A Functional Model for Fault- and Intrusion-Tolerant Identification and Authentication Services

  • Diego Kreutz Universidade de Lisboa
  • Eduardo Feitosa UFAM
  • Oleksandr Malichevskyy Universidade de Lisboa
  • Kaio R. S. Barbosa UFAM
  • Hugo Cunha UFAM

Abstract


The correct and continuous operation of identity providers and access control services is critical in new generations of networks and online systems, such as virtualized networks and on-demand services of cloud computing. In this perspective, this paper proposes and demonstrates a functional model for architectures of identification and authentication services that are fault- and intrusion-tolerant. The feasibility and applicability of the model are evaluated through prototypes implemented for OpenID and RADIUS services. The results and analysis indicate that a functional model for prototyping and deploying more resilient and reliable identification and authentication services is feasible.

Published
2013-11-11
KREUTZ, Diego; FEITOSA, Eduardo; MALICHEVSKYY, Oleksandr; BARBOSA, Kaio R. S.; CUNHA, Hugo. Um Modelo Funcional para Serviços de Identificação e Autenticação Tolerantes a Faltas e Intrusões. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 13., 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 30-43. DOI: https://doi.org/10.5753/sbseg.2013.19534.
