Scalable Access Control For Web Services - PowerPoint PPT Presentation

Slides: 20
Provided by: gayatrisw
Transcript and Presenter's Notes

1
Scalable Access Control For Web Services
  • Gayatri Swamynathan
  • UC Santa Barbara

Tyler Close, Sujata Banerjee, Rick McGeer (HP Labs, Palo Alto)
Ben Zhao, Kevin Almeroth (UC Santa Barbara)
2
Controlling User Access to Web Services
  • Authentication
  • Are you who you claim to be?
  • Passwords, Digital certificates
  • Authorization
  • Do you have access to the resource?
  • Read, Write-only
  • Accountability
  • What did you do? When did you do it?
  • Keeping track of a user's service usage

3
Traditional Access Control Approaches
  • Access control lists
  • Prevent access to illegal requests
  • Simple and easy
  • But
  • Huge maintenance/synchronization overheads
  • Poor response times
  • Passwords make authority difficult to protect
  • Poor flexibility (delegation, revocation)

4
Traditional Access Control Approaches
  • Capability
  • Prevent users from presenting illegal requests
  • Resources are no longer guessable
  • Possession of a capability verifies identity and
    authority
  • Principle of least privilege
  • But
  • Non-traditional alternative
  • New skill to develop
  • Vulnerability to capability theft
  • Authorization-based Access Control (ABAC) URL
    Rewriter

5
An Ideal Access Control Solution
  • Decentralized
  • Efficient
  • Lightweight
  • Scalable and Extensible
  • Flexible
  • Resistant to Attacks

6
The S3 Web Service
  • Real-time monitoring and management of large
    networked systems
  • Third-party measurements between any two end
    hosts using URLs

http://grouse.hpl.hp.com:46000/cgi-bin/csi.cgi?COMMAND=PING&DEST=planetlab1.ucsd.edu&COUNT=5&INTERVAL=0.2
7
The S3 Web Service
[Diagram labels: HTTP CLIENT; S3 SERVICE (shown twice); ping; Measurement Request; Measurement Response; grouse.hpl.hp.com:46000; planetlab1.ucsd.edu]

http://grouse.hpl.hp.com:46000/cgi-bin/csi.cgi?COMMAND=PING&DEST=planetlab1.ucsd.edu&COUNT=5&INTERVAL=0.2
8
(No Transcript)
9
Vulnerabilities of S3
  • Easily guessable URL syntax
  • Easily modifiable parameters
  • Rate control difficult
  • Preventing DOS attacks
  • Controlling user access is a critical issue

http://grouse.hpl.hp.com:46000/cgi-bin/csi.cgi?COMMAND=PING&DEST=planetlab1.ucsd.edu&COUNT=5&INTERVAL=0.2
10
ABAC Server Identity Certificates
[Diagram labels: Identity Certificate Authority; Master private key pair, Master certificate; ADMIN SERVER; Server private key pair, Server certificate; Measurement Server ...]
11
ABAC Client Identity Certificates
[Diagram labels: Identity Certificate Authority; Master private key pair, Master certificate; ADMIN SERVER; Client private key pair, Client certificate; CLIENT, CLIENT, ...; S3 Client]
12
ABAC Client Capability Certificates
[Diagram labels: Capability Certificate Authority; Master private key pair, Master certificate; ADMIN SERVER; Capability certificate (PING); CLIENT, CLIENT, ...]
  • A capability certificate encapsulates the policy
    specification for the user (command, number of
    accesses)

13
Sample Capability Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=Palo Alto, O=HP Labs, OU=MMSL, CN=CAP Certificate Master
        Validity
            Not Before: Aug 17 00:08:01 2006 GMT
            Not After : Aug 17 00:08:01 2007 GMT
        Subject: C=US, ST=CA, L=Santa Barbara, O=UCSB, OU=NMSL, CN=ping
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:d9:fc:0f:4f:35:8d:f4:a4:24:77:7c
                    02:94
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        91:00:3d:4f:9a:09:5d
        f3:ee:58:04:96:37:27:83:59:a4:db
-----BEGIN CERTIFICATE-----
MIIDSDCCArGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBwyQswCQYDVQQGEwJVUzEL
-----END CERTIFICATE-----
14
The New HTTPS Implementation
[Diagram labels: HTTP CLIENT; HTTPS Measurement Request; ABAC Wrapper; S3 SERVICE; ping; Response]

https://grouse.hpl.hp.com:46000/cgi-bin/csi.cgi?COMMAND=PING&DEST=planetlab1.ucsd.edu&COUNT=5&INTERVAL=0.2&CAPABILITY=MIIDSDCCAr
15
Secure S3 Algorithm
  • Create SSL session: verify authenticity of client
    and server certificate
  • If not verified, then Quit
  • Parse QUERY_STRING to extract service parameters
  • Verify CAPABILITY signature
  • If not verified, then Quit
  • Compare public_keys
  • If not equal, then Quit
  • Extract common name (CN)
  • Verify CN = SERVICE COMMAND (from QUERY_STRING)
  • If not equal, then Quit
  • Send request to S3 measurement server
  • Log KEY activity (type of request, parameters,
    etc)
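
The wrapper checks listed above, as an added example (not code from the presentation or from S3). Assumptions: an HMAC over a small JSON body stands in for the capability CA's RSA signature over an X.509 certificate so that the example runs on the standard library alone, "Compare public_keys" is read as comparing the key bound into the capability with the key of the SSL-authenticated client, and `issue_capability`, `check_request` and the sample keys are hypothetical names.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

CA_KEY = b"constructed-capability-ca-key"      # stand-in for the CA signing key
ALICE = b"constructed-alice-public-key"        # constructed sample client keys
MALLORY = b"constructed-mallory-public-key"

def fingerprint(pubkey):
    return hashlib.sha256(pubkey).hexdigest()

def issue_capability(cn, client_pubkey):
    """Admin-server side (hypothetical helper): bind a command name to one client key."""
    body = json.dumps({"cn": cn, "key": fingerprint(client_pubkey)}).encode()
    sig = hmac.new(CA_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig + body).decode()

def check_request(query_string, tls_client_pubkey, log):
    """Wrapper side, run after the SSL session has authenticated both ends.
    tls_client_pubkey is the key from the client's identity certificate."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    try:
        raw = base64.urlsafe_b64decode(params["CAPABILITY"])
    except (KeyError, ValueError):
        return False, "missing or malformed CAPABILITY"
    sig, body = raw[:32], raw[32:]
    # Verify the CAPABILITY signature before trusting any field inside it.
    if not hmac.compare_digest(sig, hmac.new(CA_KEY, body, hashlib.sha256).digest()):
        return False, "capability signature invalid"
    cap = json.loads(body)
    # Compare public keys: a capability copied by another client fails here.
    if not hmac.compare_digest(cap["key"], fingerprint(tls_client_pubkey)):
        return False, "capability not issued to this client"
    # CN must match COMMAND; case-insensitive because the sample has CN=ping, COMMAND=PING.
    command = params.get("COMMAND", "")
    if cap["cn"].lower() != command.lower():
        return False, "capability does not cover this command"
    log.append((cap["key"][:16], command, params.get("DEST")))  # log key activity
    return True, "forward to S3 measurement server"

if __name__ == "__main__":
    cap = issue_capability("ping", ALICE)
    qs = "COMMAND=PING&DEST=planetlab1.ucsd.edu&COUNT=5&INTERVAL=0.2&CAPABILITY=" + cap
    log = []
    print(check_request(qs, ALICE, log))      # legitimate holder
    print(check_request(qs, MALLORY, log))    # stolen capability
    print(check_request(qs.replace("COMMAND=PING", "COMMAND=TRACEROUTE"), ALICE, log))
    print(log)
```

Only the first request reaches the measurement server and the log; the other two stop at the public-key and CN checks respectively.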

16
Salient Features S3 Access Control
  • Resistance to attacks
  • Unauthorized users
  • Unauthorized services
  • Theft of capability
  • Service usage abuse
  • Decentralized access control
  • Lightweight and scalable
  • New services and new users
  • Negligible run-time overhead
  • Use of standard libraries and tools

17
Secure S3 Performance
18
Conclusions
  • Pluggable security wrapper for any web service

[Diagram labels: CLIENT; Secure Request; Security Wrapper; Response]
19
Future Work
  • Capability revocation
  • Periodic renewal of capability certificates
  • Time granularity of activity log processing