
A Secure Token-Based Communication for Authentication and Authorization Servers

  • Jan Kubovy
  • Christian Huber (email author)
  • Markus Jäger
  • Josef Küng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10018)

Abstract

Today, software projects often have several independent subsystems which provide resources to clients. To protect all subsystems from unauthorized access, the mechanisms proposed in the OAuth2.0 framework and the OpenID standard are often used. The communication between the servers described in the OAuth2.0 framework must be encrypted. Usually, this is achieved using Transport Layer Security (TLS), but administrators can forget to activate this protocol in the server configuration. This makes the whole system vulnerable. Neither the developer nor the user of the system is able to check whether the communication between servers is safe. This paper presents a way to ensure secure communication between authentication, authorization, and resource servers without relying on a correct server configuration. For this purpose, this paper introduces an additional encryption of the transmitted tokens to secure the transmission independently of the server configuration. Further, this paper introduces the Central Authentication & Authorization System (CAAS), an implementation of the OpenID standard and the OAuth2.0 framework that uses the token encryption presented in this paper.
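As an added illustration of the abstract's idea (not code from the paper or from CAAS): the authorization server seals each token with AES-GCM under a key it shares with the target resource server and binds that server's identifier as associated data, so the token stays confidential and tamper-evident on the wire even when TLS was never enabled. The type and method names, the sample key and the token and audience strings are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// TokenSealer holds the AES-GCM key that an authorization server shares with one
// resource server. Both sides build one from the same (out-of-band provisioned) key.
type TokenSealer struct{ aead cipher.AEAD }

func NewTokenSealer(key []byte) (*TokenSealer, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenSealer{aead: aead}, nil
}

// Seal (authorization server side) encrypts the token and binds the intended resource
// server's identifier as associated data; confidentiality no longer depends on TLS.
func (s *TokenSealer) Seal(token []byte, audience string) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce, sent as a prefix
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, token, []byte(audience)), nil
}

// Open (resource server side) fails closed on a wrong key, a modified or truncated ciphertext, or an audience mismatch.
func (s *TokenSealer) Open(sealed []byte, audience string) ([]byte, error) {
	if len(sealed) < s.aead.NonceSize() {
		return nil, fmt.Errorf("sealed token too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:s.aead.NonceSize()], sealed[s.aead.NonceSize():]
	return s.aead.Open(nil, nonce, ct, []byte(audience))
}

func main() {
	ts, _ := NewTokenSealer([]byte("0123456789abcdef0123456789abcdef")) // constructed sample key (AES-256)
	sealed, _ := ts.Seal([]byte("access-token-42"), "resource-server-A")
	tok, err := ts.Open(sealed, "resource-server-A")
	fmt.Println(string(tok), err) // access-token-42 <nil>
}
```

A token sealed for resource-server-A is rejected by resource-server-B even though both hold the key, because the audience is part of the authenticated data.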

Keywords

OpenID, OAuth2.0, Security, Authentication, Authorization, Token Encryption

Notes

Acknowledgement

This work was done as part of several projects by the authors during their stay at the Institute for Application Oriented Knowledge Processing at the Johannes Kepler University in Linz.

The research leading to these results has partly received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under grant agreement no. 604659.


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Jan Kubovy (2)
  • Christian Huber (1), email author
  • Markus Jäger (1)
  • Josef Küng (1)
  1. Institute for Application Oriented Knowledge Processing (FAW), Faculty of Engineering and Natural Sciences (TNF), Johannes Kepler University (JKU), Linz, Austria
  2. Informations- u. Prozesstechnik, Anwendungen, Eigenentwicklungen, Stadtwerke München GmbH, München, Germany
