Author: | Suba, Filip |
Title: | Security in Applications of Internet Identification and Authorization Standards |
Publication type: | Master's thesis |
Year: | 2008 |
Pages: | (7) + 93 Language: eng |
School/Department: | Faculty of Information and Natural Sciences |
Subject: | Computer Networks (T-110) |
Supervisor: | Tarkoma, Sasu ; Sjödin, Peter |
Instructor: | Gurp, Jilles van |
OEVS: | An electronic archive copy can be read via the Aalto Thesis Database.
Location: | P1 Ark Aalto | Archive |
Keywords: | authentication authorization decentralized multi-service extension redirect identity security attack |
Abstract (eng): | Decentralized authentication and authorization of users and services on the Internet is becoming more and more important, especially in environments where there are large numbers of services that depend on one another. OpenID and OAuth are protocols that can be deployed in such environments. However, they are both based on HTTP redirects and become practically useless when more than two services are in the service-interaction chain. Therefore, there is a need for a solution that would minimize the network overhead on the end user's side, while still keeping the system secure by forcing each service in the service-interaction chain to authenticate the user and the service that is requesting the protected resource, and to make sure that the transaction is authorized. An extension to the OpenID protocol is introduced as part of the solution to these challenges. By using this extension, it is enough for the end user to get redirected to his/her identity provider and interact with it only when authenticating with the very first service in the service-interaction chain. After doing so, the user stays authenticated with all the services in the service-interaction chain without any further need to interact with his/her identity provider. To address the service/user authorization challenge, a group concept is introduced. Online groups are used by the services to implement the access control to their protected resources. The authorization decisions are then based on the membership of the user/service, which is trying to access the protected resource, in these groups. And finally, to address the problem of service authentication, a public-key cryptosystem is used as part of the solution. Each service has its public/private key pair. Every time a service tries to access a resource on another service, it signs the request with its private key. Then the service that hosts the resource downloads the requester's public key from a trusted online group and verifies the signature on the request, and thus authenticates the requesting service. By employing these mechanisms, the network load on the end user's side stays minimal, regardless of the number of services in the service-interaction chain, whereas employing standard OpenID and OAuth in the same scenarios causes the number of HTTP messages which the end user needs to send/receive to grow arithmetically with the increasing number of services in the service-interaction chain. The solution proposed in this thesis is, however, not optimized for scenarios where the services or online groups would be hosted on devices with limited network capabilities. |
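The service-to-service step the abstract describes (requester signs with its private key; the resource host fetches the requester's public key from a trusted online group, verifies the signature, then decides authorization from group membership) as an added illustration in Go. This is not the thesis's code: the abstract names neither the signature algorithm nor the group's wire format, so Ed25519, the in-memory `Group` standing in for an online group, the length-prefixed canonical encoding and the service/user IDs are all assumptions. The user's one-time OpenID authentication with the first service in the chain is out of scope here; the user ID is assumed to be already established.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Group stands in for the thesis's "trusted online group": it publishes the
// public keys of member services and lists which users/services are members.
// Assumption: an in-memory map; the thesis hosts groups online.
type Group struct {
	Name    string
	Keys    map[string]ed25519.PublicKey // service ID -> published public key
	Members map[string]bool              // user and service IDs granted access
}

// Service is one service in the service-interaction chain with its own key pair.
type Service struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewService generates a fresh Ed25519 key pair (assumption: the abstract does
// not name the algorithm; any public-key signature scheme fits the design).
func NewService(id string) (*Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Service{ID: id, pub: pub, priv: priv}, nil
}

// NewGroup publishes the given services' keys and records the member IDs.
func NewGroup(name string, services []*Service, members ...string) *Group {
	g := &Group{Name: name, Keys: map[string]ed25519.PublicKey{}, Members: map[string]bool{}}
	for _, s := range services {
		g.Keys[s.ID] = s.pub
	}
	for _, m := range members {
		g.Members[m] = true
	}
	return g
}

// Request is a resource request from one service to another, made on behalf
// of a user who authenticated once with the first service in the chain.
type Request struct {
	Requester string // ID of the requesting service
	User      string // ID of the end user the request is made for
	Resource  string // protected resource being requested
	Signature []byte
}

// canonical fixes the exact bytes that are signed. Each field is prefixed with
// its 16-bit length so IDs containing separators cannot be re-parsed differently.
func canonical(r *Request) []byte {
	var b []byte
	for _, f := range []string{r.Requester, r.User, r.Resource} {
		b = append(b, byte(len(f)>>8), byte(len(f)))
		b = append(b, f...)
	}
	return b
}

// Sign builds a request and signs it with the service's private key.
func (s *Service) Sign(user, resource string) *Request {
	r := &Request{Requester: s.ID, User: user, Resource: resource}
	r.Signature = ed25519.Sign(s.priv, canonical(r))
	return r
}

// Authorize is what the resource-hosting service runs: look up the requester's
// public key in the trusted group, verify the signature (service authentication),
// then require both the requesting service and the user to be group members
// (authorization). A nil error means the request may be served.
func Authorize(g *Group, r *Request) error {
	pub, ok := g.Keys[r.Requester]
	if !ok {
		return fmt.Errorf("service %q has no key published in group %q", r.Requester, g.Name)
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return errors.New("bad signature: request was not made by " + r.Requester)
	}
	if !g.Members[r.Requester] {
		return fmt.Errorf("service %q is not a member of %q", r.Requester, g.Name)
	}
	if !g.Members[r.User] {
		return fmt.Errorf("user %q is not a member of %q", r.User, g.Name)
	}
	return nil
}

func main() {
	// Constructed scenario: calendar.example asks mail.example for /contacts.
	calendar, _ := NewService("calendar.example")
	stranger, _ := NewService("stranger.example")
	g := NewGroup("staff", []*Service{calendar}, calendar.ID, "alice")

	fmt.Println(Authorize(g, calendar.Sign("alice", "/contacts")))   // <nil>
	fmt.Println(Authorize(g, calendar.Sign("mallory", "/contacts"))) // user not a member
	fmt.Println(Authorize(g, stranger.Sign("alice", "/contacts")))   // no key published
	forged := calendar.Sign("alice", "/contacts")
	forged.Resource = "/admin" // tampered after signing
	fmt.Println(Authorize(g, forged)) // bad signature
}
```

Two practical checks follow from this shape: the key must come from the group the host already trusts, never from the request itself, or any party can "authenticate" with a key it just generated; and the signature must cover every field the host acts on, which is why the resource name is inside the canonical bytes and a tampered path fails verification. Replay protection (a nonce or timestamp in the signed bytes) is not covered by the abstract and is left out here.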
ED: | 2008-10-03 |
INSSI record number: 36381