A new way of accessing the grid is making headway in the Polish grid community, doing away with a time-consuming process.
A web portal and virtual file system now makes the process of requesting and managing grid credentials simpler, according to the researchers, from the Wroclaw Centre for Networking and Supercomputing and the Academic Computer Centre CYFRONET, which are both part of PL-Grid, the National Grid Infrastructure of Poland.
X.509 certificates are the passports of the grid: a digital certificate carrying the user's public key is paired with a private key, protected by a password, that grants access to the grid. Even though certificates are secure, most users find the process of obtaining and using them confusing, inconvenient and long-winded.
Normally, grid users have to request a digital certificate from their national or regional issuing authority, or Certification Authority (CA), and then prove their identity to a local representative of that CA. This requires a face-to-face meeting with the representative and presenting a passport or photo ID. Identity verification is then confirmed by a trusted third party, who must know the user personally. This chain of personal contacts can be tedious and time-consuming.
Now, Polish researchers use a new system called Simple CA; about 70% of PL-Grid users use Simple CA.
“We've resigned from face-to-face meeting requirements for user identity verification. Instead we use a special remote procedure, including e-mail contact with the user and phone contact with his institute,” said Bartlomiej Balcerek, a security officer at the Wroclaw Centre for Networking and Supercomputing. His colleague, Marcin Teodorczyk, presented this work at the Cracow Grid Workshop in early November 2011.
Changing the culture
Balcerek and his colleagues initially faced criticism from other security people within the Polish grid community about the certification policies they were adopting for Simple CA and the fact that their system was moving away from a face-to-face identification process to a digital one.
Simple CA's remote identity verification procedure lets users register for grid services quickly. A user fills in a questionnaire and replies to one e-mail to obtain his or her certificates.
“We have a PL-Grid Operator, a person who does a user's identity verification. Basically, she compares the data stored in the [Center of Data Processing] OPI Database of Polish scientists with the data specified by the user. We use this database in the identity verification procedure. Next, the operator contacts a user's institute by phone and the user by e-mail. The database is not connected in any way with the Polish Grid Project and has its own verification procedures,” said Balcerek.
The key to distributing credentials
In addition, “we've developed KeyFS, which is a tool to distribute a user's credentials between grid user interfaces, and it automatically sets them up with gLite [a grid middleware] and SSH [Secure Shell, a network protocol for secure data communication much like HTTPS for web browsers].”
KeyFS, which is a virtual file system currently being tested, maps a user's credentials stored in a database to a grid user interface. “A user doesn't have to convert and copy an X.509 credential to his or her interface anymore,” said Marcin Teodorczyk, a security officer at the Wroclaw Centre for Networking and Supercomputing.
According to Teodorczyk, in some instances KeyFS is more secure than the current system. “KeyFS cares that user credentials are encrypted properly and that they have appropriate access rights, which is not always true when a user manages a certificate themselves,” he said.
“After a user receives a certificate, they can choose to store their public and private keys in a central database for later use by KeyFS. The private key is encrypted and secured with a password known only by the user. KeyFS then distributes those credentials to all grid user interfaces for use with gLite and SSH almost immediately. All that a user has to do is set up their private key on their (client) side for secure access with SSH. Our work makes it more convenient to become a grid user and access grid services.” This also means grid administrators have less work to do when managing X.509 certificates.
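The two properties Teodorczyk attributes to KeyFS above, that a stored private key is encrypted and that its file permissions are restrictive, are the ones a user-managed credential most often gets wrong. The following added example (not code from KeyFS or PL-Grid) is a small audit of a PEM private key that checks both; the 0400/0600 policy, the file names and the sample key contents are assumptions and are constructed here.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical policy modelled on the two checks KeyFS is described as doing:
# the private key must be readable only by its owner, and it must be stored
# encrypted (password-protected) rather than as a bare key.
ALLOWED_KEY_MODES = {0o400, 0o600}
ENCRYPTED_MARKERS = (
    b"BEGIN ENCRYPTED PRIVATE KEY",   # PKCS#8 encrypted key
    b"Proc-Type: 4,ENCRYPTED",        # traditional encrypted PEM
)


def audit_private_key(path):
    """Return a list of findings; an empty list means the key passes."""
    findings = []
    p = Path(path)
    st = p.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode not in ALLOWED_KEY_MODES:
        findings.append(f"mode {mode:04o} is not one of 0400/0600")
    if st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    data = p.read_bytes()
    if not any(marker in data for marker in ENCRYPTED_MARKERS):
        findings.append("private key is stored unencrypted")
    return findings


def demo():
    """Constructed sample: one properly stored key, one that fails two checks."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "userkey.pem"      # assumed gLite-style file name
    good.write_bytes(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                     b"MIIC...constructed sample, not a real key...\n"
                     b"-----END ENCRYPTED PRIVATE KEY-----\n")
    good.chmod(0o600)
    bad = tmp / "userkey_plain.pem"
    bad.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\n"
                    b"MIIE...constructed sample, not a real key...\n"
                    b"-----END RSA PRIVATE KEY-----\n")
    bad.chmod(0o644)                # world-readable: a common user mistake
    return {"good": audit_private_key(good), "bad": audit_private_key(bad)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```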
Now, the main challenge the researchers face is moving the KeyFS system from a test environment to a real one. “The Polish National Grid Infrastructure has many sites and administrators. It is necessary to train them on KeyFS installation and maintenance,” said Teodorczyk.