DE-FG02-04ER25606 Identity Federation and Policy Management Guide: Final Report

The goal of this 3-year project was to facilitate a more productive dynamic matching between resource providers and resource consumers in Grid environments by explicitly specifying policies. There were broadly two problems being addressed by this project. First, there was a lack of an Open Grid Services Architecture (OGSA)-compliant mechanism for expressing, storing and retrieving user policies and Virtual Organization (VO) policies. Second, there was a lack of tools to resolve and enforce policies in the Open Services Grid Architecture. To address these problems, our overall approach in this project was to make all policies explicit (e.g., virtual organization policies, resource provider policies, resource consumer policies), thereby facilitating policy matching and policy negotiation. Policies defined on a per-user basis were created, held, and updated in MyPolMan, thereby providing a Grid user to centralize (where appropriate) and manage his/her policies. Organizationally, the corresponding service was VOPolMan, in which the policies of the Virtual Organization are expressed, managed, and dynamically consulted. Overall, we successfully defined, prototyped, and evaluated policy-based resource management and access control for OGSA-based Grids. This DOE project partially supported 17 peer-reviewed publications on a number of different topics: General security for Grids, credential management, Web services/OGSA/OGSI, policy-based grid authorization (for remote execution and for access to information), policy-directed Grid data movement/placement, policies for large-scale virtual organizations, and large-scale policy-aware grid architectures. In addition to supporting the PI, this project partially supported the training of 5 PhD students

Dynamic deployment of web services on the internet or grid

PhD ThesisThis thesis focuses on the area of dynamic Web Service deployment for grid and Internet applications. It presents a new Dynamic Service Oriented Architecture (DynaSOAr) that enables the deployment of Web Services at run-time in response to consumer requests. The service-oriented approach to grid and Internet computing is centred on two parties: the service provider and the service consumer. This thesis investigates the introduction of mobility into this service-oriented approach allowing for better use of resources and improved quality of service. To this end, it examines the role of the service provider and makes the case for a clear separation of its concerns into two distinct roles: that of a Web Service Provider, whose responsibility is to receive and direct consumer requests and supply service implementations, and a Host Provider, whose role is to deploy services and process consumers' requests on available resources. This separation of concerns breaks the implicit bond between a published Web Service endpoint (network address) and the resource upon which the service is deployed. It also allows the architecture to respond dynamically to changes in service demand and the quality of service requirements. Clearly defined interfaces for each role are presented, which form the infrastructure of DynaSOAr. The approach taken is wholly based on Web Services. The dynamic deployment of service code between separate roles, potentially running in different administrative domains, raises a number of security issues which are addressed. A DynaSOAr service invocation involves three parties: the requesting Consumer, a Web Service Provider and a Host Provider; this tripartite relationship requires a security model that allows the concerns of each party to be enforced for a given invocation. This thesis, therefore, presents a Tripartite Security Model and an architecture that allows the representation, propagation and enforcement of three separate sets of constraints. A prototype implementation of DynaSOAr is used to evaluate the claims made, and the results show that a significant benefit in terms of round-trip execution time for data-intensive applications is achieved. Additional benefits in terms of parallel deployments to satisfy multiple concurrent requests are also shown

Authentication and privacy in mobile web services

This thesis looks at the issue of authentication and privacy in mobile Web services. The work in this thesis builds on GSM and UMTS security framework to develop security protocols for mobile Web services environment. The thesis initially highlights some core principles of designing security protocols in such environment. The next two chapters look at the core technologies and building blocks in Web services systems and the core security features in mobile networks mainly GSM and UMTS. Registration and authentication were identified as security issues in federated systems. Proposed solutions were developed utilizing XML security mechanisms with SIM card security in GSM environment to address these issues. Also a novel system was proposed in which it is possible for a mobile user to securely authenticate and have full anonymity as far as the service providers are concerned; however it is possible for a trusted authority to reveal the identity of the user if he or she is suspected of illegal activities. The next section analyze in detail the Generic Authentication Architecture from 3GPP. Combining SAML with the Generic Authentication Architecture, we propose a novel "generic mobile Web service platform" for M-Commerce. Various solutions have been proposed to address privacy concern in distributed networks; the Platform for Privacy Preferences is one of the popular proposal, though it has many desirable features, it is not easy to enforce it. We argue that this limitation can be managed in federated system such as the Liberty Alliance framework. In the final chapter we make the case for using timestamp based authentication protocol in mobile Web service on the ground of efficiency gain