Publication Date

2010

Document Type

Dissertation

Committee Members

Nikolaos Bourbakis (Committee Member), Soon M. Chung (Advisor), Yong Pei (Committee Member), Chansu Yu (Committee Member), Xinhui Zhang (Committee Member)

Degree Name

Doctor of Philosophy (PhD)

Abstract

A Grid community is composed of diverse stakeholders, such as data resource providers, computing resource providers, service providers, and the users of the resources and services. In traditional security systems for Grids, most of the authentication and authorization mechanisms are based on the user's identity or the user's classification information. If the authorization mechanism is based on the user's identity, fine-grained access control policies can be implemented, but the scalability of the security system would be limited. If the authorization mechanism is based on the user's classification, the scalability can be improved, but fine-grained access control policies may not be supported. We developed an enhanced version of the Community Authorization Service (CAS), which supports centralized, fine-grained access control by managing the memberships, service types, resource objects and security policies of a Virtual Organization (VO). The current CAS provides fundamental solutions for user privacy, authentication and authorization, but its centralized management of the security policies of a VO limits it in terms of scalability, flexibility and interoperability. We enhanced the CAS to support diverse security requirements within a dynamic Grid environment by enabling the CAS server to publish a proxy certificate embedding additional attributes of users. This allows service providers to support customized services by analyzing the attributes of users and the security policies. Previous research on privacy preservation in a Grid has focused on protecting the data stored in a data server and on securing the communication to protect exchanged data. Preserving the privacy of users has not been a major concern in the security domain. However, as on-line transactions prevail and diverse user attributes are required for authorization decisions, privacy preservation becomes an important issue.
Attribute-Based Access Control (ABAC) employs multiple attributes for authorization decisions, which enables the security system to be flexible, interoperable, and multifunctional. However, ABAC has disadvantages with regard to privacy preservation because it requires the circulation of user attributes, which can increase the risk of privacy violation. To enhance the privacy-preserving capability of ABAC in a Grid, we developed an attribute release control mechanism that publishes an optimal set of attributes essential to access a desired resource (or service) while exposing the least amount of sensitive user information. To facilitate the selection of an optimal set of attributes, we also developed the Security Policy Publication Service (SPPS), which retrieves the access condition from the access control policies in eXtensible Access Control Markup Language (XACML) and converts it into a Disjunctive Normal Form (DNF) of attributes. We modified the Shibboleth Identity Provider and GridShib to implement our privacy-preserving ABAC, and the performance analysis shows that the overhead of the proposed system is very small.
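
The sketch below is an added illustration of the two steps the abstract describes, converting an access condition to a DNF of attributes and then choosing the least-sensitive conjunction to release; it is not code from the dissertation. The nested-tuple policy form, the sample attributes, the sensitivity weights and the additive cost model are all assumptions made for the example.

```python
from itertools import product

# Constructed access condition, assumed already extracted from an XACML policy:
# nested ("and" | "or", child, ...) tuples with "name=value" attribute leaves.
POLICY = ("and",
          ("or", "role=researcher",
           ("and", "affiliation=example.edu", "citizenship=US")),
          ("or", "vo=physics", "project=lhc"))

# Hypothetical per-attribute sensitivity weights (higher = more private).
SENSITIVITY = {"role": 2, "affiliation": 3, "citizenship": 5, "vo": 1, "project": 4}


def to_dnf(node):
    """Return the condition as a sorted list of conjunctions (frozensets)."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, *children = node
    parts = [to_dnf(child) for child in children]
    if op == "or":
        clauses = {clause for part in parts for clause in part}
    elif op == "and":
        # Distribute AND over OR: take one clause per child and union them.
        clauses = {frozenset().union(*combo) for combo in product(*parts)}
    else:
        raise ValueError(f"unknown operator: {op!r}")
    # Absorption: a clause that strictly contains another one is redundant.
    minimal = [c for c in clauses if not any(o < c for o in clauses)]
    return sorted(minimal, key=sorted)


def cost(clause, sensitivity):
    """Total sensitivity of a conjunction (additive model, an assumption)."""
    return sum(sensitivity[leaf.split("=", 1)[0]] for leaf in clause)


def select_release(policy, held, sensitivity):
    """Cheapest conjunction the user can satisfy, or None to release nothing."""
    usable = [c for c in to_dnf(policy) if c <= held]
    if not usable:
        return None
    return min(usable, key=lambda c: (cost(c, sensitivity), sorted(c)))


if __name__ == "__main__":
    held = {"role=researcher", "citizenship=US", "vo=physics", "project=lhc"}
    print(to_dnf(POLICY))
    print(select_release(POLICY, held, SENSITIVITY))
```

Returning `None` when no conjunction is satisfiable means the user discloses nothing for a request that would be denied anyway.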

Page Count

76

Department or Program

Department of Computer Science and Engineering

Year Degree Awarded

2010

