Um Modelo Funcional para Serviços de Identificação e Autenticação Tolerantes a Faltas e Intrusões
Resumo
A operação correta e contínua de provedores de identidade e serviços de controle de acesso são pontos críticos em novas gerações de redes e sistemas online, como redes virtualizadas e serviços sob demanda da computação em nuvem. Nesta perspectiva, este artigo tem como objetivo propor e demonstrar um modelo funcional para arquiteturas de serviços de identificação e autenticação tolerantes a faltas e intrusões. A viabilidade e aplicabilidade do modelo são avaliadas através de protótipos concretizados para os serviços OpenID e RADIUS. Os resultados indicam que um modelo funcional para o desenvolvimento de serviços de identificação e autenticação mais resilientes e confiáveis é viável.Referências
Alchieri, E. A. P., Bessani, A. N., and Fraga, J. d. S. (2008). A dependable infrastructure for cooperative web services coordination. In IEEE ICWS.
Clamshell (2013). Clamshell: An OpenID Server. https://goo.gl/09pYF.
Correia, M., Neves, N., and Verissimo, P. (2004). How to tolerate half less one byzantine nodes in practical distributed systems. In IEEE SRDS.
Distler, T., Kapitza, R., Popov, I., Reiser, H. P., and Schröder-Preikschat, W. (2011). Spare: Replicas on hold. In NDSS.
Feng, J. (2009). Analysis, Implementation and Extensions of RADIUS Protocol. In International Conference on Networking and Digital Society.
FreeRADIUS (2012). Documentation. https://goo.gl/6g8Qy.
Heiser, G., Elphinstone, K., Kuz, I., Klein, G., and Petters, S. M. (2007). Towards trustworthy computing systems: taking microkernels to the next level. SIGOPS Oper. Syst. Rev., 41(4):3-11.
Juniper Networks (2010). Steel belted radius carrier 7.0 administration and configuration guide. https://goo.gl/Y5b9k.
Kreutz, D., Niedermayer, H., Feitosa, E., da Silva Fraga, J., and Malichevskyy, O. (2013). Architecture components for resilient networks. http://goo.gl/xBHCNb.
Lau, J., Barreto, L., and da Silva Fraga, J. (2012). An infrastructure based in virtualization for intrusion tolerant services. In IEEE ICWS.
Leicher, A., Schmidt, A., Shah, Y., and Cha, I. (2010). Trusted computing enhanced openid. In ICITST, pages 1-8.
Malichevskyy, O., Kreutz, D., Pasin, M., and Bessani, A. (2012). O vigia dos vigias: um serviço RADIUS resiliente. In INForum.
OpenID (2010). OpenID community https://wiki.goo.gl/PCASy.
OpenID4Java (2013). Openid 2.0 java libraries. https://goo.gl/c3kFV.
Prince, M. (2012). Ceasefires Don't End Cyberwars. https://goo.gl/GI506.
Prince, M. (2013). The DDoS That Almost Broke the Internet. https://goo.gl/g5Qs1.
RADIUS Partnerships (2008). Deploying RADIUS: Practices and Principles for AAA solutions. https://goo.gl/fslu7.
Recordon, D. and Reed, D. (2006). OpenID 2.0: a platform for user-centric identity management. In 2nd ACM workshop on Digital identity management. ACM.
Rigney, C., Willens, S., Rubens, A., and Simpson, W. (2000). RFC 2865 - Remote Authentication Dial In User Service (RADIUS).
Sousa, J. and Bessani, A. (2012). From Byzantine Consensus to BFT State Machine Replication: A Latency-Optimal Transformation. In Ninth EDCC.
Sun, S.-T., Hawkey, K., and Beznosov, K. (2012). Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, 31(4):465-483.
Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8).
Urien, P., Marie, E., and Kiennert, C. (2010). An innovative solution for cloud computing authentication: Grids of EAP-TLS smart cards. In Fifth ICDT.
Uruena, M., Munoz, A., and Larrabeiti, D. (2012). Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools and Apps.
van Delft, B. and Oostdijk, M. (2010). A Security Analysis of OpenID. In IFIP Advances in Information and Comm. Tech., volume 343. Springer.
Verissimo, P., Correia, M., Neves, N. F., and Sousa, P. (2009). Intrusion-resilient middleware design and validation. Information Assurance, Security and Privacy Services, 4:615-678.
Veríssimo, P. E. (2006). Travelling through wormholes: a new look at distributed systems models. SIGACT News, 37(1):66-81.
Verizon RISK Team (2013). Data breach investigations report. Technical report. https://goo.gl/7mIBy.
Wang, Z. and Jiang, X. (2010). Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In IEEE SSP, pages 380-395.
Clamshell (2013). Clamshell: An OpenID Server. https://goo.gl/09pYF.
Correia, M., Neves, N., and Verissimo, P. (2004). How to tolerate half less one byzantine nodes in practical distributed systems. In IEEE SRDS.
Distler, T., Kapitza, R., Popov, I., Reiser, H. P., and Schröder-Preikschat, W. (2011). Spare: Replicas on hold. In NDSS.
Feng, J. (2009). Analysis, Implementation and Extensions of RADIUS Protocol. In International Conference on Networking and Digital Society.
FreeRADIUS (2012). Documentation. https://goo.gl/6g8Qy.
Heiser, G., Elphinstone, K., Kuz, I., Klein, G., and Petters, S. M. (2007). Towards trustworthy computing systems: taking microkernels to the next level. SIGOPS Oper. Syst. Rev., 41(4):3-11.
Juniper Networks (2010). Steel belted radius carrier 7.0 administration and configuration guide. https://goo.gl/Y5b9k.
Kreutz, D., Niedermayer, H., Feitosa, E., da Silva Fraga, J., and Malichevskyy, O. (2013). Architecture components for resilient networks. http://goo.gl/xBHCNb.
Lau, J., Barreto, L., and da Silva Fraga, J. (2012). An infrastructure based in virtualization for intrusion tolerant services. In IEEE ICWS.
Leicher, A., Schmidt, A., Shah, Y., and Cha, I. (2010). Trusted computing enhanced openid. In ICITST, pages 1-8.
Malichevskyy, O., Kreutz, D., Pasin, M., and Bessani, A. (2012). O vigia dos vigias: um serviço RADIUS resiliente. In INForum.
OpenID (2010). OpenID community https://wiki.goo.gl/PCASy.
OpenID4Java (2013). Openid 2.0 java libraries. https://goo.gl/c3kFV.
Prince, M. (2012). Ceasefires Don't End Cyberwars. https://goo.gl/GI506.
Prince, M. (2013). The DDoS That Almost Broke the Internet. https://goo.gl/g5Qs1.
RADIUS Partnerships (2008). Deploying RADIUS: Practices and Principles for AAA solutions. https://goo.gl/fslu7.
Recordon, D. and Reed, D. (2006). OpenID 2.0: a platform for user-centric identity management. In 2nd ACM workshop on Digital identity management. ACM.
Rigney, C., Willens, S., Rubens, A., and Simpson, W. (2000). RFC 2865 - Remote Authentication Dial In User Service (RADIUS).
Sousa, J. and Bessani, A. (2012). From Byzantine Consensus to BFT State Machine Replication: A Latency-Optimal Transformation. In Ninth EDCC.
Sun, S.-T., Hawkey, K., and Beznosov, K. (2012). Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures. Computers & Security, 31(4):465-483.
Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8).
Urien, P., Marie, E., and Kiennert, C. (2010). An innovative solution for cloud computing authentication: Grids of EAP-TLS smart cards. In Fifth ICDT.
Uruena, M., Munoz, A., and Larrabeiti, D. (2012). Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools and Apps.
van Delft, B. and Oostdijk, M. (2010). A Security Analysis of OpenID. In IFIP Advances in Information and Comm. Tech., volume 343. Springer.
Verissimo, P., Correia, M., Neves, N. F., and Sousa, P. (2009). Intrusion-resilient middleware design and validation. Information Assurance, Security and Privacy Services, 4:615-678.
Veríssimo, P. E. (2006). Travelling through wormholes: a new look at distributed systems models. SIGACT News, 37(1):66-81.
Verizon RISK Team (2013). Data breach investigations report. Technical report. https://goo.gl/7mIBy.
Wang, Z. and Jiang, X. (2010). Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In IEEE SSP, pages 380-395.
Publicado
11/11/2013
Como Citar
KREUTZ, Diego; FEITOSA, Eduardo; MALICHEVSKYY, Oleksandr; BARBOSA, Kaio R. S.; CUNHA, Hugo.
Um Modelo Funcional para Serviços de Identificação e Autenticação Tolerantes a Faltas e Intrusões. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 13. , 2013, Manaus.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2013
.
p. 30-43.
DOI: https://doi.org/10.5753/sbseg.2013.19534.
