Towards a framework of authentication and authorization patterns for ensuring availability in service composition

Securing the availability of applications and services is increasingly important for provisioning services in today's and future networks and systems. To meet user expectations, availability depends more and more on the characteristics and requirements of the services themselves and on the differing requirements of particular users. To address service availability, we treat availability as a composite notion: the ability to ensure access for authorized users only, and the property of being on hand and usable when needed. Service composition is an approach to incremental service development that contributes to rapid service design and development. This paper presents a set of authentication and authorization patterns addressing the aspect of ensuring access to authorized users only in service composition. We provide a framework and classification of these patterns, and we demonstrate how the patterns can be composed with services using a policy-driven approach.
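As an added illustration (not the paper's framework or code), the following Python sketch shows what composing authentication and authorization patterns with services under a policy table can look like: two authenticator variants (a salted-password check and a nonce-based challenge/response), a role-based authorizer, and a composer that consults a per-operation policy to select which authentication pattern must be satisfied and which roles may invoke the operation. The pattern names, the policy table shape, the users, keys and operations are all constructed assumptions for this example.

```python
# Illustrative code, not the paper's framework: the pattern names, the policy
# table shape and the service operations are assumptions for this example.
import hashlib
import hmac
import secrets


class PasswordAuthenticator:
    # Authenticator pattern, shared-secret variant: returns principal or None.
    def __init__(self, users):
        self.users = users  # name -> (salt, PBKDF2 digest)

    def authenticate(self, credentials):
        name, password = credentials.get("user"), credentials.get("password")
        record = self.users.get(name)
        if record is None or password is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return name if hmac.compare_digest(candidate, digest) else None


class ChallengeResponseAuthenticator:
    # Challenge/response variant: client MACs a fresh nonce; nonces are single use.
    def __init__(self, keys):
        self.keys = keys      # name -> shared key bytes
        self.pending = {}     # name -> outstanding nonce

    def challenge(self, name):
        self.pending[name] = secrets.token_bytes(16)
        return self.pending[name]

    def authenticate(self, credentials):
        name, response = credentials.get("user"), credentials.get("response")
        nonce, key = self.pending.pop(name, None), self.keys.get(name)  # consume nonce
        if nonce is None or key is None or response is None:
            return None
        expected = hmac.new(key, nonce, "sha256").digest()
        return name if hmac.compare_digest(expected, response) else None


class RoleAuthorizer:
    # Authorization pattern (role-based): any one of the required roles suffices.
    def __init__(self, roles):
        self.roles = roles  # name -> set of roles

    def authorize(self, principal, required_roles):
        return bool(self.roles.get(principal, set()) & required_roles)


class ServiceComposer:
    # Policy table: operation -> (authentication pattern name, allowed roles). Default deny.
    def __init__(self, authenticators, authorizer, policies, services):
        self.authenticators, self.authorizer = authenticators, authorizer
        self.policies, self.services = policies, services

    def invoke(self, operation, credentials, *args):
        policy = self.policies.get(operation)
        if policy is None:
            return ("denied", "no policy")
        pattern, allowed_roles = policy
        principal = self.authenticators[pattern].authenticate(credentials)
        if principal is None:
            return ("denied", "authentication failed")
        if not self.authorizer.authorize(principal, allowed_roles):
            return ("denied", "not authorized")
        return ("ok", self.services[operation](principal, *args))


def build_demo():
    # Constructed sample deployment: two users, two patterns, three operations.
    salt = b"demo-salt"  # fixed only for determinism; use a random per-user salt
    users = {"alice": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    authenticators = {"password": PasswordAuthenticator(users),
                      "challenge": ChallengeResponseAuthenticator({"bob": b"bob-key"})}
    authorizer = RoleAuthorizer({"alice": {"reader"}, "bob": {"admin"}})
    policies = {"read_profile": ("password", {"reader", "admin"}),
                "read_audit_log": ("password", {"admin"}),
                "reset_service": ("challenge", {"admin"})}
    services = {"read_profile": lambda p: f"profile of {p}",
                "read_audit_log": lambda p: f"audit log for {p}",
                "reset_service": lambda p: f"reset by {p}"}
    return ServiceComposer(authenticators, authorizer, policies, services)


def run_scenarios():
    # Returns scenario name -> (status, detail) for a handful of requests.
    composer, out = build_demo(), {}
    alice = {"user": "alice", "password": "correct horse"}
    out["alice_read"] = composer.invoke("read_profile", alice)
    out["alice_audit"] = composer.invoke("read_audit_log", alice)   # authenticated, wrong role
    out["alice_reset"] = composer.invoke("reset_service", alice)    # wrong pattern for this policy
    nonce = composer.authenticators["challenge"].challenge("bob")
    bob = {"user": "bob", "response": hmac.new(b"bob-key", nonce, "sha256").digest()}
    out["bob_reset"] = composer.invoke("reset_service", bob)
    out["bob_replay"] = composer.invoke("reset_service", bob)       # nonce already consumed
    out["unknown_operation"] = composer.invoke("delete_everything", bob)
    return out
```

Two points the sketch makes that the abstract only states: the policy, not the caller, decides which authentication pattern an operation requires, so a principal who authenticated under the password pattern cannot reach an operation whose policy demands challenge/response (`alice_reset`); and every branch the policy does not explicitly permit falls through to a denial, including operations with no policy entry and a replayed challenge response whose nonce has already been consumed.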
