
Mobile Agent for Secure Web-Service

Mobile Agent for Secure Web-Service. Debashis Roy, Katayoon Moazzami, Rachita Singh. Outline: Introduction; Security issues in mobile agent & web service integration; Selected Papers; Agent-based Delegation Model; Bilinear Diffie-Hellman Public Key System


Presentation Transcript


  1. Mobile Agent for Secure Web-Service Debashis Roy, Katayoon Moazzami, Rachita Singh

  2. Outline • Introduction • Security issues in mobile agent & web service integration • Selected Papers • Agent-based Delegation Model • Bilinear Diffie-Hellman Public Key System • Boneh-Franklin ID-based Public Key Scheme • Conclusion

  3. Introduction • Web services • Based on XML, SOAP, WSDL • Enables communication between software & client • Invokes services from service provider • Information retrieval, online calculation, etc. • Mobile agent • Mobile executable object • Dispatched from owner/agent service provider • Migrates autonomously in the network

  4. Why Mobile Agent? • Mobile agent can migrate in the network independently • Returns to the owner after finishing the task • Does not need a continuous network connection, as conventional RPC does • Applicable to devices with limited bandwidth and resources

  5. Security Issues • Non-repudiation • Verify the sender & the recipient are the parties who claim to send or receive the message • Authentication • Verify digital identity of the sender/receiver • Authorization • Decide the access to data or function • Use traditional ACL (Access Control List) or RBAC (Role Based Access Control)

  6. Selected Papers • H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D. S. Park, “Agent-Based Delegation Model for the Secure Web Service in Ubiquitous Computing Environments”, International Conference on Hybrid Information Technology, ICHIT '06, Volume 1, pp.51-57, Nov. 2006. • J. Zhang, Y. Wang, V. Varadharajan, “Mobile Agent and Web Service Integration Security Architecture”, IEEE International Conference on Service-Oriented Computing and Applications, SOCA '07, pp.172-179, June 2007. • J. Zhang, Y. Wang, V. Varadharajan, “A New Security Scheme for Integration of Mobile Agents and Web Services”, Second International Conference on Internet and Web Applications and Services (ICIW'07), pp.43-48, May 2007.

  7. Agent-based Delegation Model • All communication is done with the help of agents. • The user gives his/her credentials to his/her agents; the agents transfer the user’s credentials to web service providers. • Extends the SAML 1.1/2.0 (Security Assertion Markup Language) specification to transfer the delegation information among the user and the agents

  8. Components of Delegation Model • Web-Service Management Server (WSMS) • Based on XACML (eXtensible Access Control Markup Language) model. • Mediator between the users and the web service providers • Manages the web services and the policies registered by the web service providers • Assigns appropriate roles to the user.

  9. Components of Delegation Model (contd.) • Principal (P) • The user who delegates his/her rights to agents • Principal Agent (PA) • Communicates with other agents on behalf of P • Carrier Agent (CA) • PA delegates its rights to CA • CA can communicate with other agents if required • Service Agent (SA) • Verifies the validity of delegation assertion • Processes P’s service request

  10. Components of Delegation Model (contd.) • Authentication Authority (AA) • Authenticates Ps or agents • Delegation Authority (DA) • Issues delegation assertions to authenticated agents

  11. The Delegation Model

  12. Delegation Assertion • Indicates whether P or an agent is capable of delegating their rights or not. • Based on the SAML (Security Assertion Markup Language) specification • Digitally signed by DA • P’s information is encrypted with AA’s public key • Contains additional information such as • Service provider’s URL • Inputs to the WSDL • Least role • Recipient agent PA • Encrypted with service provider’s public key

  13. Delegation Interaction

  14. Discussion • Agents can delegate their rights to other agents without any privacy disclosure • Principal agent PA has complete control over all delegation operations • No agent can delegate its rights to another agent without PA’s approval • The communication between any two components is encrypted with a public key cryptosystem • Requires a considerable amount of time and resources for encryption and decryption

  15. Bilinear Diffie-Hellman Public Key System • ID-based authentication instead of the certification authority (CA) • One key required for encrypting a service available to a group of users • Based on the computational Diffie-Hellman and the Bilinear Diffie-Hellman assumption

  16. Assumptions • Web service provider consists of different web services to which users can be assigned • Each of these users has a mobile agent • The users that are assigned to a specific web service resource form a group • Web service provider acts as a key distribution centre (KDC) • Keys allocated to each group of users • The users are free to join any web service resource and leave any one

  17. Steps • System setup • Subscription • Signature scheme • Authentication scheme • Encryption • Decryption • Re-keying

  18. System setup • $p = 2q + 1$ • $G_1$, $G_2$ of order $p$ (BDH assumption) • Master key $s \in Z_q^*$ • $P$ belonging to the additive group $G_1$ • $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to G_2$ • $P_{pub} = sP$ • $s_{ID} = sQ_{ID}$ ($Q_{ID} = H_1(ID)$) private key

  19. Subscription • If there are $n$ users using $l$ web service resources, an $n \times l$ matrix is set where the $ij$th element is 1 if user $i$ is a part of user group $j$ and 0 otherwise • Signature is a triple $(R_i, S_i, m)$ • $m$ message • $R_i = rQ_i$ • $S_i = (H_2(m, R_i) + r)\,s_{ID_i}$

  20. Authentication • Signed message can be authenticated using the public key and the user ID • Should check $e(S_i, P) = e(H_2(M_r, R_i)\,H_1(ID_i) + R_i,\; P_{pub})$ • $e$ is a computable bilinear map, for some $a, b \in Z_q$ and $P, Q \in G_1$: $e(aP, bQ) = e(P, Q)^{ab}$

  21. Encryption • Considering the $k$th service provider, $t_k$ the number of users using this service resource, $Q_t$ be the user’s public key and $M_k$ a session key or a message for this group of users • and matrices denoted by $a_{ik}$ are set up thus • The ciphertext $(U_{ik}, V_k)$ obtained by • $U_{1k} = r_k P$, $U_{ik} = rQ_{V_{ik}}$ $(2 \le i_k \le t_k)$ • $V_k = M_k \oplus H_2(e(P_{pub}, r_k Q_{V_{1k}}))$ ($r_k \in Z_q^*$ a random number)

  22. Decryption • $Q_{V_{1k}}$ calculated • $M_k$ calculated using

  23. Re-keying • Member changes • Re-keying of the group session key is done by the WSP • changing the group registration matrix S • adding a new row when a member joins • removing a row when a member leaves • recalculating the values of U,V • Web-service changes • adding a new column in the matrix S and recalculating all the parameters

  24. Boneh-Franklin ID-based Public Key Scheme • Security scheme employs an Identity-based public key system • New authentication protocol without using the username/password pair • Alternative method for security mechanism without using the Certification Authorities (CA)

  25. System Description • Web Service provider (WSP) acts as a Key Distribution Centre (KDC) • Has secure channels to distribute keys to the users • Registered users with the same web service resource form a group • Groups denoted as $G[1], G[2], \ldots, G[l]$, resources as $r_1, r_2, \ldots, r_l$ and $l$ as cardinality of web services

  26. New Scheme Setup • Based on ID-based encryption algorithm • WSP computes the system public key $P_{pub} = sP$ and sends it to all registered users • User has to provide his/her identity whenever he/she joins the group • WSP authorizes the user by sending the user’s private key $S_{ID} = sQ_{ID}$ where $Q_{ID} = H_1(ID)$ • $H_1: \{0,1\}^* \to G_1$ and $H_2: G_1 \to \{0,1\}^*$ are two one-way hash functions

  27. New Scheme Setup (cont) • For $n$ users and $l$ services, WSP provides matrix $S$ as • Where $S_{mk} = 1$ if user $u_m$ is a member of web service $G[k]$

  28. Authentication Scheme • User $U_i$ has a unique identification $ID_i$ • Message $M_r$ • Random number $r \in Z_q$ • Generator $P \in G_1$ • Public hash function $H_2: \{0,1\}^* \to Z_q$ • Computes $R_i \leftarrow rQ_i$ and $S_i \leftarrow (H_2(m, R_i) + r)\,s_{ID_i}$ • Signature is the triple $(R_i, S_i, M_r)$ • WSP verifies the signature using the public key and the sender’s $ID_i$.
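
Added example (not from the presentation or the cited papers): the sign and verify steps of this Authentication Scheme slide and of the earlier System setup, Subscription and Authentication slides, run end to end. Assumptions: a real pairing group is replaced by a toy model in which a point aP of G1 is stored as the scalar a mod q, so discrete logs are exposed and the code shows only the algebra of the check, with no security; the helper names, identities and messages are constructed, and one hash helper stands in for both H1 and H2.

```python
import hashlib
import secrets

# Public safe prime p = 2q + 1 (768-bit MODP prime from RFC 2409); g = 4 has order q.
p = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
q, g = (p - 1) // 2, 4
P = 1  # toy G1: the point aP is stored as the scalar a mod q (no security at all)

def h_to_zq(*parts):
    """Stand-in for H1/H2: hash byte strings to a non-zero scalar mod q."""
    digest = hashlib.shake_256(b"|".join(parts)).digest(128)
    return int.from_bytes(digest, "big") % (q - 1) + 1

def pairing(a, b):
    """Toy bilinear map: e(aP, bP) = g^(ab) in the order-q subgroup of Z_p*."""
    return pow(g, a * b % q, p)

def setup():
    s = secrets.randbelow(q - 1) + 1          # master key s in Z_q*
    return s, s * P % q                       # (s, P_pub = sP)

def extract(s, identity):
    return s * h_to_zq(b"H1", identity) % q   # s_ID = s * Q_ID, Q_ID = H1(ID)

def sign(s_id, identity, msg):
    Q = h_to_zq(b"H1", identity)
    r = secrets.randbelow(q - 1) + 1
    R = r * Q % q                             # R_i = r * Q_i
    h = h_to_zq(b"H2", msg, str(R).encode())
    return R, (h + r) * s_id % q              # S_i = (H2(m, R_i) + r) * s_IDi

def verify(p_pub, identity, msg, R, S):
    Q = h_to_zq(b"H1", identity)
    h = h_to_zq(b"H2", msg, str(R).encode())
    # e(S_i, P) == e(H2(m, R_i) * H1(ID_i) + R_i, P_pub)
    return pairing(S, P) == pairing((h * Q + R) % q, p_pub)

def demo():
    s, p_pub = setup()                          # run by the WSP acting as KDC
    alice, bob = b"agent-alice", b"agent-bob"   # constructed identities
    msg = b"invoke:getQuote"                    # constructed message
    R, S = sign(extract(s, alice), alice, msg)
    return {"valid": verify(p_pub, alice, msg, R, S),
            "tampered_msg": verify(p_pub, alice, b"invoke:transfer", R, S),
            "wrong_id": verify(p_pub, bob, msg, R, S)}
```

The verifier needs only P_pub and the sender's identity string, which is the property the slides rely on to avoid certificate lookups.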

  29. Secure Web Service Scheme • Describes web service data encryption • Assumes one encryption key for each service • Data can be encrypted depending on its size • If the data set is not large then it is directly encrypted with the service encryption key • For a large data set, data is first encrypted with a session key and then the session key is encrypted with the service encryption key • Receiver decrypts the session key with its private key, then uses the session key to decrypt the data

  30. Re-keying for member changes and service changes • Three cases for re-keying • New member joins • Existing member leaves • Member switches from one group to another • Member switches from group $G[k]$ to $G[k']$ where $k \ne k'$, WSP updates the registration matrix $S$

  31. Re-keying for member changes and service changes (cont) • WSP recomputes the polynomial function $f_k(x)$ to revoke the member $U_m$ from $G[k]$, and then recomputes another polynomial function $f_{k'}(x)$ to add the member $U_m$ to the data group $G[k']$. • The function $f_k(x)$ is given as Where
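
Added example (not from the presentation or the cited papers): the registration-matrix bookkeeping from the two Re-keying slides above and the earlier Re-keying slide, showing which groups must be re-keyed after a join, a leave, a switch and a new service. Assumptions: the class and method names are hypothetical, and an integer epoch per group stands in for recomputing U, V or f_k(x), which the slides do not give in full.

```python
class RegistrationMatrix:
    """Matrix S: S[m][k] = 1 if user u_m is a member of group G[k]."""

    def __init__(self, services):
        self.services = list(services)            # column order
        self.rows = {}                            # user -> {service: 0 or 1}
        self.epoch = dict.fromkeys(services, 0)   # key generation per group

    def _rekey(self, groups):
        for k in groups:
            self.epoch[k] += 1                    # placeholder for new U, V / f_k(x)
        return sorted(groups)

    def join(self, user, groups):
        if user in self.rows or not set(groups) <= set(self.services):
            raise ValueError("duplicate user or unknown service")
        self.rows[user] = {k: int(k in groups) for k in self.services}  # new row
        return self._rekey(set(groups))

    def leave(self, user):
        row = self.rows.pop(user)                 # row removed from S
        return self._rekey({k for k, bit in row.items() if bit})

    def switch(self, user, src, dst):
        row = self.rows[user]
        if not row[src] or row[dst]:
            raise ValueError("user must be in src and not yet in dst")
        row[src], row[dst] = 0, 1
        return self._rekey({src, dst})            # revoke from G[k], add to G[k']

    def add_service(self, name):
        self.services.append(name)                # new column in S
        self.epoch[name] = 0
        for row in self.rows.values():
            row[name] = 0
        return self._rekey(set(self.services))    # all parameters recalculated

    def members(self, k):
        return sorted(u for u, row in self.rows.items() if row[k])

    def key_is_current(self, k, held_epoch):
        """False once a key handed out at held_epoch has been superseded."""
        return self.epoch[k] == held_epoch
```

A key issued before a member left or switched reports as stale afterwards, which is the check a service would apply before accepting a group session key.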

  32. Discussion • New ID-based public key management scheme for securing the integration of mobile agents and web services • Without use of Certification Authorities (CA), also does not use the username/password pair. • Simplifies the key management • Drawbacks • users must have their private key pair based on PKI • calculate the username/password token • use different keys for different users

  33. Conclusion • All communications among the users, agents or service providers need to be encrypted • Symmetric encryption cannot be used • Asymmetric encryption based on the public key infrastructure (PKI) is most suitable for agent-based web service integration • PKI also has some drawbacks • Every user must have his/her public/private key pair • A server has to manage and verify all the public keys • Server has to search for the user’s public key and use different keys to encrypt different messages for different users • Requires a considerable amount of resources for encryption and decryption

  34. References • [1] H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D. S. Park, “Agent-Based Delegation Model for the Secure Web Service in Ubiquitous Computing Environments”, International Conference on Hybrid Information Technology, ICHIT '06, Volume 1, pp.51-57, Nov. 2006. • [2] J. Zhang, Y. Wang, V. Varadharajan, “Mobile Agent and Web Service Integration Security Architecture”, IEEE International Conference on Service-Oriented Computing and Applications, SOCA '07, pp.172-179, June 2007. • [3] J. Zhang, Y. Wang, V. Varadharajan, “A New Security Scheme for Integration of Mobile Agents and Web Services”, Second International Conference on Internet and Web Applications and Services (ICIW'07), pp.43-48, May 2007. • [4] C. A. Ardagna, E. Damiani, S. De Capitani di Vimercati, P. Samarati, XML-based Access Control Language, 2004. • [5] Web services, http://www.webopedia.com/TERM/W/Web_services.html. • [6] Mobile Agent, http://en.wikipedia.org/wiki/Mobile_agent • [7] SAML, http://en.wikipedia.org/wiki/SAML

  35. Any Questions??
