Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multi-party Authentication in Web Services

Published byAnne-Marie Cardinal Modified over 6 years ago

Similar presentations

Presentation on theme: "Multi-party Authentication in Web Services"— Presentation transcript:

1 Multi-party Authentication in Web Services
Madhumita Chatterjee Dt :28th October 2004 11/18/2018 3:14 PM

2 Overview Web Services Architecture Typical Scenario Security Threats
Challenges and issues Need for Session Authentication Two Approaches—an analysis Proposal 11/18/2018 3:14 PM

3 Web Service Components
Internet based modular applications Program to program communication XML WSDL SOAP UDDI 11/18/2018 3:14 PM

4 Web Service Architecture
Implementation of Services (components) UDDI Interface Description with WSDL 1. Request 4. Request Service requester Service Broker Web Server For SOAP S E R V I C e 11/18/2018 3:14 PM

5 Web Service Workflows Dynamic composition Multiple instances
Workflow involves service instances belonging to different Web services Multiple parties belong to a flow. 11/18/2018 3:14 PM

6 Typical Web Service Scenario
Buyer Govt service Financer Provider Shipper B.1 G.1 P.2 S.1 P.1 F.2 Service Instance Insurance I.1 F.1 11/18/2018 3:14 PM

7 Threats…. Unauthorized access Parameter manipulation
Network eavesdropping Message replay 11/18/2018 3:14 PM

8 Challenges Dealing with un-trusted clients.
Application internals are exposed. SOAP messages are not point to point Challenge is to preserve security of SOAP message from initial SOAP sender to ultimate SOAP receiver. 11/18/2018 3:14 PM

9 SSL is inadequate SSL provides point-to-point security
Web Services need end-to-end security SSL does not support End-to-end confidentiality Element wise signing and encryption Non-repudiation 11/18/2018 3:14 PM

10 Need for session Authentication
TA-1 TA-2 Hotel Flight Car#1 Car#2 11/18/2018 3:14 PM

11 Maruyama’s protocol Session Authenticator component responsible for distributing keys and authenticating messages Each instance belonging to a session gets the shared key 11/18/2018 3:14 PM

12 Maruyama’s protocol….cont
Message authentication protocol transports authentication information between session participants Session management protocol responsible for starting, running and ending a particular session. 11/18/2018 3:14 PM

13 Message Authentication
Session Authenticator Allows service instances to mutually verify transient membership Service Authenticator Protocol for sending Web service to send MACed SOAP envelope to receiving Web Service 11/18/2018 3:14 PM

14 Session Authenticator
Sending instance prepares SOAP envelope Optionally uses XML encryption Adds authentication to SOAP header Using SOAP-DSIG applies MAC to envelope under session key. 11/18/2018 3:14 PM

15 Session Auth….cont… Receiver checks for session key.
Else obtains key from session manager. Validates MAC and accepts SOAP envelope. Decrypts encrypted message. Receiver now has authenticated mesg and session handle. 11/18/2018 3:14 PM

16 Service Authenticator
Sending service prepares SOAP envelope. Adds authentication header. Uses SOAP-DSIG to digitally sign mesg. Optionally uses XML encryption. Receiver decrypts, validates signature, verifies its own sign and accepts. 11/18/2018 3:14 PM

17 Session Management Initiator of session could be SA
Assigning session Ids. Creating session secrets. Maintaining status information for each session. Keeping participants informed of the status. Shutting down sessions. 11/18/2018 3:14 PM

18 Online session Management
11/18/2018 3:14 PM

19 Drawbacks .. SA cannot measure the validity of service instance
Anyone who has session ID can contact SA. An attacker who has compromised an instance can request to join session No unique identifier for each instance 11/18/2018 3:14 PM

20 Multi-Party Auth Protocol
Each instance has unique identifier Based on Diffie Hellman Key exchange to compute shared secret key. Session Manager manages a given Web Service session Manager instance’s identifier is unique for one session. 11/18/2018 3:14 PM

21 Notations….. p: a large prime number g: a primitive root of p
R: random no. chosen by a service instance of the session gR: gRmod p is the unique identifier used by the instance. Kx,y: security key shared by service instance x and y. MACx,y(M): MAC code for msg M under key Kx,y. U(R, gR): Service Instance U with pvt msg R and identifier gR. 11/18/2018 3:14 PM

22 Example Scenario User instance (UI (x, gx).
UI contacts session manager Manager invokes service instance (MI(y, gy)). MI and UI exchange identifiers and a session is initialized. 11/18/2018 3:14 PM

23 Multi-Party Auth Protocol
11/18/2018 3:14 PM

24 Cont…. UI wants to contact service # 1
New instance (NI(z, gz)) invoked UI and NI exchange identifiers gx and gz UI sends <Introduction-of-new-Instance> message to MI 11/18/2018 3:14 PM

25 Cont…. 11/18/2018 3:14 PM

26 Cont….. NI needs to contact another service #2.
NI2(n, gn ) is invoked by NI and recommended to MI NI2 sends MI an <identifier-query> message to check UI’s identity 11/18/2018 3:14 PM

27 Cont…. 11/18/2018 3:14 PM

28 Strengths of Protocol Each service instance has a unique identifier
Attackers cannot get key shared in an instance from plain text and MAC code Any new instance wanting to join session must be recommended by session participant. Malicious instance will be detected by SA 11/18/2018 3:14 PM

29 Mathematical Model 11/18/2018 3:14 PM

30 Model…cont… 4xi +1 xi Ttotal,i   ( Tm(j,i)) + Tkey-pair(j,i)
j= j =1 2(xi + 1)  ( Tsec(j,i) ) + T inst,I …………….(1) j=1 11/18/2018 3:14 PM

31 Cont…… n 4xi xj Tn-total = Ttotal,i   (  ( Tm(j,i)) + Tkey-pair(j,i) ) i= j= j =1 n 4xi xj  (  ( Tm(j,i) )+ Tkey-pair(j,i) i= 1 j= j=1 11/18/2018 3:14 PM

32 Cont………….. 2(xi +1) +  ( Tsec(j,i) ) + T inst,I j=1
== [4(x1 + x2 + x3 +….. xn ) + n](Tmessage) + (x1 + x2 + x3 +….. xn ) + n](Tkey-pair) + 2[(x1 + x2 + x3 +….. xn ) + n](Tsecret) + n Tinstant … ……………………………….(2) 11/18/2018 3:14 PM

33 Cont…… n 4xj + 1 where Tmessage =  (  ( Tm(j,i) )) i= 1 j=1
______________ n  ( 4xi + 1 ) i=1 n xi Tkey-pair =  (  ( Tkey-pair(j,i) )) i= 1 j=1  xi 11/18/2018 3:14 PM

34 Cont…… n 2xi + 1 Tsecret =  (  ( Tsec(j,i) )) i= 1 j=1
______________ n  (2xi + 1) i=1 Tinstance =  ( Tinst,i ) i= 1 11/18/2018 3:14 PM

35 Analysis Assume that key space is large.
Prob that two partners within same session chose same private key is small For every i in {1,2,3….n} xi  1. (x1 + x2 + x3 + …….xn)  n. 11/18/2018 3:14 PM

36 Cont…. Tn-total = 5n (Tmessage) + n(Tkey-pair ) + 4n (Tsecret ) +
n Tinstance = n [5(Tmessage) +(Tkey-pair ) + 4 (Tsecret ) + Tinstance] 11/18/2018 3:14 PM

37 Result of Analysis In worst case time consumption of introducing service instances into session increases linearly with amount of session partners. 11/18/2018 3:14 PM

38 Drawbacks Message overheads due to Diffie Hellman exchange
Time consumption to compute so many key pairs Diffie Hellman also prone to attacks 11/18/2018 3:14 PM

39 Issues not considered What if Session Manager is malicious??
11/18/2018 3:14 PM

40 A Proposal….Adaptive approach
Requirements of users may vary. Is there need for stringent measures uniformly to every node and transaction Can we apply as much security as a particular transaction requires? 11/18/2018 3:14 PM

41 Sophisticated Web Services
E.g order for aircraft engine Spawns multiple supporting transactions Orders to individual parts Orders for shipping containers Etc Involves handling huge volumes of traffic 11/18/2018 3:14 PM

42 Adaptive approach ….cont
For Simple Web services existing security measures may suffice. For sophisticated Web Services involving long transactions trusted third party model desirable. Can an adaptive/hybrid approach be implemented??? 11/18/2018 3:14 PM

43 References 1. S. Hada and H. Maruyama, “Session Authentication Protocol for Web Services,” Proc IEEE Symposium on Application and the Internet, pp , Jan 2. Dacheng Zhang and Jie Xu, “Multi-Party Authentication for Web Services: Protocols, Implementation and Evaluation,” Proc IEEE Symposium on Object Oriented Real-time Distributed Computing. 3. M.Hondo, N. Nagaratnam, A.Nadalin, “Securing Web Services,” IBM Systems Journal, Vol 41, No. 2, 2002. 4. David Geer, “Taking Steps to Secure Web Services,” IEEE Computer, Vol 36, Oct 2003. 5. V Vasudevan, “A Web Services Primer”, April 2001. 6. Y. Nakamur, S. Hada and R. Neyama, “Towards the Integration of Web Services Security on Enterprise Environments,” Proc Symposium on Applications and the Internet, pp , Jan 7. W3C NOTE, Simple Object Access Protocol (SOAP) 1.1, 11/18/2018 3:14 PM

44 References 8. W3C NOTE, SOAP Security Extensions: Digital Signature,
9. Web `Services Security(WS-Security), 10. Web Services Security Threats and Countermeasures, Microsoft Corporation, Jan 2004. 11/18/2018 3:14 PM

45 Acknowledgements Prof Bernard M Prof G.Sivakumar 11/18/2018 3:14 PM

Download ppt "Multi-party Authentication in Web Services"

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Secure Mobile IP Communication

Secure Mobile IP Communication
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.

Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
1 Anonymous Roaming Authentication Protocol with ID-based Signatures Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin.

1 Anonymous Roaming Authentication Protocol with ID-based Signatures Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Copyright © 2013 Curt Hill SOAP Protocol for exchanging data and Enabling Web Services.

Copyright © 2013 Curt Hill SOAP Protocol for exchanging data and Enabling Web Services.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.

Security Patterns for Web Services 02/03/05 Nelly A. Delessy.

Similar presentations

Ads by Google