
Publication


Featured research published by Apurva Kumar.


international conference on distributed computing systems | 2005

Filter Based Directory Replication: Algorithms and Performance

Apurva Kumar

Directories have become an important component of the enterprise security and identity management middleware. This paper describes a novel filter based replication model for lightweight directory access protocol (LDAP) directories. Instead of replicating entire subtrees from a directory information tree (DIT), only entries matching a filter specification are replicated. Efficient algorithms for selecting such filters, keeping them synchronized with the master copy and for using them to answer directory queries have been proposed. Advantages of the filter based replication framework over existing subtree based mechanisms have been demonstrated for a real enterprise directory using real workloads.


international conference on service oriented computing | 2011

Model driven security analysis of IDaaS protocols

Apurva Kumar

Offloading user management functions like authentication and authorization to identity providers is a key enabler for cloud computing based services. Protocols used to provide identity as a service (IDaaS) are the foundation of security for many business transactions on the web and need to be thoroughly analyzed. While analysis of cryptographic protocols has been an active research area over the past three decades, the techniques have not been adapted to analyze security for complex web interactions. In this paper, we identify gaps in the area and propose means to address them. We extend an important belief logic (the so-called BAN logic) used for analyzing security in authentication protocols to support new concepts that are specific to browser based IDaaS protocols. We also address the problem of automating belief based security analysis through a UML based model driven approach which can be easily integrated with existing software engineering tools. We demonstrate benefits of the extended logic and model driven approach by analyzing two of the most commonly used IDaaS protocols.


annual computer security applications conference | 2012

Using automated model analysis for reasoning about security of web protocols

Apurva Kumar

Interoperable identity and trust management infrastructure plays an important role in enabling integrations in cloud computing environments. In the past decade or so, several web-based workflows have emerged as de-facto standards for user identity and resource access across enterprises. Establishing correctness of such web protocols is of immense importance to a large number of common business transactions on the web. In this paper, we propose a framework for analyzing security in web protocols. A novel aspect of our proposal is bringing together two contrasting styles used for security protocol analysis. We use the inference construction style, in which the well-known BAN logic has been extended to reason about web protocols, in conjunction with, an attack construction style that performs SAT based model-checking to rule out certain active attacks. The result is an analysis method that shares simplicity and intuitive appeal of belief logics, at the same time covers a wider range of protocols, along with an ability to automatically find attacks. To illustrate effectiveness, case study of a leading web identity and access management protocol is presented, where application of our analysis method results in a previously unreported attack being identified.


recent advances in intrusion detection | 2014

A Lightweight Formal Approach for Analyzing Security of Web Protocols

Apurva Kumar

Existing model checking tools for cryptographic protocol analysis have two drawbacks, when applied to present day web based protocols. Firstly, they require expertise in specialized formalisms which limits their use to a small fragment of scientific community. Secondly, they do not support common web constructs and attacks making the analysis both cumbersome as well as error-prone. In this paper, we propose a novel security analysis technique specialized for web protocols. We provide explicit support for common web mechanisms and an adversary capable of exploiting browser-based interaction. Our approach has two unique aspects. It represents the only tool built using a general purpose first-order logic based modeling language – Alloy – that can be used to analyze security of industrial strength web protocols. The other unique aspect is our use of an inference system that analyzes beliefs at honest participants to simplify the protocol model. Despite its simplicity, we demonstrate effectiveness of our approach through a case-study of SAML, where we identify a previously unknown vulnerability in its identity federation workflow.


trust and trustworthy computing | 2012

A belief logic for analyzing security of web protocols

Apurva Kumar

Many useful transactions on the web are implemented as a sequence of interactions that a user performs with multiple collaborating providers. Safety of such transactions requires the user to not only trust individual providers and communication channels, but also the web protocols that manage security of these transactions. A protocol can be trusted for a particular usage if the guarantees that it provides its participants are considered acceptable in the context. An important set of approaches for cryptographic protocol analysis are based on the so-called BAN logic, which is used to reason about beliefs established at protocol participants. In this paper, we attempt to provide a similar approach for web protocols. The new logic extends BAN and supports key concepts that simplify security analysis of web protocols. It also takes into account additional challenges introduced due to browser-based interaction. Through examples of two leading cross-domain identity and access management protocols, we demonstrate efficacy of our analysis in establishing precisely what a protocol achieves, in deciding whether it can be trusted for a particular need and in proposing fixes that improve trust levels.


international conference on service oriented computing | 2008

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Apurva Kumar

The problem of providing unified web security management in an environment with multiple autonomous security domains is considered. Security vendors provide separate security management solutions for cross-domain browser based and web service based interactions. This is partly due to the fact that different web standards dominate in each space. For example, Security Assertion Markup Language (SAML), which is an important standard in cross domain single sign on (SSO), specializes in browser based access, while WS-* standards focus on security needs of web services. However, cross domain web services are often invoked in the context of a secure browser session. Considering these interactions in isolation will lead to a fractured security solution. This paper proposes a solution that provides seamless transfer of security context across various types of cross-domain web interactions.


international conference on data engineering | 2005

Filter based directory replication and caching

Apurva Kumar

This paper describes a novel filter based replication model for lightweight directory access protocol (LDAP) directories. Instead of replicating entire subtrees from the directory information tree (DIT), only entries matching a filter specification are replicated. Advantages of the filter based replication framework over existing subtree based mechanisms have been demonstrated for a real enterprise directory using real workloads.


cloud computing security workshop | 2012

Managing trust and secrecy in identity management clouds

Apurva Kumar

User management services were one of the first to be offloaded to third party cloud vendors. Today, a large number of service providers rely on trusted identity providers for managing users and their resources. At the core of these interactions involving multiple providers are a set of web-based workflows that have emerged as de-facto standards. In this paper, we propose a framework especially addressing needs of analyzing security in such web protocols. To analyze trust between collaborating service providers on the web, we extend the well-known BAN logic. We study secrecy properties to examine security of user identity management across multiple domains, using a SAT based model-checking approach. The result is a hybrid approach that inherits simplicity and intuitive appeal of belief logics without being affected by soundness problems associated with these logics. We illustrate the method through analysis of a premier web identity management protocol where we use our method to automatically discover a new attack trace.


Archive | 2004

Edge Caching for Directory Based Web Applications

Apurva Kumar; Rajeev Gupta

In this paper, a dynamic content caching framework is proposed for deploying directory based applications at the edge of the network, closer to the client. The framework consists of a Lightweight Directory Access Protocol (LDAP) directory cache and the offloaded application running at a proxy. The LDAP directory cache is an enhanced LDAP proxy server which stores results and semantic information for search requests (queries) and answers incoming queries which are semantically contained in them. A simplified query containment approach based on the concept of LDAP templates is proposed. Caching algorithms have been proposed which take advantage of referential locality in the access pattern. A generic framework is used to offload the application at the edge and to support prefetching of LDAP queries based on application logic. A real enterprise directory application and real workloads are used to evaluate performance of the caching algorithms. The LDAP directory cache architecture, along with the proposed algorithms, can be used to improve performance and scalability of directory based services.


international conference on mobile and ubiquitous systems: networking and services | 2012

Privacy Preserving Social Mobile Applications

Venkatraman Ramakrishna; Apurva Kumar; Sougata Mukherjea

Mobile users can obtain a wide range of services by maintaining associations, and sharing location and social context, with service providers. But multiple associations are cumbersome to maintain, and sharing private information with untrusted providers is risky. Using a trusted broker to mediate interactions by managing interfaces, user identities, context, social network links, policies, and enabling cross-domain associations, results in more privacy and reduced management burden for users, as we show in this paper. We also describe the prototype implementations of two practically useful applications that require awareness of participants’ location and social context: (i) targeted advertising, and (ii) social network-assisted online purchases.
