We propose an alternative approach to building the security infrastructure for DCSs. The main idea is to use login/password for user authentication (including multi-factor authentication where strong security is needed), while the well-tested PKI infrastructure is used for service-to-service interaction only. Authorization is implemented by just-in-time approval of rights via a special trusted authorization service. Consequently, there is no need to use proxy certificates. In the proposed model, each request should be signed with an individual certificate that is not limited in time. These request certificates are registered by the authorization service in a special database, and their states are tracked in real time. Having received a user's request, every computational service checks with the authorization service whether the request certificate is valid and has not yet been used, and executes the request only if the signature is correct. Signing requests thus ensures that they cannot be changed in transit or during processing.
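The check a computational service makes before executing a request can be sketched as follows. This is an added example, not code from the authors or their system. All class and function names are hypothetical, the sample request is constructed, and an HMAC over a per-request key stands in for the certificate signature so that the sketch runs with the standard library alone; signature checking is folded into the authorization service as a further assumption.

```python
import hashlib, hmac, secrets, threading

class AuthorizationService:
    """Hypothetical registry of request credentials and their states."""
    def __init__(self):
        self._lock = threading.Lock()
        self._db = {}  # cert_id -> {"key": bytes, "state": issued|used|revoked}

    def issue(self):
        # Just-in-time approval: register a credential good for one request.
        cert_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        with self._lock:
            self._db[cert_id] = {"key": key, "state": "issued"}
        return cert_id, key

    def revoke(self, cert_id):
        with self._lock:
            self._db[cert_id]["state"] = "revoked"

    def redeem(self, cert_id, body, signature):
        # Check-and-mark under one lock so two services cannot both redeem.
        with self._lock:
            rec = self._db.get(cert_id)
            if rec is None:
                return "unknown"
            if rec["state"] != "issued":
                return rec["state"]
            expected = hmac.new(rec["key"], body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, signature):
                return "bad-signature"  # credential stays unused
            rec["state"] = "used"
            return "ok"

def sign(key, body):
    # HMAC stands in for the certificate signature (assumption).
    return hmac.new(key, body, hashlib.sha256).digest()

def compute_service(auth, cert_id, body, signature):
    # Execute only when the authorization service accepts the request.
    verdict = auth.redeem(cert_id, body, signature)
    return ("executed " + body.decode()) if verdict == "ok" else ("rejected: " + verdict)

def demo():
    auth = AuthorizationService()
    cid, key = auth.issue()
    body = b"run job 17"  # constructed sample request
    sig = sign(key, body)
    out = [compute_service(auth, cid, b"run job 99", sig)]  # altered in transit
    out.append(compute_service(auth, cid, body, sig))        # first use
    out.append(compute_service(auth, cid, body, sig))        # replay
    cid2, key2 = auth.issue()
    auth.revoke(cid2)
    out.append(compute_service(auth, cid2, body, sign(key2, body)))
    return out
```

The state change happens in the same critical section as the validity check, which is what keeps a replayed request from being accepted by a second service while the first is still processing it.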