10-11-2012, 02:00 PM
A proposal of a method for evaluating third-party
authentication services
A proposal of a method for evaluating.pdf (Size: 740.66 KB / Downloads: 46)
Abstract
The security field is a highly studied area of knowledge, since the consequences of failing can be catastrophic if an external user gains access to information or functions she should not be able to access. Third-party authentication is a growing concept that tries to remedy the problem of users having to register at most websites they want to access. With an account at a third-party authentication service a user can access all websites that support the third-party service without having to register there. While this seems like a good architecture, the capabilities and limitations of third-party services are not well understood, and there are no common protocols for authenticating users.
This master thesis aims at increasing the knowledge about these services by reviewing current literature in the field in order to define a method for evaluating third-party authentication services. Furthermore, within the scope of the thesis is to explore the possibility of circumventing the problem that there is no common protocol for authenticating users, by creating a plug-in based authentication solution that utilizes third-party authentication services for user authentication.
An evaluation method that tries to capture the essential aspects of third-party user authentication is proposed. In addition, a proof-of-concept implementation of the previously mentioned plug-in based authentication solution is built to show that it is possible to circumvent the described problem.
Introduction
This section will present the background and purpose of the thesis. It will start by presenting some definitions of concepts relevant to the report. After that, the background and then the purpose will be presented.
Definitions
This section gives definitions of terms used in this report. Some other terms are described briefly in the glossary.
Identity and Authentication
Agudo-Ruiz [1] provides a good description of what a digital identity and identity management are. He refers to RFC 2828 [2] when he describes an entity as a person or an automated process that incorporates a specific set of capabilities (in this report entities will be referred to as users). A user can have several identities, each uniquely identifying her in a given context. An identity is associated with a set of access rights or privileges within the given context. Authentication is the act of attesting ownership of an identity using some credentials that connect the entity and the identity; Isaac refers to this as an ID-card. A real-world example of this is the use of a passport at passport control. By showing her passport the bearer can prove that the person holding the passport has the name and nationality indicated on the passport. Different IMSs have different identity and ID-card concepts; some services use email addresses for identification while others use unique ids generated using some domain-specific policy.
'Certainty of identity' is a relevant term, meaning how sure the system can be that the identity provided contains correct information about the user. In a scenario of low certainty of identity the entity can herself assert any information in the digital identity. On the other hand, high certainty can be achieved, for example, if the information in the identity is provided by a government authority. This aspect can be of high interest to some services (e.g. money transfers), while most are satisfied with a way to uniquely identify users.
Identity Provider and Service Provider
An Identity Provider (IdP), as the name suggests, provides identification for a site or application, known in this context as a Service Provider (SP). The communication protocol between these parties varies between providers. However, the overarching communication flow is often similar; here follows a description of a service access scenario (see Figure 1).
The user starts out on the SP and requests to log in. The user is redirected to the IdP. The user logs into the IdP using her existing credentials, independent of the SP. After the user has been authenticated at the IdP, she is sent back to the SP with the result from the IdP. The response is validated by the SP, and if found valid her login is accepted.
Identity Management Solution
Identity Management Solution (IMS) is a term this report will use for any service that provides a method to handle identities. The IMS contains all the information related to authentication, such as identity, password and any other information relevant to that IMS. An IMS consists of one or more IdPs, that is, the services that actually issue authentication assertions.
Different IMSs have different structures; two common structures are identity federation and single IdP. An identity federation is when several services, each with its own internal user management system, come together to share authentications and cooperate as a single IMS. In an identity federation, a user can authenticate with his affiliated provider and then gain access to services offered by the other federation members. The single IdP is a centralized solution where all authentications are done against a single point. While these two structures are common, other structures also exist.
Page 2 of 44
October 23, 2011 A proposal of a method for evaluating third-party authentication services
1.1.4 Plug-in Authentication Security Service
Plug-in Authentication Security Service (PASS) is a service for authentication handling, introduced in this thesis, which supports multiple IMSs. A PASS is pre-configured with a set of IMSs that can be used to authenticate users. The plug-in part of PASS indicates that it is designed to support any type and any number of IMSs. However, the IMSs to be supported must be determined by the owner of the system that PASS is used with. That is, IMSs that are unknown to the PASS cannot be used to authenticate users. In this system, a user may use several of her identities as login options to access the service. The different identities used to log in all give access to the user's account, if they are associated properly. The IMSs supported are built in a plug-in architecture to support easy addition of new IMSs.
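As an added example, not code from the thesis or its PASS implementation: a minimal Python model of the redirect flow in Figure 1 sitting behind a PASS-style dispatcher. The class names, the HMAC-signed JSON assertion format and the sample key are assumptions; what it shows is the SP-side validation a PASS has to do before accepting a login (known IMS only, state bound to the request, signature, audience, expiry, identity linked to a local account).

```python
import hashlib, hmac, json, secrets

class HmacIdp:
    """One IMS plug-in. The demo IdP signs with an HMAC key shared with the SP;
    real IdPs use public-key signatures, but the SP-side checks are the same."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def _mac(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, sub: str, aud: str, state: str, now: int) -> str:
        # The IdP's result: identity, intended SP, the SP's state, validity window.
        body = json.dumps({"ims": self.name, "sub": sub, "aud": aud,
                           "state": state, "exp": now + 300}, sort_keys=True)
        return body + "." + self._mac(body)

    def verify(self, token: str, aud: str, now: int):
        body, _, mac = token.rpartition(".")
        if not hmac.compare_digest(mac, self._mac(body)):
            return None                       # forged or tampered assertion
        claims = json.loads(body)
        if claims.get("aud") != aud or claims.get("exp", 0) < now:
            return None                       # meant for another SP, or expired
        return claims                         # genuine and addressed to this SP

class PassService:
    """PASS-style dispatcher: only pre-configured IMSs may authenticate users,
    and an accepted identity must already be linked to a local account."""
    def __init__(self, sp_name: str, plugins, links):
        self.sp_name = sp_name
        self.plugins = {p.name: p for p in plugins}   # IMS name -> plug-in
        self.links = dict(links)                      # (IMS, sub) -> local account
        self.pending = {}                             # state -> IMS name

    def start_login(self, ims: str) -> str:
        if ims not in self.plugins:
            raise ValueError("unknown IMS: " + ims)
        state = secrets.token_hex(16)         # ties the IdP's reply to this request
        self.pending[state] = ims
        return state                          # sent along with the redirect to the IdP

    def finish_login(self, token: str, now: int):
        try:
            claims = json.loads(token.rpartition(".")[0])
            ims = self.pending.pop(claims["state"])   # single use
        except (ValueError, TypeError, KeyError):
            return None                       # malformed, or a reply we never requested
        verified = self.plugins[ims].verify(token, self.sp_name, now)
        return self.links.get((ims, verified["sub"])) if verified else None
```

`finish_login` returns the local account only when every check passes; a second use of the same reply, a reply addressed to another SP, an expired or tampered assertion, or an identity that was never linked all yield `None`.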
The Company
This report is conducted for a company that has a system where business clients are able to send documents to other businesses, strictly B2B; at this point there is only a limited possibility to send such documents to consumers and no platform for consumers to utilize. The company is now looking into creating such a platform.
The company has looked into ways of making the platform attractive and easy to access for consumers. One way to make people more prone to using this service is to minimize the effort required to get started with it. The company has identified the registration step as an obstacle, and wants to minimize the effort needed in this step. On today's market there is a variety of third-party authentication services that can take the responsibility of authenticating users away from the service. Using these services could potentially be a solution to the registration problem. The goal of this thesis is to evaluate the possibility of outsourcing the user authentication to these services.
Background
Many websites on the Internet today require some form of knowledge about the people visiting the site. Some websites are only interested in being able to connect a user name with an identity and to make the same connection on future visits (e.g. blog comments), while other websites require knowledge of a physical person that can be held accountable for her actions (e.g. e-commerce). A common denominator for all these services is that the user has to register at the first visit to the site, possibly providing some information about herself, and at later visits authenticate the ownership of a registration. Due to the large number of services available today, users are required to register and manage a large number of accounts. This causes problems for the users, as they have to remember the authentication information used at all the services, and they also need to keep their information up to date on all services.
To deal with these problems a variety of so-called Identity Management Services (IMS) (see subsubsection 1.1.3) have been deployed on the Internet, but also for other systems. They enable users to authenticate themselves on one domain and thereafter gain access to resources on other domains. The user stores her information at the IMS, which in turn provides the information to services (called service providers) when requested by the user. Using these IMSs would solve the registration problem. However, since there are multiple IMSs in use today, a service provider cannot support only one of these and expect all users to be able to access the service.