
CHAMPAIGN, IL - The National Computational Science Alliance (Alliance)
has been working to enable a Public Key Infrastructure (PKI) authentication
system for its user community, a move that means better security for users in
distributed computing environments, including computing done over the Partnerships
for Advanced Computational Infrastructure (PACI) Grid.
The Alliance's sister program, the National Partnership for Advanced Computational
Infrastructure (NPACI), is deploying a similar PKI authentication system.
"We were after a solution that the whole grid community could use; a standard
solution for grid environments," said Randy Butler, who heads the Alliance
Computational Environment and Security (ACES) division at the National Center
for Supercomputing Applications (NCSA), the Alliance's leading edge site. "We
feel strongly PKI is that solution. It offers scalability, interoperability,
strong authentication, and implementation flexibility."
PKI differs from other security and authentication systems in that it uses both a
public and private key to identify a user and authenticate that user's identity.
In order to access resources, a user's private key is paired with a public key
and a request for a digital certificate is sent to a third party, called a
Certificate Authority (CA). The CA vouches for the identity of the user and
sends that user a certificate. This certificate is the user's proof of identity.
The National Science Foundation provided $500,000 to the Alliance last year to
deploy the Alliance PKI solution. With that funding the Alliance established a
Certificate Authority at Argonne National Laboratory, an Alliance PACI partner. A
Certificate Policy (CP) that identifies the policies for requesting, authorizing,
creating, and managing PKI-based security credentials was created for the
Alliance's Advance Computational Resource and Services sites, and that policy was
used as the basis for establishing the NPACI CP.
"Different organizations will have different policies and different Certificate
Authorities, but those certificates will be recognized and accepted by other
sites," explained Ian Foster, an Alliance researcher with Argonne and the
University of Chicago. "For the user this means not only more security but more
capabilities too."
Foster added that the Alliance's PKI infrastructure is designed to support the
Grid Security Infrastructure (GSI), a library of software and utilities developed
within the Globus project. Globus is a set of integrated software tools used in
distributed computing environments. Globus researchers at Argonne, NCSA, and the
University of Southern California's Information Sciences Institute have developed
a wide variety of GSI-enabled tools, including remote job submission capabilities,
a GSI-enabled FTP, and a GSI-enabled version of the popular "secure shell" utility.
These tools are being deployed as part of the Alliance public key rollout, and
will ensure that Alliance users can immediately use their new Alliance PKI
credentials to access computers and storage systems at Alliance sites.
This is good news for the Alliance sites with computing resources that are linked
together over the PACI Grid to create a Virtual Machine Room (VMR). A major goal
of the Alliance VMR effort has been to allow sites maximum flexibility in
implementing local service. GSI and PKI can be layered on top of whatever
authentication infrastructure a site already has in place.
"This has been a real win for the VMR effort since each of our partners has their
own unique set of security requirements," said Butler. "The advantages for our
users are simple, standard mechanisms and procedures for authentication, including
the use of a single authentication certificate that identifies them to all VMR
resources. The advantage to developers is a common security API for them to
program to."
The Grid Forum, a
community-initiated forum of researchers and practitioners working on distributed
computing technologies, is also looking into PKI as a security and authentication
solution. Butler is co-chair of the Grid Forum Security working group, along
with Steve Tuecke of Argonne and Marty Humphrey of the University of Virginia. Two
of the working group's focus areas deal with PKI interoperability issues, namely
certificate policy models and security applications program interfaces.
The Alliance CA is currently providing certificates for early Alliance PKI users,
and will begin issuing certificates to the general Alliance user community in June.
The National Computational Science Alliance is a partnership to prototype an
advanced computational infrastructure for the 21st century and includes more than
50 academic, government and industry research partners from across the United
States. The Alliance is one of two partnerships funded by the National Science
Foundation's Partnerships for Advanced Computational Infrastructure (PACI)
program, and receives cost-sharing at partner institutions. NSF also supports the
National Partnership for Advanced Computational Infrastructure (NPACI), led by the
San Diego Supercomputer Center.
The National Center for Supercomputing Applications is
the leading-edge site for the National Computational Science Alliance. NCSA is a
leader in the development and deployment of cutting-edge high-performance
computing, networking, and information technologies. The National Science
Foundation, the state of Illinois, the University of Illinois, industrial
partners, and other federal agencies fund NCSA.