S-07S-13


Webservice authentication with attribute certificates

Assigned to: Ingo Kampe

Advisor: Wolf Müller

Expected Submission: September 2007

Problem Statement

  • Which problem do you want to solve?

There is no way to transport rights separated from the subject's identity to access webservices and reuse already integrated technology (like X.509 for signature and encryption).

  • To which domain of Computer Science does this problem relate?

This is strongly related to IT security, in particular the authorization challenge in distributed software architectures.

  • Why is the problem interesting? Why is it difficult?

It is interesting because the need for a good authorization framework/standard grows with the movement of applications into the internet. The flow of sensitive private and business data spans more and more different and distributed computers in different countries, with different operating systems and applications written in different programming languages. It is difficult because systems have to interoperate within completely different security domains without central trusted institutions. There are a lot of existing stakeholders that should work together, and the technical formats and processes are not ready yet.

Deliverables

  • At the end of the project, what will you have delivered?

I will show a way to manage the rights: how to define, transport and revoke them. A sketch of the needed infrastructure and, as an example, the authorization handler to plug into a Java webservice framework.

  • What does it mean that the project was successful?

It is successful if attribute certificates can be used to authorize against a certain webservice method.

Prior Art

  • Who are your competitors? What are they doing?
  1. PERMIS: X.509 Role Based Privilege Management Infrastructure. This project builds a whole infrastructure using attribute certificates and common APIs to establish authorization to anything. Included are directory services, security policy definitions in XML etc.
  2. Kerberos: A distributed ticket system with aims comparable to this work. It uses a self-defined ticket format and a production-ready infrastructure to manage them.
  3. WS-Trust: This standard is at an early stage and tries to define authorization-related processes in webservice interoperation.
  • How is your work different?
  1. PERMIS is a complex architecture with a focus on role-based authorization. It could probably replace the attribute certificate handling part, but it has no relation to usage in webservices. It does not meet the goal of an easy-to-understand, lightweight library which integrates into existing PKI solutions.
  2. Kerberos (with the newest versions) offers all security requirements that are needed for webservice authorization, but it is a completely different infrastructure as opposed to PKI.
  3. WS-Trust will describe how to integrate webservice security handlers and how to operate in webservice composition, chaining and other scenarios. There may be the possibility to use attribute certificates. This development could make this work obsolete at some time in the future.
  • List of publications related to your topic.

David W Chadwick, Alexander Otenko, and Edward Ball. Implementing role based access controls using x.509 attribute certificates. IEEE Internet Computing, 07(2):62-69, Mar/Apr 2003. doi: http://doi.ieeecomputersociety.org/10.1109/MIC.2003.1189190

Claudia Eckert. IT-Sicherheit: Konzepte, Verfahren, Protokolle. Oldenbourg Verlag, Muenchen Wien, studienausg. edition, Jan 2005. ISBN 3-486-57676-3.

S. Farrell and R. Housley. An internet attribute certificate profile for authorization. TLS WG, draft-ietf-tls-ac509prof-00.txt, April 2002.

Toni Nykaenen. Attribute certificates in x.509. Technical report, Helsinki University of Technology, 2000.

OASIS. Web services security: Soap message security 1.1 (ws-security 2004), Feb 2006a.

OASIS. Web services security x.509 certificate token profile 1.1, Feb 2006b.

RFC3280. Internet x.509 public key infrastructure certificate and certificate revocation list (crl) profile, April 2002.

RFC4120. The kerberos network authentication service (v5), July 2005.

John J. Ritsko and Alexander Birman. Preface. IBM Systems Journal, 44(4):651-652, 2005. doi: 10.1147/sj.444.0651. http://www.research.ibm.com/journal/sj/444/preface.html

Lutz Suhrbier and Thomas Hildmann. Pki based access control with attribute certificates for data held on smartcards. Technical report, Technical University of Berlin, May 2002.

Key Ideas / Project Execution Plan

  • How will you approach the problem?

I try to build attribute certificates (ACs) and include rights needed in a webservice operation. Then I try to reuse the existing X.509 WSS profile with these ACs and build an authorization handler. As an extra value I take a look at the possibility of anonymous authorized

  • On which contributions of others do you depend?

none yet

Project Log

  • What have you done so far?

Read, read, read. Already described the theoretical background.

  • What do you plan to do next?

Build an example security handler for webservices and use attribute certificates for access. This will be a small library in Java to demonstrate how the authorization could work.