Authorization Server

The Experts below are selected from a list of 294 Experts worldwide ranked by ideXlab platform

Souhwan Jung - One of the best experts on this subject based on the ideXlab platform.

  • Personal OAuth Authorization Server and push OAuth for Internet of Things
    International Journal of Distributed Sensor Networks, 2017
    Co-Authors: Seung Wook Jung, Souhwan Jung
    Abstract:

    Internet of Things will connect millions of things to the Internet to make our lives more convenient. However, Internet of Things security is an essential factor. OAuth is one of the most successful authentication and Authorization protocols on the Internet. This article proposes push OAuth and a personal OAuth Authorization Server by expanding OAuth for secure access to the information on Internet of Things devices. In personal OAuth, the smartphones that communicate with remote servers to deliver information on Internet of Things devices can be the OAuth Authorization Server. Hospitals (OAuth clients) that intend to access the information on Internet of Things devices cannot know millions of OAuth Authorization Servers when the smartphone becomes the OAuth Authorization Server. This article proposes push OAuth, which changes the OAuth protocol and issues the OAuth token when the OAuth Authorization Server registers to the OAuth client first. A personal OAuth Authorization Server is far more trustworthy than using a third-party OAuth Authorization Server to authenticate because users directly control access to the information generated by Internet of Things devices. The personal OAuth Authorization Server and push OAuth suggested here are expected to create a more secure Internet of Things environment, as users can directly authenticate the OAuth client that can access the information on their Internet of Things devices. © The Author(s) 2017

  • WISA - A Study of OAuth 2.0 Risk Notification and Token Revocation from Resource Server
    Information Security Applications, 2015
    Co-Authors: Jungsoo Park, Minho Park, Souhwan Jung
    Abstract:

    OAuth was created to simplify the authentication procedure. OAuth is a protocol that allows access to the user's assets in third-party web sites or applications without exposing the user's identity and credentials. OAuth can be used to grant access rights for the user without exposing the user's information to third parties. By utilizing the token issued by the Authorization Server, the client is able to gain access to the resources in the Resource Server. However, in current standards, the restrictions on token usage are not clearly defined. Although a token expiration time is specified, in reality a malicious client can reuse the token to access the Resource Server. The existing token revocation operation has been carried out in a way that the client performs revocation by requesting it from the Authorization Server when special cases occur, such as logout or identity change by the resource owner. The revocation does not happen in the case where malicious code targets the Resource Server. This paper proposes a method for revoking the token by requesting revocation when the Resource Server observes abnormal behavior in the use of the token.

John Bradley - One of the best experts on this subject based on the ideXlab platform.

  • Resource Indicators for OAuth 2.0
    2020
    Co-Authors: John Bradley, Brian Campbell, Hannes Tschofenig
    Abstract:

    This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an Authorization Server about the identity of the protected resource(s) to which it is requesting access.

  • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
    2020
    Co-Authors: John Bradley, Torsten Lodderstedt, Brian Campbell, Nat Sakimura
    Abstract:

    This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the Authorization Server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth Authorization Servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to them was issued to the client presenting the token.

  • OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution
    2019
    Co-Authors: John Bradley, Michael Jones, Hannes Tschofenig, Mihaly Meszaros, Phil Hunt
    Abstract:

    RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource, it hands over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource.

  • OAuth 2.0 Authorization Server Metadata
    RFC, 2018
    Co-Authors: John Bradley, Nat Sakimura, Michael Jones
    Abstract:

    This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 Authorization Server, including its endpoint locations and Authorization Server capabilities.

  • OAuth 2.0 Discovery
    2016
    Co-Authors: John Bradley, Nat Sakimura, Michael Jones
    Abstract:

    This specification defines a mechanism for an OAuth 2.0 client to discover the resource owner's OAuth 2.0 Authorization Server and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations and Authorization Server capabilities.

Justin Richer - One of the best experts on this subject based on the ideXlab platform.

Michael Jones - One of the best experts on this subject based on the ideXlab platform.

  • OAuth 2.0 Mix-Up Mitigation
    2016
    Co-Authors: John Bradley, Nat Sakimura, Michael Jones
    Abstract:

    This specification defines an extension to The OAuth 2.0 Authorization Framework that enables the Authorization Server to dynamically provide the client using it with additional information about the current protocol interaction that can be validated by the client and that enables the client to dynamically provide the Authorization Server with additional information about the current protocol interaction that can be validated by the Authorization Server. This additional information can be used by the client and the Authorization Server to prevent classes of attacks in which the client might otherwise be tricked into using inconsistent sets of metadata from multiple Authorization Servers, including potentially using a token endpoint that does not belong to the same Authorization Server as the Authorization endpoint used. Recent research publications refer to these as "IdP Mix-Up" and "Malicious Endpoint" attacks.

  • OAuth 2.0 Dynamic Client Registration Protocol
    2015
    Co-Authors: John Bradley, Michael Jones, Maciej Machulak, Justin Richer, Phil Hunt
    Abstract:

    This specification defines mechanisms for dynamically registering OAuth 2.0 clients with Authorization Servers. Registration requests send a set of desired client metadata values to the Authorization Server. The resulting registration responses return a client identifier to use at the Authorization Server and the client metadata values registered for the client. The client can then use this registration information to communicate with the Authorization Server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.

Konstantin Beznosov - One of the best experts on this subject based on the ideXlab platform.

  • Authorization recycling in hierarchical RBAC systems
    ACM Transactions on Information and System Security, 2011
    Co-Authors: Jason Crampton, Konstantin Beznosov, Matei Ripeanu
    Abstract:

    As distributed applications increase in size and complexity, traditional Authorization architectures based on a dedicated Authorization Server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the reuse of previous Authorization decisions, is one technique that has been used to address these challenges. This article introduces and evaluates the mechanisms for Authorization “recycling” in RBAC enterprise systems. The algorithms that support these mechanisms allow making precise and approximate Authorization decisions, thereby masking possible failures of the Authorization Server and reducing its load. We evaluate these algorithms analytically as well as using simulation and a prototype implementation. Our evaluation results demonstrate that Authorization recycling can improve the performance of distributed access control mechanisms.

  • Cooperative Secondary Authorization Recycling
    IEEE Transactions on Parallel and Distributed Systems, 2009
    Co-Authors: Matei Ripeanu, Konstantin Beznosov
    Abstract:

    As enterprise systems, Grids, and other distributed applications scale up and become increasingly complex, their Authorization infrastructures--based predominantly on the request-response paradigm--are facing the challenges of fragility and poor scalability. We propose an approach where each application Server recycles previously received Authorizations and shares them with other application Servers to mask Authorization Server failures and network delays. This paper presents the design of our cooperative secondary Authorization recycling system and its evaluation using simulation and prototype implementation. The results demonstrate that our approach improves the availability and performance of Authorization infrastructures. Specifically, by sharing Authorizations, the cache hit rate--an indirect metric of availability--can reach 70 percent, even when only 10 percent of Authorizations are cached. Depending on the deployment scenario, the average time for authorizing an application request can be reduced by up to a factor of two compared with systems that do not employ cooperation.

  • HPDC - Cooperative secondary Authorization recycling
    Proceedings of the 16th international symposium on High performance distributed computing - HPDC '07, 2007
    Co-Authors: Matei Ripeanu, Konstantin Beznosov
    Abstract:

    As distributed applications such as Grid and enterprise systems scale up and become increasingly complex, their Authorization infrastructures, based predominantly on the request-response paradigm, are facing challenges in terms of fragility and poor scalability. We propose an approach where each application Server caches previously received Authorizations at its secondary decision point and shares them with other application Servers to mask Authorization Server failures and network delays. This paper presents the design of our cooperative secondary Authorization recycling system and its evaluation using simulation and prototype implementation. The results demonstrate that our approach improves the availability of Authorization infrastructures while preserving their performance characteristics. Specifically, by sharing Authorizations, the cache hit rate, an indirect metric of availability, can reach 70%, even when only 10% of Authorizations are cached. Depending on the deployment scenario, the performance in terms of the average time for authorizing an application request can be reduced by up to 30%.

  • SACMAT - The secondary and approximate Authorization model and its application to Bell-LaPadula policies
    Proceedings of the eleventh ACM symposium on Access control models and technologies - SACMAT '06, 2006
    Co-Authors: Jason Crampton, Leung, Konstantin Beznosov
    Abstract:

    We introduce the concept, model, and policy-specific algorithms for inferring new access control decisions from previous ones. Our secondary and approximate Authorization model (SAAM) defines the notions of primary vs. secondary and precise vs. approximate Authorizations. Approximate Authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the Authorization Server is unavailable or slow. The ability to compute approximate Authorizations improves the reliability and performance of access control sub-systems and ultimately the application systems themselves. The operation of a system that employs SAAM depends on the type of access control policy it implements. We propose and analyze algorithms for computing secondary Authorizations in the case of policies based on the Bell-LaPadula model. In this context, we define a dominance graph, and describe its construction and usage for generating secondary responses to Authorization requests. Preliminary results of evaluating SAAM BLP algorithms demonstrate a 30% increase in the number of Authorization requests that can be served without consulting access control policies.