276 research outputs found
GridCertLib: a Single Sign-on Solution for Grid Web Applications and Portals
This paper describes the design and implementation of GridCertLib, a Java
library leveraging a Shibboleth-based authentication infrastructure and the
SLCS online certificate signing service, to provide short-lived X.509
certificates and Grid proxies. The main use case envisioned for GridCertLib is
to provide seamless and secure access to Grid/X.509 certificates and proxies in
web applications and portals: when a user logs in to the portal using
Shibboleth authentication, GridCertLib can automatically obtain a Grid/X.509
certificate from the SLCS service and generate a VOMS proxy from it. We give an
overview of the architecture of GridCertLib and briefly describe its
programming model. Its application to some deployment scenarios is outlined, as
well as a report on practical experience integrating GridCertLib into portals
for Bioinformatics and Computational Chemistry applications, based on the
popular P-GRADE and Django software.
Comment: 18 pages, 1 figure; final manuscript accepted for publication by the
"Journal of Grid Computing
Implementation of a single sign on solution using security assertion markup language
Internship carried out at ALERT Life Sciences Computing, S.A. and supervised by Eng. Filipe Pereira. Integrated master's thesis. Informatics and Computing Engineering. Faculdade de Engenharia. Universidade do Porto. 200
A standard-driven communication protocol for disconnected clinics in rural areas
The importance of the Electronic Health Record (EHR), which stores all healthcare-related data belonging to a patient, has been recognized in recent years by governments, institutions, and industry. Initiatives like Integrating the Healthcare Enterprise (IHE) have been developed for the definition of standard methodologies for secure and interoperable EHR exchanges among clinics and hospitals. Using the requisites specified by these initiatives, many large-scale projects have been set up to enable healthcare professionals to handle patients' EHRs. Applications deployed in these settings are often considered safety-critical, thus ensuring such security properties as confidentiality, authentication, and authorization is crucial for their success. In this paper, we propose a communication protocol, based on the IHE specifications, for authenticating healthcare professionals and assuring patients' safety in settings where no network connection is available, such as in rural areas of some developing countries. We define a specific threat model, driven by the experience of use cases covered by international projects, and prove that an intruder cannot cause damages to the safety of patients and their data by performing any of the attacks falling within this threat model. To demonstrate the feasibility and effectiveness of our protocol, we have fully implemented it
Context-aware multi-factor authentication
Work presented within the scope of the Master's in Informatics Engineering, as a partial requirement for obtaining the degree of Master in Informatics Engineering.
Authentication systems, as available today, are inappropriate for the requirements of ubiquitous,
heterogeneous and large scale distributed systems. Some important limitations are: (i)
the use of weak or rigid authentication factors as principal’s identity proofs, (ii) non flexibility
to combine different authentication modes for dynamic and context-aware interaction criteria,
(iii) not being extensible models to integrate new or emergent pervasive authentication factors
and (iv) difficulty to manage the coexistence of multi-factor authentication proofs in a unified
single sign-on solution. The objective of this dissertation is the design, implementation and
experimental evaluation of a platform supporting multi-factor authentication services, as a contribution
to overcome the above limitations. The devised platform will provide a uniform and
flexible authentication base for multi-factor authentication requirements and context-aware authentication
modes for ubiquitous applications and services. The main contribution is focused
on the design and implementation of an extensible authentication framework model, integrating
classic as well as new pervasive authentication factors that can be composed for different
context-aware dynamic requirements. Flexibility criteria are addressed by the establishment of a
unified authentication back-end, supporting authentication modes as defined processes and rules
expressed in a SAML based declarative markup language. The authentication base supports an
extended single sign-on system that can be dynamically tailored for multi-factor authentication
policies, considering large scale distributed applications and according with ubiquitous interaction
needs
GridCertLib: A Single Sign-on Solution for Grid Web Applications and Portals
This paper describes the design and implementation of GridCertLib, a Java library leveraging a Shibboleth-based authentication infrastructure and the SLCS online certificate signing service, to provide short-lived X.509 certificates and Grid proxies. The main use case envisioned for GridCertLib is to provide seamless and secure access to Grid X.509 certificates and proxies in web applications and portals: when a user logs in to the portal using SAML-based Shibboleth authentication, GridCertLib uses the SAML assertion to obtain a Grid X.509 certificate from the SLCS service and generate a VOMS proxy from it. We give an overview of the architecture of GridCertLib and briefly describe its programming model. Its application to some deployment scenarios is outlined, as well as a report on practical experience integrating GridCertLib into portals for Bioinformatics and Computational Chemistry applications, based on the popular P-GRADE and Django software
Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Single Sign-On (SSO) systems simplify login procedures by using an
Identity Provider (IdP) to issue authentication tokens which can be consumed by
Service Providers (SPs). Traditionally, IdPs are modeled as trusted third
parties. This is reasonable for SSO systems like Kerberos, MS Passport and
SAML, where each SP explicitly specifies which IdP he trusts. However, in open
systems like OpenID and OpenID Connect, each user may set up his own IdP, and a
discovery phase is added to the protocol flow. Thus it is easy for an attacker
to set up its own IdP. In this paper we use a novel approach for analyzing SSO
authentication schemes by introducing a malicious IdP. With this approach we
evaluate one of the most popular and widely deployed SSO protocols - OpenID. We
found four novel attack classes on OpenID, which were not covered by previous
research, and show their applicability to real-life implementations. As a
result, we were able to compromise 11 out of 16 existing OpenID implementations
like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks
in an open source tool OpenID Attacker, which additionally allows fine-granular
testing of all parameters in OpenID implementations. Our research helps to
better understand the message flow in the OpenID protocol, trust assumptions in
the different components of the system, and implementation issues in OpenID
components. It is applicable to other SSO systems like OpenID Connect and SAML.
All OpenID implementations have been informed about their vulnerabilities and
we supported them in fixing the issues
The Community Authorization Service: Status and Future
Virtual organizations (VOs) are communities of resource providers and users
distributed over multiple policy domains. These VOs often wish to define and
enforce consistent policies in addition to the policies of their underlying
domains. This is challenging, not only because of the problems in distributing
the policy to the domains, but also because of the fact that those domains may
each have different capabilities for enforcing the policy. The Community
Authorization Service (CAS) solves this problem by allowing resource providers
to delegate some policy authority to the VO while maintaining ultimate control
over their resources. In this paper we describe CAS and our past and current
implementations of CAS, and we discuss our plans for CAS-related research.
Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics
(CHEP03), La Jolla, Ca, USA, March 2003. 9 Pages, PD