Issue No.01 - Jan.-March (2012 vol.5)
pp: 20-32
Jie Xu , University of Leeds, Leeds
Dacheng Zhang , Huawei Technology, Beijing
Lu Liu , Middlesex University, London
Xianxian Li , Beihang University, Beijing
Modern distributed applications embed an increasing degree of dynamism, from dynamic supply-chain management, enterprise federations, and virtual collaborations to dynamic resource acquisition and service interactions across organizations. Such dynamism leads to new challenges in security and dependability. Collaborating services in a system with a Service-Oriented Architecture (SOA) may belong to different security realms but often need to be engaged dynamically at runtime. If their security realms have no direct cross-realm authentication relationship, it is technically difficult to enable any secure collaboration between the services. A potential solution is to locate intermediate realms at runtime that serve as an authentication path between the two separate realms. However, generating an authentication path for two distributed services can be highly complicated: it may involve a large number of extra operations for credential conversion and require a long chain of invocations to intermediate services. In this paper, we address this problem by designing and implementing a new cross-realm authentication protocol for dynamic service interactions, based on the notion of service-oriented multiparty business sessions. Our protocol requires neither credential conversion nor the establishment of any authentication path between the participating services in a business session. The correctness of the protocol is formally analyzed and proven, and an empirical study is performed using two production-quality Grid systems, Globus 4 and CROWN. The experimental results indicate that the proposed protocol and its implementation have a sound level of scalability and impose only a limited degree of performance overhead, comparable, for example, with the security-related overheads already present in Globus 4.
Keywords: Authentication, interorganizational security, multiparty interactions, service-oriented architecture, web services.
Jie Xu, Dacheng Zhang, Lu Liu, Xianxian Li, "Dynamic Authentication for Cross-Realm SOA-Based Business Processes", IEEE Transactions on Services Computing, vol.5, no. 1, pp. 20-32, Jan.-March 2012, doi:10.1109/TSC.2010.33