An Authentication and Authorization Infrastructure: the PAPI System
- Slides: 10
Index
• An approximation to the solution
• PAPI Architecture
• JAVA – JWS
• Possible Scenarios
• Future works
Approximation: Working with E-Certificates
[Diagram: Authentication Server (authentication data, temporal e-certificates); Web browser holding E-certificates S1, S2, S3; HTTP + E-certificate S1 request and Web page with Web Server S1; HTTP + E-certificate S2 request and Web page with Web Server S2; DB]
Advantages:
• Temporal access to authorized services
• Allow mobile users
• Authentication adapted to user organizations
• Technology implemented in main web servers
Problems:
• Not transparent
• Password in browser
• Choose the right certificate
• Web servers not adapted for this technology
• Allow copy of valid certificates
Approximation: Partial Solutions
• Not transparent -> encrypted cookies
• Web servers not adapted -> Points of Access
[Diagram: Authentication Server (authentication data, temporal encrypted cookies); Web browser holding Encry-cookies S1, S2, S3; HTTP + Encry-cookie S1 request and Web page with the Point of Access; HTTP request and Web page between the Point of Access and Web Server S1]
Advantages:
• Temporal access to authorized services
• Allow mobile users
• Authentication adapted to user organizations
• Control access adapted to web servers of information providers
• Transparent for the user
Problems:
• Domain problems in cookies
• Allow copy of valid cookies
Approximation: Partial Solutions
• Domain problems in cookies -> Cookies served by PAs
[Diagram: Authentication Server (authentication data, temporal Signed-URLs); Web browser holding Encry-cookies S1, S2, S3; a Signed-URL and an Encry-cookie exchanged with each Point of Access]
Approximation: Partial Solutions
• Copy of valid cookies -> Data base of cookies
• Short time expiration
[Diagram: Web Browser 1 sends an HTTP + Encry-cookie S1 request to the Point of Access, which holds the DB of Enc-cookie, forwards the HTTP request to Web Server S1 and returns Web page + New Enc-cook S1; Web Browser 2 sends an HTTP + Encry-cookie S1 request with the same cookie: Collision]
Architecture of PAPI system
• URL: K_priv_SA (user code + server + path + Exp. Time + sign time)
• Hcook 1: K1_PA (user code + server + path + Exp. Time + Random Block)
• Lcook: K2_PA (server + path + creation time)
[Diagram: Authentication Server (authentication data, temporal Signed-URLs); Web browser holding Encry-cookies; HTTP + Hcook+Lcook request and Web page + New Hcook+Lcook with the Point of Access, which holds the DB of Hcook; HTTP request and Web page between the Point of Access and Web Server S1]
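The Hcook check at a Point of Access, combining the "DB of Hcook" with the short expiration and collision detection from the previous slide, as an added sketch that is not part of the original slides or PAPI's own code. Assumptions: all function and variable names, the 60-second lifetime, the revoke-on-collision policy, and HMAC-SHA256 used in place of encryption under K1_PA (Python's standard library has no symmetric cipher).

```python
import hashlib, hmac, json, os, time

K1_PA = os.urandom(32)  # assumption: PoA secret standing in for K1_PA
HCOOK_TTL = 60          # assumption: the "short time expiration", in seconds
hcook_db = {}           # "DB of Hcook": (user, server, path) -> current random block

def _tag(body):
    return hmac.new(K1_PA, body, hashlib.sha256).hexdigest()

def issue_hcook(user, server, path, now=None):
    """Mint an Hcook with a fresh random block and record that block in the DB."""
    now = time.time() if now is None else now
    rnd = os.urandom(16).hex()
    hcook_db[(user, server, path)] = rnd
    body = json.dumps({"user": user, "server": server, "path": path,
                       "exp": now + HCOOK_TTL, "rnd": rnd}).encode()
    return body.hex() + "." + _tag(body)

def _open(token):
    """Return the cookie fields, or None if the token is malformed or forged."""
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(body).encode())
    return json.loads(body) if ok else None

def check_request(hcook, server, path, now=None):
    """Return (verdict, new_hcook); new_hcook is set only when verdict is 'ok'."""
    now = time.time() if now is None else now
    f = _open(hcook)
    if f is None or f["server"] != server:
        return "invalid", None
    scope = f["path"].rstrip("/")
    if path != scope and not path.startswith(scope + "/"):
        return "invalid", None
    if f["exp"] < now:
        return "expired", None
    key = (f["user"], f["server"], f["path"])
    if hcook_db.get(key) != f["rnd"]:
        # A valid but superseded Hcook means two browsers hold copies.
        # Assumption: revoke the entry so both must re-authenticate.
        hcook_db.pop(key, None)
        return "collision", None
    return "ok", issue_hcook(f["user"], f["server"], f["path"], now)
```

Because every accepted request replaces the random block, a copied cookie is only usable until the legitimate browser's next request, and its later use is detectable as a collision.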
JWS – JAVA compatibility
[Diagram: Authentication Server; User Credentials; Signed URL; Access point; cookie. Loader. jnlp; Web browser holding Encry-cookies S1, S2; Signed URL and Encry-cookie; HTTPClass and Encry-cookie; Access Point]
Scenarios
[Diagram: Authentication Servers, Points of Access, Web browser, Web Server]
Future works
• Enhance PAPI compatibility with other technologies
  • A-Select
  • Shibboleth
  • Athens
• Include new types of clients
  • WIFI access
  • Kerberos
  • VPNs
• Improve the administration tools