www.daml.org/services/owl-s/coalition-pubs.html

[7]. SOAP Framework (2007). W3C Simple Object Access Protocol

version 1.2 part 0, W3C recommendation, 27 April 2007. Retrieved

March 30, 2008 from http://www.w3.org/TR/2007/REC-soap12-part0-20070427/

[8].

Daemen, J. & V. Rijmen. AES Proposal: Rijndael,http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf

AUTHORS PROFILE

Kashif Munir receives his BSc degree in Mathematics and

Physics from Islamia University Bahawalpur in 1999. He

received his MSc degree in Informatuon Technology from

University Sains Malaysa in 2001. He also obtained another

MSc degree in Software Engineering from University of Malaya,

Malaysia in 2005. His research area was in the field secure

network for mobile devices and pervasive computing.

Mr.Kashif was the lecturer at Stamford College, Malaysia.

Currently, he is an Lecturer in the department of Computer

Systems and Engineering Technology Unit Hafr BatinCommunity College, Saudi Arabia.

Dr. Lawan A. Mohammed is currently an Assistant

Professor in Computer Science and Engineering Technology

Department at King Fahd University of Petroleum and Minerals

(HBCC Campus), Saudi Arabia. His main research interests are

in the design of Authentication Protocols for both wired and

wireless networks, Wireless Mobility, Group Oriented

Cryptography, Smartcard Security, and Mathematical

Programming.




ISSN 1947-5500

http://uddi.org/pubs/uddi-v3.0.2-20041019.htm



http://www.daml.org/services/owl-s/coalition-pubs.html



http://www.w3.org/TR/2007/REC-soap12-part0-20070427/



http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf







Documents

Secure Framework for Mobile Devices to Access Grid Infrastructure