SmartCard-Based Authentication and Authorization Infrastructure with User-Centric Attribute Control
Abstract
This paper presents an Authentication and Authorization Infrastructure that extends the OpenID protocols to perform SmartCard-based authentication and user-centric control of attribute release. An Identity Selector component was designed to mediate communication between the Identity Provider and the SmartCard, and to present an interface through which the user chooses which attributes to release to each Service Provider. A prototype of the infrastructure was developed to evaluate its feasibility.
Published
11/11/2013
How to Cite
BÖGER, Davi da Silva; BARRETO, Luciano; FRAGA, Joni da Silva; SANTOS, André; FRANÇA, Davi Teles. Infraestrutura de Autenticação e Autorização Baseada em SmartCards com Controle de Atributos Centrado no Usuário. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 13., 2013, Manaus. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 2-15. DOI: https://doi.org/10.5753/sbseg.2013.19532.