1. Authentication and Authorization in Web Systems. Zhenhua Guo, Jun-30-2009

2. Outline
   - Background
     - Terminology
     - Cryptography
     - REST, Web 2.0, Social Network
   - Authentication
   - Authorization
   - Conclusion

3. Terminology
   - Authentication
   - Authorization
   - Confidentiality
   - Integrity
   - Non-repudiation
   - Single Sign-On
   - Delegation

4. Cryptography
   - Shared-key cryptography: DES, 3DES, AES
   - Public-key cryptography: RSA, DSA
   - Digital Certificate: binds an entity's identity to a public key
     - Certificate Authority
     - Public Key Infrastructure
   (Figure: clear text -> encrypt -> encrypted text -> decrypt -> clear text)

5. REST - REpresentational State Transfer
   - Each resource is identified by a unique ID.
   - Stateless communication
   - Link resources together
   - Resources have multiple representations
   - Based on HTTP
   Example resource mapping:
     /accounts       GET - list all accounts   PUT - unused                  POST - add account   DELETE - unused
     /accounts/id    GET - get account details PUT - update account details  POST - unused        DELETE - delete account
   HTTP verb to operation: GET = Read, POST = Create, PUT = Update, DELETE = Delete

6. Web 2.0
   - Read-write collaborative web
   - Participatory nature
   - "Cooperate, not control" ...
   - Cooperate, Participate, Collaborate -> Social Network

7. Science collaboration
   - OpenSocial: APIs for web-based social network apps (MySpace, Orkut, Ning, ...)

8. Security Challenges in WWW
   - Loosely coupled components
   - Separation of security policies and security mechanisms
   - No single, isolated trusted base
   - Domain-specific policies
   - ...

9. Outline
   - Background
   - Authentication
     - Identity Federation
     - HTTP Auth, SSL
     - Central Authentication Service
     - OpenID
   - Authorization
   - Conclusion

10. HTTP Basic Auth
   - Allows the browser to supply credentials when making a request.
   - Server challenge: WWW-Authenticate: Basic realm="Secure Area"
   - Username: Aladdin, Password: open sesame
   - The client joins them as "Aladdin:open sesame", Base64-encodes the result and sends:
     Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
   - Drawback: clear text (Base64 is an encoding, not encryption; the password is recoverable by anyone who sees the header)
   - Alternative: HTTP Digest Access Auth
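To make the slide's point concrete, here is an added example (not from the presentation) that builds and decodes the Basic header for the slide's Aladdin credentials, and beside it computes an RFC 2617 Digest response, using the RFC's own worked values (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), so the password itself never appears on the wire.

```python
import base64
import hashlib
import hmac


def basic_header(username, password):
    """Authorization header for HTTP Basic Auth: 'user:pass' in Base64."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_credentials(header_value):
    """Recover the credentials from a Basic header value. Base64 is an
    encoding, not encryption: anyone who sees the header has the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). A server may store HA1 instead of
    the clear password (RFC 2617 allows this)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response with qop=auth. Only hashes travel, and the
    hash is bound to the server nonce, the method and the request URI."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, presented, method, uri, nonce, nc, cnonce):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, presented)
```

Digest still relies on MD5 and a server-chosen nonce; the slide deck's later point stands that SSL/TLS is what actually protects the exchange.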

11. SSL/TLS
   - End-to-end message protection protocol
   - Uses both shared-key cryptography and public-key cryptography.
   - Features:
     - Authentication
     - Key exchange
     - Confidentiality
     - Integrity
     - Non-repudiation
     - Prevention of replay attacks

12. Identity Federation
   - Data across multiple identity management systems can be joined.

13. Central Authentication Service
   - Login URL (application -> CAS, carrying the application's return URL in casurl):
     https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login
   - Return URL (CAS -> application, carrying the service ticket in casticket):
     https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu

14. CAS
   - Uses HTTPS to guarantee confidentiality and integrity.
   - Advantages
     - Simplicity
     - Single Sign-On (ticket-granting cookie)
   - Drawbacks
     - Single point of failure
     - ID federation
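An added toy model of the CAS server side of slides 13 and 14 (written for this page; it is not IU's deployment or the CAS project's code): a login yields a ticket-granting ticket that gives Single Sign-On on later logins, and a service ticket (ST) that is bound to the requesting service URL, usable once and short-lived. The user store, ticket lifetime and URLs are constructed samples.

```python
import secrets
import time


class CasServer:
    """Minimal CAS-style ticket handling (added example, not CAS code)."""

    ST_LIFETIME = 10  # seconds a service ticket stays valid (assumed value)

    def __init__(self, users):
        self._users = users   # username -> password (constructed sample store)
        self._tgts = {}       # ticket-granting ticket -> username (the SSO cookie)
        self._sts = {}        # service ticket -> (username, service URL, issued_at)

    def login(self, username, password, service, tgt=None):
        """Returns (tgt, st). A valid TGT cookie replaces the password: SSO."""
        if tgt in self._tgts:
            user = self._tgts[tgt]
        elif username is not None and self._users.get(username) == password:
            user = username
            tgt = "TGC-" + secrets.token_urlsafe(16)
            self._tgts[tgt] = user
        else:
            raise PermissionError("bad credentials")
        st = "ST-" + secrets.token_urlsafe(16)
        self._sts[st] = (user, service, time.time())
        return tgt, st

    def service_validate(self, st, service):
        """Called by the application over HTTPS with the casticket it received.
        Succeeds at most once per ticket and only for the service it was issued to;
        returns the username or None."""
        record = self._sts.pop(st, None)   # pop: a replayed ticket finds nothing
        if record is None:
            return None
        user, issued_for, issued_at = record
        if issued_for != service or time.time() - issued_at > self.ST_LIFETIME:
            return None
        return user
```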

15. OpenID (flow diagram; labels: discovery, association, relying party)

16. OpenID
   - How to discover Identity Providers?
     - The Relying Party uses the Identifier to look up the information needed to initiate requests.
     - Solution: XRI, Yadis, HTTP-based discovery
   - How to share user attributes beyond authentication?
     - Solution: Simple Registration Extension, Attribute Exchange

17. OpenID - Drawbacks
   - If a user's username and password are stolen or phished, all of the sites registered with that identity become targets.
   - Quality of OpenID providers varies.

18. Kerberos vs. CAS vs. OpenID (columns in order: CAS, Kerberos, OpenID; a value listed once covers more than one column in the original table)
   - Layer: HTTP | TCP/UDP | HTTP
   - Confidentiality + Integrity: SSL | Built in
   - Cross-Domain: Very hard | Hard | Easy
   - Single Point of Failure: Yes | No
   - Single Sign-On: Yes
   - Replay attack: Yes
   - ID Federation: No | Yes

19. Outline
   - Background
   - Authentication
   - Authorization
     - Access Control
     - Grid Security Infrastructure
     - Shibboleth
     - OAuth
   - Conclusion

20. Access Control
   - Access Control List: a list of permissions is attached to an object.
   - Role-Based Access Control: permissions -> roles, roles -> users
   - Access Control Matrix: characterizes the rights of each subject with respect to every object in the system
   - ...

21. Architecture (local site) (diagram)
   - VS: validation service
   - PEP: policy enforcement point
   - PDP: policy decision point
   - AR: attribute repository

22. Architecture - Push mode (in distributed systems) (diagram)
   - VS: validation service
   - PEP: policy enforcement point
   - PDP: policy decision point
   - AR: attribute repository
   - AA: attribute authority

23. Architecture - Pull mode (in distributed systems) (diagram)
   - VS: validation service
   - PEP: policy enforcement point
   - PDP: policy decision point
   - AR: attribute repository
   - AA: attribute authority

24. GSI (Grid Security Infrastructure)

25. GSI
   - Based on X.509 PKI
   - Every entity involved in the Grid has an X.509 certificate
   - Each site trusts the CAs it wants
   - Each Grid transaction is mutually authenticated
   - Authorization is enforced using local policies.
     - Global ID (certificate DN) is mapped to a local ID

26. GSI Features
   - Proxy Certificate (RFC 3820) and Delegation
     - A temporary credential is generated for the user proxy
     - Delegation is indicated by the user signing the temporary certificate with their own private key.
   - Single Sign-On
   - Identity Mapping and Authorization
     - The global identity is mapped to a local identity, and the local identity is then used to enforce policies
     - "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford"  benc
     - "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde"     wilde
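The two mapping lines on the slide are in Globus grid-mapfile syntax (a quoted certificate DN followed by the local account, or a comma-separated list of accounts). The following added example (not Globus code) parses such a file and makes the local authorization decision the slide describes: an unmapped DN, or a request for an account the DN is not entitled to, is denied. The sample file is constructed; the second line's extra account "mwilde" is an assumption added to show multi-account mapping.

```python
import shlex

# Constructed sample grid-mapfile; the DNs are the ones shown on the slide.
GRID_MAPFILE = '''
# grid-mapfile: "<certificate DN>" <local account>[,<local account>...]
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde,mwilde
'''


def parse_gridmap(text):
    """Return {DN: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # shlex keeps the quoted DN as one token
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def map_identity(mapping, dn, requested=None):
    """Local account for an authenticated global DN, or None (denied).

    requested: a specific local account the user asked for; it must be one of
    the accounts listed for that DN. Without it the first listed account is used.
    """
    accounts = mapping.get(dn)
    if not accounts:
        return None                        # authenticated but not authorized here
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```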

27. GSI - Drawbacks
   - Granularity of delegation: all or none
   - Infrastructure cost

28. Shibboleth - Flow (flow diagram; labels: Assertions, Attribute Query)

29. Shibboleth - Example
   - InCommon: "more than 3 million end-users"
   - Authentication: the user is an IU student

30. OAuth - Features
   - A third-party app can access the user's data stored at a service provider without requiring the user's username and password.
   - Delegated authorization protocol
   - Explicit user consent is mandatory.
   - Light-weight

31. OAuth - Flow (flow diagram; label: Third-party application)

32. Google Calendar (demo screenshots of a third-party application)
   - Consent prompt: "Would you like the third party app to access your Google Calendar data???"
   - Result page: "Your google calendar data is:"

33. OAuth - Drawbacks
   - Delegation granularity
   - Error handling
   - Token expiration and revocation

34. GSI vs. CAS* vs. Shibboleth vs. OAuth (columns in order: GSI, CAS*, Shibboleth, OAuth; a value listed once covers more than one column in the original table)
   - Delegation: Yes | Yes (read only) | Yes (needs user intervention)
   - Delegation Granularity: Impersonation | Fine-grained | Depends on SP implementation
   - Specific Tech: Proxy Cert | Capability | SAML | HTTP
   - Infrastructure Cost: High | Low
   - WAN: No | Yes
   - Mode: N/A | Push | Both | N/A
   * CAS here: Community Authorization Service

35. Research Opportunities
   - Authorization granularity
   - Trust management

36. Questions?

