Authentication delegation for subscription-based remote network services
Introduction
Our daily activities increasingly rely on remote resources and services, and specifically on interactions between different, remotely located parties. Many universities and research organizations subscribe to a number of electronic databases on behalf of their users (students and staff). In a subscription-based remote service, the university or organization is charged a flat fee for a period of time, independent of how often the service is actually used. One characteristic of such a service is that a resource provider serves many subscribers and a subscriber may subscribe to many services. Another is that resources flow in one direction, from provider to subscriber, unlike peer-to-peer resource sharing. Both the university and the resource provider must nevertheless control access so that only legitimate users consume the service, yet current solutions rely on fairly primitive mechanisms for identifying legitimate users.
In this paper, we investigate the identity management problems inherent in distributed subscription-based resource sharing. Digital identity management (Damiani et al., 2003) is crucial for building and maintaining trust relationships in a distributed resource-sharing environment. Presently, the most common method used by resource providers is IP address based access control. This solution lacks flexibility, forcing off-campus and mobile users through a proxy server, and an IP address is a weak identifier: it can be spoofed or shared, and it identifies a network location rather than a person. It therefore also lacks accountability: if information or a service is misused, the resource provider (and the university) has little means of ascertaining who specifically misused it. In other cases, each user is given a separate username and password for the resource site. But the number of eligible users (students and staff) in a university is very large. Creating and maintaining an identity for each user is a large burden on the resource provider, and the burden on the university's system administrators and on the users is also significant. The university has to push information about new and departing students to the resource provider, and the user has yet another username and password to remember besides the one used at the university. Worse, a university often subscribes to several online digital resources (e.g. ScienceDirect Digital Library, ACM Digital Portal, IEEE Digital Library) at the same time, so account updates must be synchronized across all of these providers, and users may end up with a number of account–password pairs to remember.
A centralized identity management service such as Microsoft Passport (Oppliger, 2004) can help with the problems discussed above. However, storing all users' personal information in a central database is analogous to putting all of one's eggs into one basket and represents a serious risk. Although a centralized service simplifies user management and reduces system complexity, it raises privacy concerns among users, attracts attackers, and forms a single point of failure.
Maintaining privacy and control over identity is paramount in a distributed resource-sharing environment, yet users also demand ease of use and rapid access (e.g. single sign-on (SSO)). The main motivation for our work is the study of identity management issues in subscription-based remote services. Universities have already built identity management services so that students and staff can access email and other controlled resources within the university; a natural improvement is to leverage this existing access control system and extend it to support the new service. A decentralized identity management infrastructure is required. One solution is authentication delegation: the resource provider delegates authentication to the subscriber (the university) by issuing it a delegate certificate. The university authenticates users with its existing authentication system and then grants each user an ephemeral service access ticket (SAT), digitally signed by the university. When the resource provider receives an access request, it first verifies the user's SAT against the delegate certificate it issued to the university, to establish that the user is legitimate, and then makes an access decision according to the ticket and its local access policy. Although authentication delegation may superficially resemble Passport, there are several fundamental differences. It is a decentralized authentication infrastructure rather than central access control. It preserves user privacy, since no user information needs to be exposed to a third party. And a user with one account within the university can access controlled resources both within the university and on the subscribed sites.
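The delegation chain just described, as an added example that is not part of the paper: the paper's prototype uses SAML over HTTP and TLS with its own Java tooling, whereas this illustration uses Go's standard-library ed25519 and a JSON encoding. The object layouts, the domain-separation labels, the identifiers (uni.example, library.example, the session pseudonyms) and the replay cache are assumptions made here. The resource provider issues a delegate certificate to the subscriber, the subscriber issues a short-lived SAT bound to one resource site, and the provider accepts the ticket only if the signature chain leads back to its own key, the audience is itself, the validity times are in range, and the ticket has not been presented before.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assumed wire format (the paper does not fix one): a JSON body signed with ed25519. Each object kind has its own label so a delegate certificate cannot be passed off as a ticket.
const (
	labelDelegate = "authdel/delegate-cert/v1:"
	labelTicket   = "authdel/sat/v1:"
)

// DelegateCert, issued by the resource provider, binds a subscriber's signing key to that subscriber for a validity window.
type DelegateCert struct {
	Subscriber string `json:"subscriber"`
	SubKey     []byte `json:"sub_key"` // subscriber's ed25519 public key
	NotBefore  int64  `json:"nbf"`
	NotAfter   int64  `json:"exp"`
	Sig        []byte `json:"-"` // excluded from the signed bytes
}

// SAT is the ephemeral ticket the subscriber signs after authenticating the user itself. Subject is an opaque per-session pseudonym, so no identifying attribute has to leave the subscriber.
type SAT struct {
	Subscriber string `json:"subscriber"`
	Subject    string `json:"sub"`
	Audience   string `json:"aud"` // resource site the ticket is bound to
	IssuedAt   int64  `json:"iat"`
	ExpiresAt  int64  `json:"exp"`
	Nonce      []byte `json:"nonce"`
	Sig        []byte `json:"-"`
}

// tbs returns the to-be-signed bytes; encoding/json writes struct fields in declaration order, so signer and verifier see identical bytes.
func tbs(label string, v interface{}) []byte {
	body, _ := json.Marshal(v) // these structs cannot fail to marshal
	return append([]byte(label), body...)
}

// sigOK guards the key length first: ed25519.Verify panics on a malformed key.
func sigOK(pub, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// IssueDelegateCert runs at the resource provider when a subscription is set up.
func IssueDelegateCert(rpPriv ed25519.PrivateKey, subscriber string, subPub ed25519.PublicKey, nbf, exp time.Time) DelegateCert {
	c := DelegateCert{Subscriber: subscriber, SubKey: subPub, NotBefore: nbf.Unix(), NotAfter: exp.Unix()}
	c.Sig = ed25519.Sign(rpPriv, tbs(labelDelegate, c))
	return c
}

// IssueSAT runs at the subscriber once its own login has succeeded.
func IssueSAT(subPriv ed25519.PrivateKey, subscriber, subject, audience string, now time.Time, ttl time.Duration) (SAT, error) {
	t := SAT{Subscriber: subscriber, Subject: subject, Audience: audience,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(), Nonce: make([]byte, 16)}
	if _, err := rand.Read(t.Nonce); err != nil {
		return SAT{}, err
	}
	t.Sig = ed25519.Sign(subPriv, tbs(labelTicket, t))
	return t, nil
}

// Verifier is the resource provider's check: it trusts only its own root key and remembers accepted tickets so a captured ticket cannot be replayed within its lifetime.
type Verifier struct {
	RootPub ed25519.PublicKey
	Self    string // this site's identifier; must equal the ticket's aud
	seen    map[string]bool
}

func (v *Verifier) CheckAccess(dc DelegateCert, t SAT, now time.Time) error {
	if !sigOK(v.RootPub, tbs(labelDelegate, dc), dc.Sig) {
		return errors.New("delegate certificate not signed by resource provider")
	}
	n := now.Unix()
	if n < dc.NotBefore || n > dc.NotAfter {
		return errors.New("delegate certificate outside its validity window")
	}
	if t.Subscriber != dc.Subscriber || !sigOK(dc.SubKey, tbs(labelTicket, t), t.Sig) {
		return errors.New("ticket not signed by the key delegated to its subscriber")
	}
	if t.Audience != v.Self {
		return errors.New("ticket is bound to a different resource site")
	}
	if t.IssuedAt > n || n > t.ExpiresAt {
		return errors.New("ticket not yet valid or already expired")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	if v.seen[string(t.Sig)] {
		return errors.New("ticket replayed")
	}
	v.seen[string(t.Sig)] = true
	return nil
}
```

Two checks here matter beyond the signatures themselves. The audience field stops a ticket minted for one subscribed site being presented to another site that trusts the same university, and the short lifetime plus the replay cache limit what an attacker gains from a ticket captured from the browser, since the SAT is a bearer credential even though the paper assumes TLS on every hop. The subject is deliberately a session pseudonym rather than a username, which is what makes the privacy claim in the paragraph above hold in practice.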
Our aim is to use off-the-shelf components and (de facto) standard protocols (SAML, HTTP, TLS, etc.) to implement an easy-to-use and powerful identity management infrastructure for web-based distributed resource sharing. To do so, a number of requirements have been identified. First, resource sites usually serve not only subscribing institutions but also individuals (who obtain a userID and password from the resource site directly), so they already apply some access control mechanism (e.g. an ACL) to individuals; our solution should integrate easily into this legacy access control system and extend it to support the authentication-delegation service, reducing administrative overhead without significant modification. Second, the system should not expect end users to install any proprietary software; a standard web browser should suffice. Third, it should provide SSO so as to improve the user experience. Fourth, a flexible authorization model is required to support policy-based authorization. Fifth, authentication and authorization information should be transferable between mirror resource servers in a secure way. Lastly, the privacy of users should remain a priority.
The rest of this paper is organized as follows. We first present the system components in detail. Then we discuss the implementation in Section 3 and performance in Section 4, followed by related work in Section 5. Finally we conclude our paper in Section 6.
Section snippets
System overview
The system assumes that TLS (Dierks and Allen, 1999) is used for communication channel protection. It employs a browser-based third-party authentication protocol for user authentication. It represents the authorization policy for a resource as a set of policy certificates signed by the resource owners. The policy certificates are used by the authorization engine to inform authorization decisions. In the reported implementation, the system has only coarse granularity access control and does not
Key management
As we discussed in the previous section, websites are required to use signing key pairs that are distinct from the key pairs used for TLS channel protection. We provide a key management tool for website administrators to generate and maintain the public/private key pair. The tool is based on the Java Security API and has a graphical interface. It can, for example, generate RSA or DSA signing keys and import or export public/private keys in different formats. The generated key pairs are stored in a file,
Performance
In this section we discuss the performance of the prototype system by examining the cost of a request to a resource site, which redirects to the user's origin site, which in turn redirects back to the resource site. Our focus is on understanding the overhead introduced by the web server plug-in. We measure only the login path, because the plug-in intercepts only the login request; it does not affect any other request or response between users and websites.
Related work
Existing work related to the challenges we address is rooted in two research areas: browser-based third-party authentication protocols and policy-based authorization models.
Discussion
By separating the authentication and authorization, authentication delegation provides a flexible yet powerful identity management infrastructure. This eases the administrative overhead of both resource providers and subscribing institutions. Meanwhile it improves user experience since only one userID and password is required to access multiple services. The resource provider, by issuing policy certificates, controls who will be trusted to undertake authentication. It also controls how the
References (25)
- Federated identity and web services. Information Security Technical Report (2004).
- Oppliger R. Microsoft .NET Passport and identity management. Information Security Technical Report (2004).
- et al. XML-Signature Syntax and Processing.
- Blaze M, Feigenbaum J, Lacy J. Decentralized trust management. In: Proceedings of IEEE conference on security and...
- et al. Extensible Markup Language (XML) 1.0 (2004).
- et al. Role-based access control with X.509 attribute certificates. IEEE Internet Computing (March–April 2003).
- Damiani E, et al. Managing multiple and dependable identities. IEEE Internet Computing (November–December 2003).
- Dierks T, Allen C. The TLS protocol, RFC 2246; ...
- Ellison C, Frantz B, Lampson B, Rivest R, Thomas B, Ylonen T. SPKI certificate theory, RFC 2693; ...
- et al. Shibboleth-architecture draft, v05.
Cited by (5)
- Implement mobile learning cloud platform - A case study give me five. ICIC Express Letters, Part B: Applications (2016).
- A study on security grade assignment model for mobile users in urban computing. Information (Japan) (2013).
- A study on secure contents using in intelligent urban computing. International Journal of Smart Home (2010).
- A study on secure contents using in urban computing. Communications in Computer and Information Science (2009).
- Safety high accuracy context-aware matrix (CAM) making based on X.509 proxy certificate. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (2009).
Mingchao Ma is a PhD student in the Department of Computer and Communications Engineering, School of Engineering at the University of Greenwich, UK. He received his Masters Degree in Computer Science from the Northeastern University, P.R. China in 2000 and undertook research in the areas of PKI, network security and multimedia applications at the University of Trier in Germany for three years before moving to the UK to pursue his PhD degree. His research interests are in the areas of PKI, Identity Management, Access Control, Trust Management and Network Security. He is a student member of ACM, IEEE, IEEE Computer Society, IEE and BCS.
Steve Woodhead is the Director of Research in the Department of Computer and Communications Engineering, School of Engineering at the University of Greenwich, UK. Steve holds both a PhD and BSc in Electrical and Electronic Engineering from Greenwich and has been undertaking research and teaching in computer and information security for almost ten years. Steve has published over 40 papers in international conferences and journals. He is a member of the BCS, a Chartered Engineer and a Chartered Information Technology Professional. He is also a member of the Information Security Specialist Group of the BCS.