A Formal Model for the Grid Security Infrastructure

Baiyan Li, Ruonan Rao, Minglu Li, and Jinyuan You

Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, China
libaiyan@sjtu.edu.cn

Abstract. The Grid Security Infrastructure (GSI) proposed and implemented in the Globus Toolkit has been a widely accepted solution for the security of grids in recent years. However, no formal analysis or modelling of the security mechanisms of GSI has yet appeared in the literature. In this paper, we propose a formal logic and formalize the primary security mechanisms of GSI using that logic. Our formalism is not only useful in understanding GSI but also provides a substantial theoretical basis for high-level security mechanisms to be developed on top of GSI for the emerging service-oriented grid.

1 Introduction

Grid computing is mainly concerned with the problem of resource sharing within the Virtual Organization (VO) [1, 2]. The protection of the shared resources of a VO is therefore clearly a critical task of a secure grid environment. As the most important solution for the security of the computational grid, the Grid Security Infrastructure (GSI) [3, 4, 5] has received much attention since it was proposed in the Globus project in 1997. However, since the emergence of the Open Grid Services Architecture (OGSA) [6], research interest in grid computing has shifted rapidly from the high-performance computational grid to the service-oriented grid. GT3, whose security mechanisms were implemented using WS-Security, WS-Trust, WS-SecureConversation and SOAP, is a vivid instance of this tendency [4]. In the service-oriented grid, various computing resources and facilities are abstracted and implemented in a unified form: the grid service.
So the security mechanisms in GSI, which were originally designed for the computational grid, should be significantly adjusted or integrated with high-level security mechanisms, such as published security policy [4] or role-based access control, to meet the requirements of the new environment.

As the first step in extending the security mechanisms of GSI, we shall investigate those mechanisms in detail and evaluate the feasibility of various GSI extensions in a strict manner. For these purposes, we propose a

This work is supported by 973 project (No.2002CB312002) of China, ChinaGrid Program of MOE of China, and grand project of the Science and Technology Commission of Shanghai Municipality (No. 03dz15027).

X. Zhou et al. (Eds.): WISE 2004, LNCS 3306, pp. 706–717, 2004. © Springer-Verlag Berlin Heidelberg 2004