Author: Suba, Filip
Title: Security in Applications of Internet Identification and Authorization Standards
Publication type: Master's thesis
Publication year: 2008
Pages: (7) + 93
Language: eng
Department/School: Faculty of Information and Natural Sciences (Informaatio- ja luonnontieteiden tiedekunta)
Main subject: Computer Networks (Tietokoneverkot) (T-110)
Supervisor: Tarkoma, Sasu; Sjödin, Peter
Instructor: Gurp, Jilles van
OEVS: Electronic archive copy is available via Aalto Thesis Database.
Location: P1 Ark Aalto | Archive
Keywords: authentication, authorization, decentralized, multi-service, extension, redirect, identity, security, attack
Abstract (eng): Decentralized authentication and authorization of users and services on the Internet is becoming more and more important, especially in environments where there are large numbers of services that depend on one another. OpenID and OAuth are protocols that can be deployed in such environments. However, they are both based on HTTP redirects and become practically useless when more than two services are in the service-interaction chain. Therefore, there is a need for a solution that would minimize the network overhead on the end user's side, while still keeping the system secure by forcing each service in the service-interaction chain to authenticate the user and the service that is requesting the protected resource, and to make sure that the transaction is authorized.

An extension to the OpenID protocol is introduced as part of the solution to these challenges. By using this extension, it is enough for the end user to get redirected to his/her identity provider and interact with it only when authenticating with the very first service in the service-interaction chain. After doing so, the user stays authenticated with all the services in the service-interaction chain without any further need to interact with his/her identity provider. To address the service/user authorization challenge, a group concept is introduced. Online groups are used by the services to implement the access control to their protected resources. The authorization decisions are then based on the membership, in these groups, of the user or service that is trying to access the protected resource. Finally, to address the problem of service authentication, a public-key cryptosystem is used as part of the solution. Each service has its own public/private key pair. Every time a service tries to access a resource on another service, it signs the request with its private key. The service that hosts the resource then downloads the requester's public key from a trusted online group and verifies the signature on the request, and thus authenticates the requesting service.

By employing these mechanisms, the network load on the end user's side stays minimal, regardless of the number of services in the service-interaction chain, whereas employing standard OpenID and OAuth in the same scenarios causes the number of HTTP messages the end user needs to send and receive to grow arithmetically with the number of services in the service-interaction chain. The solution proposed in this thesis is, however, not optimized for scenarios where the services or online groups would be hosted on devices with limited network capabilities.
ED: 2008-10-03
INSSI record number: 36381