
THE UNIVERSITY OF HULL

An Investigation of Interoperability Issues between Authorisation Systems within Web Services

being a Thesis submitted for the Degree of Doctor of Philosophy in Internet Computing in the University of Hull

by Yunxi Zhang

September 2014

Table of Contents

Acknowledgements ... I
Abstract ... II

Chapter 1. Introduction ... 1
1.1 Background and Motivation ... 1
1.2 Problem Statement, Research Aims, Questions and Objectives ... 4
1.2.1 Research problems ... 4
1.2.2 Research questions ... 5
1.2.3 Research aims ... 5
1.2.4 Objectives ... 5
1.3 Research Methodology and Methods ... 6
1.4 Scope and Limitations of the Research Contributions ... 8
1.5 Thesis Outline ... 9
1.6 Chapter Summary ... 11

Chapter 2. Review of Security-Related Standards, Authentication Services, RBAC, ABAC Approaches and the Relevant Authorisation Systems Within Web Services ... 12
2.1 Introduction ... 12
2.2 Definition of Web Services ... 13
2.3 Interoperability Issues and Protocols ... 15
2.4 Security-related Standards, Authentication Services Within Web Services ... 19
2.4.1 Official consortiums and protocol standardisation ... 19
2.4.2 XML and Schema ... 19
2.4.3 SOAP ... 20
2.4.4 WSDL ... 22
2.4.5 UDDI ... 22
2.4.6 XML-Encryption and XML-Signature ... 24
2.4.7 WS-Security ... 25
2.4.8 WS-Trust ... 26
2.4.9 WS-SecureConversation ... 27
2.4.10 WS-Policy and WS-SecurityPolicy ... 28
2.4.11 SAML and XACML ... 29
2.5 Access Control Methods ... 31
2.5.1 RBAC ... 32
2.5.2 ABAC ... 34
2.6 Existing RBAC/ABAC-based Authorisation Systems ... 35
2.7 Existing Solutions for Providing Interoperability between ABAC-based Authorisation Systems within Web Services ... 36
2.7.1 SAML Messages ... 36
2.7.2 An object-oriented framework for adopting different policy languages ... 39
2.8 Limitation of the Application of ABAC within Web Services ... 40

Chapter 3. Trust Negotiation and Interoperability: State of the Art ... 42
3.1 Introduction ... 42
3.2 Concept of TN ... 43
3.3 Review of TN ... 45
3.3.1 Strategy ... 46
3.3.2 Credential and policy ... 54
3.3.3 Declaration ... 56
3.3.4 Existing TN-based authorisation systems ... 56
3.4 Interoperability Issues between Authorisation Systems in Web Services ... 61
3.5 An Improved Multi-layered Interoperability Model ... 67
3.6 Related Work ... 73
3.7 Research Problem ... 74
3.8 Discussion of Potential Solutions ... 75
3.9 Chapter Summary ... 76

Chapter 4. A Protocol-based Approach for Providing Interoperability between Authorisation Systems within Web Services ... 77
4.1 Introduction ... 77
4.2 Overview of A Protocol-based Solution Design ... 79
4.3 Protocol Requirements Elicitation ... 83
4.4 Overview of An Improved TN Protocol ... 90
4.4.1 Scope and limitation of the protocol ... 90
4.4.2 An improved TN protocol ... 90
4.5 Preparation Stage ... 92
4.5.1 Step one – Sends out a <TNPrepareRequest> message ... 93
4.5.2 Step Two – Receives an incoming <TNPrepareRequest> and sends out an outgoing <TNPrepareResponse> message ... 94
4.6 Negotiation Stage ... 97
4.6.1 Step one – Receives an incoming <TNPrepareResponse> message and sends out an outgoing <AuthzDecisionQuery> message ... 97
4.6.2 Step two – Receives an incoming <AuthzDecisionQuery> message and