Authentication Scheme for REST

Part of the Communications in Computer and Information Science book series (CCIS,volume 523)

Abstract

REST has been established as an architectural style for designing distributed hypermedia systems. With its increased adoption in Cloud and Service-oriented Computing, REST is confronted with requirements that have not been central to it so far. Most often, the protection of REST-based service systems is ensured solely by transport-oriented security. For mission-critical enterprise applications, however, securing data in transit only is not a sufficient safeguard. This creates a vital demand for REST Security, which is currently an active research and development topic, though one that focuses merely on a single instantiation of REST, namely HTTP.

This paper augments REST with an authentication scheme while remaining on the same level of abstraction as the architectural style itself. The introduced authentication scheme for REST is then mapped to HTTP. Based on this concrete instantiation, an empirical study is conducted in order to analyse the current state of the art in authentication techniques for REST-ful HTTP. The developed scheme, and its HTTP instantiation in particular, offers a methodical framework for assessing and comparing the available work, which proves to be incompatible and incomplete in terms of the protection provided. Moreover, this generic authentication scheme can be used to deduce other concrete means related to existing and upcoming technologies for implementing REST-based systems.

Keywords

  • REST
  • REST security
  • Authentication

Author information

Corresponding author

Correspondence to Hoai Viet Nguyen.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Lo Iacono, L., Nguyen, H.V. (2015). Authentication Scheme for REST. In: Doss, R., Piramuthu, S., ZHOU, W. (eds) Future Network Systems and Security. FNSS 2015. Communications in Computer and Information Science, vol 523. Springer, Cham. https://doi.org/10.1007/978-3-319-19210-9_8

  • DOI: https://doi.org/10.1007/978-3-319-19210-9_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-19209-3

  • Online ISBN: 978-3-319-19210-9

  • eBook Packages: Computer Science, Computer Science (R0)