Claims-Based Authentication for an Enterprise that Uses Web Services

Conference paper

Abstract

Authentication is the process of determining whether someone or something is, in fact, who or what they are declared to be. The authentication process uses credentials (claims) that carry authentication information, within one of many possible authentication protocols, to establish the identities of the parties that wish to collaborate. Claims are representations provided by a trusted entity that can be verified and validated. Of the many authentication protocols, including self-attestation, username/password and presentation of credentials, only the last can be treated as a claim. This is a key aspect of our enterprise solution: all active entities (persons, machines, and services) are credentialed, and authentication is bi-lateral, that is, each entity makes a claim to the other entity in every communication session it initiates. This paper describes authentication that primarily uses the TLS protocols, since these are the dominant security protocols above the transport layer on the Internet. Initial user authentication may be upgraded to multi-factor, as discussed in the text. Other higher-layer protocols, such as WS-Security, WS-Federation and WS-Trust, which use a Public Key Infrastructure credential for authentication, integrate via middleware. This authentication is claims-based and is part of an enterprise-level security solution that has been piloted and is undergoing operational standup.
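The bi-lateral, credential-based TLS authentication the abstract describes, as an added example in Go that is not part of the paper: an enterprise CA issues credentials to a service and a user, the client verifies the service's credential, and the service requires and verifies the client's, so a client that can only self-attest (no credential) is rejected. The CA and entity names, the loopback listener and the use of the Go standard library are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a short-lived certificate for name, signed by issuer (a self-signed CA when nil).
func issue(name string, issuer *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: issuer == nil,
	}
	parent, signer := tmpl, any(key) // self-signed unless the enterprise CA (constructed here) signs it
	if issuer != nil { parent, signer = issuer.Leaf, issuer.PrivateKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// mutualTLS runs one bi-lateral handshake on loopback: the client verifies the service's credential
// against the CA and the service requires and verifies the client's; it returns the verified client
// identity (the client's claim), and a failure on either side surfaces as the service-side error.
func mutualTLS(withClientCert bool) (string, error) {
	ca := issue("enterprise-ca", nil)
	svc, usr := issue("service.example", &ca), issue("user.example", &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{svc}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "service.example"}
	if withClientCert { // without a credential the client can only self-attest, which the service rejects
		cliCfg.Certificates = []tls.Certificate{usr}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()
	// Client side: dial, verify the service's claim, then hang up; the service side below reports the outcome.
	go func() { if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil { c.Close() } }()
	c, err := ln.Accept()
	if err == nil {
		defer c.Close()
		err = c.(*tls.Conn).Handshake() // fails with "tls: client didn't provide a certificate" when absent
	}
	if err != nil {
		return "", err
	}
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```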

Keywords

Authentication, Bi-lateral authentication, Claims-based identity, Enterprise processes, Multi-factor authentication, Public key infrastructure, Transport layer security, Web services


Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • William R. Simpson, Institute for Defense Analyses, Alexandria, USA
  • Coimbatore Chandersekaran, Institute for Defense Analyses, Alexandria, USA
