Trust Establishment in Mobile Distributed Computing Platforms

This project was funded by the EPSRC UK e-Science programme of research (EP/D053269). The project members were part of the Information Security Group at Royal Holloway, University of London. Contact details can be found in the papers published for the project, listed below.


Since the inception of Grid computing, security efforts have focussed on protecting assets through authorisation and authentication. One of the main examples of this work is the Grid Security Infrastructure [Foster et. al 1998]. The goal was to provide a means for Grid resource providers to enforce both local and Virtual Organisation security policies, taking into account difficulties such as managing hosts across multiple domains and authorising potentially unknown users. Clearly, a lot of trust was placed in Grid resource providers to maintain security, and while this may have been an adequate model for academic use, it is not appropriate for all scenarios. Many potential Grid users have been reluctant to use Grid computing because of security concerns:

Getting these assurances requires action by both the the Grid user and the Grid resource provider, and this project has investigated how Grid workflows can be used in a security context. This page summarises the results of this work, and is organised as follows:

More details of each area can be found in the publications listed at the end of the page.

Automated Grid workflows

Workflows have always been in place, either implicitly or explicitly specified, but this project focussed on automated workflow systems. These systems attempt to execute a workflow of multiple processes in a defined order, where a process can operate on either an individual set of data or on the results of a previous process. Sections of the workflow can be sequential, operate in parallel, branch depending on conditions, or iteratively loop. A variety of workflow systems exist, but there are only two main types. Typically, early systems operated at a low level, when users had to specify Grid jobs according to the resource providers the jobs would execute on. The current trend has been to abstract away the physical details of Grid jobs, allowing a user to create a high level abstract workflow of tasks. In these systems, the Workflow Resource Broker (WRB) is an important central management component, and is responsible for:

The user should conduct a risk analysis of their data, designing and modifying their workflow following the principles of separation of duty. However, sections of the workflow may still require assurances provided by additional security mechanisms. These have to be provided by the Grid network infrastructure, forming solutions that allow trust levels to be determined and written into user security policy. Therefore, the notions of security include: controlling access to data, deciding upon the resource providers that are trusted to both store and process data, and selecting those that are trusted to enforce user security policy.

Grid workflow security

There are two main requirements for workflow security: confidentiality and integrity.

However, there are obstacles to meeting the above requirements. The Workflow Resource Broker is clearly a point of vulnerability - it provides delegated control of user credentials, and is responsible for selecting resource providers for the execution of the user's workflow. Similarly, the chosen resource providers could also have vulnerabilities, because of complex software (OS, Grid middleware), local user access, and network vulnerabilities.

The project uses Trusted Computing and virtualisation technologies to overcome the above vulnerabilities, and meet the security requirements for Grid workflows.

An introduction to Trusted Computing

Trusted Computing has been developed by the Trusted Computing Group, a consortium of companies including Intel, Hewlett Packard and Microsoft. Specifications have been produced for a 'trusted platform' containing a Trusted Platform Module (TPM), which is a hardware chip embedded into the host platform. The TPM is used to create proxy 'roots of trust' within a trusted platform. The chip contains protected capabilities, commands, that can access shielded locations within the TPM.

Three types of key are used by Trusted Computing:

Non-migratable keys can be certified because each TPM is installed with a non-migratable Endorsement key. This is an asymmetric key pair that is created and installed by the TPM manufacturer, along with an Endorsement key credential (certificate) for the public key.

Furthermore, when a TPM is either initalised or reset, another non-migratable asymmetric key pair is created. This key is called the Storage Root Key and the public key can be used to encrypt other keys, creating a key hierarchy that can be stored outside of the TPM. If a non-migratable key is used to encrypt data, then that data is bound to that particular TPM. If use of the non-migratable key is only possible when the platform is in a specific state, then that data is sealed to that platform state.

Sealing is only possible because of the presence of integrity measuring mechanisms, which provide the ability to record initial platform state and any events that modify platform state. The measurements are stored in Platform Configuration Registers (PCRs) within the TPM. Details of what was measured are recorded in a Secure Measurement Log (SML) outside of the TPM.

Measuring the integrity of a platform also allows for another service called attestation. Attestation provides a means for a platform to prove its state to an external entity. PCR values are signed using an Attestation Identity Key (AIK), which is an asymmetric key created by a TPM and verified by either a `Privacy Certification Authority' or using the Direct Anonymous Attestation (DAA) protocol.

An introduction to virtualisation

Platform virtualisation is the process of emulating a hardware platform within software, for a guest OS or applications to run inside a virtual machine. Virtual machines are controlled by a Virtual Machine Monitor (VMM), which is also known as the hypervisor. The guest system is encapsulated within a Virtual Disk Image (VDI), which can be cloned, migrated and needs to be secured. One of the difficulties with securing VDIs are their size. One method is to divide a VDI into chunks and create a hash digest for each chunk. Each hash is stored in a metadata file, along with associated information. Since each metadata file is considerably smaller, then it can be protected by conventional means.

Virtualisation offers several advantages for computational Grid jobs, one of which is that there is no need to rely on resource providers for particular software libraries, including proprietary software, because these can be preinstalled in a virtual disk image. Moreover, a fully functioning OS may not be required. Both of these advantages can also benefit user security. Software included in a virtual disk image can also include digital rights management software. Reducing the complexity of the system encapsulated by a virtual disk image should make verifying the security properties easier than a full OS. The same argument can also be made for the VMM, in which the code-base is smaller than that of a full OS. Finally, the VMM in an ideal location to enforce isolation between virtual machines.

Securing Grid workflows

The following proposal uses Trusted Computing and virtualisation to provide:

Prerequisites for the scheme include trusted platforms installed within the WRB and a subset of resource providers. Also, there must be a means for verifying trust in the WRB; for example, this may be through using Trusted Computing or that the WRB is internal to the user's domain. In addition, a Grid user should be able to create their own VDIs, or specify third party VDIs for use within the workflow. Furthermore, it is assumed that a Grid user can specify security requirements that can be translated into low level platform requirements by the WRB. Finally, all resource providers have a certified copy of the WRB’s public signature verification key; conversely, the WRB has a copy of all resource providers’ public signature verification keys. Hence, all messages exchanged between the WRB and resource providers must be signed, so that their origin and integrity can be verified.

Workflow preparation

Consider a linear workflow of jobs a0, a1, … , an created by a WRB from a user's high-level workflow. Each job is encapsulated within a VDI, described above. Furthermore, each job is allocated a resource provider RPi, selected because their platform is in a trusted state αi and the TPM contains a non-migratable secret key SKi of an asymmetric key pair. The secret key could either have been proactively created by a resource provider, who advertises the corresponding public key and platform state [Lohr et al. 06], or it could have been the result of certified migration to a trusted platform.

Figure 1 illustrates an example for three resource providers RPi-1 , RPi and RPi+1 that have been allocated three consecutive jobs ai-1 , ai and ai+1 (3). The corresponding public key PKi is used to seal a symmetric key ki (2), which is generated by the WRB along with a random number ri . The key ki is used to protect the job and random number (1), where g is a generation-encryption function that produces ciphertext and a Message Authentication Code.

Each resource provider is also sent the public key corresponding to the trusted platform state for the proceeding resource provider in the workflow (4), and also the trusted platform state of the previous resource provider (5). These are used to maintain security in the forward and reverse directions during the execution of the workflow.

Figure 1: Workflow preparation

Workflow execution

When a resource provider RPi-1 has processed its job in the workflow, a ready signal is sent to the next resource provider RPi, either directly or via the WRB. This is shown in message (6) in Figure 2. The next resource provider RPi creates an attestation challenge, which includes a random number rRPi , to send to to RPi-1 (7). RPi-1 creates a response to the challenge, αi-1(rRPi), attesting to its platform state; RPi-1 protects the results of the Grid job, R( ai-1 ), using a symmetric key ki-1' that RPi-1 generates; this key is also sealed to the trusted platform state of RPi - the three data objects are sent as part of message (8).

Figure 2: Workflow execution

There are two essential checks during the transition between RPi-1 and RPi. The first is that the same public key PKi that is indirectly used to protect the Grid job is also used to protect the input data for that job, i.e. the results of the previous job. The corresponding secret key can only be accessed if RPi's platform is in the expected, trusted state. The attestation challenge is used to check that the previous resource provider RPi-1 remained in the expected, trusted state during the execution of its allocated Grid job. If either verification cannot be made, then an exception can be raised for the WRB to handle.

Final Remarks

Grid workflows provide significant advantages when completing highly complex computations if assurances that participating entities have behaved as expected can be provided. This requires both the judicious selection of trustworthy Grid resource providers, and a means to determine whether or not this trust still holds after job processing. This trust is built using Trusted Computing and virtualisation technology. The scheme presented above enables Grid users to derive confidence in the execution of their workflows, and from this establish trust in workflow results. While a simple linear example has been given above, it is also possible to divide a key protecting workflow results into several key shares and use the scheme to distribute them amongst several resource providers. The scheme can also be extended to incorporate the Grid access device, which could be a wireless mobile terminal. Further work includes:


I. Foster, C. Kesselman, G. Tsudik, and S. Tuecke, “A security architecture for computational grids,” in Proceedings of the 5th ACM conference on Computer and Communications Security, San Francisco, California, United States, New York, November 2–5, 1998, ACM Press, pp. 83–92.

H. Löhr, H. V. Ramasamy, A.-R. Sadeghi, S. Schulz, M. Schunter, and C. Stüble. Enhancing Grid security using trusted virtualization. In Proceedings of the 1st Benelux Workshop on Information and System Security (WISSEC ’06), Antwerpen, Belgium, November 8-9, 2006. COmputer Security and Industrial Cryptography (COSIC), K.U. Leuven, ESAT/SCD, Nov 2006.


[1] A. Martin and P.W. Yau, “Grid Security: Next Steps”, Information Security Technical Report, 12 no. 3 (2007), 113-122. [pdf]

[2 P.-W. Yau, S. Hu and C. J. Mitchell, 'Malicious attacks on ad hoc network routing protocols' (pdf), International Journal of Computer Research, 15 no. 1 (2007) 73-100. [pdf]

[3] P.W. Yau and A. Tomlinson, “Using Trusted Computing in Commercial Grids”, in Proceedings of the 15th International Workshops on Conceptual Structures (ICCS 2007), Sheffield, UK, July 22-27, 2007, Springer-Verlag, pp 31-36. [pdf]

[4] A. Leung and C. J. Mitchell, 'Ninja: Non Identity Based, Privacy Preserving Authentication for Ubiquitous Environments', in: J. Krumm, G. D. Abowd, A.Seneviratne and T. Strang (eds.), UbiComp 2007: Ubiquitous Computing, 9th International Conference, Innsbruck, Austria, September 16--19 2007, Springer-Verlag (LNCS 4717), Berlin (2007), pp.73-90. [pdf]

[5] E. Gallery and C. J. Mitchell, 'Trusted mobile platforms', in: A. Aldini and R. Gorrieri (eds.), Foundations of Security Analysis and Design IV: FOSAD 2006/2007 Tutorial Lectures, Springer-Verlag (LNCS 4677), Berlin (2007), pp.282-323. [pdf]

[6] S. Balfe, E. Gallery, C. J. Mitchell and K. G. Paterson, 'Challenges for trusted computing', IEEE Security and Privacy, 6 no. 6 (November/December 2008) 60-66. [pdf]

[7] A. Leung, L. Chen and C. J. Mitchell, 'On a possible privacy flaw in Direct Anonymous Attestation (DAA)', in: P. Lipp, A.-R. Sadeghi and K.-M. Koch (eds.), Trusted Computing - Challenges and Applications, First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Villach, Austria, March 11-12, 2008, Proceedings, Springer-Verlag (LNCS 4968), Berlin (2008), pp.179-190. [pdf]

[8] A. Leung and C. J. Mitchell, 'A device management framework for secure ubiquitous service delivery', in: Proceedings: the Fourth International Symposium on Information Assurance and Security (IAS 2008), Naples, Italy, September 2008, IEEE Computer Society Press, Los Alamitos, CA (2008), pp.267-274. [pdf]

[9] P. W. Yau, A. Tomlinson, S. Balfe and E. M. Gallery, “Securing Grid Workflows with Trusted Computing (Extended Abstract)”, in Proceedings of the Eigth IEEE International Symposium on Cluster Computing and the Grid (CCGRID '08), Lyon, France, May 19-22, 2008, IEEE Press, pp 700. [pdf]

[10] P. Yau, A. Tomlinson, S. Balfe, and E. M. Gallery, “Securing grid workflows with trusted computing,” in Proceedings of the 8th International Conference on Computation Science (ICCS ’08), Krakow, Poland, June 23–25, 2008, Springer-Verlag (LNCS 5103), June 2008, pp. 510–519. [pdf]

[11]. C. Gebhardt and A. Tomlinson, “Secure virtual disk images for grid computing,” in Proceedings of the Third Asia-Pacific Trusted Infrastructure Technologies Conference, Wuhan, Hubei, China, October 14-17, 2008, IEEE Press, October 2008, pp. 19–29. [pdf]

[12] A. Leung, P.-W. Yau and C. J. Mitchell, 'Using trusted computing to secure mobile ubiquitous environments' in: Security and Privacy in Wireless and Mobile Networking (Troubador Publishing, 2009), edited by S. Gritzalis, T. Karygiannis and C. Skianis. [pdf]

[13] E. M. Gallery and C. J. Mitchell, 'Trusted computing: Security and applications', Cryptologia, 33 (2009) 217-245. [pdf]

[14] P. Yau and A. Tomlinson, “Enhancing Grid Security using Workflows, Trusted Computing and Virtualisation”, in Proceedings of the 2009 International Conference on Grid Computing and Applications (GCA 2009), Worldcomp ’09, Las Vegas, Nevada, USA, July 13-16, 2009, CSREA Press, July 2009, pp. 113–119. [pdf]

[15] S. Balfe, P. Yau and K. G. Paterson, 'A Guide to Trust in Mobile Ad Hoc Networks', Security and Communication Networks, to appear. [pdf]