Embed Size (px)
Citation preview
Mobile Agent for Mobile Agent for Secure Web-ServiceSecure Web-Service
Debashis RoyKatayoon MoazzamiRachita Singh
OutlineOutlineIntroductionSecurity issues in mobile agent &
web service integrationSelected PapersAgent-based Delegation ModelBilinear Diffie-Hellman Public Key
SystemBoneh-Franklin ID-based Public Key
SchemeConclusion
IntroductionIntroductionWeb services
◦ Based on XML,SOAP,WSDL ◦ Enables communication between software &
client◦ Invokes services from service provider◦ Information retrieval, online calculation and
etc Mobile agent
◦ Mobile executable object◦ Dispatched from owner/agent service
provider◦ Migrates autonomously in the network
Why Mobile Agent?Why Mobile Agent?Mobile agent can migrate in the
network independentlyReturns back to the owner after
finishing the taskDoes not need continuous
network connection as the conventional RPC
Applicable to devices with limited bandwidth and resources
Security Issues Security Issues Non-repudiation
◦Verify the sender & the recipient are the parties who claim to send or receive the message
Authentication◦Verify digital identity of the
sender/receiverAuthorization
◦Decide the access to data or function◦Use traditional ACL (Access Control List)
or RBAC (Role Based Access Control)
Selected PapersSelected Papers H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D. S. Park,
“Agent-Based Delegation Model for the Secure Web Service in Ubiquitous Computing Environments”, International Conference on Hybrid Information Technology, ICHIT '06, Volume 1, pp.51-57, Nov. 2006.
J. Zhang, Y. Wang, V. Varadharajan, “Mobile Agent and Web Service Integration Security Architecture”, IEEE International Conference on Service-Oriented Computing and Applications, SOCA '07, pp.172-179, June 2007.
J. Zhang, Y. Wang, V. Varadharajan, “A New Security Scheme for Integration of Mobile Agents and Web Services”, Second International Conference on Internet and Web Applications and Services (ICIW'07), pp.43-48, May 2007.
Agent-based Delegation Agent-based Delegation ModelModel
All the communication are done with the help of agents.
User gives his/her credentials to his/her agents, the agents transfer user’s credentials to web service providers.
Extends from SAML 1.1/2.0 (Security Assertion Markup Language) specification to transfer the delegation information among the user and the agents
Components of Delegation Components of Delegation ModelModelWeb-Service Management Server
(WSMS)◦Based on XACML (eXtensible Access
Control Markup Language) model.◦Mediator between the users and the
web service providers◦Manages the web services and the
policies registers by the web service providers
◦Assigns appropriate roles to the user.
Components of Delegation Components of Delegation Model (contd.)Model (contd.)Principal (P)
◦The user who delegates his/her rights to agents
Principal Agent (PA)◦Communicates with other agents on
behalf of PCarrier Agent (CA)
◦PA delegates its rights to CA◦CA can communicates with other agents if
requiredService Agent (SA)
◦Verifies the validity of delegation assertion◦Processes P’s service request
Components of Components of Delegation Model Delegation Model (contd.)(contd.)Authentication Authority (AA)
◦Authenticates Ps or agentsDelegation Authority (DA)
◦Issues delegation assertions to authenticated agents
The Delegation ModelThe Delegation Model
Delegation AssertionDelegation AssertionIndicates whether P or agent is capable
of delegating their rights or not.Based on the SAML (Security Assertion
Markup Language) specificationDigitally signed by DAP’s information is encrypted with AA’s
public keyContains additional information such as
◦ Service provider’s URL◦ Inputs to the WSDL◦ Least role,◦ Recipient agent PA◦ Encrypted with service provider’s public key
Delegation InteractionDelegation Interaction
DiscussionDiscussionAgents can delegate their rights to
other agents without any privacy disclosure
Principal agent PA has the complete control over all delegation operations
No agent can delegate its rights to other agent without PA’s approval
The communication between any two components is encrypted with public key cryptosystem
Requires a considerable amount of time and resource for encryption and decryption
Bilinear Diffie-Hellman Bilinear Diffie-Hellman Public Key SystemPublic Key SystemID-based authentication instead
of the certification authority (CA) One key required for encrypting a
service available to a group of users
based on the computational Diffe-Hellman and the Bilinear Diffe-Hellman assumption
AssumptionsAssumptionsWeb service provider consists of
different web services to which users can be assigned
Each of these users has a mobile agentThe users that are assigned to a
specific web service resource form a group
Web service provider acts as a key distribution centre (KDC)
Keys allocated to each group of usersThe users are free to join any web
service resource and leave any one
StepsStepsSystem setupSubscriptionSignature schemeAuthentication schemeEncryptionDecryption Re-keying
System setupSystem setup p=2q+1 G1 , G2 of order p(BDH
assumption )Master key sZq
*
P belonging to the additive group G1
H1:{0,1}*G1,H2:{0,1}*G2 Ppub=sP sID=sQID(QID=H1(ID)) private key
SubscriptionSubscription If there are n users using l web
service resources a n×l matrix is set where the ij th element is 1 if user i is a part of user group j and 0 otherwise
Signature is a triple (Ri,Si,m) m messageRi=rQi
Si=(H2(m,Ri)+r)sIDi
AuthenticationAuthentication Signed message can be
authenticated using the public key and the user ID
Should check e(Si,P)=e(H2(Mr,Ri)H1(IDi)
+Ri,Ppub) e is a computable bilinear
map,for some a,bZq and P,QG1
e(aP,bQ)=e(P.Q)ab
EncryptionEncryption considering the kth service provider , tk
the number of users using this service resource, Qt be the user’s public key and Mk a session key or a message for this group of users
and matrices denoted by aik are set up thus
The ciphertext (Uik,Vk) obtained byU1k=rkP,Uik=rQVik (2≤ik≤tk)Vk=MkH2(e(Ppub,rkQV1k)) ( rkZq* a
random number)
k
k
t
ikikv QQ
11
kk ttl )1(iktkkv aQQQ
ik ),...,( 1
DecryptionDecryption Qv1k calculatedMk calculated using
)),((12 kvkpubkk QrPeHvM
Re-keying Re-keying Member changes
◦Re-keying of the group session key is done by the WSP
◦changing the group registration matrix S adding a new row when a member joins removing a row when a member leaves
◦ recalculating the values of U,V Web-service changes
◦adding a new column in the matrix S and recalculating all the parameters
Boneh-Franklin ID-based Boneh-Franklin ID-based Public Key SchemePublic Key SchemeSecurity scheme employs an
Identity-based public key system New authentication protocol
without using the username/password pair
Alternative method for security mechanism without using the Certification Authorities (CA)
System DescriptionSystem Description Web Service provider (WSP) acts
as a Key Distribution Centre (KDC) Have secure channels to distribute
keys to the users Registered users with same web
service resource form a groupGroups denoted as G[1],G[2],
…….G[l], resources as r1,r2,….,rl and l as cardinality of web services
New Scheme SetupNew Scheme Setup Based on ID based encryption algorithm WSP computes the system public key
Ppub=sP and sends to all registered users
User has to provide his/her identity whenever he/she joins the group
WSP authorize the user by sending user’s private key SID=sQID where QID=H1(ID)
H1:{0,1}*G1 and H2:G1{0,1}* are two one way hash functions
New Scheme Setup New Scheme Setup (cont)(cont)For n users and l services,WSP
provides matrix S as
Where Smk=1 if user um is a member of web service G[k]
Authentication SchemeAuthentication Scheme User Ui has a unique identification IDi Message Mr
Random number rZq
Generator PG1 Public hash function H2:{0,1}*q Computes Ri←rQi and Si←(H2(m,Ri)
+r)sIDi
Signature is the triple (Ri,Si,Mr)WSP verifies the signature using
public key and the senders IDi.
Secure Web Service Secure Web Service SchemeScheme
Describes about web service data encryption
Assumes one encryption key for each service
Data can be encrypted depending on its size
If data set is not large then it is directly encrypted with the service encryption key
For large data set, data is first encrypted with a session key and then the session key is encrypted with the service encryption key
Receiver decrypts the session key with its private key then uses session key to decrypt the data
Re-keying for member Re-keying for member changes and service changes and service changeschanges Three cases for re-keying
◦New member joins◦Existing member leaves◦Member switches from one group to
anotherMember switches from group
G[k] to G[k’] where k≠k’ ,WSP updates the registration matrix S
Re-keying for member Re-keying for member changes and service changes and service changes (cont)changes (cont)WSP recomputed the polynomial
function fk(x) to revoke the member Um from G[k], and then recomputes another polynomial function fk’(x) to add the member Um to the data group G[k’].
The function fk(x) is given as
Where
Discussion Discussion New ID-based public key management
scheme for securing the integration of mobile agents and web services
Without use of Certification Authorities (CA), also does not use the username/password pair.
Simplifies the key management Drawbacks
◦ users must have their private key pair based on PKI
◦ calculate the username/password token◦ use different keys for different user's
ConclusionConclusionAll communications among the users, agents
or service providers needed to be encryptedSymmetric encryption cannot be usedAsymmetric encryption based on the public
key infrastructure (PKI) is most suitable for agent-based web service integration
PKI also has some drawbacks◦ All users must have his/her public/private key
pair◦ A server has to manage and verify all the public
keys◦ Server has to search the user’s public key and
use different keys to encrypt different messages for different users
◦ Requires a considerable amount of resource for encryption and decryption
ReferencesReferences [1] H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D. S. Park,
“Agent-Based Delegation Model for the Secure Web Service in Ubiquitous Computing Environments”, International Conference on Hybrid Information Technology, ICHIT '06, Volume 1, pp.51-57, Nov. 2006.
[2] J. Zhang, Y. Wang, V. Varadharajan, “Mobile Agent and Web Service Integration Security Architecture”, IEEE International Conference on Service-Oriented Computing and Applications, SOCA '07, pp.172-179, June 2007.
[3] J. Zhang, Y. Wang, V. Varadharajan, “A New Security Scheme for Integration of Mobile Agents and Web Services”, Second International Conference on Internet and Web Applications and Services (ICIW'07), pp.43-48, May 2007.
[4] C. A. Ardagna, E. Damiani, S. De Capitani di Vimercati, P.Samarati, XML-based Access Control Language, 2004.
[5] Web services, http://www.webopedia.com/TERM/W/ Web_services.html.
[6] Mobile Agent, http://en.wikipedia.org/wiki/ Mobile_agent [7] SAML, http://en.wikipedia.org/wiki/SAML
Any Questions??Any Questions??
