Multi-party authentication protocols for web services

Abstract

The Web service technology allows the dynamic composition of a workflow (or a business flow) by composing a set of existing Web services scattered across the Internet. While a given Web service may have multiple service instances taking part in several workflows simultaneously, a workflow often involves a set of service instances that belong to different Web services. In order to establish trust relationships amongst service instances, new security protocols are urgently needed. Hada and Maruyama [HAD02] presented a session-oriented, multi-party authentication protocol to resolve this problem. Within a session the protocol provides a common session secret shared by all the service instances, thereby distinguishing the instances from those of other sessions. However, individual instances cannot be distinguished and identified by the session secret. This leads to vulnerable session management and poor threat containment. In this thesis, we present a new design for a multi-party authentication protocol. In this protocol, each service instance is provided with a unique identifier. The Diffie-Hellman Key Agreement scheme is employed to generate the trust relationship between service instances within the same flow. The Coordinated Atomic Action scheme is exploited for achieving an improved level of threat containment. The new protocol was implemented in Java and evaluated by a combined use of experiments and model-based analysis. The results show that the time consumption for multi-party authentication increases linearly as the number of service instances that are introduced into a session increases. Our solution is therefore potentially applicable for Web service flow with a large number of participants. Various public key algorithms are also compared and evaluated during the experiments in order to select the most suitable one for our new protocol.