Abstract
Modern distributed applications are embedding an increasing degree of dynamism, from dynamic supply-chain management, enterprise federations, and virtual collaborations to dynamic resource acquisitions and service interactions across organizations. Such dynamism leads to new challenges in security and dependability. Collaborating services in a system with a Service-Oriented Architecture (SOA) may belong to different security realms but often need to be engaged dynamically at runtime. If their security realms do not have a direct cross-realm authentication relationship, it is technically difficult to enable any secure collaboration between the services. A potential solution to this would be to locate intermediate realms at runtime, which serve as an authentication path between the two separate realms. However, the process of generating an authentication path for two distributed services can be highly complicated. It could involve a large number of extra operations for credential conversion and require a long chain of invocations to intermediate services. In this paper, we address this problem by designing and implementing a new cross-realm authentication protocol for dynamic service interactions, based on the notion of service-oriented multiparty business sessions. Our protocol requires neither credential conversion nor establishment of any authentication path between the participating services in a business session. The correctness of the protocol is formally analyzed and proven, and an empirical study is performed using two production-quality Grid systems, Globus 4 and CROWN. The experimental results indicate that the proposed protocol and its implementation have a sound level of scalability and impose only a limited degree of performance overhead, which is for example comparable with those security-related overheads in Globus 4.
Highlights
With the emergence of service-oriented technologies, actual execution of a process can be “one-of-a-kind” [4]. dynamism and flexibility are becoming the core char- The applications and services involved in a complex busiacteristics of modern inter-organizational business process- ness process are typically heterogeneous, provided by difes, such as business application integration, distributed auc- ferent organizations
In a Web Service context, a dynamic business process may involve many applications and services from different organisations and security realms, which are combined at runtime and collaborate in a peer-to-peer way
The dynamic authentication process between organisations could be highly complex and time-consuming since intermediate authentication paths need to be created at runtime to dynamically covert credentials from different security realms
Summary
With the emergence of service-oriented technologies, actual execution of a process can be “one-of-a-kind” [4]. dynamism and flexibility are becoming the core char- The applications and services involved in a complex busiacteristics of modern inter-organizational business process- ness process are typically heterogeneous, provided by difes, such as business application integration, distributed auc- ferent organizations. A security realm is a interact at runtime with the services provided by other or- group of principals (e.g. people, computers, services) that ganizations Such dynamic interactions at runtime are registered with an authentication authority and managed raise immediate problems of security, trust and dependabil- through a consistent set of security processes and policies ity [3]. We have designed and implemented an authentication system that employs the multi-party session protocols and allows service instances working inside a business session to authenticate each other based on a variety of credentials available, e.g. shared session keys and session memberships This system has been incorporated into the CROWN-C Grid middleware [8]. Without the existence of an authentication path, two realms to collaborate have to follow a more traditional and time-consuming method for building mutual trust, possibly with the support of contractual arrangements, multi-round negotiation, and human intervention
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
