Authentication and Authorization in Web Systems

Academic year: 2020


(1)

Authentication and Authorization in Web Systems

(2)

Outline

- Background
  - Terminology
  - Cryptography
  - REST, Web 2.0, Social Network
- Authentication
- Authorization

(3)

Terminology

- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-repudiation
- Single Sign-On
- Delegation

(4)

Cryptography

- Shared-key cryptography
  - DES, 3DES, AES
- Public-key cryptography
  - RSA, DSA
  - Digital Certificate
    - Binds an entity’s identity to a public key
  - Certificate Authority
  - Public Key Infrastructure

(5)

REST - REpresentational State Transfer

- Each resource is identified by a unique ID.
- Stateless communication
- Link resources together
- Resources have multiple representations
- Based on HTTP

/accounts/id:
  GET – get account details
  PUT – update account details
  POST – unused
  DELETE – delete account

/accounts:
  GET – list all accounts
  PUT – unused

(6)

Web 2.0

- Read-write collaborative web
- Participatory nature
- Cooperate, not control
- …

Cooperate, Participate, Collaborate

(7)

Social Network

- Science collaboration
- OpenSocial
  - APIs for web-based social network apps
- MySpace, Orkut, Ning…

(8)

Security Challenges in WWW

- Loosely coupled components
- Separation of security policies and security mechanisms
- No single, isolated trusted base
- Domain-specific policies

(9)

Outline

- Background
- Authentication
  - Identity Federation
  - HTTP Auth, SSL
  - Central Authentication Service
  - OpenID
- Authorization
- Conclusion

(10)

HTTP Basic Auth

- Allows the browser to provide a credential when making a request.

Username: Aladdin
Password: open sesame
Credential string: Aladdin:open sesame

Server challenge:
WWW-Authenticate: Basic realm="Secure Area"

Client response:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Drawback: clear text (base64 is an encoding, not encryption; anyone who reads the header reads the password)

HTTP Digest Access Auth
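Added example (not from the slides): a small Python script that builds and decodes the Basic header shown above, then computes and verifies an RFC 2617 Digest response so the two schemes can be compared. The credential pair is the one on the slide; the realm name, request URI and the nonce handling are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values: the credential pair from the slide and a realm name.
USERNAME = "Aladdin"
PASSWORD = "open sesame"
REALM = "Secure Area"


def basic_header(username, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Recover the credential from a Basic header: base64 is an encoding,
    not encryption, so anyone who can read the header can read the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for algorithm=MD5 and qop=auth. Only this hash,
    never the password itself, is sent to the server."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_digest(stored_password, fields, issued_nonce):
    """Server side: recompute the response from the stored password and compare
    in constant time. A response built on a nonce the server did not issue for
    this exchange is rejected, which is what limits replay of a captured header."""
    if fields["nonce"] != issued_nonce:
        return False
    expected = digest_response(fields["username"], fields["realm"], stored_password,
                               fields["method"], fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])


def demo():
    """Run both schemes over the sample credential and report what each exposes."""
    header = basic_header(USERNAME, PASSWORD)
    leaked = decode_basic(header)

    nonce = secrets.token_hex(16)          # server-chosen, fresh per challenge
    fields = {"username": USERNAME, "realm": REALM, "method": "GET",
              "uri": "/accounts/42", "nonce": nonce, "nc": "00000001",
              "cnonce": secrets.token_hex(8)}
    fields["response"] = digest_response(USERNAME, REALM, PASSWORD, "GET",
                                         "/accounts/42", nonce, "00000001",
                                         fields["cnonce"])
    return {
        "basic_header": header,
        "leaked_from_basic": leaked,
        "password_in_digest_fields": PASSWORD in "".join(fields.values()),
        "digest_ok": server_verify_digest(PASSWORD, fields, nonce),
        "digest_wrong_password": server_verify_digest("not the password", fields, nonce),
        "digest_stale_nonce": server_verify_digest(PASSWORD, fields, secrets.token_hex(16)),
    }


if __name__ == "__main__":
    print(demo())
```

The Digest side still relies on MD5 and protects only the password, not the rest of the request; the slide's next topic, SSL/TLS, is what gives the whole exchange confidentiality and integrity.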

(11)

SSL/TLS

End-to-end message protection protocol

Features

- Uses both shared-key cryptography and public-key cryptography.
- Authentication
- Key exchange
- Confidentiality
- Integrity
- Non-repudiation
- Prevention of replay attacks

(12)

Identity Federation

- Data across multiple identity management systems

(13)

Central Authentication Service

1. The browser is sent to CAS to log in, carrying the service URL to return to:
https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login

2. After login, CAS redirects back to the service with a service ticket:
https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu

(14)

CAS

- Uses HTTPS to guarantee confidentiality and integrity.
- Advantages
  - Simplicity
  - Single Sign-On (ticket-granting cookie)
- Drawbacks
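Added example (not from the slides or from any CAS implementation): a Python model of the CAS exchange shown above. The service receives a ticket in the redirect (the casticket=ST-... parameter) and validates it over a back channel; the ticket-granting cookie is what makes the second service a single sign-on. Ticket lifetime, the user store and the service URLs are constructed for the example.

```python
import secrets
import time

# Assumed lifetime of a service ticket in this model; real deployments also keep it short.
SERVICE_TICKET_TTL = 10.0


class CasServer:
    """Toy CAS server: primary authentication, ticket-granting cookie, service tickets."""

    def __init__(self, users, clock=time.monotonic):
        self._users = users            # username -> password (constructed sample store)
        self._tgcs = {}                # ticket-granting cookie -> username
        self._service_tickets = {}     # ST value -> (username, service URL, issued_at)
        self._clock = clock

    def login(self, username=None, password=None, tgc=None):
        """/login: returns a ticket-granting cookie. A browser that already holds a
        valid TGC is not asked for the password again (single sign-on)."""
        if tgc is not None and tgc in self._tgcs:
            return tgc
        if username is None or self._users.get(username) != password:
            raise PermissionError("bad credentials")
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self._tgcs[tgc] = username
        return tgc

    def issue_service_ticket(self, tgc, service):
        """/login with a service URL: mint the ST that is appended to the redirect
        back to the service (the casticket=ST-... parameter on the slide)."""
        username = self._tgcs[tgc]
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._service_tickets[ticket] = (username, service, self._clock())
        return ticket

    def service_validate(self, ticket, service):
        """/serviceValidate: back-channel check made by the service over HTTPS.
        Returns the username, or None. A ticket is consumed on first use, bound
        to the service it was issued for, and expires after SERVICE_TICKET_TTL."""
        entry = self._service_tickets.pop(ticket, None)
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service:
            return None
        if self._clock() - issued_at > SERVICE_TICKET_TTL:
            return None
        return username


def demo():
    """Walk one login through two services and exercise the failure cases."""
    fake_now = [1000.0]
    cas = CasServer({"alice": "correct horse"}, clock=lambda: fake_now[0])

    tgc = cas.login("alice", "correct horse")
    app1 = "https://app1.example/login"
    st = cas.issue_service_ticket(tgc, app1)
    first_use = cas.service_validate(st, app1)          # "alice"
    replayed = cas.service_validate(st, app1)           # None: already consumed

    # Single sign-on: the browser presents its TGC, no password is entered.
    tgc_again = cas.login(tgc=tgc)
    app2 = "https://app2.example/login"
    st2 = cas.issue_service_ticket(tgc_again, app2)
    wrong_service = cas.service_validate(st2, "https://other.example/login")  # None

    st3 = cas.issue_service_ticket(tgc, app2)
    fake_now[0] += SERVICE_TICKET_TTL + 1
    expired = cas.service_validate(st3, app2)           # None

    return {"first_use": first_use, "replayed": replayed,
            "sso_without_password": tgc_again == tgc,
            "wrong_service": wrong_service, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The single-use, service-bound, short-lived ticket is what keeps a ticket copied out of a redirect URL from being useful elsewhere; the TGC is the one long-lived secret, which is why it must only travel over HTTPS.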

(15)

OpenID

Figure: OpenID flow (discovery, association, relying party)

(16)

OpenID

- How to discover Identity Providers?
  - The Relying Party uses the Identifier to look up the necessary information for initiating requests
- Solution
  - XRI
  - Yadis
  - HTTP-based discovery
- How to share user attributes beyond authentication?
- Solution
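Added example (not from the slides or from any OpenID library): a Python model of the association and relying-party steps from the OpenID flow figure. The provider and relying party share a MAC key under an association handle, the provider signs its positive assertion with HMAC-SHA256 over the OpenID Key-Value form of the signed fields, and the relying party checks the signature, the return_to URL and the response nonce. The Diffie-Hellman transport of the association key is left out (the key is simply returned), and the endpoint URLs and identifiers are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Fields the OP signs, in the order listed in openid.signed (the subset used here).
SIGNED_FIELDS = ("op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle")


def kv_form(fields, keys):
    """OpenID Key-Value form: 'key:value\\n' for each signed field, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in keys)


def sign(mac_key, fields):
    """HMAC-SHA256 over the Key-Value form, base64 encoded (the openid.sig value)."""
    digest = hmac.new(mac_key, kv_form(fields, SIGNED_FIELDS).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


class OpenIdProvider:
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self._associations = {}        # assoc_handle -> MAC key

    def associate(self):
        """Association: agree on a MAC key identified by a handle. Real OpenID
        transports the key with Diffie-Hellman; here it is simply returned."""
        handle = "assoc-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._associations[handle] = key
        return handle, key

    def positive_assertion(self, handle, claimed_id, return_to):
        """After the user authenticates at the OP: the signed response it sends
        (through the browser) to the relying party's return_to URL."""
        nonce = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4)
        fields = {"op_endpoint": self.endpoint, "claimed_id": claimed_id,
                  "identity": claimed_id, "return_to": return_to,
                  "response_nonce": nonce, "assoc_handle": handle,
                  "signed": ",".join(SIGNED_FIELDS)}
        fields["sig"] = sign(self._associations[handle], fields)
        return fields


class RelyingParty:
    def __init__(self, return_to):
        self.return_to = return_to
        self._assoc_keys = {}
        self._seen_nonces = set()

    def establish_association(self, op):
        handle, key = op.associate()
        self._assoc_keys[handle] = key
        return handle

    def verify(self, assertion):
        """Return the authenticated claimed identifier, or None on any failure."""
        key = self._assoc_keys.get(assertion.get("assoc_handle"))
        if key is None:
            return None                                   # unknown association
        if assertion.get("return_to") != self.return_to:
            return None                                   # response meant for another RP
        nonce = assertion.get("response_nonce")
        if nonce is None or nonce in self._seen_nonces:
            return None                                   # replayed response
        if not hmac.compare_digest(sign(key, assertion), assertion.get("sig", "")):
            return None                                   # tampered or forged
        self._seen_nonces.add(nonce)
        return assertion["claimed_id"]


def demo():
    op = OpenIdProvider("https://op.example/openid")
    rp = RelyingParty("https://rp.example/openid/return")
    handle = rp.establish_association(op)

    assertion = op.positive_assertion(handle, "https://alice.example/", rp.return_to)
    accepted = rp.verify(assertion)                       # "https://alice.example/"
    replayed = rp.verify(assertion)                       # None: nonce already seen

    fresh = op.positive_assertion(handle, "https://alice.example/", rp.return_to)
    forged = rp.verify(dict(fresh, claimed_id="https://someone-else.example/"))  # None
    return {"accepted": accepted, "replayed": replayed, "forged": forged}


if __name__ == "__main__":
    print(demo())
```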

(17)

OpenID – Drawbacks

- If a user’s username and password are stolen or phished, then all of the registered sites become targets.
- Quality of OpenID providers varies.

(18)

Kerberos vs. CAS vs. OpenID

                          Kerberos   CAS    OpenID
ID Federation             No         No     Yes
Layer                     TCP/UDP    HTTP   HTTP
Replay attack             Yes        Yes    Yes
Single Sign-On            Yes        Yes    Yes
Single Point of Failure   Yes        Yes    No

(19)

Outline

- Background
- Authentication
- Authorization
  - Access Control
  - Grid Security Infrastructure
  - Shibboleth
  - OAuth
- Conclusion

(20)

Access Control

- Access Control List
  - A list of permissions is attached to an object.
- Role-Based Access Control
  - permissions → roles
  - roles → users
- Access Control Matrix
  - Characterizes the rights of each subject with respect to every object in the system
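Added example (not from the slides): a Python sketch of the three models above on the account resources from the REST slide, with HTTP methods as rights. An RBAC policy is expanded into the equivalent access control matrix, an ACL is read off as one column of that matrix, and revoking a role shows why the indirection through roles is convenient. Users, roles and rights are constructed.

```python
from collections import defaultdict


def acl_from_matrix(matrix, obj):
    """ACL view: the permissions attached to one object (one column of the matrix)."""
    return {subject: set(rights[obj]) for subject, rights in matrix.items() if rights.get(obj)}


def capabilities_from_matrix(matrix, subject):
    """Capability view: everything one subject may do (one row of the matrix)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items() if rights}


def check(matrix, subject, obj, right):
    """Reference-monitor decision against the access control matrix: default deny."""
    return right in matrix.get(subject, {}).get(obj, set())


class Rbac:
    """Role-based access control: permissions are granted to roles, roles to users."""

    def __init__(self):
        self._role_perms = defaultdict(set)   # role -> {(object, right)}
        self._user_roles = defaultdict(set)   # user -> {role}

    def grant(self, role, obj, right):
        self._role_perms[role].add((obj, right))

    def assign(self, user, role):
        self._user_roles[user].add(role)

    def revoke_role(self, user, role):
        """Removing one role assignment withdraws every permission it carried."""
        self._user_roles[user].discard(role)

    def permitted(self, user, obj, right):
        return any((obj, right) in self._role_perms[r] for r in self._user_roles[user])

    def to_matrix(self):
        """Expand user -> role -> permission into the equivalent access control matrix."""
        matrix = defaultdict(lambda: defaultdict(set))
        for user, roles in self._user_roles.items():
            for role in roles:
                for obj, right in self._role_perms[role]:
                    matrix[user][obj].add(right)
        return {u: dict(objs) for u, objs in matrix.items()}


def demo():
    rbac = Rbac()
    rbac.grant("teller", "/accounts", "GET")
    rbac.grant("teller", "/accounts/42", "GET")
    for right in ("GET", "PUT", "DELETE"):
        rbac.grant("manager", "/accounts/42", right)
    rbac.assign("alice", "teller")
    rbac.assign("bob", "teller")
    rbac.assign("bob", "manager")

    matrix = rbac.to_matrix()
    before = {"alice_get": check(matrix, "alice", "/accounts/42", "GET"),
              "alice_delete": check(matrix, "alice", "/accounts/42", "DELETE"),
              "bob_delete": check(matrix, "bob", "/accounts/42", "DELETE"),
              "acl_account_42": acl_from_matrix(matrix, "/accounts/42"),
              "alice_capabilities": capabilities_from_matrix(matrix, "alice")}
    rbac.revoke_role("bob", "manager")
    after = {"bob_delete": rbac.permitted("bob", "/accounts/42", "DELETE"),
             "bob_get": rbac.permitted("bob", "/accounts/42", "GET")}
    return before, after


if __name__ == "__main__":
    print(demo())
```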

(21)

Architecture (local site)

Figure: local-site architecture

VS: validation service
PEP: policy enforcement point
PDP: policy decision point
AR: attribute repository

(22)

Architecture - Push mode

(in distributed systems)

Figure: push mode

VS: validation service
PEP: policy enforcement point
PDP: policy decision point

(23)

Architecture - Pull mode

(in distributed systems)

Figure: pull mode

VS: validation service
PEP: policy enforcement point
PDP: policy decision point
AR: attribute repository
AA: attribute authority
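Added example (not from the slides): a Python model of the components in the three architecture figures, run in both modes. In push mode the requester carries a signed attribute assertion from the attribute authority, which the validation service checks before the PDP decides; in pull mode the requester presents only an identity and the PEP fetches attributes from the AA itself. The assertion format (JSON plus an HMAC under a key the AA and VS are assumed to share), the policy and the users are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


class AttributeAuthority:
    """AA: the authoritative source of a user's attributes (e.g. a home institution).
    Locally it also plays the attribute repository (AR) the PDP can consult."""

    def __init__(self, attributes):
        self._attributes = attributes               # user -> {attribute: value}
        self.signing_key = secrets.token_bytes(32)  # AA/VS trust assumed pre-established

    def lookup(self, user):
        return dict(self._attributes.get(user, {}))

    def issue_assertion(self, user):
        """Push mode: hand the user a signed attribute assertion to carry along."""
        payload = json.dumps({"subject": user, "attributes": self.lookup(user)}, sort_keys=True)
        mac = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}


class ValidationService:
    """VS: checks that a presented assertion really came from a trusted AA."""

    def __init__(self, trusted_key):
        self._key = trusted_key

    def validate(self, assertion):
        expected = hmac.new(self._key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return None
        return json.loads(assertion["payload"])


class PolicyDecisionPoint:
    """PDP: evaluates attributes against the resource's policy. Default deny."""

    def __init__(self, policy):
        self._policy = policy                       # resource -> (attribute, required value)

    def decide(self, resource, attributes):
        rule = self._policy.get(resource)
        if rule is None:
            return False
        name, required = rule
        return attributes.get(name) == required


class PolicyEnforcementPoint:
    """PEP: sits in front of the resource and acts on the PDP's decision."""

    def __init__(self, pdp, validation_service, attribute_authority):
        self._pdp = pdp
        self._vs = validation_service
        self._aa = attribute_authority

    def request_push(self, resource, assertion):
        """Push mode: the requester supplies attributes; the VS checks them first."""
        claims = self._vs.validate(assertion)
        if claims is None:
            return False
        return self._pdp.decide(resource, claims["attributes"])

    def request_pull(self, resource, user):
        """Pull mode: the requester supplies only an identity; the PEP fetches the
        attributes from the AA (an extra round trip, but nothing the client can alter)."""
        return self._pdp.decide(resource, self._aa.lookup(user))


def demo():
    aa = AttributeAuthority({"alice": {"affiliation": "student"},
                             "bob": {"affiliation": "staff"}})
    pdp = PolicyDecisionPoint({"/grades": ("affiliation", "student")})
    pep = PolicyEnforcementPoint(pdp, ValidationService(aa.signing_key), aa)

    alice_assertion = aa.issue_assertion("alice")
    forged = dict(alice_assertion, payload=alice_assertion["payload"].replace("alice", "bob"))
    return {
        "push_student": pep.request_push("/grades", alice_assertion),          # True
        "push_staff": pep.request_push("/grades", aa.issue_assertion("bob")),  # False
        "push_forged": pep.request_push("/grades", forged),                    # False: MAC fails
        "pull_student": pep.request_pull("/grades", "alice"),                  # True
        "pull_unknown_resource": pep.request_pull("/other", "alice"),          # False: default deny
    }


if __name__ == "__main__":
    print(demo())
```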

(24)
(25)

GSI

- Based on X.509 PKI
- Every entity involved in the Grid has an X.509 certificate
- Each site trusts the CAs it wants
- Each Grid transaction is mutually authenticated
- Authorization is enforced using local policies.
  - Global ID (certificate DN) is mapped to a local ID

(26)

GSI Features

- Proxy Certificate (RFC 3820) and Delegation
  - A temporary credential is generated for the user proxy
  - Delegation is indicated by the user signing the temporary certificate with a secret.
- Single Sign-On
- Identity Mapping and Authorization
  - The global identity is mapped to a local identity before the local identity is used to enforce policies

(27)

GSI - Drawbacks

- Granularity of delegation
  - All or none
- Infrastructure cost

(28)

Shibboleth - Flow

Figure: Shibboleth flow (assertions)

(29)

Shibboleth - Example

- InCommon: “more than 3 million end-users”

Figure: authentication at the home institution; attribute asserted to the service: the user is an IU student

(30)

OAuth - Features

- A third-party app can access the user’s data stored at the service provider without requiring the user’s username and password.
- Delegated authorization protocol
- Explicit user consent is mandatory.

(31)

OAuth - Flow

Figure: OAuth flow (third-party application)

(32)

Google Calendar

Consent screen: "Would you like the third-party app to access your Google Calendar data?"

Third-party app view after consent: "Your Google Calendar data is:"

(33)

OAuth - Drawbacks

- Delegation granularity
- Error handling
- Token expiration and revocation
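Added example (not from the slides, and not any OAuth library's code): a Python model of the calendar scenario above that shows the features and the drawbacks together. The authorization server issues a token only after explicit consent, the resource server enforces the token's scope on every call (delegation granularity), and expiry and revocation are checked by introspection. Scope names, lifetimes and the calendar contents are constructed.

```python
import secrets
import time


class AuthorizationServer:
    """Issues access tokens on the resource owner's behalf, with scope and lifetime."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}        # token -> {"user", "client", "scope", "expires_at"}

    def authorize(self, user, client_id, scope, consent, ttl=3600):
        """Consent-screen outcome -> token. No consent, no token; the client never
        sees the user's password at any point."""
        if not consent:
            raise PermissionError(f"{user} declined access for {client_id}")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": user, "client": client_id,
                               "scope": frozenset(scope),
                               "expires_at": self._clock() + ttl}
        return token

    def introspect(self, token):
        """What a resource server asks: is this token live, and for what?"""
        info = self._tokens.get(token)
        if info is None or self._clock() >= info["expires_at"]:
            return None
        return info

    def revoke(self, token):
        """Revocation: the user (or the provider) withdraws the delegation early."""
        self._tokens.pop(token, None)


class CalendarResourceServer:
    """The service provider's API: enforces scope on every call."""

    def __init__(self, auth_server, calendars):
        self._auth = auth_server
        self._calendars = calendars   # user -> list of events

    def _authorize(self, token, needed_scope):
        info = self._auth.introspect(token)
        if info is None or needed_scope not in info["scope"]:
            return None
        return info["user"]

    def list_events(self, token):
        user = self._authorize(token, "calendar:read")
        return None if user is None else list(self._calendars[user])

    def add_event(self, token, event):
        user = self._authorize(token, "calendar:write")
        if user is None:
            return False
        self._calendars[user].append(event)
        return True


def demo():
    now = [1_700_000_000.0]
    auth = AuthorizationServer(clock=lambda: now[0])
    calendar = CalendarResourceServer(auth, {"alice": ["dentist 09:00"]})

    # Alice consents to read-only access for a third-party app.
    token = auth.authorize("alice", "third-party-app", ["calendar:read"], consent=True, ttl=600)
    results = {
        "read": calendar.list_events(token),                               # ["dentist 09:00"]
        "write_with_read_only_scope": calendar.add_event(token, "lunch"),  # False
    }
    now[0] += 601
    results["read_after_expiry"] = calendar.list_events(token)             # None

    token2 = auth.authorize("alice", "third-party-app", ["calendar:read"], consent=True, ttl=600)
    auth.revoke(token2)
    results["read_after_revocation"] = calendar.list_events(token2)        # None

    try:
        auth.authorize("alice", "third-party-app", ["calendar:read"], consent=False)
        results["issued_without_consent"] = True
    except PermissionError:
        results["issued_without_consent"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Introspecting on every request is what makes revocation take effect immediately; a resource server that only checks a self-contained token's expiry keeps honouring it until it expires, which is the drawback the slide lists.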

(34)

GSI vs. CAS* vs. Shibboleth vs. OAuth

Mode: N/A, Both, Push, N/A
WAN: Yes, Yes, No, No
Infrastructure Cost: Low, Low, High, High
Tech: HTTP, SAML, Capability, Proxy Cert
Delegation Granularity: Implementation Specific, Depends on SP, Fine-grained, Impersonation, Yes (needs user intervention), Yes (read only)

(35)

Research Opportunities

- Authorization granularity
- Trust management

(36)

References
