BitDew: A Programmable Environment for Large-Scale Data Management and Distribution

Desktop Grids use the computing, network and storage resources from idle desktop PC's distributed over multiple-LAN's or the Internet to compute a large variety of resource-demanding distributed applications. While these applications need to access, compute, store and circulate large volumes of data, little attention has been paid to data management in such large-scale, dynamic, heterogeneous, volatile and highly distributed Grids. In most cases, data management relies on ad-hoc solutions, and providing general approach is still a challenging issue. To address this problem, we propose the BitDew framework, a programmable environment for automatic and transparent data management on computational Desktop Grids. This paper describes the BitDew programming interface, its architecture, and the performance evaluation of its runtime components. BitDew relies on a specific set of meta-data to drive key data management operations, namely life cycle, distribution, placement, replication and fault-tolerance with a high level of abstraction. The Bitdew runtime environment is a flexible distributed service architecture that integrates modular P2P components such as DHT's for a distributed data catalog and collaborative transport protocols for data distribution. Through several examples, we describe how application programmers and Bitdew users can exploit Bitdew's features. The performance evaluation demonstrates that the high level of abstraction and transparency is obtained with a reasonable overhead, while offering the benefit of scalability, performance and fault tolerance with little programming cost

A Dynamic Validation Infrastructure for Interoperable Grid Services

Los encargados de recursos Grid pueden autorizar el acceso a sus elementos de cómputo por medio de procedimientos bien establecidos para los clientes, regularmente a través del uso de credenciales criptográficas que en su mayoría tienen un tiempo de vida definido.A pesar que la adopción de Autoridades de Certificación -AC- ha parcialmente resuelto el problema de identificación y autenticación entre entidades y, la tecnología PKI (Infraestructuras de Clave Pública) es bastante madura, no es posible hacer los mismos supuestos cuando existen dominios que no confían entre si. En los últimos años han proliferado las Organizaciones Virtuales -VOs- dentro del Grid, cada una instalando su propia Autoridad de Certificación y dando lugar a un gran número de diferentes dominios de seguridad, que efectivamente no confían entre si. Esto da lugar a un complejo escenario de interoperabilidad en Grid, que requiere mecanismos capaces de determinar si una credencial cliente puede ser confiada en un momento dado. Este proceso (llamado "validacion") ha sido tradicionalmente tratado via Listas de Revocación de Certificados (CRLs). Sin embargo, esta solución es ineficiente tanto para la ACs como para las aplicaciones Grid. En consecuencia son requeridos mecanismos mas eficientes que permitan conocer el estado de un certificado en tiempo real. Entre estas soluciones, el Online Certificate Status Protocol (OCSP) sobresale para los Grids. A pesar de su importancia para la seguridad, OCSP conlleva considerables retos para el Grid y de momento es incapaz para garantizar un grado seguro de interoperabilidad entre las ACs que participan en dicho ambiente.De momento la comunidad Grid ha resuelto el problema de interoperabilidad mediante el uso de "Policy Management Authorities" (PMAs), las cuales representan "Federaciones de Grid-PKIs" cuyas ACs miembros cumplen con niveles mínimos de seguridad. Estos requisitos mínimos forman el llamado "Perfil de Autenticación de la PMA". Actualmente el cumplimiento con el perfil de una cierta PMA se lleva a cabo a través de un proceso bien definido, pero manual, que se realiza una sola ocasión cuando una AC desea ser parte de dicha PMA. Esto se denomina "Proceso de Acreditación".Cualquier cliente invocando una operación de un servicio Grid, activa un proceso de autenticación que valida su certificado digital de acuerdo a un proceso llamado "Path Validation".Cuando las ACs participantes interoperan gracias a acuerdos explícitos de confianza, solamente se require un "Path Validation Básico": verificación criptográfica y chequeo del estado del certificado. Software Grid como el Globus Toolkit, provee mecanismos estáticos para dicho proceso. Esto sin embargo resulta inapropiado para VOs actuales.Asi pues, a pesar de la importancia que un proceso automático y "Extendido" de "Path Validation" tendría para construir relaciones de confianza dinámicamente en Grid-PKIs, a la fecha no existe ningún mecanismo para hacerlo.Esta tesis presenta una arquitectura novedosa para llevar a cabo el proceso "Extendido de Path Validation" en ambientes Grid para ACs que pertenecen a la misma PMA, gracias al uso de una Infraestructura de Validación basada en el Grid-OCSP y, una metodología de evaluación de políticas que compara las Políticas de Certificación de las ACs involucradas para asegurarse que cumplen con un Perfil de Autenticación y, que por lo tanto pueden interoperar entre ellas. La metodología de evaluación de políticas está basada en una propuesta de investigación de la "Universidad de Nápoles, Federico II" y la "Segunda Universidad de Nápoles". Un prototipo de la Infraestructura de Validación ha sido desarrollado durante nuestra investigación, y es ampliamente explicado en esta tesis.Grid Resource owners can authorize access to their computing elements by means of well established Authentication and Authorization processes for End-entities, through the use of cryptographic credentials that in most of the cases have a defined lifetime. Nevertheless, despite the fact that the adoption of Certification Authorities -CAs- has partially solved the problem of identification and authentication between the involved parties, and that Public Key Infrastructure -PKI- technologies are mature enough, we cannot make the same assumptions when untrusted domains are involved. In the last years a lot of Grid Virtual Organizations -VOs- have been proliferating, each one usually installing its own Certificate Authority and thus giving birth to a large set of different and possibly untrusted security domains. This brings a quite complex Grid interoperability scenario requiring mechanisms able to determine whether a particular end-entity's credential can be trusted at a given moment. This process is commonly named validation and traditionally it is performed via Certificate Revocation Lists (CRL). However this solution tends to be cumbersome for both, the CA and the application. In consequence, more efficient mechanisms to allow for the provision of real time certificate status information are required. Among these solutions, the Online Certificate Status Protocol (OCSP) stands out in the Grid community. Despite its importance for security, OCSP not only faces considerable challenges in the computational Grid but also, in its current form, this protocol is unable to guarantee a secure degree of interoperability among all the involved Grid-Certification Authorities. At the state of the art, the Grid community is circumventing the interoperability problem with the "Policy Management Authorities (PMAs)", which represent "Federations of Grid PKIs" whose CA members accomplish minimum levels of security. These minimum requirements comprise the PMA's Authentication Profile. In the case of the existing Grid PMAs, compliance with their respective authentication profile is given through a well-defined, but manual process involving a careful analysis of the applicant PKI's Certification Policy -CP-, performed just once, when a new CA wishes to be part of an existing PMA. This is known as the PMA's accreditation process.Any end-entity invoking a Grid Service's operation from the server, activates an authentication process that validates the end-entity's digital certificate according to the traditional path validation procedure.When involved CAs interoperate thanks to explicit trust agreements, only basic path validation is required: cryptographic verifications and status' checks over the involved certificates. State of the art Grid software like the Globus Toolkit, provides static mechanisms for the basic path validation. This is a cumbersome process in nowadays Virtual Organizations.Therefore, despite the importance that an automated and extended path validation process has got in order to build dynamic trust relationships among Grid PKI's, to date there is no mechanism to automatically obtain this information.This thesis presents a novel architecture for enabling extended path validation in Grid environments for CAs that are part of the same PMA, thanks to the use of a Validation Infrastructure based on a Grid-enabled Online Certificate Status Protocol and, a policy evaluation methodology that compares the involved CAs' Certificate Policies to assert that they fulfil with a particular Authentication Profile and that they can therefore interoperate among them. The policy evaluation technique is based on a formal methodology originally proposed by researchers of the "Università di Napoli, Federico II" and the "Seconda Università di Napoli". A working prototype of the proposed Validation Infrastructure was also developed during our research, and is widely explained along this thesis

Providing security to the Desktop Data Grid

Project no. FP6-00426