CHAMPAIGN, IL - The National Computational Science Alliance (Alliance) has been working to enable a Public Key Infrastructure (PKI) authentication system for its user community, a move that means better security for users in distributed computing environments, including computing done over the Partnerships for Advanced Computational Infrastructure (PACI) Grid.
The Alliance's sister program, the National Partnership for Advanced Computational Infrastructure (NPACI), is deploying a similar PKI authentication system.
"We were after a solution that the whole grid community could use; a standard solution for grid environments," said Randy Butler, who heads the Alliance Computational Environment and Security (ACES) division at the National Center for Supercomputing Applications (NCSA), the Alliance's leading-edge site. "We feel strongly PKI is that solution. It offers scalability, interoperability, strong authentication, and implementation flexibility."
PKI differs from other security and authentication systems in that it uses both a public and private key to identify a user and authenticate that user's identity. In order to access resources, a user's private key is paired with a public key and a request for a digital certificate is sent to a third party, called a Certificate Authority (CA). The CA vouches for the identity of the user and sends that user a certificate. This certificate is the user's proof of identity.
The National Science Foundation provided $500,000 to the Alliance last year to deploy the Alliance PKI solution. With that funding the Alliance established a Certificate Authority at Argonne National Laboratory, an Alliance PACI partner. A Certificate Policy (CP) that identifies the policies for requesting, authorizing, creating, and managing PKI-based security credentials was created for the Alliance's Advance Computational Resource and Services sites, and that policy was used as the basis for establishing the NPACI CP.
"Different organizations will have different policies and different Certificate Authorities, but those certificates will be recognized and accepted by other sites," explained Ian Foster, an Alliance researcher with Argonne and the University of Chicago. "For the user this means not only more security but more capabilities too."
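The request-and-issue flow and the cross-CA acceptance described above, sketched with the `openssl` command line as an added example; it is not part of the original release or of any Alliance, NPACI or Globus tooling, and every CA name, subject and file name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added illustration; CA names, subjects and file names are constructed placeholders.
set -eu

make_ca() {            # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Grid/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_user_cert() {    # $1 = CA prefix, $2 = user prefix, $3 = user common name
    # User side: the key pair is generated locally; only the request
    # (public key plus claimed name) goes to the CA, never the private key.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Grid/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    # CA side: vouch for the identity by signing the request.
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 7 -out "$2.crt" 2>/dev/null
}

site_accepts() {       # $1 = site trust bundle, $2 = user cert, $3 = user key
    # 1. The certificate must chain to a CA this site has chosen to trust.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # 2. The holder must prove possession of the matching private key by
    #    signing a fresh challenge; the site checks it with the cert's public key.
    work=$(mktemp -d)
    openssl rand -hex 16 > "$work/nonce"
    openssl dgst -sha256 -sign "$3" -out "$work/sig" "$work/nonce"
    openssl x509 -in "$2" -pubkey -noout > "$work/pub.pem"
    rc=0
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig" \
        "$work/nonce" >/dev/null 2>&1 || rc=1
    rm -rf "$work"
    return "$rc"
}

demo() (               # subshell body, so the cd does not leak to the caller
    cd "$(mktemp -d)"
    make_ca alliance-ca "Alliance CA (demo)"
    make_ca npaci-ca "NPACI CA (demo)"
    make_ca other-ca "Unrecognized CA (demo)"
    issue_user_cert alliance-ca alice alice
    issue_user_cert npaci-ca bob bob
    issue_user_cert other-ca carol carol
    cat alliance-ca.crt npaci-ca.crt > site-trust.pem   # the site's trust decision
    for u in alice bob carol; do
        if site_accepts site-trust.pem "$u.crt" "$u.key"; then echo "$u: accepted"
        else echo "$u: rejected"; fi
    done
)
demo
```

The trust bundle is the only place where the site's policy appears: adding or removing a CA certificate there changes which organizations' users are recognized, without touching any user credential.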
Foster added that the Alliance's PKI infrastructure is designed to support the Grid Security Infrastructure (GSI), a library of software and utilities developed within the Globus project. Globus is a set of integrated software tools used in distributed computing environments. Globus researchers at Argonne, NCSA, and the University of Southern California's Information Sciences Institute have developed a wide variety of GSI-enabled tools, including remote job submission capabilities, a GSI-enabled FTP, and a GSI-enabled version of the popular "secure shell" utility. These tools are being deployed as part of the Alliance public key rollout, and will ensure that Alliance users can immediately use their new Alliance PKI credentials to access computers and storage systems at Alliance sites.
This is good news for the Alliance sites with computing resources that are linked together over the PACI Grid to create a Virtual Machine Room (VMR). A major goal of the Alliance VMR effort has been to allow sites maximum flexibility in implementing local service. GSI and PKI can be layered on top of whatever authentication infrastructure a site already has in place.
"This has been a real win for the VMR effort since each of our partners has their own unique set of security requirements," said Butler. "The advantages for our users are simple, standard mechanisms and procedures for authentication, including the use of a single authentication certificate that identifies them to all VMR resources. The advantage to developers is a common security API for them to program to."
The Grid Forum, a community-initiated forum of researchers and practitioners working on distributed computing technologies, is also looking into PKI as a security and authentication solution. Butler is co-chair of the Grid Forum Security working group, along with Steve Tuecke of Argonne and Marty Humphrey of the University of Virginia. Two of the working group's focus areas deal with PKI interoperability issues, namely certificate policy models and security applications program interfaces.
The Alliance CA is currently providing certificates for early Alliance PKI users, and will begin issuing certificates to the general Alliance user community in June.
The National Computational Science Alliance is a partnership to prototype an advanced computational infrastructure for the 21st century and includes more than 50 academic, government and industry research partners from across the United States. The Alliance is one of two partnerships funded by the National Science Foundation's Partnerships for Advanced Computational Infrastructure (PACI) program, and receives cost-sharing at partner institutions. NSF also supports the National Partnership for Advanced Computational Infrastructure (NPACI), led by the San Diego Supercomputer Center.
The National Center for Supercomputing Applications is the leading-edge site for the National Computational Science Alliance. NCSA is a leader in the development and deployment of cutting-edge high-performance computing, networking, and information technologies. The National Science Foundation, the state of Illinois, the University of Illinois, industrial partners, and other federal agencies fund NCSA.