CCSIT 2011: Advanced Computing, pp. 217-236
A Model for Delegation Based on Authentication and Authorization
Abstract
Sharing information while maintaining privacy and security is a requirement in distributed environments. Mitigating threats in a distributed environment requires constant vigilance and defense-in-depth. Most systems lack a security model that guarantees end-to-end security. We devise a model that mitigates a number of threats to the distributed computing pervasive in enterprises. This authentication process is part of a larger, systemic information assurance approach that requires that all active entities (users, machines and services) be named and credentialed. Authentication is bilateral using PKI credentialing, and authorization is based upon Security Assertion Markup Language (SAML) attribution statements. Communication across domains is handled as a federation activity using WS-* protocols. We present the architectural model, elements of which are currently being tested in an operational environment. Elements of this architecture include real-time computing, edge-based distributed mashups, and dependable, reliable computing. The architecture is also applicable to a private cloud.
Keywords
Credentialing; Authentication; Authorization; Delegation; Attribution; Least Privilege; Public Key Infrastructure; Security Assertion Markup Language (SAML); WS-*