A Secure Token-Based Communication for Authentication and Authorization Servers
  • Keywords: OpenID ; OAuth2.0 ; Security ; Authentication ; Authorization ; Token ; Encryption
  • Journal: Lecture Notes in Computer Science
  • Publication year: 2016
  • Publication date: 2016
  • Year: 2016
  • Volume: 10018
  • Issue: 1
  • Pages: 237-250
  • Full-text size: 1,004 KB
  • Author affiliations:
    Jan Kubovy (20)
    Christian Huber (19)
    Markus Jäger (19)
    Josef Küng (19)

    20. Informations- u. Prozesstechnik, Anwendungen, Eigenentwicklungen, Stadtwerke München GmbH, München, Germany
    19. Institute for Application Oriented Knowledge Processing (FAW), Faculty of Engineering and Natural Sciences (TNF), Johannes Kepler University (JKU), Linz, Austria
  • Series: Future Data and Security Engineering
  • ISBN: 978-3-319-48057-2
  • Category: Computer Science
  • Subjects: Artificial Intelligence and Robotics
    Computer Communication Networks
    Software Engineering
    Data Encryption
    Database Management
    Computation by Abstract Devices
    Algorithm Analysis and Problem Complexity
  • Publisher: Springer Berlin / Heidelberg
  • ISSN: 1611-3349
  • Volume order: 10018
Abstract
Today, software projects often have several independent subsystems which provide resources to clients. To protect all subsystems from unauthorized access, the mechanisms proposed in the OAuth2.0 framework and the OpenID standard are often used. The communication between the servers, described in the OAuth2.0 framework, must be encrypted. Usually, this is achieved using Transport Layer Security (TLS), but administrators can forget to activate this protocol in the server configuration. This makes the whole system vulnerable. Neither the developer nor the user of the system is able to check whether the communication between servers is safe. This paper presents a way to ensure secure communication between authentication, authorization, and resource servers without relying on a correct server configuration. For this purpose, this paper introduces an additional encryption of the transmitted tokens to secure the transmission independently of the server configuration. Further, this paper introduces the Central Authentication & Authorization System (CAAS), an implementation of the OpenID standard and the OAuth2.0 framework that uses the token encryption presented in this paper.