Secure password-based authenticated key exchange for web services
Source: Conference on Computer and Communications Security
Proceedings of the 2004 workshop on Secure web service
Fairfax, Virginia
Pages: 9 - 15  
Year of Publication: 2004
ISBN:1-58113-973-X
Authors
Liang Fang  Indiana University
Samuel Meder  University of Chicago
Olivier Chevassut  Lawrence Berkeley National Laboratory
Frank Siebenlist  Argonne National Laboratory
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 16,   Downloads (12 Months): 86,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1111348.1111350

ABSTRACT

This paper discusses an implementation of an authenticated key-exchange method rendered on message primitives defined in the WS-Trust and WS-SecureConversation specifications. This IEEE-specified cryptographic method (AuthA) is proven secure for password-based authentication and key exchange, while WS-Trust and WS-SecureConversation are emerging Web Services Security specifications that extend the WS-Security specification. A prototype of the presented protocol is integrated in the WS-ResourceFramework-compliant Globus Toolkit V4. Further hardening of the implementation is expected to result in a version that will be shipped with future Globus Toolkit releases. This could help address the current unavailability of decent shared-secret-based authentication options in the Web Services and Grid world. Future work will be to integrate One-Time-Password (OTP) features in the authentication protocol.



