
49434ee90035a3a9ea954201452dd731.ppt
- Number of slides: 36
Authentication and Authorization in Web Systems
Zhenhua Guo
Jun-30-2009
Outline
- Background
  - Terminology
  - Cryptography
  - REST, Web 2.0, Social Network
- Authentication
- Authorization
- Conclusion
Terminology
- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-repudiation
- Single Sign-On
- Delegation
Cryptography
[Diagram: clear text -> encrypt -> encrypted text -> decrypt -> clear text]
- Shared-key cryptography
  - DES, 3DES, AES (DES is obsolete because of its 56-bit key; AES is the current standard)
- Public-key cryptography
  - RSA, DSA
- Digital Certificate
  - Binds an entity's identity to a public key
  - Certificate Authority
  - Public Key Infrastructure
REST - REpresentational State Transfer
- Each resource is identified by a unique ID.
- Stateless communication
- Resources are linked together
- Resources have multiple representations
- Based on HTTP: GET = Read, POST = Create, PUT = Update, DELETE = Delete

  Resource       GET                   PUT                      POST          DELETE
  /accounts      list all accounts     unused                   add account   unused
  /accounts/id   get account details   update account details   unused        delete account
Web 2.0
- Read-write collaborative web
- Participatory nature
- Cooperate, not control …
- Cooperate, Participate, Collaborate: Social Network
Social Network
- Science collaboration
- OpenSocial
  - APIs for web-based social network apps
  - MySpace, Orkut, Ning…
Security Challenges in WWW
- Loosely coupled components
- Separation of security policies and security mechanisms
- No single, isolated trusted base
- Domain-specific policies
- …
Outline
- Background
- Authentication
  - Identity Federation
  - HTTP Auth, SSL
  - Central Authentication Service
  - OpenID
- Authorization
- Conclusion
HTTP Basic Auth
- Allows the browser to provide credentials when making a request.
  Server challenge:  WWW-Authenticate: Basic realm="Secure Area"
  Username: Aladdin   Password: open sesame
  "Aladdin:open sesame" --Base64--> QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  Client request:    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Drawback: clear text. Base64 is an encoding, not encryption, so anyone who can read the header recovers the password unless the connection itself is protected (SSL/TLS). HTTP Digest Access Auth avoids sending the password at all.
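The difference between the two schemes is easiest to see in code. The Python below is an added example, not part of the original slides: it builds and decodes the Basic header shown above, then computes the RFC 2617 Digest response for the RFC's own worked example (user Mufasa, realm testrealm@host.com, nonce dcd98b7102dd2f0e8b11d0f600bfb0c093) and verifies it server-side from a stored HA1 while refusing a replayed nonce count. The DigestVerifier class and its (nonce, nc) bookkeeping are this example's own design, not part of the RFC.

```python
"""HTTP Basic vs. HTTP Digest: what actually travels in the Authorization header."""
from __future__ import annotations

import base64
import hashlib
import secrets


def basic_header(username: str, password: str) -> str:
    """Build the header a browser sends for HTTP Basic (RFC 2617 section 2)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_decode(header: str) -> tuple[str, str]:
    """Recover the credentials from a Basic header. Base64 is an encoding, not
    encryption: anyone who observes the header gets the password back."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server can store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response for Digest with qop=auth (RFC 2617 section 3.2.2). The password
    never leaves the client; only this hash, bound to the server nonce and to the
    request line, is sent."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (example design): recompute the response from the stored HA1 and
    reject replays by remembering which (nonce, nc) pairs were already accepted."""

    def __init__(self, realm: str, ha1_by_user: dict[str, str]):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.seen: set[tuple[str, str]] = set()

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or (nonce, nc) in self.seen:
            return False  # unknown user, or a replay of an already-used nonce count
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


# Worked values: the Basic pair from the slide, and the Digest example of RFC 2617 section 3.5.
SLIDE_USER, SLIDE_PASSWORD = "Aladdin", "open sesame"
RFC_REALM, RFC_USER, RFC_PASSWORD = "testrealm@host.com", "Mufasa", "Circle Of Life"
RFC_NONCE, RFC_CNONCE, RFC_URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "/dir/index.html"

if __name__ == "__main__":
    hdr = basic_header(SLIDE_USER, SLIDE_PASSWORD)
    print(hdr, "->", basic_decode(hdr))
    ha1 = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    resp = digest_response(ha1, "GET", RFC_URI, RFC_NONCE, "00000001", RFC_CNONCE)
    server = DigestVerifier(RFC_REALM, {RFC_USER: ha1})
    print(resp, server.verify(RFC_USER, "GET", RFC_URI, RFC_NONCE, "00000001", RFC_CNONCE, resp),
          server.verify(RFC_USER, "GET", RFC_URI, RFC_NONCE, "00000001", RFC_CNONCE, resp))
```

Digest with qop=auth keeps the password off the wire and ties each response to a nonce, but it still rests on MD5 and does not cover the request body, so it complements TLS rather than replacing it.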
SSL/TLS
- End-to-end message protection protocol
- Features
  - Uses both shared-key cryptography and public-key cryptography
  - Authentication
  - Key exchange
  - Confidentiality
  - Integrity
  - Non-repudiation (caveat: TLS protects records with symmetric MACs known to both endpoints, so unlike a digital signature it does not let a third party prove who sent a given message; non-repudiation of application data needs signatures at the application layer)
  - Prevention of replay attacks
Identity Federation
- Data across multiple identity management systems can be joined.
Central Authentication Service
Example login redirect (IU):
https://cas.iu.edu/cas/login?cassvc=ANY&casurl=https://onestart.iu.edu/my2-prd/Login.do?__p_dispatch__=login&casticket=ST-26434-krE7MK7qkv1CcXrfBPLT-wsa453.uits.indiana.edu
CAS
- Uses HTTPS to guarantee confidentiality and integrity.
- Advantages
  - Simplicity
  - Single Sign-On (ticket-granting cookie)
- Drawbacks
  - Single point of failure
  - No identity federation
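To make the ticket flow behind the URL above concrete, here is a toy CAS server in Python. It is an added example, not code from the slides or from the CAS project: one login sets a ticket-granting cookie (TGC), every application then receives a one-time service ticket (ST) bound to its own URL, and /serviceValidate consumes the ticket. The alice account, the service URLs, the 10-second ST lifetime and the FakeClock are constructed for the example.

```python
"""Toy CAS exchange: log in once, obtain a ticket-granting cookie (TGC), then get
one-time service tickets (ST) that each application validates with the CAS server."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass
class ServiceTicket:
    user: str
    service: str       # the casurl the ticket was issued for
    issued_at: float


class CASServer:
    ST_TTL = 10.0  # seconds an unused service ticket stays valid (assumed value)

    def __init__(self, users: dict[str, str], clock: Callable[[], float]):
        self.users = users                      # username -> password (toy store)
        self.clock = clock                      # injected so expiry can be exercised
        self.tgc_owner: dict[str, str] = {}     # TGC cookie value -> username
        self.tickets: dict[str, ServiceTicket] = {}

    def login(self, username: str, password: str, service: str) -> tuple[str, str] | None:
        """/cas/login with credentials: sets the TGC and redirects back with an ST."""
        if self.users.get(username) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgc_owner[tgc] = username
        return tgc, self._issue_st(username, service)

    def sso_login(self, tgc: str, service: str) -> str | None:
        """/cas/login for a second application: the browser presents the TGC cookie,
        so no password is re-entered. This is the single sign-on step."""
        user = self.tgc_owner.get(tgc)
        return None if user is None else self._issue_st(user, service)

    def _issue_st(self, user: str, service: str) -> str:
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = ServiceTicket(user, service, self.clock())
        return st

    def service_validate(self, ticket: str, service: str) -> str | None:
        """/serviceValidate, called server-to-server by the application over HTTPS.
        A ticket is consumed on first use, must match the service it was issued to,
        and must be fresh; otherwise a leaked or replayed ST could log someone in."""
        t = self.tickets.pop(ticket, None)
        if t is None or t.service != service:
            return None
        if self.clock() - t.issued_at > self.ST_TTL:
            return None
        return t.user


class FakeClock:
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict[str, object]:
    """Walk through login, replay, wrong service and expiry; returns each outcome."""
    clock = FakeClock()
    cas = CASServer({"alice": "correct horse"}, clock)
    tgc, st1 = cas.login("alice", "correct horse", "https://onestart.example/login")
    first = cas.service_validate(st1, "https://onestart.example/login")
    replay = cas.service_validate(st1, "https://onestart.example/login")
    st2 = cas.sso_login(tgc, "https://mail.example/cas")
    wrong_service = cas.service_validate(st2, "https://evil.example/cas")
    st3 = cas.sso_login(tgc, "https://mail.example/cas")
    clock.now += 60
    expired = cas.service_validate(st3, "https://mail.example/cas")
    return {"first": first, "replay": replay, "wrong_service": wrong_service, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The TGC is the whole SSO session, which is why it must be sent only over HTTPS and marked Secure and HttpOnly in a real deployment, and why the CAS server itself becomes the single point of failure named on the slide.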
OpenID
[Diagram: OpenID exchange between user, relying party and identity provider: discovery, then association]
OpenID
- How to discover Identity Providers?
  - Solution: the Relying Party uses the Identifier to look up the information needed to initiate requests
    - XRI
    - Yadis
    - HTML-based discovery
- How to share user attributes beyond authentication?
  - Solution
    - Simple Registration Extension
    - Attribute Exchange
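The discovery step starts from whatever the user typed, so the relying party first normalizes it and then reads the provider out of the page it fetches. The Python below is an added example (not from the slides or from any OpenID library): it implements the OpenID 2.0 identifier normalization rules and the HTML-based discovery branch, parsing the openid2.provider / openid2.local_id link elements with a fallback to the OpenID 1.x openid.server / openid.delegate names. The page in SAMPLE_PAGE and the hosts alice.example and op.example are constructed; XRI and Yadis resolution are not implemented.

```python
"""OpenID 2.0 identifier normalization (spec section 7.2) and HTML-based discovery
(section 7.3.3), on a constructed user page."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Turn what the user typed into the identifier the RP will resolve.
    Returns ("xri", identifier) or ("url", identifier)."""
    ident = user_input.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident and ident[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return "xri", ident
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.netloc:
        raise ValueError(f"not a usable identifier: {user_input!r}")
    # URL identifiers: lower-case scheme and host, default the path to "/", drop the fragment.
    return "url", urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                              parts.path or "/", parts.query, ""))


class _OpenIDLinks(HTMLParser):
    """Collect <link rel=... href=...> elements; a rel attribute may list several tokens."""

    def __init__(self) -> None:
        super().__init__()
        self.by_rel: dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").lower().split():
            self.by_rel.setdefault(rel, href)  # first occurrence wins


def html_discover(claimed_id: str, page: str) -> dict[str, str | int | None]:
    """Parse the HTML fetched from the claimed identifier and pick the OP endpoint.
    OpenID 2.0 link relations take precedence over the OpenID 1.x ones."""
    parser = _OpenIDLinks()
    parser.feed(page)
    links = parser.by_rel
    if "openid2.provider" in links:
        return {"version": 2, "claimed_id": claimed_id,
                "op_endpoint": links["openid2.provider"],
                "op_local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1, "claimed_id": claimed_id,
                "op_endpoint": links["openid.server"],
                "op_local_id": links.get("openid.delegate")}
    raise ValueError("page carries no OpenID link elements")


# Constructed page standing in for what an RP would fetch from http://alice.example/
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example/auth">
<link rel="openid2.local_id" href="https://op.example/users/alice">
<link rel="openid.delegate" href="https://op.example/users/alice">
</head><body>alice's home page</body></html>"""
```

Because the identifier defaults to http://, the page that names the provider is fetched without transport protection unless the user typed https; whoever can tamper with that fetch chooses the OP the user is sent to, which is one root of the phishing drawback on the next slide.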
OpenID - Drawbacks
- If a user's username and password are stolen or phished, every site where that identity is registered becomes a target.
- Quality of OpenID providers varies.
Kerberos vs. CAS vs. OpenID

                               CAS         Kerberos    OpenID
  Layer                        HTTP        TCP/UDP     HTTP
  Confidentiality + Integrity  SSL         Built in    Built in
  Cross-Domain                 Very hard   Hard        Easy
  ID Federation                No          No          Yes

  Rows whose per-column cells did not survive extraction (values in the order they appear): Single Point of Failure: Yes, No; Single Sign-On: Yes, Yes; Replay attack: Yes, Yes.
Outline
- Background
- Authentication
- Authorization
  - Access Control
  - Grid Security Infrastructure
  - Shibboleth
  - OAuth
- Conclusion
Access Control
- Access Control List
  - A list of permissions is attached to an object.
- Role-Based Access Control
  - permissions → roles → users
- Access Control Matrix
  - Characterizes the rights of each subject with respect to every object in the system
- …
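The three models describe the same relation from different directions. As an added example (not from the slides), the Python below keeps one RBAC policy as the source of truth, following the slide's chain permissions → roles → users with a small role hierarchy, and derives the ACL view (per object) and the access-control-matrix view (subjects by objects) from it. The roles, users and the two REST resources from the REST slide are constructed for the example.

```python
"""One policy, three views: RBAC as the source, ACL and access-control matrix derived.
Objects are the two REST resources from the deck's REST slide."""
from __future__ import annotations

from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (object, action)

# Assumed sample policy.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "reader": {("/accounts", "GET"), ("/accounts/id", "GET")},
    "teller": {("/accounts/id", "PUT")},
    "admin": {("/accounts", "POST"), ("/accounts/id", "DELETE")},
}
# Role hierarchy: a senior role inherits everything its junior roles may do.
ROLE_INHERITS: Dict[str, Set[str]] = {"teller": {"reader"}, "admin": {"teller"}}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"reader"}, "bob": {"teller"}, "carol": {"admin"}}
OBJECTS = ("/accounts", "/accounts/id")


def effective_roles(user: str) -> FrozenSet[str]:
    """Transitive closure of the user's roles over the role hierarchy."""
    todo = list(USER_ROLES.get(user, ()))
    seen: Set[str] = set()
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_INHERITS.get(role, ()))
    return frozenset(seen)


def permissions_of(user: str) -> Set[Permission]:
    perms: Set[Permission] = set()
    for role in effective_roles(user):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(user: str, obj: str, action: str) -> bool:
    """The request-time check: is (object, action) among the user's permissions?"""
    return (obj, action) in permissions_of(user)


def acl_view() -> Dict[str, Set[Tuple[str, str]]]:
    """ACL: for each object, the (subject, action) pairs attached to it."""
    acl: Dict[str, Set[Tuple[str, str]]] = {obj: set() for obj in OBJECTS}
    for user in USER_ROLES:
        for obj, action in permissions_of(user):
            acl[obj].add((user, action))
    return acl


def matrix_view() -> Dict[str, Dict[str, Set[str]]]:
    """Access-control matrix: rows are subjects, columns are objects, cells are rights."""
    return {user: {obj: {a for o, a in permissions_of(user) if o == obj} for obj in OBJECTS}
            for user in USER_ROLES}


if __name__ == "__main__":
    for user, row in matrix_view().items():
        print(user, {obj: sorted(rights) for obj, rights in row.items()})
```

Deriving the other two views rather than maintaining them by hand is what keeps them consistent; an ACL edited directly and a role table edited directly will drift apart.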
Architecture (local site)
[Diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository

Architecture - Push mode (in distributed systems)
[Diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository; AA: attribute authority
In push mode the requester carries its attributes, asserted by its home AA, to the resource site, where the VS checks the assertion before the PDP decides.

Architecture - Pull mode (in distributed systems)
[Diagram] VS: validation service; PEP: policy enforcement point; PDP: policy decision point; AR: attribute repository; AA: attribute authority
In pull mode the resource site's PEP/PDP queries the AA for the requester's attributes itself.
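The two distributed variants share the PDP and differ only in how attributes reach it. The Python below is an added example, not the slides' or any product's code, with each box from the diagrams as a small class: the attribute authority signs assertions for push mode and answers queries for pull mode, the validation service checks a pushed assertion against the issuers it trusts, the PDP evaluates a rule over the attributes, and the PEP drives either path. HMAC-SHA256 over canonical JSON stands in for the SAML/X.509 signature a real AA would use, and the site names, accounts, the /library resource and the shared key are constructed for the example.

```python
"""PEP/PDP with attributes delivered in push mode (a signed assertion carried by the
requester and checked by the validation service) and in pull mode (the PEP queries
the attribute authority directly)."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

Attributes = Dict[str, str]


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class AttributeAuthority:
    """Home-site AA. Issues attribute assertions; HMAC-SHA256 stands in for the
    XML/X.509 signature a real AA would produce (an assumption of this example)."""

    def __init__(self, name: str, key: bytes, directory: Dict[str, Attributes]):
        self.name, self.key, self.directory = name, key, directory

    def issue_assertion(self, subject: str) -> dict:
        body = {"issuer": self.name, "subject": subject, "attributes": self.directory[subject]}
        sig = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {**body, "sig": sig}

    def query(self, subject: str) -> Attributes:
        """Pull-mode interface, assumed to be reached over an authenticated channel."""
        return dict(self.directory.get(subject, {}))


class ValidationService:
    """VS at the resource site: accepts an assertion only from a trusted AA and only
    if it is unmodified."""

    def __init__(self, trusted_keys: Dict[str, bytes]):
        self.trusted_keys = trusted_keys

    def validate(self, assertion: dict) -> Optional[Attributes]:
        key = self.trusted_keys.get(assertion.get("issuer", ""))
        if key is None:
            return None
        body = {k: v for k, v in assertion.items() if k != "sig"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return None
        return dict(assertion["attributes"])


class PDP:
    """Policy decision point: one predicate over the subject's attributes per resource."""

    def __init__(self, rules: Dict[str, Callable[[Attributes], bool]]):
        self.rules = rules

    def decide(self, resource: str, attrs: Attributes) -> bool:
        rule = self.rules.get(resource)
        return bool(rule and rule(attrs))


class PEP:
    def __init__(self, pdp: PDP, vs: ValidationService, authorities: Dict[str, AttributeAuthority]):
        self.pdp, self.vs, self.authorities = pdp, vs, authorities

    def request_push(self, assertion: dict, resource: str) -> bool:
        """Push mode: the requester brought an assertion; VS validates, PDP decides."""
        attrs = self.vs.validate(assertion)
        return attrs is not None and self.pdp.decide(resource, attrs)

    def request_pull(self, issuer: str, subject: str, resource: str) -> bool:
        """Pull mode: the PEP fetches the attributes from the named AA, then PDP decides."""
        aa = self.authorities.get(issuer)
        if aa is None:
            return False
        return self.pdp.decide(resource, aa.query(subject))


# Constructed deployment: one home site (AA) and one resource site (VS, PDP, PEP).
HOME_KEY = b"home-site-shared-secret"  # assumed to be established out of band
HOME_AA = AttributeAuthority("home.example", HOME_KEY,
                             {"alice": {"affiliation": "student", "org": "home.example"},
                              "bob": {"affiliation": "alumni", "org": "home.example"}})
RESOURCE_PDP = PDP({"/library": lambda a: a.get("affiliation") in ("student", "faculty")})
RESOURCE_PEP = PEP(RESOURCE_PDP, ValidationService({"home.example": HOME_KEY}),
                   {"home.example": HOME_AA})
```

Push mode scales because the resource site never calls home, but it makes the VS the security boundary: a forged or altered assertion must fail there. Pull mode avoids that parsing surface at the cost of a live dependency on every AA.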
GSI (Grid Security Infrastructure)
GSI
- Based on X.509 PKI
- Every entity involved in the Grid has an X.509 certificate
- Each site trusts the CAs it wants
- Each Grid transaction is mutually authenticated
- Authorization is enforced using local policies
  - Global ID (certificate DN) is mapped to a local ID
GSI Features
- Proxy Certificate (RFC 3820) and Delegation
  - A temporary credential (a proxy certificate with its own short-lived key pair) is generated for the user
  - Delegation is expressed by the user signing the temporary certificate with their private key
- Single Sign-On
- Identity Mapping and Authorization
  - The global identity is mapped to a local identity, and the local identity is then used to enforce policies
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford"   benc
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde"      wilde
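The two mechanisms on this slide, the grid-mapfile lookup and the proxy-certificate chain, are shown below in Python as an added example; it is not code from the slides or from the Globus Toolkit. The grid-mapfile parser handles the quoted-DN format with comma-separated local accounts and comment lines, and the chain check applies the RFC 3820 rules a relying party needs before trusting a proxy: the end-entity certificate must come from a CA the site trusts, each proxy must be issued by the certificate before it, its subject must be the issuer's subject plus exactly one extra CN component, and its validity must lie inside its issuer's. Certificates are modelled as plain records, so no real X.509 parsing or signature verification happens; the CA name, the second local account and the CN serials are constructed.

```python
"""GSI-style identity mapping (grid-mapfile) and proxy-certificate chain checks in the
spirit of RFC 3820. Certificates are plain records here; real X.509 signatures are
not parsed or verified."""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """grid-mapfile format: "<DN>" local[,local...]; '#' starts a comment line."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = [u for u in accounts.split(",") if u]
    return mapping


def map_identity(gridmap: Dict[str, List[str]], dn: str) -> Optional[str]:
    """Global ID (certificate DN) -> first local account, or None if the DN is unmapped."""
    accounts = gridmap.get(dn)
    return accounts[0] if accounts else None


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: int
    not_after: int
    is_proxy: bool = False  # models the presence of the ProxyCertInfo extension


def verify_proxy_chain(chain: List[Cert], trusted_cas: Set[str], now: int) -> Optional[str]:
    """chain[0] is the end-entity certificate (EEC) issued by a CA; chain[1:] are proxies,
    each signed by the key of the certificate before it. Returns the EEC subject the last
    proxy may act for, or None if any check fails."""
    if not chain:
        return None
    eec = chain[0]
    if eec.is_proxy or eec.issuer not in trusted_cas:
        return None
    if not (eec.not_before <= now <= eec.not_after):
        return None
    for parent, proxy in zip(chain, chain[1:]):
        if not proxy.is_proxy or proxy.issuer != parent.subject:
            return None
        # RFC 3820 section 3.4: subject = issuer subject + exactly one extra CN component.
        prefix = parent.subject + "/CN="
        if not proxy.subject.startswith(prefix) or "/" in proxy.subject[len(prefix):]:
            return None
        # A proxy must not outlive the credential that signed it.
        if proxy.not_before < parent.not_before or proxy.not_after > parent.not_after:
            return None
        if not (proxy.not_before <= now <= proxy.not_after):
            return None
    return eec.subject


# Constructed data: the two mappings shown on the slide (a second account added) plus a comment.
GRIDMAP_TEXT = '''# DN -> local account(s)
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford" benc
"/C=US/O=Globus/O=ANL/OU=MCS/CN=MikeWilde" wilde,mwilde
'''
BEN = "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ben Clifford"
CHAIN = [
    Cert(BEN, "/C=US/O=Globus/CN=Globus CA", 0, 1_000_000),          # EEC, one-year style validity
    Cert(BEN + "/CN=1234", BEN, 100, 500, is_proxy=True),            # user's proxy, signed by EEC key
    Cert(BEN + "/CN=1234/CN=5678", BEN + "/CN=1234", 150, 400, is_proxy=True),  # delegated onward
]
```

The identity that ends up in the grid-mapfile lookup is the EEC subject returned by the chain check, never the proxy's own subject, which is why the naming rule matters: without it a proxy could carry an arbitrary DN and be mapped to someone else's local account. The all-or-none granularity noted on the next slide is visible here too, since nothing in the chain says what the proxy may be used for.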
GSI - Drawbacks
- Granularity of delegation
  - All or none
- Infrastructure cost
Shibboleth - Flow
[Diagram: Shibboleth exchange; assertions from the identity provider, attribute query by the service provider]
Shibboleth - Example
[Diagram: authentication at the home institution; the asserted attribute is "the user is an IU student"]
- InCommon: "more than 3 million end-users"
OAuth - Features
- A third-party app can access a user's data stored at a service provider without being given the user's username and password.
- Delegated authorization protocol
- Explicit user consent is mandatory.
- Light-weight
OAuth - Flow
[Diagram: OAuth exchange between the user, the third-party application and the service provider]
Google Calendar
[Diagram: consent prompt "Would you like third party app to access your Google Calendar data?"; the third-party application then displays "Your google calendar data is: …"]
OAuth - Drawbacks
- Delegation granularity
- Error handling
- Token expiration and revocation
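The features and the drawbacks of the last four slides can be exercised on one small model. The Python below is an added example, not code from the slides or from any OAuth library: the service provider (Google in the calendar example) issues a token only after a consent callback returns the scopes the user agreed to, the resource API refuses calls whose token lacks the scope, and the provider can expire or revoke a token so the app's copy stops working. Scope names calendar.read/calendar.write, the alice account, the token lifetime and the FakeClock are constructed; the model is version-neutral and omits the request signing of OAuth 1.0.

```python
"""Delegated authorization in the OAuth style: the user consents at the service
provider, the third-party app receives a token limited to the granted scope, and the
resource API enforces scope, expiry and revocation on every call."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass
class AccessToken:
    user: str
    client: str
    scopes: FrozenSet[str]
    expires_at: float
    revoked: bool = False


class FakeClock:
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


ConsentFn = Callable[[str, str, FrozenSet[str]], Optional[FrozenSet[str]]]


class ServiceProvider:
    """Authorization side of the service provider."""

    def __init__(self, clock: Callable[[], float], token_ttl: float = 3600.0):
        self.clock, self.token_ttl = clock, token_ttl
        self.tokens: Dict[str, AccessToken] = {}

    def authorize(self, user: str, client: str, requested: FrozenSet[str], consent: ConsentFn) -> Optional[str]:
        """Explicit user consent is mandatory: `consent` is the user's answer to
        'Would you like <client> to access your data?' and may narrow the scopes.
        Returns an opaque token for the client, or None if the user declined."""
        granted = consent(user, client, requested)
        if not granted:
            return None
        if not granted <= requested:
            raise ValueError("consent cannot grant more than was requested")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = AccessToken(user, client, frozenset(granted), self.clock() + self.token_ttl)
        return token

    def revoke(self, token: str) -> None:
        """The user (or the provider) withdraws the delegation."""
        if token in self.tokens:
            self.tokens[token].revoked = True

    def introspect(self, token: str) -> Optional[AccessToken]:
        t = self.tokens.get(token)
        if t is None or t.revoked or self.clock() >= t.expires_at:
            return None
        return t


class CalendarAPI:
    """Resource side. Which scope each operation needs is an assumption of this example."""
    REQUIRED_SCOPE = {("GET", "/calendar"): "calendar.read",
                      ("POST", "/calendar"): "calendar.write"}

    def __init__(self, provider: ServiceProvider, data: Dict[str, list]):
        self.provider, self.data = provider, data

    def handle(self, token: Optional[str], method: str, path: str) -> Tuple[int, object]:
        tok = self.provider.introspect(token) if token else None
        if tok is None:
            return 401, "invalid, expired or revoked token"
        needed = self.REQUIRED_SCOPE.get((method, path))
        if needed is None:
            return 404, "no such resource"
        if needed not in tok.scopes:
            return 403, f"token lacks scope {needed}"
        # The app never saw the user's password and acts only within the granted scope.
        return 200, list(self.data.get(tok.user, []))
```

The granularity drawback is the scope vocabulary: the app can be held to calendar.read only if the provider defined such a scope. Expiry and revocation work here because the API asks the provider about every token; an API that trusts a self-contained token without that check cannot revoke it before it expires.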
GSI vs. CAS* vs. Shibboleth vs. OAuth

                       GSI          CAS*         Shibboleth   OAuth
  Tech                 Proxy Cert   Capability   SAML         HTTP
  Mode                 N/A          Push         Both         N/A

  Rows whose per-column cells did not survive extraction (values in the order they appear):
  Delegation: Yes; Yes (read only); Yes (needs user intervention); Depends on SP
  Granularity: Implementation Specific; Impersonation; Fine-grained
  Infrastructure Cost: High; Low
  WAN: No; No; Yes

  * CAS: Community Authorization Service (not the Central Authentication Service of the earlier slides)
Research Opportunities
- Authorization granularity
- Trust management
Questions?