Smart card authentication and authorization framework

Date

2005-05

Abstract

The service-oriented approach to computing has gained the widespread attention of researchers and industry. Major initiatives include service-oriented programming (SOP) for constructing software components and service-oriented architectures (SOA) for distributed applications. Software programs developed using SOP can be thought of as mega-programs in which the component programs exchange messages through clearly defined interfaces. An SOP environment therefore relies on the exchange of information between various services over various networks.

Services may exchange sensitive information that should be available only to a limited number of persons. It is therefore necessary that the various principals (people, computers, servers) can authenticate themselves. Authentication means that a principal can prove its identity; this is done by means of secrets, usually cryptographic keys. The process of deciding whether user X is allowed to access service Y is called authorization. SOP environments may require authorization based on user interaction before the user is granted access to the services. Furthermore, if sensitive information is sent over an open network, an eavesdropper should neither be able to read the information nor be able to alter it without the receiver detecting the change.

Smart cards combined with the online authentication technology known as Public Key Infrastructure (PKI) seem the ideal means to achieve this. They are designed to allow individuals anywhere in the world to identify each other, to exchange data in encrypted form, and to digitally sign documents in ways that cannot later be repudiated.

My research is based on designing a smart-card-based framework for SORCER that will provide user authentication and authorization. This standard security mechanism will not only enforce more consistent security policies, but will also free application developers from the low-level drudgery of building explicit security controls into their software.
