23 research outputs found

    Privacy considerations for secure identification in social wireless networks

    This thesis focuses on privacy aspects of identification and key exchange schemes for mobile social networks. In particular, we consider identification schemes that combine wide-area mobile communication with short-range communication such as Bluetooth or WiFi. The goal of the thesis is to identify possible security threats to users' personal information and to define a framework of security and privacy requirements in the context of mobile social networking. The main focus of the work is on security in closed groups and on the procedures for secure registration, identification and invitation of users in mobile social networks. The thesis includes an evaluation of the proposed identification and key exchange schemes and proposes a series of modifications that augment their privacy-preserving capabilities. The resulting design provides secure and effective identity management in the context of, and with respect to, the protection of user identity privacy in mobile social networks.

    Flexible Single Sign-On for SIP: Bridging the Identity Chasm

    Identity federation is a key requirement for today's distributed services. This technology allows managed sharing of users' identity information between identity providers (IdP) and, subsequently, the use of federated identities to access service providers (SP). Single Sign-On (SSO) is a core feature provided by these systems. The Session Initiation Protocol (SIP) is a signaling framework for session call control. It is becoming a widely accepted layer for applications and services, especially in the telecommunications and multimedia domain. In this paper, we explore solutions for incorporating the SSO process into the SIP framework in order to simplify access to services and resources. Our design leverages the Liberty Alliance specifications and extends the existing SIP standards to support SSO functionality. We also present a prototype implementation at the end of this paper.

    Network service federated identity (NS-FId) protocol for service authorization in 5G network

    The fifth generation mobile network (5G) will make network services available anywhere from multiple Service Providers (SP), and their provisioning raises security concerns. Users will require seamless connectivity and secure access to these services. A Mobile Network Operator (MNO) will want to provide services to users and be able to share infrastructure resources with other MNOs. This requires robust authentication and authorization mechanisms that can provide secure access and provisioning of services to multiple users and providers in a heterogeneous network. Therefore, Federated Identity (FId) with Single Sign-On (SSO) could be used for seamless access and provisioning of network services in 5G. We propose the Network Service Federated Identity (NS-FId) protocol, a federated protocol that provides secure access to services from multiple SPs and provides SSO to users. We formally verify and analyse the proposed NS-FId protocol using ProVerif. We also conduct a security analysis of the protocol's security properties.

    Security and performance of next-generation networks

    The IMS (IP Multimedia Subsystem) is the key control architecture for next-generation networks (NGN: Next Generation Network). IMS offers network operators the possibility of extending their services by integrating voice and multimedia communications and delivering them in new environments with new objectives. Securing it fully, but at minimal cost, is therefore paramount, and authentication above all. In IMS, authentication is divided into two phases: one at the PS (Packet-Switched) domain level with the 3GPP-AKA protocol, and the other at the IMS level using the IMS-AKA protocol. In our first contribution, we propose a new authentication protocol that is more secure than the one used in IMS (IMS-AKA) and more efficient in terms of bandwidth usage and processing time. Our analysis method relies on quantifying the signalling induced by IMS authentication. The quantification is carried out through real experiments. Based on the results obtained, we can confirm that our protocol (1) saves at least 21.5% of SIP/Cx traffic compared to IMS-AKA, (2) reduces bandwidth consumption by 27% compared to IMS-AKA, and (3) resists attacks against the confidentiality and integrity of data during an IMS registration (validated by AVISPA). In our second contribution, we presented a new user-centred service provisioning model for IMS, named virtual walled-garden. This service provisioning model offers users more freedom to use the services of any content provider according to their needs and preferences. In this way all three parties (user, service providers and IMS operator) are satisfied.
Users will have access to a wider range of services supported by IMS; service providers can deploy a wide range of IMS/SIP services without any investment in implementing or maintaining an IMS core network; and for operators this approach constitutes a new form of business partnership with service providers. The virtual walled-garden model is based on multi-level identity federation in order to take several security levels into account according to the criticality of the applications requested. ABSTRACT: The IMS (IP Multimedia Subsystem) architecture is the key control element for next-generation networks (NGN). IMS gives network operators the opportunity to extend their services, including voice and multimedia communications, and to deliver them in new environments with new goals. Its security is paramount, especially authentication. In IMS, authentication is divided into two phases: one at the PS (Packet-Switched) domain level with the 3GPP-AKA protocol, and a second at the IMS level using the IMS-AKA protocol. In our first contribution, we propose a new IMS authentication mechanism that improves on IMS-AKA in terms of security and is more efficient in its use of bandwidth and processing time. Based on the results obtained, we can confirm that our protocol saves at least 21.5% of SIP/Cx traffic compared to IMS-AKA and resists attacks against the confidentiality and integrity of data in an IMS registration (validated by AVISPA). In our second contribution, we propose a new service provisioning model: Virtual Walled-Garden. This new model allows the user to access all applications, even external ones, transparently, simulating a walled-garden environment. This model creates a trust link between the IMS domain and external services, and reduces the burden on both end users and SPs through a Single Sign-On (SSO) feature using identity federation.
We also introduce the notion of security level to classify the SPs in a multi-level model.

    Authentication and key agreement on the application layer in the Web of Things environment

    Bringing hypertext-like content to the devices around us cost-effectively in Web of Things (WoT) environments requires resource-efficient solutions. To ease resource problems, the Constrained Application Protocol (CoAP), a transfer protocol optimised for resource-constrained devices, has been developed. CoAP is based on the RESTful architecture, which was developed from the architecture of the Hypertext Transfer Protocol (HTTP). The shared architectural basis makes it possible to transfer data between these protocols through a gateway. Data transfer between HTTP and CoAP is necessary for WoT environments to become widespread, because most web server operation is based on HTTP. However, there is no implementation of an application-layer gateway that would allow a CoAP client to contact an HTTP server securely. This thesis presents the aforementioned protocols and describes their means of providing security and their suitability for operating through a gateway. The aim of the work is to implement secure authentication and data transfer from client to server and back through the gateway. The boundary conditions are the simplicity required by resource-constrained devices and remaining at the application layer of the layered models. The thesis examines the suitability of JavaScript Object Notation (JSON), and of the JSON Web Token (JWT) representation developed to secure it, for the needs identified above. Authentication is implemented using the Generic Authentication Architecture (GAA) of the 3rd Generation Partnership Project (3GPP), whereby keys are obtained from the SIM operator using the AKA-Digest authentication method, which is based on HTTP Digest authentication. To verify the feasibility of the design and to observe future problems, a demonstration was implemented using the chosen technologies, consisting of a CoAP client, a gateway and an HTTP server. The implementations were written in Java, aiming to use existing software libraries where possible.
The problems encountered during implementation came from Digest authentication software, scattered documentation and the incompleteness of new software libraries. Software implementing Digest authentication behaved in non-standard ways. The 3GPP documents were aimed at organisations and were therefore hard to follow for an individual reader. The demonstration implementation was found to work in WoT environments. During implementation and testing, various ideas emerged on the basis of which the implementation can be further developed for real environments.

    Internet Authentication for Remote Access

    It is expected that future IP devices will employ a variety of different network access technologies to gain ubiquitous connectivity. Currently there are no authentication protocols available that are lightweight, can be carried over arbitrary access networks, and are flexible enough to be re-used in the many different contexts that are likely to arise in future Internet remote access. Furthermore, existing access procedures need to be enhanced to offer protection against Denial-of-Service (DoS) attacks, and they do not provide non-repudiation. In addition to being limited to specific access media, some of these protocols are limited to specific network topologies and are not scalable. This thesis reviews the authentication infrastructure challenges for future Internet remote access supporting ubiquitous client mobility, and proposes a series of solutions obtained by adapting and reinforcing security techniques arising from a variety of different sources. The focus is on entity authentication protocols that can be carried both by the IETF PANA authentication carrier and by the EAP mechanisms, possibly making use of an AAA infrastructure. The core idea is to adapt authentication protocols arising from the mobile telecommunications sphere to Internet remote access. A proposal is also given for Internet access using a public-key-based authentication protocol. The subsequent security analysis of the proposed authentication protocols covers a variety of aspects, including key freshness, DoS resistance and "false-entity-in-the-middle" attacks, in addition to the identity privacy of users accessing the Internet via mobile devices.
This work aims primarily at contributing to ongoing research on the authentication infrastructure for the Internet remote access environment, and at reviewing and adapting authentication solutions implemented in other spheres, for instance in mobile telecommunications systems, for use in Internet remote access networks supporting ubiquitous mobility.

    OpenID with certificate-based user authentication on smartcard

    Ankara: The Department of Computer Engineering and the Graduate School of Engineering and Science of Bilkent University, 2013. Thesis (Master's) -- Bilkent University, 2013. Includes bibliographical references (leaves 52-57). From the point of view of its users, federated identity systems provide great convenience for logging in to various web sites without having to register in advance. Seen from a higher vantage point, federated identity management gives the users of one IT system the opportunity to access the data and resources of another IT system seamlessly and securely without handling a complete user administration. Single sign-on mechanisms manage the user authentication process of these systems, prompting for login once and ensuring access control across multiple independent systems. OpenID is a widely used federated identity/single sign-on scheme, generally implemented with username-password authentication. In this work, we augment the user authentication phase of OpenID with certificate-based authentication using smartcard technology. Our solution provides a secure method to authenticate the user with the user's digital certificate stored on the smartcard. Kişin, Bahar Berna, M.S.

    A prototype and demonstrator of Akogrimo’s architecture: An approach of merging grids, SOA, and the mobile Internet

    The trend of merging telecommunication infrastructures with traditional Information Technology (IT) infrastructures is ongoing and important for commercial service providers. The driver behind this development is, on the one hand, the strong need for enhanced services and, on the other hand, the aim of telecommunication operators to provide value-added services to a wide variety of customers. In the telecommunications sector, the IP Multimedia Subsystem (IMS) is a promising service platform which may become a "standard" for supporting value-added services on top of the next-generation network infrastructure. However, since its range of applicability is bound to SIP-enabled services, IMS extensions are being proposed by "SIPifying" applications. In parallel to these developments, within the traditional IT sector the notion of Virtual Organizations (VO), enabling collaborative business across organizational boundaries, is addressed in the framework of Web Services (WS) standards implementing a Service-oriented Architecture (SOA). Here, concepts for controlled resource and service sharing based on WS and Semantic Technologies have been consolidated. Since the telecommunications sector has in the meantime become "mobile", all concepts brought into this infrastructure must cope with the dynamics that mobility brings. Therefore, within the Akogrimo project the VO concept has been extended towards a Mobile Dynamic Virtual Organization (MDVO) concept, additionally considering the key requirements of mobile users and resources. Special attention is given to ensuring that the SOA and IMS approaches are merged on equal terms, so as to holistically support SOA-enabled mobile value-added services and their users.
This work describes the major results of the Akogrimo project, paying special attention to the overall Akogrimo architecture, the prototype implemented, and the key scenario in which the instantiated Akogrimo architecture gives a very clear picture of applicability and use, together with an additional functional evaluation.