Authentication and
Authorization in Web Systems

Outline
- Background
  - Terminology
  - Cryptography
  - REST, Web 2.0, Social Network
- Authentication
- Authorization

Terminology
- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-repudiation
- Single Sign-On
- Delegation

Cryptography
- Shared-key cryptography
  - DES, 3DES, AES
- Public-key cryptography
  - RSA, DSA
  - Digital Certificate
    - Binds an entity's identity to a public key
  - Certificate Authority
  - Public Key Infrastructure

REST - REpresentational State Transfer
- Each resource is identified by a unique ID.
- Stateless communication
- Link resources together
- Resources have multiple representations
- Based on HTTP

Resource       GET                  PUT                     POST     DELETE
/accounts      list all accounts    unused
/accounts/id   get account details  update account details  unused   delete account

Web 2.0
- Read-write collaborative web
- Participatory nature
- Cooperate, not control
- …
Cooperate, Participate, Collaborate

Social Network
- Science collaboration
- OpenSocial
  - APIs for web-based social network apps
- MySpace, Orkut, Ning…

Security Challenges in WWW
- Loosely coupled components
- Separation of security policies and security mechanisms
- No single, isolated trusted base
- Domain-specific policies

Outline
- Background
- Authentication
  - Identity Federation
  - HTTP Auth, SSL
  - Central Authentication Service
  - OpenID
- Authorization
- Conclusion

HTTP Basic Auth
- Allows the browser to provide a credential when making a request.
  Username: Aladdin
  Password: open sesame
  Credential string: Aladdin:open sesame
  Server challenge:  WWW-Authenticate: Basic realm="Secure Area"
  Client reply:      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Drawback: clear text (base64 only encodes the credential, it does not encrypt it)

HTTP Digest Access Auth
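An added worked example (not code from the slides): it builds and decodes the Basic header shown above, then computes the RFC 2617 Digest response that avoids sending the password at all. The Digest test vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life") is the RFC's own example; the server-side verify function is an assumption about how a server would check it.

```python
import base64
import hashlib
import hmac

def basic_header(username, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def decode_basic(header_value):
    """Recover user and password from a Basic header: base64 is an encoding,
    not encryption, which is why the slide calls Basic 'clear text'."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_ha1(username, realm, password):
    """HA1 is what a Digest server stores; the password itself never travels."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. Binding the server nonce, request count,
    client nonce and URI into the hash is what stops a captured value being replayed."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verifies(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side (assumed design): recompute from the stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Digest still rests on MD5 and does not authenticate the server, so in practice both schemes are run over TLS (next slide).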

SSL/TLS
End-to-end message protection protocol
Features
- Uses both shared-key cryptography and public-key cryptography
- Authentication
- Key exchange
- Confidentiality
- Integrity
- Non-repudiation
- Prevention of replay attacks

Identity Federation
- Identity data shared across multiple identity management systems

Central Authentication Service
Example flow (URLs from the slide):
- The service sends the browser to the CAS login page, naming itself in casurl:
  https://cas.iu.edu/cas/login?cassvc=ANY
  casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login
- After login, CAS sends the browser back to the service carrying a service ticket:
  https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login
  casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu

CAS
- Uses HTTPS to guarantee confidentiality and integrity.
- Advantages
  - Simplicity
  - Single Sign-On (ticket-granting cookie)
- Drawbacks
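An added example of the ticket exchange above, written as a hypothetical in-memory CAS model (not Apereo/Yale CAS code): a service ticket is bound to one service URL, redeemed once over the back channel, and expires quickly. The TTL, the ticket format and the service constant are assumptions; the service URL is the one on the slide.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

class CasServer:
    """Hypothetical model of the CAS server: issues service tickets (ST) after login
    and validates them for the service that received them."""
    TICKET_TTL = 10  # seconds a service ticket stays redeemable (assumed)

    def __init__(self):
        self._tickets = {}  # ticket -> (username, service, issued_at)

    def login(self, username, service, now=None):
        """Runs after the user authenticated at cas/login (password check and the
        ticket-granting cookie are omitted). Returns the redirect back to the service."""
        now = time.time() if now is None else now
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (username, service, now)
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}casticket={ticket}"

    def validate(self, ticket, service, now=None):
        """Back-channel validation over HTTPS. Returns the username, or None."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)  # pop: a ticket validates at most once
        if entry is None:
            return None  # unknown, or already consumed (a replayed ticket)
        username, bound_service, issued = entry
        if bound_service != service:
            return None  # ticket was issued for a different service
        if now - issued > self.TICKET_TTL:
            return None  # expired before the service redeemed it
        return username

def ticket_from_redirect(url):
    """Service side: extract casticket from the redirect URL the browser brings."""
    return parse_qs(urlsplit(url).query).get("casticket", [None])[0]

SERVICE = "https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login"  # from the slide
```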

OpenID
[Figure: OpenID flow (discovery, association, relying party)]

OpenID
- How to discover Identity Providers?
  - The Relying Party uses the Identifier to look up the information it needs to initiate requests
- Solution
  - XRI
  - Yadis
  - HTTP-based discovery
- How to share user attributes beyond authentication?
- Solution

OpenID - Drawbacks
- If a user's username and password are stolen or phished, then all of the sites registered with that identity become targets.
- Quality of OpenID providers varies.

Kerberos vs. CAS vs. OpenID

Property                 Kerberos   CAS    OpenID
ID Federation            No         No     Yes
Layer                    TCP/UDP    HTTP   HTTP
Replay attack            Yes        Yes    Yes
Single Sign-On           Yes        Yes    Yes
Single Point of Failure  Yes        Yes    No

Outline
- Background
- Authentication
- Authorization
  - Access Control
  - Grid Security Infrastructure
  - Shibboleth
  - OAuth
- Conclusion

Access Control
- Access Control List
  - A list of permissions is attached to an object.
- Role-Based Access Control
  - permissions → roles
  - roles → users
- Access Control Matrix
  - Characterizes the rights of each subject with respect to every object in the system.
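An added example (constructed here, not from the slides) relating the three models: an access control matrix whose columns are ACLs and rows are capability lists, and an RBAC policy (permissions → roles → users) that can be flattened into that matrix for auditing. Subjects, objects and role names are assumed; the objects reuse the /accounts resources from the REST slide.

```python
from collections import defaultdict

class AccessControlMatrix:
    """Rights of every subject over every object, kept as a sparse matrix."""

    def __init__(self):
        self._rights = defaultdict(set)  # (subject, object) -> {right, ...}

    def grant(self, subject, obj, right):
        self._rights[(subject, obj)].add(right)

    def allowed(self, subject, obj, right):
        return right in self._rights.get((subject, obj), set())

    def acl(self, obj):
        """One column of the matrix is the ACL attached to that object."""
        return {s: set(r) for (s, o), r in self._rights.items() if o == obj and r}

    def capabilities(self, subject):
        """One row of the matrix is the capability list the subject holds."""
        return {o: set(r) for (s, o), r in self._rights.items() if s == subject and r}

class Rbac:
    """permissions -> roles -> users. Decisions go through roles; the policy can
    be flattened into an access control matrix to audit who can do what."""

    def __init__(self):
        self._role_perms = defaultdict(set)  # role -> {(object, right), ...}
        self._user_roles = defaultdict(set)  # user -> {role, ...}

    def permit(self, role, obj, right):
        self._role_perms[role].add((obj, right))

    def assign(self, user, role):
        self._user_roles[user].add(role)

    def revoke(self, user, role):
        self._user_roles[user].discard(role)  # one change drops every permission of the role

    def allowed(self, user, obj, right):
        return any((obj, right) in self._role_perms[r] for r in self._user_roles[user])

    def to_matrix(self):
        acm = AccessControlMatrix()
        for user, roles in self._user_roles.items():
            for role in roles:
                for obj, right in self._role_perms[role]:
                    acm.grant(user, obj, right)
        return acm
```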

Architecture (local site)
[Figure legend] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository

Architecture - Push mode (in distributed systems)
[Figure legend] VS: validation service; PEP: policy enforcement point; PDP: policy decision point

Architecture - Pull mode (in distributed systems)
[Figure legend] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository; AA: attribute authority

GSI
- Based on X.509 PKI
- Every entity involved in the Grid has an X.509 certificate
- Each site trusts the CAs it wants
- Each Grid transaction is mutually authenticated
- Authorization is enforced using local policies.
  - Global ID (certificate DN) is mapped to a local ID

GSI Features
- Proxy Certificate (RFC 3820) and Delegation
  - A temporary credential is generated for the user proxy
  - Delegation is expressed by the user signing the temporary certificate with the user's private key.
- Single Sign-On
- Identity Mapping and Authorization
  - The global identity is mapped to a local identity, and the local identity is then used to enforce policies

GSI - Drawbacks
- Granularity of delegation
  - All or none
- Infrastructure cost

Shibboleth - Flow
[Figure: Shibboleth flow (assertions)]

Shibboleth - Example
- InCommon
  - "more than 3 million end-users"
[Figure: authentication at the identity provider; asserted attribute: "the user is an IU student"]

OAuth - Features
- A third-party app can access a user's data stored at the service provider without requiring the user's username and password.
- Delegated authorization protocol
- Explicit user consent is mandatory.

OAuth - Flow
[Figure: third-party application and Google Calendar; consent prompt "Would you like the third party app to access your Google Calendar data?"; response "Your google calendar data is:"]

OAuth - Drawbacks
- Delegation granularity
- Error handling
- Token expiration and revocation
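An added example covering both the features slide and the drawbacks slide: a hypothetical model (not Google's API or any OAuth library) in which the service provider issues a token only on explicit consent, the third-party app never holds the user's password, and every access is checked against the token's scope, expiry and revocation state. The calendar data, app name, scope strings and TTL are constructed values.

```python
import secrets
import time

class ServiceProvider:
    """Hypothetical model of the OAuth roles on the slides (not Google's API): the
    provider holds the user's calendar, a third-party app asks for access, the user
    must consent explicitly, and the token carries a scope, expires and can be revoked."""
    TOKEN_TTL = 3600  # seconds a token stays usable (assumed)

    def __init__(self):
        self.calendars = {"alice": ["dentist 09:00", "standup 10:00"]}  # constructed data
        self._tokens = {}  # token -> {"user", "app", "scope", "expires"}

    def authorize(self, user, app, scope, consent, now=None):
        """Consent-screen outcome: no explicit yes, no token. The app never sees a password."""
        if not consent:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": user, "app": app, "scope": frozenset(scope),
                               "expires": now + self.TOKEN_TTL}
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)  # delegation withdrawn; later calls fail at once

    def _check(self, token, needed, now):
        """Resource-server side: token known, not expired, and scope covers the action."""
        now = time.time() if now is None else now
        grant = self._tokens.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        if now >= grant["expires"]:
            raise PermissionError("token expired")
        if needed not in grant["scope"]:
            raise PermissionError(f"scope {needed} not granted")
        return grant

    def read_calendar(self, token, now=None):
        return list(self.calendars[self._check(token, "calendar:read", now)["user"]])

def outcome(call, *args, **kwargs):
    """Run an API call and report 'ok' or the reason it was refused."""
    try:
        call(*args, **kwargs)
        return "ok"
    except PermissionError as exc:
        return str(exc)
```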

GSI vs. CAS vs. Shibboleth vs. OAuth

Property                GSI            CAS           Shibboleth     OAuth
Mode                    N/A            Push          Both           N/A
WAN                     No             No            Yes            Yes
Infrastructure Cost     High           High          Low            Low
Tech Implementation     Proxy Cert     Capability    SAML           HTTP
Delegation Granularity  Impersonation  Fine-grained  Depends on SP  Specific

Two further cells survive from the slide without their row label: "Yes (needs user intervention)" and "Yes (read only)".

Research Opportunities
- Authorization granularity
- Trust management