Computers & Security

Volume 25, Issue 5, July 2006, Pages 371-378
Authentication delegation for subscription-based remote network services

https://doi.org/10.1016/j.cose.2006.03.006

Abstract

There is growing interest in collaboration and resource sharing among institutions and organizations. In this paper, we investigate the problems of identity management inherent in distributed subscription-based resource sharing. The paper describes the design, implementation and performance of a system that provides controlled access to subscription-based remote network services through a browser. A third-party authentication protocol is designed and employed to exchange security assertions among involved parties. The web servers use plug-ins to provide an authentication-delegation service and a policy-based authorization service. Users can use a single userID and password to access multiple subscribed resource sites.

Introduction

Our daily activities increasingly rely on remote resources and services, and specifically on interactions between different, remotely located parties. Many universities and research organizations subscribe to a number of electronic databases for their users (students and staff). In a subscription-based remote service, universities or organizations are charged a flat fee for a period of time, independent of the actual number of times the service is requested. One characteristic of such a subscription-based service is that the resource provider offers its service to multiple subscribers, and a subscriber might subscribe to multiple services. Another characteristic is that only resource providers share their resources, which differs from peer-to-peer resource sharing. Both the university and the resource provider nevertheless have to control access somehow, so that only legitimate users can consume these services. Current solutions, however, employ fairly primitive mechanisms for identifying legitimate users.

In this paper, we investigate the problems of identity management inherent in distributed subscription-based resource sharing. Digital identity management (Damiani et al., 2003) is crucial for building and maintaining trust relationships in a distributed resource-sharing environment. Presently, a common method used by resource providers is IP-address-based access control. This solution suffers from a lack of flexibility, forcing off-campus and mobile users to go through a proxy server; IP addresses are also relatively easy to spoof. It suffers as well from a lack of accountability: if information or a service is misused, the resource provider (and the university) has little means of ascertaining who specifically misused the resource. In other cases, each user is given a new name and password to be used when accessing the resource site. But the number of eligible users (students and staff) in a university is very large. Creating and maintaining an identity for each user is not only a large burden on the resource provider; the burden on the university's system administration and on the users is also very significant. The university has to pass information on new students, and on those leaving, to the resource provider. The user has yet another name and password to remember besides the one used at the university. Even worse, a university often subscribes to multiple online digital resources (e.g. ScienceDirect Digital Library, ACM Digital Portal, IEEE Digital Library, etc.) at the same time, so updates must be synchronized among all of these resource providers. Users therefore might have to remember a number of account–password pairs.

A centralized identity management service such as Microsoft Passport (Oppliger, 2004) can help with the problems discussed above. However, storing all users' personal information in a central database is analogous to putting all of one's eggs into one basket and represents a serious risk. Although a centralized service simplifies user management and reduces the complexity of the system, it raises privacy concerns among users, attracts malicious attacks, and forms a single point of failure.

The maintenance of privacy and identity control is paramount in the distributed resource-sharing environment, yet users also demand ease of use and rapid access (e.g. single sign-on (SSO)). The main motivation for our work is the study of identity management issues in subscription-based remote services. Because universities have already built an identity management service for students and staff, so that they can access email and other controlled resources within the university, an improvement is to leverage the existing access control system of the university and extend it to support the new service. A decentralized identity management infrastructure is required. One solution is authentication delegation: the resource provider delegates authentication to the subscriber (the university) by issuing a delegate certificate. The university authenticates the users with its existing authentication system and then grants the user an ephemeral service access ticket (SAT), which is digitally signed by the university. When the resource provider receives the access request from the user, it first checks the user's SAT to identify legitimate users and then makes an access decision according to the token and its local access policy. Although authentication-delegation-based identity management may look superficially similar to Passport, there are several fundamental differences. It is a decentralized authentication infrastructure instead of central access control. It supports the privacy of users, since there is no need to expose any user information to a third party. Users with one account within the university can access controlled resources both within the university and on the subscribed sites.

Our aim is to use off-the-shelf components and (de facto) standard protocols (SAML, HTTP, TLS, etc.) to implement an easy-to-use and powerful identity management infrastructure for web-based distributed resource sharing. To do so, a number of requirements have been identified. First, resource sites usually provide services not only to subscribing institutions but also to individuals (who acquire a userID and password from the resource site directly), so these resource sites already apply some access control mechanism (e.g. an ACL) to individuals. Our solution should integrate easily into this legacy access control system and extend the functionality of the existing system to support the authentication-delegation service, so as to reduce the administrative overhead; significant modifications are undesirable. Second, the system should not expect end users to install any proprietary software; only a standard web browser should be required. Thirdly, it should provide an SSO service so as to improve the user experience. Fourthly, a flexible authorization model is required to support policy-based authorization. A fifth requirement is that the authentication and authorization information should be transferable between mirror resource servers in a secure way. Lastly, the privacy of users should remain a priority.

The rest of this paper is organized as follows. We first present the system components in detail. Then we discuss the implementation in Section 3 and performance in Section 4, followed by related work in Section 5. Finally we conclude our paper in Section 6.

Section snippets

System overview

The system assumes that TLS (Dierks and Allen, 1999) is used for communication channel protection. It employs a browser-based third-party authentication protocol for user authentication. It represents the authorization policy for a resource as a set of policy certificates signed by the resource owners. The policy certificates are used by the authorization engine to inform authorization decisions. In the reported implementation, the system has only coarse granularity access control and does not

Key management

As we discussed in the previous section, websites are required to use key pairs that are distinct from the key pairs used for TLS channel protection. We provide a key management tool for website administrators to generate and maintain the public/private key pair. This tool is based on the Java Security API and has a graphical interface. It can, for example, generate RSA or DSA signing keys and import or export public/private keys in different formats. The generated key pairs are stored in a file,

Performance

In this section we discuss the performance of the prototype system by examining the cost of making a request to a resource site, which in turn redirects to the user's origin site, which then redirects back to the resource site. Our focus is on understanding the overhead introduced by the web server plug-in. We only measure the impact when users log in, because the plug-ins only intercept the login request. The plug-in does not affect any other request or response between users and websites.

Related work

Existing work related to the challenges we propose to address is rooted in two research areas: browser-based third-party authentication protocols and policy-based authorization models.

Discussion

By separating the authentication and authorization, authentication delegation provides a flexible yet powerful identity management infrastructure. This eases the administrative overhead of both resource providers and subscribing institutions. Meanwhile it improves user experience since only one userID and password is required to access multiple services. The resource provider, by issuing policy certificates, controls who will be trusted to undertake authentication. It also controls how the

References (25)

  • P. Madsen. Federated identity and web services. Information Security Technical Report (2004).
  • R. Oppliger. Microsoft .NET Passport and identity management. Information Security Technical Report (2004).
  • M. Bartel et al. XML-Signature Syntax and Processing.
  • M. Blaze, J. Feigenbaum, J. Lacy. Decentralized trust management. In: Proceedings of IEEE conference on security and...
  • T. Bray et al. Extensible Markup Language (XML) 1.0 (2004).
  • D. Chadwick et al. Role-based access control with X.509 attribute certificates. IEEE Internet Computing (March–April 2003).
  • E. Damiani et al. Managing multiple and dependable identities. IEEE Internet Computing (November–December 2003).
  • T. Dierks, C. Allen. The TLS protocol, RFC 2246;...
  • C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, T. Ylonen. SPKI certificate theory, RFC 2693;...
  • M. Erdos et al. Shibboleth-architecture draft, v05.
  • S. Farrell, R. Housley. An Internet attribute certificate profile for authorization, RFC 3281;...
  • D.F. Ferraiolo, D.R. Kuhn. Role based access control. In: Proceedings of 15th National Computer Security Conference;...
Mingchao Ma is a PhD student in the Department of Computer and Communications Engineering, School of Engineering at the University of Greenwich, UK. He received his Masters Degree in Computer Science from the Northeastern University, P.R. China in 2000 and undertook research in the areas of PKI, network security and multimedia applications at the University of Trier in Germany for three years before moving to the UK to pursue his PhD degree. His research interests are in the areas of PKI, Identity Management, Access Control, Trust Management and Network Security. He is a student member of ACM, IEEE, IEEE Computer Society, IEE and BCS.

Steve Woodhead is the Director of Research in the Department of Computer and Communications Engineering, School of Engineering at the University of Greenwich, UK. Steve holds both a PhD and a BSc in Electrical and Electronic Engineering from Greenwich and has been undertaking research and teaching in computer and information security for almost ten years. Steve has published over 40 papers in international conferences and journals. He is a member of the BCS, a Chartered Engineer and a Chartered Information Technology Professional. He is also a member of the Information Security Specialist Group of the BCS.