硕士论文-基于网格安全基础设施的访问控制研究

中南民族大学硕士学位论文基于网格安全基础设施的访问控制研究姓名：张一帆申请学位级别：硕士专业：计算机应用技术指导教师：蒋天发20090522IIIABSTRACTThegridpotentiallydangerousenvironmentforvirusesandTrojanhorseprogramstoattack.Inagrid,Membermachinesareconfiguredtoprovideruntimeenvironmentratherthanjusttotransferdata,sothatsharingofresourcessafelyisimportanttousethemstrongly.Inordertoachievethesharingandmanagingofgridresources,resourceprovidersandresourceconsumersneedtonegotiateresourcesharingagreementsandtheconditionsofsharing,andsettletheproblemofaccesscontrol.Thispaperanalyzespresentsituationhomeandabroadanddirectionofgridandaccesscontroltechnique,andstudiesspecificallytheaccesscontrolproblemofGSIingridenvironment.Andbylearningoffundamentaltheoryandmodelofaccesscontrol,discussthedemandcharacteristicsofaccesscontrol,analyzescapabilitiesofaccesscontrolundergridapplication.Gridaccesscontrolmechanismisaimedatverifyingtheidentityofanentity,controllingcertificatesandtorestrictfromunauthorizedaccessestogridresources.Hence,itplaysavitalroletogetthesystemavailabilityandstabilityandsecurity.ThisthesisintroducesanimprovedauthenticationsystemofaccesscontrolwhichbasedonsecuritycertificateframeworkinGSIplatform.Comparedtotraditionalsinglecertificateauthenticationaccesscontrolmodel,thissystemdesignsadoublecertificateway.Themainadvantageofthiscertificatewayisthatitestablishestheprimaryandsecondarycertificateandsendsthemtotheuser.ThentheusersendstheprimarycertificatetotheCAS.Afterverificationoftheprimarycertificate,theusersendsthesecondarycertificatetootherusersingridandcompletestheaccesscontrolcertification.Inthisprocess,itestablishestheconnectionswhichareusedforthesharingofresourcesandproceduresforoperationsingrid.Inthedoublecertificateprocess,thissystemusescountingprocesstoensureauthorization,authenticationandaccesscontrolservicesinordertoadaptgridapplication.Theexperimentalresultsinthisthesisshowthatthisimprovedsystemenhancethesecurityofgridaccesscontrolandthestabilityofusers’authentication.Atsametime,ingirdenvironment,italsoreducesthedelaywhichiscausedintheprocessofusers’authentication.Inaword,theperformanceofthissystemissignificantlyimprovedcomparedtotraditionalgridaccesscontrolsystemsandhasanapplicationvalueingrid.KeyWordsGrid;AccessControl;Authentication;GSI;CAS;1______2111.1(Grid)[1]TCPIP[2][2][2][2]21.2(OrganizationfortheAdvancementofStructuredInformationStandardsOASIS)[3](GlobalGridForumGGF)[4](ArgonneNationalLaboratoryANL)(TheUniversityofSouthernCalifornia)[5]Globus(GridSecurityInfrastructureGSI)[6](OpenGridServiceArchitectureOGSA)[7]OGSAGGFGSIGlobusToolkit[8]GlobusGSI(CommunityAuthorizationServiceCAS)[9]CAS(VirtualOrganizationVO)[10]NHPCE[11]NHPCE31.3123GlobusCASWeb4GSI5GSI422.1[12](1)(2)(3)(4)(5)(6)(1)(Integration)(2)(Interoperability)(3)(TrustRelationships)Point-to-Point2.25——(1)(PublicKeyInfrastructurePKI)[13](2)(3)6(4)(5)(6)(7)2.32.3.1(CertificateAuthorityCA)[14]7(QualityofServiceQoS)[15]2.12.12.1(1)(2)(3)2.3.2CA82.22.293GlobusGlobus(GridSecurityInfrastructureGSI)GSIGSIGSI(SecureSocketsLayerSSL)[16]X.509[17](CommissionMechanism)[18](ProxyCertificateMechanism)[19]SDKGSI(InternetEngineeringTaskForceIETF)[20]——(GenericSecurityServiceAPIGSS-API)[21]GSIWeb3.1(PublicKeyInfrastructurePKI)3.1.1PKI(End-EntityApplicationEE)[22](RegistrationAuthorityRA)[22]EECA(CertificationAuthorityCA)[23](CertificatePolicyCP)[24]PKI[23]PKIPKI3.1103.1PKI(PersonalSecurityEnvironmentPSE)EECA3.1.2PKIPKIRSA[25][26]PKIDSA[27]3.23.2[28]CACACAEERACAPKICA()113.23.2.1CASSL(GSIxGSIy)GSIxGSIySSL⇒GSIxGSIyCA⇒GSIyGSIxCAGSIx⇒GSIyMGSIx⇒GSIxMM'GSIy⇒GSIyM'MGSIx3.2.2GSIGSI3.2.3(UserAgentUA)GSISSL12X.5093.13.1IssuerSerialNumberSubjectNameKeyUsageExtendedKeyUsageProxyCertInfoExtensionGSISSL3.33.3GSI3.2.4(GridPortal)UIWebWebWeb3.2.5GSS-APIGSIGSS-APIGSS-APIGlobusGSS-APIGSSGSIGSS-APICACA......133.3Web3.3.1WebWeb(Webservice)[29]WebWebWebHTTPXMLWebWebWebWebWebWebWeb3.3.2WebWebWeb3.43.4Web3.3.3WebWebWeb3.5WSFLStaticUDDIDirectUDDIWSDLSOAPXMLXMLSchemaXMLHTTPFTPSMTP3.5Web14WSFLWSFLWebWSDLWSDLUDDIUDDIWSDLWSDLWebXMLSOAPSOAPWebSOAPSOAPSOAPSOAPRPCXMLSOAPWSDLUDDIXMLXMLSchemaWebXMLXMLWebHTTPHTTPWeb3.43.4.1CASCASGSICASGSICASCAS3.4.2CASCAS(Role-Based)CASCASCASGSI15CASCASCASCAS3.4.3CASGSICAS1.alpha1.020022GSICAS1.0CASServiceManageProcessUserClientCASCertificatePolicyGridFTPServicealpha1.0CASServiceCASCertificate3.63.6CASalpha1.0(2)alpha2.0alpha2.0alpha1.0CASCASServiceUserClientCAS-EnableGridFTPServicealpha2.0AssertionCASServicealpha2.0CAS3.7CAS2.CAS3.1.163.7CASalpha2.0(3)alpha3.0alpha3.0alpha2.0alpha3.0OGSAserviceWeb3.Assertion2.CAS1.174C/SGSI4.14.1.1(AuthenticationMechanism)[30]4.1.2(AuditMechanism)[31](1)(2)(3)(4)184.24.2.1[32](Users)(InformationSpace)(Operations)(Metadata)4.14.1(U,IS,OP)UISOPΦ),,(ΦΦΦOP)IS,(U,)op,is,(uiiiiuiisiopOP)IS,(U,}ISisOP,opU,u|)op,is,(u{XXiiiXi∈∈=(4.2.1.1)}UuOP,opU,is|)op,is,(u{YYiiiiy∈∈=(4.2.1.2)Xis(AccessControlListACL)[26]Xyu(AccessControlCapabilityList)[26]Y4.2.24.2UISOP(Ф,Ф,Ф)194.2(U,IS,OP)}1,0{OPISU:F→××(4.2.2.1)OP)IS,(U,}1,0{)op,is,(uiii1iuiisiop0iu1OP)IS,(U,OP)IS,(U,D(4.2.2.2)}1)op,is,uF(且OP,opIS,isU,