Implementing Azure Active Directory Integration with an Existing Cloud Service

Training Simulator (TraSim) is an online, web-based platform for holding crisis management exercises. It simulates epidemics and other exceptional situations to test the functionality of an organization’s operating instructions in the hour of need. The main objective of this thesis is to further develop the service by delegating its existing authentication and user provisioning mechanisms to a centralized, cloud-based Identity and Access Management (IAM) service. Making use of a centralized access control service is widely known as a Single Sign-On (SSO) implementation which comes with multiple benefits such as increased security, reduced administrative overhead and improved user experience. The objective originates from a customer organization’s request to enable SSO for TraSim. The research mainly focuses on implementing SSO by integrating TraSim with Azure Active Directory (AD) from a wide range of IAM services since it is considered as an industry standard and already utilized by the customer. Anyhow, the complexity of the integration is kept as reduced as possible to retain compatibility with other services besides Azure AD. While the integration is a unique operation with an endless amount of software stacks that a service can build on and multiple IAM services to choose from, this thesis aims to provide a general guideline of how to approach a resembling assignment. Conducting the study required extensive search and evaluation of the available literature about terms such as IAM, client-server communication, SSO, cloud services and AD. The literature review is combined with an introduction to the basic technologies that TraSim is built with to justify the choice of OpenID Connect as the authentication protocol and why it was implemented using the mozilla-django-oidc library. The literature consists of multiple online articles, publications and the official documentation of the utilized technologies. The research uses a constructive approach as it focuses into developing and testing a new feature that is merged into the source code of an already existing piece of software

Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy

This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don’t scale, can’t take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity

Improved Internet Security Protocols Using Cryptographic One-Way Hash Chains

In this dissertation, new approaches that utilize the one-way cryptographic hash functions in designing improved network security protocols are investigated. The proposed approaches are designed to be scalable and easy to implement in modern technology. The first contribution explores session cookies with emphasis on the threat of session hijacking attacks resulting from session cookie theft or sniffing. In the proposed scheme, these cookies are replaced by easily computed authentication credentials using Lamport\u27s well-known one-time passwords. The basic idea in this scheme revolves around utilizing sparse caching units, where authentication credentials pertaining to cookies are stored and fetched once needed, thereby, mitigating computational overhead generally associated with one-way hash constructions. The second and third proposed schemes rely on dividing the one-way hash construction into a hierarchical two-tier construction. Each tier component is responsible for some aspect of authentication generated by using two different hash functions. By utilizing different cryptographic hash functions arranged in two tiers, the hierarchical two-tier protocol (our second contribution) gives significant performance improvement over previously proposed solutions for securing Internet cookies. Through indexing authentication credentials by their position within the hash chain in a multi-dimensional chain, the third contribution achieves improved performance. In the fourth proposed scheme, an attempt is made to apply the one-way hash construction to achieve user and broadcast authentication in wireless sensor networks. Due to known energy and memory constraints, the one-way hash scheme is modified to mitigate computational overhead so it can be easily applied in this particular setting. The fifth scheme tries to reap the benefits of the sparse cache-supported scheme and the hierarchical scheme. The resulting hybrid approach achieves efficient performance at the lowest cost of caching possible. In the sixth proposal, an authentication scheme tailored for the multi-server single sign-on (SSO) environment is presented. The scheme utilizes the one-way hash construction in a Merkle Hash Tree and a hash calendar to avoid impersonation and session hijacking attacks. The scheme also explores the optimal configuration of the one-way hash chain in this particular environment. All the proposed protocols are validated by extensive experimental analyses. These analyses are obtained by running simulations depicting the many scenarios envisioned. Additionally, these simulations are supported by relevant analytical models derived by mathematical formulas taking into consideration the environment under investigation

MSL Framework: (Minimum Service Level Framework) for cloud providers and users

Cloud Computing ensures parallel computing and emerged as an efficient technology to meet the challenges of rapid growth of data that we experienced in this Internet age. Cloud computing is an emerging technology that offers subscription based services, and provide different models such as IaaS, PaaS and SaaS among other models to cater the needs of different user groups. The technology has enormous benefits but there are serious concerns and challenges related to lack of uniform standards or nonexistence of minimum benchmark for level of services offered across the industry to provide an effective, uniform and reliable service to the cloud users. As the cloud computing is gaining popularity, organizations and users are having problems to adopt the service ue to lack of minimum service level framework which can act as a benchmark in the selection of the cloud provider and provide quality of service according to the user’s expectations. The situation becomes more critical due to distributed nature of the service provider which can be offering service from any part of the world. Due to lack of minimum service level framework that will act as a benchmark to provide a uniform service across the industry there are serious concerns raised recently interms of security and data privacy breaches, authentication and authorization issues, lack of third party audit and identity management problems, integrity, confidentiality and variable data availability standards, no uniform incident response and monitoring standards, interoperability and lack of portability standards, identity management issues, lack of infrastructure protection services standards and weak governance and compliance standards are major cause of concerns for cloud users. Due to confusion and absence of universal agreed SLAs for a service model, different quality of services is being provided across the cloud industry. Currently there is no uniform performance model agreed by all stakeholders; which can provide performance criteria to measure, evaluate, and benchmark the level of services offered by various cloud providers in the industry. With the implementation of General Data Protection Regulation (GDPR) and demand from cloud users to have Green SLAs that provides better resource allocations mechanism, there will be serious implications for the cloud providers and its consumers due to lack of uniformity in SLAs and variable standards of service offered by various cloud providers. This research examines weaknesses in service level agreements offered by various cloud providers and impact due to absence of uniform agreed minimum service level framework on the adoption and usage of cloud service. The research is focused around higher education case study and proposes a conceptual model based on uniform minimum service model that acts as benchmark for the industry to ensure quality of service to the cloud users in the higher education institution and remove the barriers to the adoption of cloud technology. The proposed Minimum Service Level (MSL) framework, provides a set of minimum and uniform standards in the key concern areas raised by the participants of HE institution which are essential to the cloud users and provide a minimum quality benchmark that becomes a uniform standard across the industry. The proposed model produces a cloud computing implementation evaluation criteria which is an attempt to reduce the adoption barrier of the cloud technology and set minimum uniform standards followed by all the cloud providers regardless of their hosting location so that their performance can be measured, evaluated and compared across the industry to improve the overall QoS (Quality of Service) received by the cloud users, remove the adoption barriers and concerns of the cloud users and increase the competition across the cloud industry.A computação em nuvem proporciona a computação paralela e emergiu como uma tecnologia eficiente para enfrentar os desafios do crescimento rápido de dados que vivemos na era da Internet. A computação em nuvem é uma tecnologia emergente que oferece serviços baseados em assinatura e oferece diferentes modelos como IaaS, PaaS e SaaS, entre outros modelos para atender as necessidades de diferentes grupos de utilizadores. A tecnologia tem enormes benefícios, mas subsistem sérias preocupações e desafios relacionados com a falta de normas uniformes ou inexistência de um referencial mínimo para o nível de serviços oferecidos, na indústria, para proporcionar uma oferta eficaz, uniforme e confiável para os utilizadores da nuvem. Como a computação em nuvem está a ganhar popularidade, tanto organizações como utilizadores estão enfrentando problemas para adotar o serviço devido à falta de enquadramento de nível de serviço mínimo que possa agir como um ponto de referência na seleção de provedor da nuvem e fornecer a qualidade dos serviços de acordo com as expectativas do utilizador. A situação torna-se mais crítica, devido à natureza distribuída do prestador de serviço, que pode ser oriundo de qualquer parte do mundo. Devido à falta de enquadramento de nível de serviço mínimo que irá agir como um benchmark para fornecer um serviço uniforme em toda a indústria, existem sérias preocupações levantadas recentemente em termos de violações de segurança e privacidade de dados, autenticação e autorização, falta de questões de auditoria de terceiros e problemas de gestão de identidade, integridade, confidencialidade e disponibilidade de dados, falta de uniformidade de normas, a não resposta a incidentes e o monitoramento de padrões, a interoperabilidade e a falta de padrões de portabilidade, questões relacionadas com a gestão de identidade, falta de padrões de serviços de proteção das infraestruturas e fraca governança e conformidade de padrões constituem outras importantes causas de preocupação para os utilizadores. Devido à confusão e ausência de SLAs acordados de modo universal para um modelo de serviço, diferente qualidade de serviços está a ser fornecida através da nuvem, pela indústria da computação em nuvem. Atualmente, não há desempenho uniforme nem um modelo acordado por todas as partes interessadas; que pode fornecer critérios de desempenho para medir, avaliar e comparar o nível de serviços oferecidos por diversos fornecedores de computação em nuvem na indústria. Com a implementação do Regulamento Geral de Protecção de Dados (RGPD) e a procura da nuvem com base no impacto ambiental (Green SLAs), são acrescentadas precupações adicionais e existem sérias implicações para os forncedores de computação em nuvem e para os seus consumidores, também devido à falta de uniformidade na multiplicidade de SLAs e padrões de serviço oferecidos. A presente pesquisa examina as fraquezas em acordos de nível de serviço oferecidos por fornecedores de computação em nuvem e estuda o impacto da ausência de um quadro de nível de serviço mínimo acordado sobre a adoção e o uso no contexto da computação em nuvem. A pesquisa está orientada para a adoção destes serviços para o caso do ensino superior e as instituições de ensino superior e propõe um modelo conceptualt com base em um modelo de serviço mínimo uniforme que funciona como referência para a indústria, para garantir a qualidade do serviço para os utilizadores da nuvem numa instituição de ensino superior de forma a eliminar as barreiras para a adoção da tecnologia de computação em nuvem. O nível de serviço mínimo proposto (MSL), fornece um conjunto mínimo de normas uniformes e na áreas das principais preocupações levantadas por responsáveis de instituições de ensino superior e que são essenciais, de modo a fornecer um referencial mínimo de qualidade, que se possa tornar um padrão uniforme em toda a indústria. O modelo proposto é uma tentativa de reduzir a barreira de adoção da tecnologia de computação em nuvem e definir normas mínimas seguidas por todos os fornecedores de computação em nuvem, independentemente do seu local de hospedagem para que os seus desempenhos possam ser medidos, avaliados e comparados em toda a indústria, para melhorar a qualidade de serviço (QoS) recebida pelos utilizadores e remova as barreiras de adoção e as preocupações dos utilizadores, bem como fomentar o aumento da concorrência em toda a indústria da computação em nuvem

EMI Security Architecture

This document describes the various architectures of the three middlewares that comprise the EMI software stack. It also outlines the common efforts in the security area that allow interoperability between these middlewares. The assessment of the EMI Security presented in this document was performed internally by members of the Security Area of the EMI project

Authentication and Identity Management for the EPOS Project

The increase in the number of online services emphasizes the value of authentication and identity management that we, even without realizing, depend on. In EPOS this authentication and identity management are also crucial, by dealing and being responsible for large amounts of heterogeneous data in multiple formats and from various providers, that can be public or private. Controlling and identify the access to this data is the key. For this purpose, it is necessary to create a system capable of authenticating, authorizing, and account the usage of these services. While services in a development phase can have authentication and authorization modules directly implemented in them, this is not an option for legacy services that cannot be modified. This thesis regards the issue of providing secure and interoperable authentication and authorization framework, associated with correct identity management and an accounting module, stating the difficulties faced and how to be addressed. These issues are approached by implementing the proposed methods in one of the GNSS Data and Products TCS services, that will serve as a study case. While authentication mechanisms have improved constantly over the years, with the addition of multiple authentication factors, there is still not a clear and defined way of how authentication should be done. New security threats are always showing up, and authentication systems need to adapt and improve while maintaining a balance between security and usability. Our goal is, therefore, to propose a system that can provide a good user experience allied to security, which can be used in the TCS services or other web services facing similar problems.A importância da autenticação e gestão de identidades, de que dependemos inconscientemente, aumenta com o crescimento do número de serviços online ao nosso dispor. No EPOS, devido à disponibilização e gestão de dados heterogéneos de várias entidades, que podem ser públicas ou privadas, a existência de um sistema de autenticação e gestão de identidades é também crucial, em que o controlo e identificação do acesso a estes dados é a chave. Numa fase de desenvolvimento dos serviços, estes módulos de autenticação e autorização podem ser diretamente implementados e é possível existir uma adaptação do software aos mesmos. No entanto, há serviços já existentes, cujas alterações implicam mudanças de grande escala e uma reformulação de todo o sistema, e como tal não é exequível fazer alterações diretas aos mesmos. Esta dissertação aborda o desenvolvimento de um sistema de autenticação e autorização seguro e interoperável, associado a uma correta gestão de identidades e um módulo de controlo, identificando os problemas encontrados e propondo soluções para os mesmos. Este desenvolvimento é aplicado num dos serviços do TCS GNSS Data and Products e servirá como caso de estudo. Embora os mecanismos de autenticação tenham melhorado continuamente ao longo dos anos, com a adição de vários fatores de autenticação, ainda não existe um método único e claro de como a autenticação deve ser feita. Novas ameaças estão sempre a surgir e os sistemas atuais precisam de se adaptar e melhorar, mantendo um equilíbrio entre segurança e usabilidade. O nosso objetivo é propor um sistema que possa aliar a segurança a uma boa experiência para o utilizador, e que possa ser utilizado não só nos serviços do TCS, mas também em outros serviços web que enfrentem problemas semelhantes

Context-aware multi-factor authentication

Trabalho apresentado no âmbito do Mestrado em Engenharia Informática, como requisito parcial para obtenção do grau de Mestre em Engenharia InformáticaAuthentication systems, as available today, are inappropriate for the requirements of ubiquitous, heterogeneous and large scale distributed systems. Some important limitations are: (i) the use of weak or rigid authentication factors as principal’s identity proofs, (ii) non flexibility to combine different authentication modes for dynamic and context-aware interaction criteria, (iii) not being extensible models to integrate new or emergent pervasive authentication factors and (iv) difficulty to manage the coexistence of multi-factor authentication proofs in a unified single sign-on solution. The objective of this dissertation is the design, implementation and experimental evaluation of a platform supporting multi-factor authentication services, as a contribution to overcome the above limitations. The devised platform will provide a uniform and flexible authentication base for multi-factor authentication requirements and context-aware authentication modes for ubiquitous applications and services. The main contribution is focused on the design and implementation of an extensible authentication framework model, integrating classic as well as new pervasive authentication factors that can be composed for different context-aware dynamic requirements. Flexibility criteria are addressed by the establishment of a unified authentication back-end, supporting authentication modes as defined processes and rules expressed in a SAML based declarative markup language. The authentication base supports an extended single sign-on system that can be dynamically tailored for multi-factor authentication policies, considering large scale distributed applications and according with ubiquitous interaction needs

MSL Framework: (Minimum Service Level Framework) for Cloud Providers and Users

Cloud Computing ensures parallel computing and emerged as an efficient technology to meet the challenges of rapid growth of data that we experienced in this Internet age. Cloud computing is an emerging technology that offers subscription based services, and provide different models such as IaaS, PaaS and SaaS among other models to cater the needs of different user groups. The technology has enormous benefits but there are serious concerns and challenges related to lack of uniform standards or nonexistence of minimum benchmark for level of services offered across the industry to provide an effective, uniform and reliable service to the cloud users. As the cloud computing is gaining popularity, organizations and users are having problems to adopt the service ue to lack of minimum service level framework which can act as a benchmark in the selection of the cloud provider and provide quality of service according to the user’s expectations. The situation becomes more critical due to distributed nature of the service provider which can be offering service from any part of the world. Due to lack of minimum service level framework that will act as a benchmark to provide a uniform service across the industry there are serious concerns raised recently interms of security and data privacy breaches, authentication and authorization issues, lack of third party audit and identity management problems, integrity, confidentiality and variable data availability standards, no uniform incident response and monitoring standards, interoperability and lack of portability standards, identity management issues, lack of infrastructure protection services standards and weak governance and compliance standards are major cause of concerns for cloud users. Due to confusion and absence of universal agreed SLAs for a service model, different quality of services is being provided across the cloud industry. Currently there is no uniform performance model agreed by all stakeholders; which can provide performance criteria to measure, evaluate, and benchmark the level of services offered by various cloud providers in the industry. With the implementation of General Data Protection Regulation (GDPR) and demand from cloud users to have Green SLAs that provides better resource allocations mechanism, there will be serious implications for the cloud providers and its consumers due to lack of uniformity in SLAs and variable standards of service offered by various cloud providers. This research examines weaknesses in service level agreements offered by various cloud providers and impact due to absence of uniform agreed minimum service level framework on the adoption and usage of cloud service. The research is focused around higher education case study and proposes a conceptual model based on uniform minimum service model that acts as benchmark for the industry to ensure quality of service to the cloud users in the higher education institution and remove the barriers to the adoption of cloud technology. The proposed Minimum Service Level (MSL) framework, provides a set of minimum and uniform standards in the key concern areas raised by the participants of HE institution which are essential to the cloud users and provide a minimum quality benchmark that becomes a uniform standard across the industry. The proposed model produces a cloud computing implementation evaluation criteria which is an attempt to reduce the adoption barrier of the cloud technology and set minimum uniform standards followed by all the cloud providers regardless of their hosting location so that their performance can be measured, evaluated and compared across the industry to improve the overall QoS (Quality of Service) received by the cloud users, remove the adoption barriers and concerns of the cloud users and increase the competition across the cloud industry.A computação em nuvem proporciona a computação paralela e emergiu como uma tecnologia eficiente para enfrentar os desafios do crescimento rápido de dados que vivemos na era da Internet. A computação em nuvem é uma tecnologia emergente que oferece serviços baseados em assinatura e oferece diferentes modelos como IaaS, PaaS e SaaS, entre outros modelos para atender as necessidades de diferentes grupos de utilizadores. A tecnologia tem enormes benefícios, mas subsistem sérias preocupações e desafios relacionados com a falta de normas uniformes ou inexistência de um referencial mínimo para o nível de serviços oferecidos, na indústria, para proporcionar uma oferta eficaz, uniforme e confiável para os utilizadores da nuvem. Como a computação em nuvem está a ganhar popularidade, tanto organizações como utilizadores estão enfrentando problemas para adotar o serviço devido à falta de enquadramento de nível de serviço mínimo que possa agir como um ponto de referência na seleção de provedor da nuvem e fornecer a qualidade dos serviços de acordo com as expectativas do utilizador. A situação torna-se mais crítica, devido à natureza distribuída do prestador de serviço, que pode ser oriundo de qualquer parte do mundo. Devido à falta de enquadramento de nível de serviço mínimo que irá agir como um benchmark para fornecer um serviço uniforme em toda a indústria, existem sérias preocupações levantadas recentemente em termos de violações de segurança e privacidade de dados, autenticação e autorização, falta de questões de auditoria de terceiros e problemas de gestão de identidade, integridade, confidencialidade e disponibilidade de dados, falta de uniformidade de normas, a não resposta a incidentes e o monitoramento de padrões, a interoperabilidade e a falta de padrões de portabilidade, questões relacionadas com a gestão de identidade, falta de padrões de serviços de proteção das infraestruturas e fraca governança e conformidade de padrões constituem outras importantes causas de preocupação para os utilizadores. Devido à confusão e ausência de SLAs acordados de modo universal para um modelo de serviço, diferente qualidade de serviços está a ser fornecida através da nuvem, pela indústria da computação em nuvem. Atualmente, não há desempenho uniforme nem um modelo acordado por todas as partes interessadas; que pode fornecer critérios de desempenho para medir, avaliar e comparar o nível de serviços oferecidos por diversos fornecedores de computação em nuvem na indústria. Com a implementação do Regulamento Geral de Protecção de Dados (RGPD) e a procura da nuvem com base no impacto ambiental (Green SLAs), são acrescentadas precupações adicionais e existem sérias implicações para os forncedores de computação em nuvem e para os seus consumidores, também devido à falta de uniformidade na multiplicidade de SLAs e padrões de serviço oferecidos. A presente pesquisa examina as fraquezas em acordos de nível de serviço oferecidos por fornecedores de computação em nuvem e estuda o impacto da ausência de um quadro de nível de serviço mínimo acordado sobre a adoção e o uso no contexto da computação em nuvem. A pesquisa está orientada para a adoção destes serviços para o caso do ensino superior e as instituições de ensino superior e propõe um modelo conceptualt com base em um modelo de serviço mínimo uniforme que funciona como referência para a indústria, para garantir a qualidade do serviço para os utilizadores da nuvem numa instituição de ensino superior de forma a eliminar as barreiras para a adoção da tecnologia de computação em nuvem. O nível de serviço mínimo proposto (MSL), fornece um conjunto mínimo de normas uniformes e na áreas das principais preocupações levantadas por responsáveis de instituições de ensino superior e que são essenciais, de modo a fornecer um referencial mínimo de qualidade, que se possa tornar um padrão uniforme em toda a indústria. O modelo proposto é uma tentativa de reduzir a barreira de adoção da tecnologia de computação em nuvem e definir normas mínimas seguidas por todos os fornecedores de computação em nuvem, independentemente do seu local de hospedagem para que os seus desempenhos possam ser medidos, avaliados e comparados em toda a indústria, para melhorar a qualidade de serviço (QoS) recebida pelos utilizadores e remova as barreiras de adoção e as preocupações dos utilizadores, bem como fomentar o aumento da concorrência em toda a indústria da computação em nuvem

Contributions to the privacy provisioning for federated identity management platforms

Identity information, personal data and user’s profiles are key assets for organizations and companies by becoming the use of identity management (IdM) infrastructures a prerequisite for most companies, since IdM systems allow them to perform their business transactions by sharing information and customizing services for several purposes in more efficient and effective ways. Due to the importance of the identity management paradigm, a lot of work has been done so far resulting in a set of standards and specifications. According to them, under the umbrella of the IdM paradigm a person’s digital identity can be shared, linked and reused across different domains by allowing users simple session management, etc. In this way, users’ information is widely collected and distributed to offer new added value services and to enhance availability. Whereas these new services have a positive impact on users’ life, they also bring privacy problems. To manage users’ personal data, while protecting their privacy, IdM systems are the ideal target where to deploy privacy solutions, since they handle users’ attribute exchange. Nevertheless, current IdM models and specifications do not sufficiently address comprehensive privacy mechanisms or guidelines, which enable users to better control over the use, divulging and revocation of their online identities. These are essential aspects, specially in sensitive environments where incorrect and unsecured management of user’s data may lead to attacks, privacy breaches, identity misuse or frauds. Nowadays there are several approaches to IdM that have benefits and shortcomings, from the privacy perspective. In this thesis, the main goal is contributing to the privacy provisioning for federated identity management platforms. And for this purpose, we propose a generic architecture that extends current federation IdM systems. We have mainly focused our contributions on health care environments, given their particularly sensitive nature. The two main pillars of the proposed architecture, are the introduction of a selective privacy-enhanced user profile management model and flexibility in revocation consent by incorporating an event-based hybrid IdM approach, which enables to replace time constraints and explicit revocation by activating and deactivating authorization rights according to events. The combination of both models enables to deal with both online and offline scenarios, as well as to empower the user role, by letting her to bring together identity information from different sources. Regarding user’s consent revocation, we propose an implicit revocation consent mechanism based on events, that empowers a new concept, the sleepyhead credentials, which is issued only once and would be used any time. Moreover, we integrate this concept in IdM systems supporting a delegation protocol and we contribute with the definition of mathematical model to determine event arrivals to the IdM system and how they are managed to the corresponding entities, as well as its integration with the most widely deployed specification, i.e., Security Assertion Markup Language (SAML). In regard to user profile management, we define a privacy-awareness user profile management model to provide efficient selective information disclosure. With this contribution a service provider would be able to accesses the specific personal information without being able to inspect any other details and keeping user control of her data by controlling who can access. The structure that we consider for the user profile storage is based on extensions of Merkle trees allowing for hash combining that would minimize the need of individual verification of elements along a path. An algorithm for sorting the tree as we envision frequently accessed attributes to be closer to the root (minimizing the access’ time) is also provided. Formal validation of the above mentioned ideas has been carried out through simulations and the development of prototypes. Besides, dissemination activities were performed in projects, journals and conferences.Programa Oficial de Doctorado en Ingeniería TelemáticaPresidente: María Celeste Campo Vázquez.- Secretario: María Francisca Hinarejos Campos.- Vocal: Óscar Esparza Martí

Participant Domain Name Token Profile for security enhancements supporting service oriented architecture

This research proposes a new secure token profile for improving the existing Web Services security standards. It provides a new authentication mechanism. This additional level of security is important for the Service-Oriented Architecture (SOA), which is an architectural style that uses a set of principles and design rules to shape interacting applications and maintain interoperability. Currently, the market push is towards SOA, which provides several advantages, for instance: integration with heterogeneous systems, services reuse, standardization of data exchange, etc. Web Services is one of the technologies to implement SOA and it can be implemented using Simple Object Access Protocol (SOAP). A SOAP-based Web Service relies on XML for its message format and common application layer protocols for message negotiation and transmission. However, it is a security challenge when a message is transmitted over the network, especially on the Internet. The Organization for Advancement of Structured Information Standards (OASIS) announced a set of Web Services Security standards that focus on two major areas. “Who” can use the Web Service and “What” are the permissions. However, the location or domain of the message sender is not authenticated. Therefore, a new secure token profile called: Participant Domain Name Token Profile (PDNT) is created to tackle this issue. The PDNT provides a new security feature, which the existing token profiles do not address. Location-based authentication is achieved if adopting the PDNT when using Web Services. In the performance evaluation, PDNT is demonstrated to be significantly faster than other secure token profiles. The processing overhead of using the PDNT with other secure token profiles is very small given the additional security provided. Therefore all the participants can acquire the benefits of increased security and performance at low cost