Authentication and Authorization in Web Systems Zhenhua Guo Jun-30-2009
Outline • Background • Terminology • Cryptography • REST, Web 2.0, Social Network • Authentication • Authorization • Conclusion
Terminology • Authentication • Authorization • Confidentiality • Integrity • Non-repudiation • Single Sign-On • Delegation
Cryptography [diagram: clear text → encrypt → encrypted text → decrypt → clear text] • Shared-key cryptography • DES, 3DES, AES • Public-key cryptography • RSA, DSA • Digital Certificate • Bind an entity’s identity with a public key • Certificate Authority • Public Key Infrastructure
REST - REpresentational State Transfer • Each resource is identified by a unique ID. • Stateless communication • Link resources together • Resources have multiple representations • Based on HTTP
Web 2.0 • Read-write collaborative web • Participatory nature • Cooperate, not control • … [diagram: Cooperate, Participate, Collaborate → Social Network]
Social Network • Science collaboration • OpenSocial • APIs for web-based social network apps • MySpace, Orkut, Ning…
Security Challenges in WWW • Loosely coupled components • Separation of security policies and security mechanisms. • No single, isolated trusted base • Domain-specific policies • …
Outline • Background • Authentication • Identity Federation • HTTP Auth, SSL • Central Authentication Service • OpenID • Authorization • Conclusion
HTTP Basic Auth • Allows the browser to provide credentials when making a request. • Server challenge: WWW-Authenticate: Basic realm="Secure Area" • Username: Aladdin, Password: open sesame → Aladdin:open sesame → Base64 → Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== • Drawback: Clear text • HTTP Digest Access Auth
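The header construction and server-side check from the slide, as an added example (not from the original deck). It builds the Authorization header for the RFC 2617 Aladdin credential, parses it back (showing that Base64 is encoding, not encryption), and refuses to accept Basic credentials that did not arrive over TLS; the credential store is a constructed stand-in.

```python
import base64
import hmac

# Constructed stand-in credential store: username -> password.
# A real server stores a salted password hash, never the password itself.
USERS = {"Aladdin": "open sesame"}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth (RFC 2617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Recover (username, password) from an Authorization header, or None if malformed.

    Base64 is reversible by anyone who sees the header, which is the 'clear text'
    drawback on the slide: without TLS the password is exposed on the wire.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header: str, over_tls: bool) -> bool:
    """Server-side check: reject Basic credentials sent without TLS, then compare
    the password in constant time so timing does not leak how much of it matched."""
    if not over_tls:
        return False
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```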
SSL/TLS • End-to-end message protection protocol • Features • Uses both shared-key cryptography and public-key cryptography. • Authentication • Key exchange • Confidentiality • Integrity • Non-repudiation • Prevention of replay attacks
Identity Federation • Data across multiple identity management systems can be joined.
Central Authentication Service • https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login • https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu
CAS • Use HTTPS to guarantee confidentiality and integrity. • Advantages • Simplicity • Single Sign-On (ticket-granting cookie) • Drawbacks • Single point of failure • ID federation
OpenID [diagram: discovery, relying party, association]
OpenID • How to discover Identity Providers? • The Relying Party uses the Identifier to look up the necessary information for initiating requests • Solution • XRI • Yadis • HTTP-Based discovery • How to share user attributes beyond authentication? • Solution • Simple Registration Extension • Attribute Exchange
OpenID – Drawbacks • If a user’s username and password are stolen or phished, all of the sites registered with that OpenID become targets. • Quality of OpenID providers varies.
Outline • Background • Authentication • Authorization • Access Control • Grid Security Infrastructure • Shibboleth • OAuth • Conclusion
Access Control • Access Control List • A list of permissions is attached to an object. • Role-Based Access Control • permissions → roles • roles → users • Access Control Matrix • Characterizes the rights of each subject with respect to every object in the system • …
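The three models on the slide side by side, as an added example (not part of the original deck): an access control matrix whose per-object columns are the ACLs, and an RBAC policy built from the two mappings permissions → roles and roles → users, flattened back into the equivalent matrix. The calendar/owner/viewer policy is constructed for illustration.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Rights of every subject over every object; an ACL is one object's column."""

    def __init__(self):
        self._rights = defaultdict(set)  # (subject, obj) -> {right, ...}

    def grant(self, subject, obj, right):
        self._rights[(subject, obj)].add(right)

    def allows(self, subject, obj, right):
        return right in self._rights.get((subject, obj), set())

    def acl(self, obj):
        """Access Control List view: the permissions attached to a single object."""
        return {s: sorted(r) for (s, o), r in self._rights.items() if o == obj and r}


class RBAC:
    """Role-Based Access Control: permissions -> roles, roles -> users."""

    def __init__(self):
        self.role_perms = defaultdict(set)  # role -> {(obj, right), ...}
        self.user_roles = defaultdict(set)  # user -> {role, ...}

    def grant(self, role, obj, right):
        self.role_perms[role].add((obj, right))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        # Removing one role assignment revokes every permission it carried at once.
        self.user_roles[user].discard(role)

    def allows(self, user, obj, right):
        return any((obj, right) in self.role_perms[r] for r in self.user_roles[user])

    def to_matrix(self):
        """Flatten the two RBAC mappings into the matrix of effective rights."""
        m = AccessControlMatrix()
        for user, roles in self.user_roles.items():
            for role in roles:
                for obj, right in self.role_perms[role]:
                    m.grant(user, obj, right)
        return m


def sample_policy():
    """Constructed policy: 'owner' may read and write a calendar, 'viewer' may only read."""
    p = RBAC()
    p.grant("owner", "calendar", "read")
    p.grant("owner", "calendar", "write")
    p.grant("viewer", "calendar", "read")
    p.assign("alice", "owner")
    p.assign("bob", "viewer")
    return p
```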
Architecture (local site) [diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository
Architecture - Push mode (in distributed systems) [diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository; AA: attribute authority
Architecture - Pull mode (in distributed systems) [diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository; AA: attribute authority
GSI • Based on X.509 PKI • Every entity involved in the Grid has an X.509 certificate • Each site trusts the CAs it wants • Each Grid transaction is mutually authenticated • Authorization is enforced using local policies. • Global ID (certificate DN) is mapped to local ID
GSI Features • Proxy Certificate (rfc3820) and Delegation • A temporary credential is generated for the user proxy • Delegation is indicated by the user signing the temporary certificate with a secret. • Single Sign-On • Identity Mapping and Authorization • Global identity is mapped to a local identity before the local identity is used to enforce policies • "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" → benc • "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" → wilde
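The identity-mapping step from the slide, as an added example (not Globus code): a parser for a mapping file in the grid-mapfile convention (one double-quoted certificate DN per line followed by the local account, or a comma-separated list of accounts) and a lookup that fails closed for an unmapped DN. The sample file is constructed around the two DNs on the slide plus an assumed shared-account line.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample mapping file in grid-mapfile style (assumed format):
# "<X.509 subject DN>" local_account[,local_account...]
SAMPLE_GRIDMAP = '''
# DN -> local login
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Shared Ops" ops,admin
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {dn: [local accounts]}.

    Blank lines and '#' comments are skipped. A malformed line (missing quoted DN
    or missing local name) raises ValueError instead of being ignored: silently
    dropping a mapping line is a policy error that is hard to notice later.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # shell-style quoting keeps spaces inside the DN
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f'line {lineno}: expected "<DN>" local[,local...]')
        dn, local_list = parts
        mapping[dn] = [name for name in local_list.split(",") if name]
    return mapping


def map_identity(mapping: Dict[str, List[str]], dn: str,
                 requested: Optional[str] = None) -> Optional[str]:
    """Map the authenticated global identity (certificate DN) to a local ID.

    An unmapped DN yields None so authorization fails closed. If the caller asks
    for a particular local account, it must be one the DN is allowed to use.
    """
    allowed = mapping.get(dn)
    if not allowed:
        return None
    if requested is None:
        return allowed[0]
    return requested if requested in allowed else None
```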
GSI - Drawbacks • Granularity of delegation • All or none • Infrastructure cost
Shibboleth - Flow [diagram: assertions, attribute query]
Shibboleth - Example [diagram: authentication at the home site; attribute asserted: the user is an IU student] • InCommon “more than 3 million end-users”
OAuth - Features • A third-party app can access a user’s data stored at the service provider without requiring the user’s username and password. • Delegated authorization protocol • Explicit user consent is mandatory. • Lightweight
OAuth - Flow [diagram: third-party application ↔ Google Calendar; consent prompt: “Would you like the third-party app to access your Google Calendar data?”; result shown to the app: “Your Google Calendar data is: …”]
OAuth - Drawbacks • Delegation granularity • Error handling • Token expiration and revocation
GSI vs. CAS* vs. Shibboleth vs. OAuth (* CAS: Community Authorization Service)
Research Opportunities • Authorization granularity • Trust management