Authentication and Authorization in Web Systems
Zhenhua Guo
Jun-30-2009

Outline
- Background: Terminology, Cryptography, REST, Web 2.0, Social Network
- Authentication
- Authorization
- Conclusion

Terminology
- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-repudiation
- Single Sign-On
- Delegation

Cryptography
[Figure: clear text → encrypt → encrypted text → decrypt → clear text]
- Shared-key cryptography: DES, 3DES, AES
- Public-key cryptography: RSA, DSA
- Digital Certificate: binds an entity's identity to a public key
- Certificate Authority (CA)
- Public Key Infrastructure (PKI)

REST - REpresentational State Transfer
- Each resource is identified by a unique ID.
- Stateless communication
- Resources are linked together
- Resources have multiple representations
- Based on HTTP: GET = read, POST = create, PUT = update, DELETE = delete

Method   /accounts            /accounts/id
GET      list all accounts    get account details
PUT      unused               update account details
POST     add account          unused
DELETE   unused               delete account

Web 2.0
- Read-write collaborative web
- Participatory nature
- Cooperate, not control ...
- Cooperate, Participate, Collaborate → Social Network

Social Network
- Science collaboration
- OpenSocial: APIs for web-based social network apps
- MySpace, Orkut, Ning, ...

Security Challenges in WWW
- Loosely coupled components
- Separation of security policies from security mechanisms
- No single, isolated trusted base
- Domain-specific policies ...

Outline
- Background
- Authentication: Identity Federation; HTTP Auth, SSL; Central Authentication Service; OpenID
- Authorization
- Conclusion

HTTP Basic Auth
- Lets the browser supply a credential when making a request.
- Server challenge: WWW-Authenticate: Basic realm="Secure Area"
- Username: Aladdin, Password: open sesame
- "Aladdin:open sesame" → Base64 → Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Drawback: the credential travels in clear text. Base64 is an encoding, not encryption; anyone who observes the request recovers the password.
- Alternative: HTTP Digest Access Auth (the password itself is never put on the wire)

SSL/TLS
- End-to-end message protection protocol
- Uses both shared-key cryptography and public-key cryptography.
- Features:
  - Authentication
  - Key exchange
  - Confidentiality
  - Integrity
  - Non-repudiation (caveat: only the signed handshake is non-repudiable; the record layer protects application data with symmetric MACs, which either party could have produced)
  - Prevention of replay attacks
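To make the Basic Auth drawback concrete and contrast it with Digest, here is an added example (not code from the slides): it builds and decodes the exact Basic header shown above, then implements the client and server halves of RFC 2617 Digest with qop="auth". The server stores only HA1 = MD5(user:realm:password) and tracks the nonce count, so a captured Digest header reveals no password and cannot be replayed. The realm, user and nonce values are the slide's or constructed for the example; the `DigestServer` class and its method names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample values, taken from the HTTP Basic Auth slide above.
USERNAME = "Aladdin"
PASSWORD = "open sesame"
REALM = "Secure Area"


def basic_header(username, password):
    """Authorization header a browser sends for HTTP Basic Auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header):
    """What anyone who sees the request can do: Base64 is reversible."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


# --- HTTP Digest Access Authentication (RFC 2617, qop="auth") ---

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def _digest(ha1, method, uri, nonce, nc, cnonce):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_header(username, password, realm, method, uri, nonce, nc, cnonce=None):
    """Client side: the password only enters the hash; it is never sent."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = _md5(f"{username}:{realm}:{password}")
    resp = _digest(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {k: quoted or bare for k, quoted, bare in _FIELD.findall(rest)}


class DigestServer:
    """Server side (example class): keeps HA1 per user, not the password,
    and the highest nonce count seen per nonce to reject replays."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}      # username -> MD5(user:realm:password)
        self.nonces = {}   # nonce -> highest nc accepted so far

    def add_user(self, username, password):
        self.ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, header, method):
        """`method` comes from the request line, so a forged uri/method fails."""
        try:
            f = parse_digest_header(header)
            ha1 = self.ha1[f["username"]]
            last_nc = self.nonces[f["nonce"]]
            nc = int(f["nc"], 16)
        except (KeyError, ValueError):
            return False
        if f.get("realm") != self.realm or f.get("qop") != "auth" or nc <= last_nc:
            return False   # wrong realm/qop, unknown nonce, or replayed nonce count
        expected = _digest(ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
        if not hmac.compare_digest(expected, f["response"]):
            return False
        self.nonces[f["nonce"]] = nc
        return True
```

Digest still relies on MD5 and protects only the credential, not the rest of the request, which is why the next slide's TLS is the real fix; the example shows what the scheme itself does and does not hide.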
Identity Federation
- Data across multiple identity management systems can be joined.

Central Authentication Service (CAS)
1. The application sends the browser to CAS, naming the URL to return to:
   https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login
2. After the user logs in, CAS redirects the browser back to the application with a service ticket:
   https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu
3. The application validates the ticket with CAS server-to-server before trusting the login.
- CAS uses HTTPS to guarantee confidentiality and integrity.
- Advantages: simplicity; Single Sign-On (ticket-granting cookie)
- Drawbacks: single point of failure; no ID federation

OpenID
[Figure: relying party, discovery, association]
- How to discover Identity Providers? The Relying Party uses the Identifier to look up the information needed to initiate requests: XRI, Yadis, HTTP-based discovery
- How to share user attributes beyond authentication? Simple Registration Extension, Attribute Exchange

OpenID - Drawbacks
- If a user's username and password are stolen or phished, every site the user registered with becomes a target.
- Quality of OpenID providers varies.

Kerberos vs. CAS vs. OpenID
                              CAS        Kerberos   OpenID
Layer                         HTTP       TCP/UDP    HTTP
Confidentiality + Integrity   SSL        Built in   Built in
Cross-Domain                  Very hard  Hard       Easy
Single Point of Failure       Yes        Yes        No
Single Sign-On                Yes        Yes        Yes
Replay-attack protection      Yes        Yes        Yes
ID Federation                 No         No         Yes

Outline
- Background
- Authentication
- Authorization: Access Control; Grid Security Infrastructure; Shibboleth; OAuth
- Conclusion

Access Control
- Access Control List (ACL): a list of permissions is attached to an object.
- Role-Based Access Control (RBAC): permissions → roles, roles → users
- Access Control Matrix
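Returning to the CAS exchange shown above (redirect to the login page carrying the service URL, redirect back with a service ticket, server-to-server validation), here is an added example that models those three steps and the ticket-granting cookie; it is not CAS's own code, and the hostnames and the 10-second ticket lifetime are assumptions. It shows the properties a service ticket needs: it is bound to one service, usable once, short-lived, and, through the TGC, a second application gets its own ticket without another password prompt.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class CASServer:
    """Simplified model of a CAS server (example code, not the CAS project's)."""

    ST_LIFETIME = 10  # seconds a service ticket stays valid (assumption)

    def __init__(self, login_url="https://cas.example.edu/cas/login", clock=time.time):
        self.login_url = login_url
        self.clock = clock
        self.users = {}     # username -> password (constructed sample store)
        self.tgts = {}      # ticket-granting cookie value -> username
        self.tickets = {}   # service ticket -> (username, service, issued_at)

    def login_redirect(self, service):
        """Step 1: the application sends the browser here, naming itself as the service."""
        return f"{self.login_url}?{urlencode({'service': service})}"

    def login(self, username, password, service, tgc=None):
        """Step 2: authenticate (or reuse a valid TGC) and redirect back with a ticket.
        Returns (redirect_url, tgc) or (None, None) on failure."""
        if tgc in self.tgts:
            username = self.tgts[tgc]                 # SSO: no password prompt
        elif username is not None and self.users.get(username) == password:
            tgc = "TGC-" + secrets.token_urlsafe(24)  # set as a cookie on the CAS domain
            self.tgts[tgc] = username
        else:
            return None, None
        st = "ST-" + secrets.token_urlsafe(24)
        self.tickets[st] = (username, service, self.clock())
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}{urlencode({'ticket': st})}", tgc

    def validate(self, ticket, service):
        """Step 3: the application asks CAS who the ticket belongs to.
        A ticket is consumed on first use, must match the service it was
        issued for, and expires; any failure returns None."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        username, bound_service, issued = entry
        if bound_service != service or self.clock() - issued > self.ST_LIFETIME:
            return None
        return username

    def logout(self, tgc):
        """Single logout at CAS: drop the TGC so no further tickets are issued."""
        self.tgts.pop(tgc, None)


def ticket_from_url(url):
    """What the application does with the redirect it receives: extract the ticket."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]
```

Validation happens over a direct HTTPS call from the application to CAS, never through the browser, which is what lets the application trust the username CAS returns even though the ticket itself travelled through the user's browser.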
Access Control (cont.)
- Access Control Matrix: characterizes the rights of each subject with respect to every object in the system ...

Architecture (local site)
- VS: validation service
- PEP: policy enforcement point
- PDP: policy decision point
- AR: attribute repository

Architecture - Push mode (in distributed systems)
- VS, PEP, PDP, AR as above, plus AA: attribute authority
- The subject obtains its attributes from the AA and pushes them along with the request; the PEP hands them to the PDP.

Architecture - Pull mode (in distributed systems)
- VS, PEP, PDP, AR, AA as above
- The subject presents only its identity; the PDP pulls the subject's attributes from the AA when it needs them.

GSI (Grid Security Infrastructure)
- Based on X.509 PKI
- Every entity involved in the Grid has an X.509 certificate
- Each site trusts the CAs it chooses
- Each Grid transaction is mutually authenticated
- Authorization is enforced using local policies.
- Global ID (certificate DN) is mapped to a local ID

GSI Features
- Proxy Certificate (RFC 3820) and Delegation: a temporary key pair and certificate are generated for the user proxy; delegation is expressed by the user signing that temporary certificate with the user's own private key.
- Single Sign-On
- Identity Mapping and Authorization: the global identity is mapped to a local identity, and the local identity is then used to enforce policies, e.g.
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford"  benc
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde"     wilde

GSI - Drawbacks
- Granularity of delegation: all or none
- Infrastructure cost

Shibboleth - Flow
[Figure: SAML assertions; attribute query]

Shibboleth - Example
- Assertion: the user is an IU student
- InCommon: "more than 3 million end-users"

OAuth - Features
- A third-party app can access a user's data stored at a service provider without requiring the user's username and password.
- Delegated authorization protocol
- Explicit user consent is mandatory.
- Light-weight

OAuth - Flow
[Figure: third-party application ↔ Google Calendar; consent prompt to the user: "Would you like the third party app to access your Google Calendar data?"]
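The OAuth flow sketched above (third-party app, service provider holding the user's data, explicit consent) as an added example, not code from the slides or from Google: it implements the OAuth 1.0 HMAC-SHA1 signing scheme (RFC 5849 signature base string) on both sides, the request-token / consent / access-token exchange, and the provider-side checks that make the scheme hold up: timestamp window, nonce replay rejection, tamper detection, and token revocation, which the next slide lists as a weak spot. The consumer key, secrets, URL and the 300-second skew window are constructed values and assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def _enc(value):
    """OAuth 1.0 percent-encoding: RFC 3986 unreserved characters only."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 extra_params=None, nonce=None, timestamp=None):
    """Third-party app side: parameters for one protected-resource request.
    Neither secret is transmitted; only the signature derived from them is."""
    params = dict(extra_params or {})
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Service provider side (example class): consent, tokens, revocation, verification."""

    TIMESTAMP_WINDOW = 300  # seconds of clock skew tolerated (assumption)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.consumers = {}       # consumer_key -> consumer_secret
        self.request_tokens = {}  # token -> {secret, consumer, user, verifier}
        self.access_tokens = {}   # token -> {secret, consumer, user}
        self.seen_nonces = set()  # (consumer_key, timestamp, nonce)

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            return None
        token, secret = "rt-" + secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, user, consent):
        """The consent screen: the user, logged in at the provider, approves or declines."""
        rt = self.request_tokens.get(token)
        if rt is None or not consent:
            return None
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]

    def exchange(self, token, verifier):
        """Swap an authorized request token for an access token; request token is single use."""
        rt = self.request_tokens.pop(token, None)
        if rt is None or rt["verifier"] is None or not hmac.compare_digest(rt["verifier"], verifier):
            return None
        at, secret = "at-" + secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[at] = {"secret": secret, "consumer": rt["consumer"], "user": rt["user"]}
        return at, secret

    def revoke(self, token):
        """User (or provider) withdraws consent: later requests with this token fail."""
        self.access_tokens.pop(token, None)

    def verify_request(self, method, url, params):
        """Return the user the request acts for, or None if it must be rejected."""
        try:
            consumer_key = params["oauth_consumer_key"]
            consumer_secret = self.consumers[consumer_key]
            at = self.access_tokens[params["oauth_token"]]
            ts, nonce, signature = int(params["oauth_timestamp"]), params["oauth_nonce"], params["oauth_signature"]
        except (KeyError, ValueError):
            return None
        if at["consumer"] != consumer_key or abs(self.clock() - ts) > self.TIMESTAMP_WINDOW:
            return None
        if (consumer_key, ts, nonce) in self.seen_nonces:
            return None  # replayed request
        expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, at["secret"])
        if not hmac.compare_digest(expected, signature):
            return None  # wrong secret, or any parameter/URL/method was altered in transit
        self.seen_nonces.add((consumer_key, ts, nonce))
        return at["user"]
```

Because the signature covers the method, URL and every parameter, the provider can accept the request over plain HTTP without an attacker being able to alter it or reuse it; what the signature does not give is any limit on what the token may do, which is the "delegation granularity" drawback on the next slide.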
OAuth - Drawbacks
- Delegation granularity
- Error handling
- Token expiration and revocation

GSI vs. CAS* vs. Shibboleth vs. OAuth
                         GSI             CAS*            Shibboleth        OAuth
Delegation               Yes             Yes             Yes (read only)   Yes (needs user intervention)
Delegation granularity   Impersonation   Fine-grained    Depends on SP     Implementation specific
Tech                     Proxy Cert      Capability      SAML              HTTP
Infrastructure cost      High            High            Low               Low
WAN                      No              No              Yes               Yes
Mode                     N/A             Push            Both              N/A
* CAS here is the Community Authorization Service (Globus), not the Central Authentication Service discussed under Authentication.

Research Opportunities
- Authorization granularity
- Trust management

Questions?