View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Göteborgs universitets publikationer - e-publicering och e-arkiv Authentication and Authorization for Mobile Devices Bachelor of Science Thesis in Software Engineering and Management NAVID RANJBAR MAHDI ABDINEJADI The Author grants to Chalmers University of Technology and University of Gothenburg the non-exclusive right to publish the Work electronically and in a non-commercial purpose make it accessible on the Internet. The Author warrants that he/she is the author to the Work, and warrants that the Work does not contain text, pictures or other material that violates copyright law. The Author shall, when transferring the rights of the Work to a third party (for example a publisher or a company), acknowledge the third party about this agreement. If the Author has signed a copyright agreement with a third party regarding the Work, the Author warrants hereby that he/she has obtained any necessary permission from this third party to let Chalmers University of Technology and University of Gothenburg store the Work electronically and make it accessible on the Internet. Authentication and Authorization for Mobile Devices NAVID RANJBAR MAHDI ABDINEJADI © NAVID RANJBAR, June 2012. © MAHDI ABDINEJADI, June 2012. Examiner: HELENA HOLMSTRÖM OLSSON University of Gothenburg Chalmers University of Technology Department of Computer Science and Engineering SE-412 96 Göteborg Sweden Telephone + 46 (0)31-772 1000 Department of Computer Science and Engineering Göteborg, Sweden June 2012 2 Authentication and Authorization for Mobile Devices Navid Ranjbar Mahdi Abdinejadi Department of Computer Science and Engineering Department of Computer Science and Engineering University of Gothenburg University of Gothenburg Gothenburg, Sweden Gothenburg, Sweden [email protected] [email protected] Abstract— Nowadays market demand forces companies to adapt to mobile technology. For an enterprise company, this Volvo is one of the companies that are in the process of change will bring up security challenges. In this article, we coping with the mentioned challenges. They are looking on investigate authentication and authorization aspects of security. We conduct a case study in Volvo IT in order to different security aspect like authorization and authentication extract their requirements regarding to authentication and of mobile users to their backend systems. Thus they want to authorization of their current and future mobile applications. investigate different protocols in industry that handle these Also we investigate three security protocols: OAuth, OpenID challenges. In this article we are going to research three and SAML to find out to what extent they can satisfy the protocols, which can be implemented for mobile security in challenges and requirements. enterprise environments. OAuth is an authorization protocol, which is in its nature considering mobile client and Keywords-component; Authentication; Authorization; application as well as web application and platforms. Also Mobility; Mobile Devices; OAuth; OpenID; SAML. OpenID is a web based authentication protocol that enables users to get authenticated through third party identity I. INTRODUCTION providers as well as in-house identity providers. SAML is Mobile technologies are enabling new form of customers another protocol, which deals with the transforming and business applications (Teng & Helps, 2010). Mobile authentication and authorization information between businesses on the other hand are boosting enterprise by security domains. We are mainly trying to answer the providing the easy access to the services for third party question of: How OAuth, OpenID, and SAML can help business partners, consultants and customers (Fitzgerald, mobile devices in getting secure access to resources and 2009). Enterprises are adopting mobile technology and services from Volvo backend servers? providing to market various applications to increase their functioning competence by offering customers and The remainder of this report is structured as follows: in employees greater access to the real-time information section II, we are going to describe what are OAuth, (Unhelkar & Murugesan, 2010). OpenID, and SAML? How do they work? Section III is mainly about the research method we used to address the With advancement of mobile technology, new form of problems of our case study and which steps we took to customers and applications emerged which produces new gather our data. Section IV is the place that we present our challenges for companies. The challenges mainly caused by analyzed data that we collected during the research period. In integrating to mobile services; in order to get adapted to section V we map Volvo requirements with the capabilities mobile advancement, companies should expand the of OAuth, OpenID and SAML and try to figure out in what boundary of their internal services through Internet. This extent these protocols can satisfy the requirements of Volvo. change will enable mobile devices to get access to services, Finally, we are going to conclude and discuss about possible which are usually available inside the company through future works at section VI. native mobile applications. In this article we are going to address only OAuth 2.0, One of the main concerns with mobile technology and OpenID 2.0 and SAML 2.0. mobile devices is how enterprise companies should deal with II. KNOWLEDGE BASE the challenges of security. User experience in mobile devices could be completely different than what enterprise used to Information considered as an asset for individuals and deal internally. Also enterprise companies are constantly organizations; so, they try to protect their information assets dealing with the trade-off between making their application from any posing threat (Todorov, 2007). Security methods easier to use and making them more secure. help to protect the information. Authentication and 3 authorization are aspects of security and we mainly focus on up with security breach in some degree (Sandhu & Samarati, them in this article. 1994). A. Authentication C. OAuth Authentication is the process of proving who really you This section we define common terms and actors in are. It often happens at first step of interaction between user OAuth authorization protocol as well as brief description of and operating system or any services. Todorov (2007) important OAuth flows of work. mentioned that authentication usually refers to determining and validating user’s identity. This process should occur 1) What is OAuth based on one or combination of the three sorts of credentials: OAuth is an open protocol to allow secure API something you have, something you are, something you authorization in a simple and standard method from desktop, know (Windley, 2005). For example, ID and password web and mobile applications. OAuth allows a user to grant combination is something that only an individual knows or access to an application to perform on behalf of user; this certificate is something that an individual have. The most application can only perform the authorized tasks. common authentication function is ID and password. Windley (2005) defined strong authentication is an a) Access Token authentication method that required two or more credentials Access token is a credential that used to access services like ID/password combination plus certificate. or resources; it is a string representation of access allowance to the resources, which is generated by the grant of resource B. Authorization owner from the authorization server (Recordon et al., 2012). “Authorization is the process of determining whether an b) OAuth Roles already identified and authenticated user is allowed to access There are several key actors according to (Boyd, 2012) in information resources in a specific way.” (Todorov, 2007) the OAuth as follows: By authorization systems determine the level of access • Resource server: The server, which is hosting user’s and right of a user to certain resources or services. data, which is protected by OAuth. Authorization comes after authentication as a result • Resource owner: The owner of data, in other words authentication is fundamental for authorization; the reason the user of the application. behind that is user should be proved who is she then system • Client: The application which makes API request to should assign her right and control access. This chain of get protected resources on behalf of the resource event always happens sequentially unless user’s identity is owner. not important like public services (Windley, 2005). • Authorization server: This server gets permission from resource owner and issues access token to User can be authenticated by a specific identity; also she client for accessing protected resources available on can apply for authorization under another identity. Such a the resource server. request for authorization under another identity to access a service typically refers as Authentication Identity; and if this It is necessary that to register applications with the process happens by an application or service acting on behalf authorization servers since API requests need to be properly of the user, it called Impersonation. Impersonation can be identified. The protocol allow this process by the automated permanent or temporary. Impersonation is suitable for means but most of API providers request manual registration client/server in the way that servers or applications can through filling out
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-