Grid Proxy Auditing Infrastructure
Single sign-on and delegation of rights are key requirements for modern Grid infrastructures. These requirements are usually met with X.509 public-key infrastructures (PKI) and proxy certificates. Such proxy credentials, however, can be obtained and abused by a malicious third party, and there is currently no method for end users to detect such abuse.
In our solution, we introduce modifications to the Grid Security Infrastructure (GSI) that report proxy usage information to a database, giving end users the opportunity to review by whom and for what purpose their credentials were used. With appropriate visualization, the "path" that each proxy credential takes through a Grid infrastructure becomes evident to the end user.
This system relies on the following key components:
1. A new X.509 certificate extension that the certificate owner includes in the proxy credential. Because the extension is part of the signed certificate body, it cannot be forged by a malicious third party, not even one that acquires the proxy certificate's private key, since the proxy is signed with the end-entity certificate (EEC) holder's key.
2. Modifications to the GSI libraries that recognize the X.509 extension and, if it is present, call out to another component:
3. A WSRF Web Service that receives the auditing call-outs.
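The first two components, as an added illustration that is not the project's own code: a proxy certificate carrying an audit-service extension signed with the EEC key, and the relying-side check a modified GSI would perform. The extension OID, the `CN=proxy` naming and the audit URL are assumptions constructed for this example, and the self-signed EEC stands in for a CA-issued one.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Hypothetical private-enterprise OID for the audit extension (assumption; the
# page does not give the real one).
AUDIT_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")

def _sign_cert(subject, issuer, pub, signer_key, exts=()):
    """Shared builder: 12h validity, optional extensions, signed by signer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(hours=12)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer_key, hashes.SHA256())

def make_eec(cn="grid-user"):
    """Constructed self-signed EEC standing in for a CA-issued user certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, _sign_cert(name, name, key.public_key(), key)

def make_proxy(issuer_key, issuer_cert, audit_url):
    """Proxy cert (subject = issuer subject + CN=proxy) signed with the issuer key; the
    audit extension lies inside the signed TBS bytes, so the proxy key alone cannot alter it."""
    proxy_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name(list(issuer_cert.subject)
                        + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    ext = x509.UnrecognizedExtension(AUDIT_OID, audit_url.encode())
    return proxy_key, _sign_cert(subject, issuer_cert.subject,
                                 proxy_key.public_key(), issuer_key, [ext])

def check_proxy(proxy_cert, issuer_cert):
    """Relying-side check -> (signature_ok, audit_url); a proxy signed by any key other
    than the claimed issuer's fails, a valid proxy without the extension gives (True, None)."""
    try:
        issuer_cert.public_key().verify(proxy_cert.signature, proxy_cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), proxy_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, None
    try:
        return True, proxy_cert.extensions.get_extension_for_oid(AUDIT_OID).value.value.decode()
    except x509.ExtensionNotFound:
        return True, None
```

A GSI library modified as the page describes would, on `(True, url)`, send its usage record to `url`; on `(True, None)` it would proceed without a call-out, and on `(False, ...)` reject the credential.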
Furthermore, we plan to implement a heuristic method of automated abuse detection for proxy credentials, giving users an easy way to detect unauthorized use of their credentials. This method will employ belief networks to model the Grid infrastructures involved.
Our approach will help build end user trust in Grid infrastructures and thus help to promote more widespread Grid usage.
- Kunz, C.; Wiebelitz, J.; Piger, S.; Grimm, C., "A Concept for Grid Credential Lifecycle Management and Heuristic Credential Abuse Detection", Networking and Services, 2009 (ICNS '09), Fifth International Conference on, pp. 505-510, 20-25 April 2009
- Kunz, C.; Wiebelitz, J.; Piger, S.; Grimm, C., "A Concept for Grid Credential Lifecycle Management and Heuristic Credential Abuse Detection", Parallel and Distributed Computing, 2009, 8th International Symposium on, pp. 245-248 (short paper)
- Kunz, C.; Szongott, C.; Wiebelitz, J.; Grimm, C., "Design and Implementation of a Grid Proxy Auditing Infrastructure", 5th IEEE International Conference on eScience (accepted paper)
- Kunz, C. (2011), "Ein Konzept zur Überwachung und Mißbrauchserkennung bei Grid-Proxy-Credentials", PhD thesis, examining committee: M. Smith, G. von Voigt, B. Freisleben