Mobile%20Agent%20for%20Secure%20Web-Service - PowerPoint PPT Presentation

About This Presentation
Title:

Mobile%20Agent%20for%20Secure%20Web-Service

Description:

Principal agent PA has the complete control over all delegation operations. No agent can delegate its rights to other agent without PA's approval ... – PowerPoint PPT presentation

Number of Views:115
Avg rating:3.0/5.0
Slides: 36
Provided by: admi967
Category:

less

Transcript and Presenter's Notes

Title: Mobile%20Agent%20for%20Secure%20Web-Service


1
Mobile Agent for Secure Web-Service
  • Debashis Roy
  • Katayoon Moazzami
  • Rachita Singh

2
Outline
  • Introduction
  • Security issues in mobile agent web service
    integration
  • Selected Papers
  • Agent-based Delegation Model
  • Bilinear Diffie-Hellman Public Key System
  • Boneh-Franklin ID-based Public Key Scheme
  • Conclusion

3
Introduction
  • Web services
  • Based on XML,SOAP,WSDL
  • Enables communication between software client
  • Invokes services from service provider
  • Information retrieval, online calculation and etc
  • Mobile agent
  • Mobile executable object
  • Dispatched from owner/agent service provider
  • Migrates autonomously in the network

4
Why Mobile Agent?
  • Mobile agent can migrate in the network
    independently
  • Returns back to the owner after finishing the
    task
  • Does not need continuous network connection as
    the conventional RPC
  • Applicable to devices with limited bandwidth and
    resources

5
Security Issues
  • Non-repudiation
  • Verify the sender the recipient are the parties
    who claim to send or receive the message
  • Authentication
  • Verify digital identity of the sender/receiver
  • Authorization
  • Decide the access to data or function
  • Use traditional ACL (Access Control List) or RBAC
    (Role Based Access Control)

6
Selected Papers
  • H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim, D.
    S. Park, Agent-Based Delegation Model for the
    Secure Web Service in Ubiquitous Computing
    Environments, International Conference on Hybrid
    Information Technology, ICHIT '06, Volume 1,
    pp.51-57, Nov. 2006.
  • J. Zhang, Y. Wang, V. Varadharajan, Mobile Agent
    and Web Service Integration Security
    Architecture, IEEE International Conference on
    Service-Oriented Computing and Applications, SOCA
    '07, pp.172-179, June 2007.
  • J. Zhang, Y. Wang, V. Varadharajan, A New
    Security Scheme for Integration of Mobile Agents
    and Web Services, Second International
    Conference on Internet and Web Applications and
    Services (ICIW'07), pp.43-48, May 2007.

7
Agent-based Delegation Model
  • All the communication are done with the help of
    agents.
  • User gives his/her credentials to his/her agents,
    the agents transfer users credentials to web
    service providers.
  • Extends from SAML 1.1/2.0 (Security Assertion
    Markup Language) specification to transfer the
    delegation information among the user and the
    agents

8
Components of Delegation Model
  • Web-Service Management Server (WSMS)
  • Based on XACML (eXtensible Access Control Markup
    Language) model.
  • Mediator between the users and the web service
    providers
  • Manages the web services and the policies
    registers by the web service providers
  • Assigns appropriate roles to the user.

9
Components of Delegation Model (contd.)
  • Principal (P)
  • The user who delegates his/her rights to agents
  • Principal Agent (PA)
  • Communicates with other agents on behalf of P
  • Carrier Agent (CA)
  • PA delegates its rights to CA
  • CA can communicates with other agents if required
  • Service Agent (SA)
  • Verifies the validity of delegation assertion
  • Processes Ps service request

10
Components of Delegation Model (contd.)
  • Authentication Authority (AA)
  • Authenticates Ps or agents
  • Delegation Authority (DA)
  • Issues delegation assertions to authenticated
    agents

11
The Delegation Model
12
Delegation Assertion
  • Indicates whether P or agent is capable of
    delegating their rights or not.
  • Based on the SAML (Security Assertion Markup
    Language) specification
  • Digitally signed by DA
  • Ps information is encrypted with AAs public key
  • Contains additional information such as
  • Service providers URL
  • Inputs to the WSDL
  • Least role,
  • Recipient agent PA
  • Encrypted with service providers public key

13
Delegation Interaction
14
Discussion
  • Agents can delegate their rights to other agents
    without any privacy disclosure
  • Principal agent PA has the complete control over
    all delegation operations
  • No agent can delegate its rights to other agent
    without PAs approval
  • The communication between any two components is
    encrypted with public key cryptosystem
  • Requires a considerable amount of time and
    resource for encryption and decryption

15
Bilinear Diffie-Hellman Public Key System
  • ID-based authentication instead of the
    certification authority (CA)
  • One key required for encrypting a service
    available to a group of users
  • based on the computational Diffe-Hellman and the
    Bilinear Diffe-Hellman assumption

16
Assumptions
  • Web service provider consists of different web
    services to which users can be assigned
  • Each of these users has a mobile agent
  • The users that are assigned to a specific web
    service resource form a group
  • Web service provider acts as a key distribution
    centre (KDC)
  • Keys allocated to each group of users
  • The users are free to join any web service
    resource and leave any one

17
Steps
  • System setup
  • Subscription
  • Signature scheme
  • Authentication scheme
  • Encryption
  • Decryption
  • Re-keying

18
System setup
  • p2q1
  • G1 , G2 of order p(BDH assumption )
  • Master key s?Zq
  • P belonging to the additive group G1
  • H10,1?G1,H20,1?G2
  • PpubsP
  • sIDsQID(QIDH1(ID)) private key

19
Subscription
  • If there are n users using l web service
    resources a nl matrix is set where the ij th
    element is 1 if user i is a part of user group j
    and 0 otherwise
  • Signature is a triple (Ri,Si,m)
  • m message
  • RirQi
  • Si(H2(m,Ri)r)sIDi

20
Authentication
  • Signed message can be authenticated using the
    public key and the user ID
  • Should check
  • e(Si,P)e(H2(Mr,Ri)H1(IDi)Ri,Ppub)
  • e is a computable bilinear map,for some a,b?Zq
    and P,Q?G1
  • e(aP,bQ)e(P.Q)ab

21
Encryption
  • considering the kth service provider , tk the
    number of users using this service resource, Qt
    be the users public key and Mk a session key or
    a message for this group of users
  • and matrices denoted by aik are
    set up thus
  • The ciphertext (Uik,Vk) obtained by
  • U1krkP,UikrQVik (2iktk)
  • VkMk?H2(e(Ppub,rkQV1k)) ( rk?Zq a random
    number)

22
Decryption
  • Qv1k calculated
  • Mk calculated using

23
Re-keying
  • Member changes
  • Re-keying of the group session key is done by the
    WSP
  • changing the group registration matrix S
  • adding a new row when a member joins
  • removing a row when a member leaves
  • recalculating the values of U,V
  • Web-service changes
  • adding a new column in the matrix S and
    recalculating all the parameters

24
Boneh-Franklin ID-based Public Key Scheme
  • Security scheme employs an Identity-based public
    key system
  • New authentication protocol without using the
    username/password pair
  • Alternative method for security mechanism without
    using the Certification Authorities (CA)

25
System Description
  • Web Service provider (WSP) acts as a Key
    Distribution Centre (KDC)
  • Have secure channels to distribute keys to the
    users
  • Registered users with same web service resource
    form a group
  • Groups denoted as G1,G2,.Gl, resources as
    r1,r2,.,rl and l as cardinality of web services

26
New Scheme Setup
  • Based on ID based encryption algorithm
  • WSP computes the system public key PpubsP and
    sends to all registered users
  • User has to provide his/her identity whenever
    he/she joins the group
  • WSP authorize the user by sending users private
    key SIDsQID where QIDH1(ID)
  • H10,1?G1 and H2G1?0,1 are two one way
    hash functions

27
New Scheme Setup (cont)
  • For n users and l services,WSP provides matrix S
    as
  • Where Smk1 if user um is a member of web service
    Gk

28
Authentication Scheme
  • User Ui has a unique identification IDi
  • Message Mr
  • Random number r?Zq
  • Generator P?G1
  • Public hash function H20,1?q
  • Computes Ri?rQi and Si?(H2(m,Ri)r)sIDi
  • Signature is the triple (Ri,Si,Mr)
  • WSP verifies the signature using public key and
    the senders IDi.

29
Secure Web Service Scheme
  • Describes about web service data encryption
  • Assumes one encryption key for each service
  • Data can be encrypted depending on its size
  • If data set is not large then it is directly
    encrypted with the service encryption key
  • For large data set, data is first encrypted with
    a session key and then the session key is
    encrypted with the service encryption key
  • Receiver decrypts the session key with its
    private key then uses session key to decrypt the
    data

30
Re-keying for member changes and service changes
  • Three cases for re-keying
  • New member joins
  • Existing member leaves
  • Member switches from one group to another
  • Member switches from group Gk to Gk where
    k?k ,WSP updates the registration matrix S

31
Re-keying for member changes and service changes
(cont)
  • WSP recomputed the polynomial function fk(x) to
    revoke the member Um from Gk, and then
    recomputes another polynomial function fk(x) to
    add the member Um to the data group Gk.
  • The function fk(x) is given as
  • Where

32
Discussion
  • New ID-based public key management scheme for
    securing the integration of mobile agents and web
    services
  • Without use of Certification Authorities (CA),
    also does not use the username/password pair.
  • Simplifies the key management
  • Drawbacks
  • users must have their private key pair based on
    PKI
  • calculate the username/password token
  • use different keys for different user's

33
Conclusion
  • All communications among the users, agents or
    service providers needed to be encrypted
  • Symmetric encryption cannot be used
  • Asymmetric encryption based on the public key
    infrastructure (PKI) is most suitable for
    agent-based web service integration
  • PKI also has some drawbacks
  • All users must have his/her public/private key
    pair
  • A server has to manage and verify all the public
    keys
  • Server has to search the users public key and
    use different keys to encrypt different messages
    for different users
  • Requires a considerable amount of resource for
    encryption and decryption

34
References
  • 1 H. S. Hwang, H. J. Ko, K. I. Kim, U. M. Kim,
    D. S. Park, Agent-Based Delegation Model for the
    Secure Web Service in Ubiquitous Computing
    Environments, International Conference on Hybrid
    Information Technology, ICHIT '06, Volume 1,
    pp.51-57, Nov. 2006.
  • 2 J. Zhang, Y. Wang, V. Varadharajan, Mobile
    Agent and Web Service Integration Security
    Architecture, IEEE International Conference on
    Service-Oriented Computing and Applications, SOCA
    '07, pp.172-179, June 2007.
  • 3 J. Zhang, Y. Wang, V. Varadharajan, A New
    Security Scheme for Integration of Mobile Agents
    and Web Services, Second International
    Conference on Internet and Web Applications and
    Services (ICIW'07), pp.43-48, May 2007.
  • 4 C. A. Ardagna, E. Damiani, S. De Capitani di
    Vimercati, P.Samarati, XML-based Access Control
    Language, 2004.
  • 5 Web services, http//www.webopedia.com/TERM/W/
    Web_services.html.
  • 6 Mobile Agent, http//en.wikipedia.org/wiki/
    Mobile_agent
  • 7 SAML, http//en.wikipedia.org/wiki/SAML

35
Any Questions??
Write a Comment
User Comments (0)
About PowerShow.com