Authentication and Authorization in Web Systems Zhenhua Guo Jun-30-2009 Outline Background Terminology Cryptography REST, Web 2.0, Social Network Authentication Authorization Conclusion.
Authentication and
Authorization in Web Systems
Zhenhua Guo
Jun-30-2009
1
Outline
Background
Terminology
Cryptography
REST, Web 2.0, Social Network
Authentication
Authorization
Conclusion
2
Terminology
Authentication
Authorization
Confidentiality
Integrity
Non-repudiation
Single Sign-On
Delegation
3
Cryptography
Diagram: clear text → encrypt → encrypted text → decrypt → clear text
Shared-key cryptography
DES, 3DES, AES
Public-key cryptography
RSA, DSA
Digital Certificate
Bind an entity’s identity with a public key
Certificate Authority
Public Key Infrastructure
4
REST - REpresentational State Transfer
Each resource is identified by a unique ID.
Stateless communication
Link resources together
Resources have multiple representations
Based on HTTP
HTTP method   CRUD operation
GET           Read
POST          Create
PUT           Update
DELETE        Delete

Resource      GET                  PUT                     POST         DELETE
/accounts     list all accounts    unused                  add account  unused
/accounts/id  get account details  update account details  unused       delete account
5
Web 2.0
Read-write collaborative web
Participatory nature
Cooperate, not control
…
Cooperate, Participate, Collaborate
Social Network
6
Social Network
Science collaboration
OpenSocial
APIs for web-based social network apps
MySpace, Orkut, Ning…
7
Security Challenges in WWW
Loosely coupled components
Separation of security policies and security
mechanisms.
No single, isolated trusted base
Domain-specific policies
…
8
Outline
Background
Authentication
Identity Federation
HTTP Auth, SSL
Central Authentication Service
OpenID
Authorization
Conclusion
9
HTTP Basic Auth
Allows the browser to provide credentials when making a request.
WWW-Authenticate: Basic realm="Secure Area"
Username: Aladdin
Password: open sesame
"Aladdin:open sesame" → Base64 → QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Drawback: clear text (Base64 is an encoding, not encryption; the password is recoverable by anyone who sees the header)
HTTP Digest Access Auth
10
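To make the slide's point concrete, here is an added example (not part of the original deck) that builds and decodes the Basic header from the slide, checks it server-side with a constant-time comparison, and computes the RFC 2617 Digest response so the password never leaves the client. The Digest values in the test are the RFC 2617 worked example (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); the helper names are my own.

```python
import base64
import hashlib
import hmac


def basic_header(username, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value):
    """Recover (username, password) from a Basic header. Base64 is an encoding,
    not encryption: anyone who sees the header sees the password."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def check_basic(value, expected_user, expected_password):
    """Server-side Basic check. compare_digest avoids leaking the password
    length or matching prefix through timing differences."""
    try:
        user, pw = decode_basic_header(value)
    except (ValueError, UnicodeDecodeError):
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(pw.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok


def _md5_hex(s):
    # MD5 is what RFC 2617 specifies; it is weak as a general hash, but here it
    # only keeps the clear-text password off the wire.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: only MD5 digests bound to
    the server nonce, the client nonce and the request are sent."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_digest(stored_ha1, method, uri, nonce, nc, cnonce, presented, qop="auth"):
    """Server side: the server stores HA1 (username:realm:password digest)
    instead of the clear-text password and recomputes the expected response."""
    ha2 = _md5_hex(f"{method}:{uri}")
    expected = _md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, decode_basic_header(hdr))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

Digest removes the clear-text drawback but not much else: the server nonce and nonce count are what stop a captured response from being replayed, so a server that accepts any nonce value gets none of that protection.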
SSL/TLS
End-to-End message protection protocol
Features
Use both shared-key cryptography and public-key
cryptography.
Authentication
Key exchange
Confidentiality
Integrity
Non-repudiation
Prevention of replay attack
11
Identity Federation
Data across multiple identity management
systems can be joined.
12
Central Authentication Service
Login redirect to CAS:
https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login
Redirect back to the service with a ticket:
https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu
13
CAS
Use HTTPS to guarantee confidentiality and
integrity.
Advantages
Simplicity
Single Sign-On (ticket-granting cookie)
Drawbacks
Single point of failure
ID federation
14
OpenID
Diagram: OpenID flow (relying party, discovery, association)
15
OpenID
How to discover Identity Providers?
Solution
The Relying Party uses the Identifier to look up the
necessary information for initiating requests
XRI
Yadis
HTTP-Based discovery
How to share user attributes beyond authentication?
Solution
Simple Registration Extension
Attribute Exchange
16
OpenID – Drawbacks
If a user's username and password are stolen or phished, then all of the sites registered with that identity become targets.
Quality of OpenID providers varies.
17
Kerberos vs. CAS vs. OpenID
                             CAS        Kerberos   OpenID
Layer                        HTTP       TCP/UDP    HTTP
Confidentiality + Integrity  SSL        Built in   Built in
Cross-Domain                 Very hard  Hard       Easy
Single Point of Failure      Yes        Yes        No
Single Sign-On               Yes        Yes        Yes
Replay attack                Yes        Yes        Yes
ID Federation                No         No         Yes
18
Outline
Background
Authentication
Authorization
Access Control
Grid Security Infrastructure
Shibboleth
OAuth
Conclusion
19
Access Control
Access Control List
A list of permissions is attached to an object.
Role-Based Access Control
permissions → roles
roles → users
Access Control Matrix
Characterizes the rights of each subject with respect to every object in the system.
…
20
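An added example, not from the deck, that implements the three models on the slide side by side: an ACL hung off each object, RBAC with the slide's two mappings (permissions → roles, roles → users), and a full subject × object matrix from which an ACL (one column) and a capability list (one row) can be read off. All class and method names are my own; the subjects, objects and rights are constructed sample data.

```python
from collections import defaultdict


class AccessControlList:
    """ACL: every object carries the (subject, permission) pairs it grants."""

    def __init__(self):
        self._acl = defaultdict(set)  # object -> {(subject, permission)}

    def grant(self, obj, subject, perm):
        self._acl[obj].add((subject, perm))

    def allowed(self, subject, perm, obj):
        # Unknown objects have an empty ACL, so the default answer is "deny".
        return (subject, perm) in self._acl[obj]


class RoleBasedAccessControl:
    """RBAC: permissions attach to roles, roles attach to users. Revoking a
    role removes every permission it carried in one step."""

    def __init__(self):
        self._role_perms = defaultdict(set)  # role -> {(permission, object)}
        self._user_roles = defaultdict(set)  # user -> {role}

    def grant_to_role(self, role, perm, obj):
        self._role_perms[role].add((perm, obj))

    def assign(self, user, role):
        self._user_roles[user].add(role)

    def revoke(self, user, role):
        self._user_roles[user].discard(role)

    def allowed(self, user, perm, obj):
        return any((perm, obj) in self._role_perms[r] for r in self._user_roles[user])


class AccessControlMatrix:
    """Rights of each subject with respect to every object. An ACL is one
    column of the matrix; a capability list is one row."""

    def __init__(self, subjects, objects):
        self._m = {(s, o): set() for s in subjects for o in objects}

    def set_rights(self, subject, obj, rights):
        if (subject, obj) not in self._m:
            raise KeyError(f"unknown subject/object pair: {subject}, {obj}")
        self._m[(subject, obj)] = set(rights)

    def allowed(self, subject, perm, obj):
        return perm in self._m.get((subject, obj), set())

    def acl_for(self, obj):
        """Column view: who may do what to this object."""
        return {s: r for (s, o), r in self._m.items() if o == obj and r}

    def capabilities_of(self, subject):
        """Row view: what this subject may do to each object."""
        return {o: r for (s, o), r in self._m.items() if s == subject and r}


if __name__ == "__main__":
    # Constructed sample: the REST resources from the earlier slide.
    m = AccessControlMatrix(["alice", "bob"], ["/accounts", "/accounts/1"])
    m.set_rights("alice", "/accounts", {"read", "create"})
    m.set_rights("bob", "/accounts/1", {"read"})
    print(m.acl_for("/accounts"), m.capabilities_of("bob"))
```

The matrix makes the trade-off visible: it answers both "who can touch this object" and "what can this subject reach", but it has to be stored and kept consistent for every pair, which is why real systems keep either its columns (ACLs) or its rows (capabilities, the mechanism the later CAS* row in the comparison table refers to).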
Architecture (local site)
VS: validation service
PEP: policy enforcement point
PDP: policy decision point
AR: attribute repository
21
Architecture - Push mode
(in distributed systems)
VS: validation service
PEP: policy enforcement point
PDP: policy decision point
AR: attribute repository
AA: attribute authority
22
Architecture - Pull mode
(in distributed systems)
VS: validation service
PEP: policy enforcement point
PDP: policy decision point
AR: attribute repository
AA: attribute authority
23
GSI (Grid Security Infrastructure)
24
GSI
Based on X.509 PKI
Every entity involved in the Grid has an X.509
certificate
Each site trusts the CAs it wants
Each Grid transaction is mutually
authenticated
Authorization is enforced using local policies.
Global ID (certificate DN) is mapped to local ID
25
GSI Features
Proxy Certificate (rfc3820) and Delegation
A temporary credential is generated for the user
proxy
Delegation is indicated by user signing the
temporary certificate with a secret.
Single Sign-On
Identity Mapping and Authorization
Global identity is mapped to a local identity before the local identity is used to enforce policies
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
26
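The two mapping lines on the slide have the shape of a Globus grid-mapfile entry (a quoted certificate DN followed by a local account). As an added example, not Globus code, here is a small parser and lookup for that format; the file contents are constructed from the slide's two lines plus a comment and a multi-account entry, and the comma-separated multiple-account syntax is an assumption about the format rather than something the slide states.

```python
import shlex

# Constructed grid-mapfile: the two entries from the slide plus a comment line
# and a multi-account entry (comma-separated accounts assumed).
GRID_MAPFILE = '''
# "<certificate DN>" <local account>[,<local account>...]
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
"/C=US/O=Example/CN=Shared Service" svc1,svc2
'''


def parse_grid_mapfile(text):
    """Return {DN: [local accounts]}; malformed lines are rejected rather than
    silently skipped, since a bad mapping file is a security failure."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted DN, which contains spaces, together
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account', got {line!r}")
        dn, accounts = parts
        if not dn.startswith("/"):
            raise ValueError(f"line {lineno}: DN must start with '/'")
        names = [a for a in accounts.split(",") if a]
        if not names:
            raise ValueError(f"line {lineno}: no local account given")
        mapping[dn] = names
    return mapping


def map_global_to_local(mapping, dn, requested=None):
    """Map an authenticated certificate DN to the local identity that policies
    are enforced against. Returns None (deny) when the DN is unmapped or the
    requested account is not one the DN is allowed to use."""
    accounts = mapping.get(dn)
    if accounts is None:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    table = parse_grid_mapfile(GRID_MAPFILE)
    print(map_global_to_local(table, "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford"))
```

The lookup is an exact match on the whole DN string, which is the property that matters here: the authenticated identity is the DN from the verified certificate (or proxy chain), and only the mapping file decides which local account, if any, it becomes.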
GSI - Drawbacks
Granularity of delegation
All or none
Infrastructure cost
27
Shibboleth - Flow
Diagram: Shibboleth flow (assertions, attribute query)
28
Shibboleth - Example
Diagram: the user is an IU student
InCommon: "more than 3 million end-users"
29
OAuth - Features
A third party app can access user’s data
stored at service provider without requiring
username and password.
Delegated authorization protocol
Explicit user consent is mandatory.
Light-weight
30
OAuth - Flow
Diagram: user, third-party application, Google Calendar
31
Diagram: consent prompt "Would you like the third party app to access your Google Calendar data?", then the application showing "Your google calendar data is:"
32
OAuth - Drawbacks
Delegation granularity
Error handling
Token expiration and revocation
33
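To show what the features and drawbacks slides mean in code, here is an added example (my own toy service provider, not Google's or any real OAuth implementation) of delegated authorization: the user consents, the provider issues a scoped token to the third-party application, the application reads calendar data with that token and never sees the user's password, and the token can expire or be revoked. Class names, scope strings and the sample calendar data are all constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    owner: str          # the user who delegated access
    client: str         # the third-party application it was issued to
    scope: frozenset    # delegation granularity: what the client may do
    expires_at: float
    revoked: bool = False


class ServiceProvider:
    """Toy service provider holding user data and the tokens that delegate access."""

    def __init__(self, clock=time.time, lifetime=3600):
        self._clock = clock            # injectable so expiry can be tested
        self._lifetime = lifetime
        self._tokens = {}              # token string -> AccessToken
        self._data = {"alice": ["dentist 10:00", "standup 11:00"]}  # constructed

    def authorize(self, owner, client, requested_scope, user_consented):
        """Issue a token only with explicit user consent (the slide's mandatory step)."""
        if not user_consented:
            raise PermissionError("user declined")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = AccessToken(owner, client, frozenset(requested_scope),
                                          self._clock() + self._lifetime)
        return token

    def revoke(self, owner, token):
        """Only the delegating user may revoke; returns whether anything changed."""
        rec = self._lookup(token)
        if rec is None or rec.owner != owner:
            return False
        rec.revoked = True
        return True

    def _lookup(self, token):
        # Constant-time comparison against each stored handle so a guessed token
        # cannot be confirmed byte by byte through timing.
        for stored, rec in self._tokens.items():
            if hmac.compare_digest(stored, token):
                return rec
        return None

    def _check(self, token, needed):
        rec = self._lookup(token)
        if rec is None:
            return None, "unknown token"
        if rec.revoked:
            return None, "revoked"
        if self._clock() >= rec.expires_at:
            return None, "expired"
        if needed not in rec.scope:
            return None, "insufficient scope"
        return rec, "ok"

    def read_calendar(self, token):
        rec, why = self._check(token, "calendar:read")
        if rec is None:
            return None, why
        return list(self._data.get(rec.owner, [])), why

    def add_event(self, token, event):
        rec, why = self._check(token, "calendar:write")
        if rec is None:
            return False, why
        self._data.setdefault(rec.owner, []).append(event)
        return True, why


if __name__ == "__main__":
    sp = ServiceProvider()
    tok = sp.authorize("alice", "printer-app", ["calendar:read"], user_consented=True)
    print(sp.read_calendar(tok))
    print(sp.add_event(tok, "lunch 12:00"))   # denied: read-only delegation
```

The scope set is where the "delegation granularity" drawback lives: the provider can only enforce distinctions it has named as scopes, and the expiry and revocation checks are exactly the parts the "token expiration and revocation" drawback notes were left to each implementation.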
GSI vs. CAS* vs. Shibboleth vs. OAuth
                        GSI            CAS*          Shibboleth       OAuth
Delegation              Yes            Yes           Yes (read only)  Yes (needs user intervention)
Delegation Granularity  Impersonation  Fine-grained  Depends on SP    Implementation Specific
Tech                    Proxy Cert     Capability    SAML             HTTP
Infrastructure Cost     High           High          Low              Low
WAN                     No             No            Yes              Yes
Mode                    N/A            Push          Both             N/A
CAS*: Community Authorization Service
34
Research Opportunities
Authorization granularity
Trust management
35
Questions?
36