2194 Mobile Code and Security Issues

Language Support for Safety

The features of the language needed to ensure that various code units do not interfere with each other, and with the system, are given next.

• Heavy address space protection mechanisms
• Type-safe feature to ensure that arrays stay in bounds, pointers are always valid, and code cannot violate variable typing (such as placing code in a string and then executing it)
• Designing a modular system, separating interfaces from implementations in programs, and with appropriate layering of libraries and module groups, with particular care being taken at the interfaces between security boundaries.
• Replace general library routines that could compromise security with more specific, safer ones. For example, a general file access routine can be replaced with one that can write files only in a temporary directory.
• Granting access to resources: Determining exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy that determines what type of access any “mobile code” unit has. This policy may be:
  1. Fixed for all “mobile code” units: Very restrictive but easy, and the approach currently used to handle applet security in Web browsers such as Netscape.
  2. User verifies each security-related access request: Relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests. Whilst there is a place for querying the user, it should be used exceedingly sparingly.
  3. Negotiate for each “mobile code” unit: Much harder, as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach.

OS Level Security

The types of events to be monitored in association with the agent execution are very similar to those audited for the system’s users. Moreover, the agents can be easily grouped and differentiated within the system.
In addition to extensive authentication and authorization mechanisms, accounting and auditing mechanisms should be implemented. In a system like “distributed agents on the go” (DAGO) (Felmetsger & Vigna, 2005), a mobile agent is viewed as an ordinary system user who logs in to the host and uses some of the system’s resources for its own needs. Every incoming mobile agent is given an individual account and a unique user identifier (UID) for the duration of its execution on a host. This approach allows the hosting OS to apply to mobile agents the same set of rules and policies that are applied by the OS to all of its users.

In Unix, a number of logging, auditing, and accounting mechanisms are available to monitor the actions of its users and the status of its resources. These tools can work at the system call level and can be configured based on different types of events, such as opening and closing of files, reads and writes, programs executed, and so on. They also allow one to specify groups of system objects to be monitored for certain activities, and can track system usage by recording statistics about CPU and memory usage, I/O operations, running time, and other forms of system resource usage, along with the user IDs of the processes involved. These tools can be easily leveraged and extended to a multiagent environment.

A variety of customizable tools, such as SNARE (system intrusion analysis and reporting environment; SNARE, 2005) and BSM (basic security module), provide a greater degree of security assurance. SNARE is a dynamically loadable kernel module that can be used as a stand-alone auditing system or as a distributed tool. The tool can be configured to monitor events associated with certain groups of users, filter the monitored events with specific “search expressions,” and submit reports in different formats and time frames.
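As an added illustration (not code from the original chapter, nor from DAGO, SNARE or BSM), the following Python script shows the per-agent accounting this section describes: because each agent runs under its own UID, system-call-level audit records can be filtered with a search expression, summarised per UID, and checked against resource and access limits. The key=value audit line format, the UIDs, the paths and the thresholds are all constructed for this example and do not reproduce any real tool's record layout.

```python
import re
from collections import defaultdict

# Constructed audit records in a hypothetical key=value format. Every record
# carries the UID of the agent account that owns the process, as in the DAGO
# model where each incoming agent gets its own account for the duration of its run.
AUDIT_LINES = """\
ts=1000 uid=5001 ev=open path=/tmp/agent5001/scratch.dat flags=O_WRONLY result=ok
ts=1001 uid=5001 ev=write path=/tmp/agent5001/scratch.dat bytes=512 result=ok
ts=1002 uid=5002 ev=open path=/etc/shadow flags=O_RDONLY result=denied
ts=1003 uid=5002 ev=open path=/etc/passwd flags=O_RDONLY result=ok
ts=1004 uid=5002 ev=exec path=/bin/sh result=ok
ts=1005 uid=5001 ev=exit cpu_ms=40 result=ok
ts=1006 uid=5002 ev=open path=/home/alice/.ssh/id_rsa flags=O_RDONLY result=denied
ts=1007 uid=5002 ev=exit cpu_ms=310 result=ok
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value audit record into a dict."""
    return dict(FIELD_RE.findall(line))


def filter_events(lines, expr):
    """Keep only the records whose raw text matches a 'search expression' (a regex)."""
    pat = re.compile(expr)
    return [parse_line(l) for l in lines.splitlines() if l.strip() and pat.search(l)]


def summarize_by_uid(lines):
    """Per-UID accounting: event count, denied accesses, programs executed, CPU time."""
    summary = defaultdict(lambda: {"events": 0, "denied": 0, "execs": [], "cpu_ms": 0})
    for ev in filter_events(lines, r".*"):
        s = summary[int(ev["uid"])]
        s["events"] += 1
        if ev.get("result") == "denied":
            s["denied"] += 1
        if ev.get("ev") == "exec":
            s["execs"].append(ev["path"])
        if ev.get("ev") == "exit":
            s["cpu_ms"] += int(ev.get("cpu_ms", 0))
    return dict(summary)


def flag_agents(summary, max_denied=1, max_cpu_ms=200, allowed_execs=()):
    """Apply the same kind of per-user limits an OS policy would to each agent UID.
    Returns {uid: [reasons]} for agents that exceeded a limit."""
    flagged = {}
    for uid, s in summary.items():
        reasons = []
        if s["denied"] > max_denied:
            reasons.append(f"{s['denied']} denied accesses (limit {max_denied})")
        if s["cpu_ms"] > max_cpu_ms:
            reasons.append(f"{s['cpu_ms']} ms CPU (limit {max_cpu_ms})")
        for prog in s["execs"]:
            if prog not in allowed_execs:
                reasons.append(f"executed {prog} outside allow-list")
        if reasons:
            flagged[uid] = reasons
    return flagged


if __name__ == "__main__":
    per_uid = summarize_by_uid(AUDIT_LINES)
    for uid, reasons in flag_agents(per_uid).items():
        print(f"agent uid={uid}: " + "; ".join(reasons))
```

Running the script reports only the agent under UID 5002 (two denied opens, CPU over the limit, and a shell execution outside the allow-list); the agent under UID 5001 stays within its own temporary directory and is not flagged. The same grouping by UID is what lets the host apply per-user quotas and audit rules to agents without any agent-specific kernel support.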
The type of events monitored can be either defined by a category (for example, system calls) or by an identifier such as “denied access.”

Safety Policies for Mobile Code Programs

A safety policy is a set of restrictions placed upon locally run untrusted code to ensure that the program does not behave in a manner that is detrimental to the system or to the system security. At the very least, a safety policy should guarantee the following fundamental safety properties (Muller, 2000):

• Control flow safety: The program should never jump to and start executing code that lies outside of the program’s own code segment. All function calls should be to valid function entry points, and function returns should return to the location from where the function was called.
• Memory safety: The program should never be allowed to access random locations in memory. The program should only access memory in its own static data segment, live system heap memory that has been explicitly allocated to it, and valid stack frames.
• Stack safety: The program should only be allowed to access the top of the stack. Access to other areas of the stack should be completely restricted.

These three properties, combined, offer the minimum nontrivial level of security for mobile code. More complicated security policies are possible, depending on the application.

Trust

Security is based on the notion of trust. Basically, software can be divided into two categories, namely, software that is trusted and software that is not, separated by an imaginary trust boundary. All software on our side of the trust boundary is trusted and is known as the trusted code base. All security implementations rely on some trusted code. As a result, a trust model of a particular implementation can be made. The trust model basically specifies which code is to be included in the trusted-code base and which code lies outside of the trust boundary.
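Returning to the three fundamental safety properties listed under Safety Policies for Mobile Code Programs, the following Python verifier is an added example (not from the original chapter or from Muller, 2000) of how a host can check them statically before running an untrusted unit. The toy instruction set, the policy layout and the sample programs are constructed for this example; a real loader would work on actual bytecode or native code.

```python
from dataclasses import dataclass, field

# Constructed toy instruction set for a hypothetical mobile-code unit (not a real VM).
# Each instruction is a tuple: (opcode, *operands).
#   ("jmp", t) / ("jz", t)    : transfer control to code index t
#   ("call", t) / ("ret",)    : call the function starting at index t / return
#   ("load", a) / ("store", a): access static memory address a
#   ("peek", d)               : read the stack slot d positions below the top (0 = top)
#   ("push", v) / ("pop",) / ("halt",)
TERMINATORS = ("halt", "jmp", "ret")


@dataclass
class Policy:
    data_segment: range                               # the unit's own static data
    heap_allocs: list = field(default_factory=list)   # heap ranges explicitly allocated to it
    entry_points: set = field(default_factory=set)    # valid function entry indices


def check_safety(code, policy):
    """Static check of control-flow, memory and stack safety.
    Returns a list of (index, property, message); an empty list means the unit is accepted.
    Return-address integrity for 'ret' is a run-time property (e.g., a shadow stack)
    and is deliberately not claimed here."""
    n = len(code)
    violations = []
    for i, ins in enumerate(code):
        op, args = ins[0], ins[1:]
        if op in ("jmp", "jz", "call"):
            # Control-flow safety: targets stay inside the code segment, and calls
            # land only on declared function entry points.
            t = args[0]
            if not 0 <= t < n:
                violations.append((i, "control-flow", f"{op} target {t} outside code segment [0,{n})"))
            elif op == "call" and t not in policy.entry_points:
                violations.append((i, "control-flow", f"call to {t} is not a function entry point"))
        elif op in ("load", "store"):
            # Memory safety: only the static data segment or heap explicitly allocated to the unit.
            a = args[0]
            if a not in policy.data_segment and not any(a in r for r in policy.heap_allocs):
                violations.append((i, "memory", f"{op} of address {a} outside allocated memory"))
        elif op == "peek" and args[0] != 0:
            # Stack safety: only the top of the stack may be read.
            violations.append((i, "stack", f"peek {args[0]} slots below the top of the stack"))
    # Control-flow safety also forbids running off the end of the code segment.
    if code and code[-1][0] not in TERMINATORS:
        violations.append((n - 1, "control-flow", "execution can fall off the end of the code segment"))
    return violations


# Constructed policy and sample units.
POLICY = Policy(data_segment=range(0, 16), heap_allocs=[range(100, 108)], entry_points={4})

GOOD = [("push", 1), ("store", 3), ("call", 4), ("halt",),
        ("load", 100), ("peek", 0), ("ret",)]          # index 4 is a declared entry point
BAD = [("load", 17),     # 0: outside the data segment and not heap-allocated
       ("jmp", 42),      # 1: target beyond the code segment
       ("call", 3),      # 2: in range, but 3 is not an entry point
       ("peek", 2),      # 3: reads below the top of the stack
       ("halt",)]

if __name__ == "__main__":
    print("GOOD:", check_safety(GOOD, POLICY) or "accepted")
    for idx, prop, msg in check_safety(BAD, POLICY):
        print(f"BAD[{idx}] violates {prop} safety: {msg}")
```

The verifier rejects `BAD` with one finding per property, and accepts `GOOD` because every control transfer, memory access and stack read stays inside what the policy grants. This is the shape of check that a sandbox performs at load time; the properties it cannot decide statically (the return address actually used by `ret`, the bounds of a pointer computed at run time) are the ones that must be enforced by the run-time environment, which is why the trusted code base discussed next includes that run-time.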
At the very least, the trusted-code base should include the local operating system kernel, but can also include other items of trusted software, like trusted compilers or trusted program run-time environments (e.g., the Java interpreter). It is desirable, however, to keep the trusted-code base as small as possible to reduce the security vulnerabilities.

Performance and Security

Unfortunately, as in most applications, performance is sacrificed for increased security. It would, however, be profitable to have applications that are both secure and perform well at the same time. For this reason, there is much research concerned with resolving the conflict between these concepts in some way.

CONCLUSION

The purpose of this chapter is to raise readers’ awareness of mobile code and various approaches to addressing security of mobile code and agents. All of the techniques discussed in this chapter offer different approaches to combating malicious mobile code. However, the best approach is probably a combination of security mechanisms. The sandbox and code signing approaches are already hybridized. Combining these with firewalling techniques, such as the playground, gives an extra layer of security. PCC is still very much in the research and development phase at present. In order to make the mobile code approach practical, it is essential to develop advanced and innovative solutions to restrict the operations that mobile code can perform, but without unduly restricting its functionality. It is also necessary to develop formal, extremely easy-to-use safety languages to specify safety policy. Organizations relying on the Internet face significant challenges to ensure that their networks operate safely, and that their systems continue to provide critical services, even in the face of attack. Even the strictest of security policies will not be able to prevent security breaches.
Educating users in social-engineering attacks based around mobile code is also necessary.

REFERENCES

Alfalayleh, M., & Brankovic, L. (2004). An overview of security issues and techniques in mobile agents. Retrieved from http://sec.isi.salford.ac.uk/ [remainder of URL garbled in source]

Brown, L. (1996). Mobile code security [Electronic version]. Retrieved from http://www.unsw.adfa.edu.au/~lpb/papers/mcode96.html

Chan, H. W., & Anthony. (1999). Secure mobile agents: Techniques, modeling and application. Retrieved from http://www.cse.cuhk.edu.hk/~lyu/student/mphil/anthony/term3.ppt

Felmetsger, V., & Vigna, G. (2005). Exploiting OS-level mechanisms to implement mobile code security. Retrieved from http://www.cs.ucsb.edu/~vigna/pub/2005_felmetsger_vigna_ICECCS05.pdf

Ghezzi, C., & Vigna, G. (1997). Mobile code paradigms and technologies: A case study. In K. Rothermel & R. Popescu-Zeletin (Eds.), Mobile agents, First International Workshop, MA’97, Proceedings (LNCS 1219, pp. 39-49). Berlin, Germany: Springer.

Hefeeda, M., & Bharat, B. (n.d.). On mobile code security. Center of Education and Research in Information Assurance and Security, and Department of Computer Science, Purdue University, West Lafayette, IN. Retrieved from http://www.cs.sfu.ca/~mhefeeda/Papers/OnMobileCodeSecurity.pdf

Hohl, F. (1997). An approach to solve the problem of malicious hosts. Universität Stuttgart, Fakultät Informatik, Fakultätsbericht Nr. 1997/03. Retrieved from http://www.informatik.uni-stuttgart.de/cgi-bin/ncstrl_rep_view.pl?/inf/ftp/pub/library/ncstrl.ustuttgart_fi/ [remainder of URL garbled in source]

Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Retrieved from http://citeseer.ist.psu.edu/hohl98time.html

Hohl, F. (1998). Mobile agent security and reliability. Proceedings of the Ninth International Symposium on Software Reliability Engineering (ISSRE ’98).

Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Mobile Agents and Security (LNCS 1419). Springer-Verlag.

IBM Aglets. (2002). Retrieved from http://www.trl.ibm.com/aglets/

Jansen, W., & Karygiannis, T. (n.d.). Mobile agent security (NIST Special Publication 800-19). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-19/sp800-19.pdf

Java Agent Development Framework. (2005). Retrieved from http://jade.tilab.com/

Karjoth, G., Lange, D. B., & Oshima, M. (1997). A security model for aglets. IEEE Internet Computing, 1(4), 68-77. [Electronic version]. Retrieved from http://www.ibm.com/java/education/aglets/

Loureiro, S., Molva, R., & Roudier, Y. (2000, February). Mobile code security. Proceedings of ISYPAR 2000 (4ème Ecole d’Informatique des Systèmes Parallèles et Répartis), Code Mobile, France. Retrieved from www.eurecom.fr/~nsteam/Papers/mcs5.pdf

Lucco, S., Sharp, O., & Wahbe, R. (1995). Omniware: A universal substrate for mobile code. In Fourth International World Wide Web Conference, MIT. [Electronic version]. Retrieved from http://www.w3.org/pub/Conferences/WWW4/Papers/165/

McGraw, G., & Morrisett, G. (2000). Attacking malicious code. Retrieved from http://www.cs.cornell.edu/Info/People/jgm/lang-based-security/maliciouscode.pdf

Mobile Code and Mobile Code Security. (2005). Retrieved from http://www.cs.nyu.edu/~yingxu/privacy/0407/main.html

Mobile Code Security. (1996). [Electronic version]. Retrieved from http://www.unsw.adfa.edu.au/~lpb/papers/mcode96.html

Mobile Code Security and Computing with Encrypted Functions. [Electronic version]. Retrieved from http://www.zurich.ibm.com/security/mobile

Motlekar, S. (2005). Code obfuscation. Retrieved from http://palisade.paladion.net/issues/2005Aug/code-obfuscation/

Muller, A. (2000). Mobile code security: Taking the Trojans out of the Trojan horse. Retrieved from www.cs.uct.ac.za/courses/CS400W/NIS/papers00/amuller/essay1.htm

Necula, G. C., & Lee, P. (1998). Safe, untrusted agents using proof-carrying code. Lecture Notes in Computer Science, (1419). Springer-Verlag.

Oppliger, R. (2000). Security technologies for the World Wide Web. Computer Security Series. Artech House Publishers.

Proof-Carrying Code. (2002). Retrieved from http://raw.cs.berkeley.edu/pcc.html

Robust Obfuscation. (2005). Retrieved from http://www.cs.arizona.edu/~collberg/Research/Obfuscation/

Roger, A. G. (2001). Malicious mobile code: Virus protection for Windows [Electronic version]. O’Reilly & Associates.

Rubin, A. D., & Geer, D. E. (1998). Mobile code security. IEEE Internet Computing.

Sander, T., & Tschudin, C. (1998a). Towards mobile cryptography. Proceedings of the IEEE Symposium on Security and Privacy.

Sander, T., & Tschudin, C. (1998b). Protecting mobile agents against malicious hosts. [Electronic version]. In G. Vigna (Ed.), Mobile agents and security, Lecture Notes in Computer Science, 1419 (pp. 44-60). Retrieved from http://citeseer.ist.psu.edu/article/sander97protecting.html

SNARE: System iNtrusion Analysis and Reporting Environment. (2005). [Electronic version]. Retrieved from http://www.intersectalliance.com/projects/Snare

Telescript Language Reference. (1995). Retrieved from http://citeseer.ist.psu.edu/inc95telescript.html

Tennenhouse, D. L., & Wetherall, D. J. (1996). Towards an active network architecture. Computer Communication Review. Retrieved from http://www.tns.lcs.mit.edu/publications/ccr96.html

Vigna, G. (1997, June). Protecting mobile agents through tracing. Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems, Jyväskylä, Finland. Retrieved from http://www.cs.ucsb.edu/~vigna/listpub.html

This work was previously published in Web Services Security and E-Business, edited by G. Radhamani and G. Rao, pp. 75-92, copyright 2007 by IGI Publishing (an imprint of IGI Global).

Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Chapter 7.15
Secure Authentication Process for High Sensitive Data E-Services: A Roadmap

Claudio Agostino Ardagna, University of Milan, Italy
Ernesto Damiani, University of Milan, Italy
Fulvio Frati, University of Milan, Italy
Salvatore Reale, Siemens Mobile Communication S.p.A., Italy

EXECUTIVE SUMMARY

The widespread diffusion of online services provided by public and private organizations, driven first by e-commerce and more recently by e-government applications, has stressed the need for secure ways to authenticate users who need to access online resources. The huge number of resources accessible on the Web leads to different authentication mechanism implementations that often require multiple log-on actions, even in an intradomain multiservice scenario. In the case of highly sensitive services, user authentication plays a role of paramount importance. This article presents a case study that gives a roadmap of authentication mechanisms implemented at different levels of a service’s software structure. The discussion starts by illustrating different authentication solutions implemented at the operating system, application server, or component level, and concludes with the Single Sign-On (SSO) approach. For each solution, pros and cons are discussed. The SSO system, called CAS++, developed as an extension to Yale University’s CAS, is then presented.

ORGANIZATION BACKGROUND

Established in early July 2002, Siemens Mobile Communications S.p.A. (SMC) is involved in mobile networks for Italy and fixed and mobile network access systems (for the international market). It works in close collaboration with the Siemens AG Information and Communication Mobile group. The company is among the foremost research and development centers in the telecommunications industry, with a large percentage of its staff employed at the Cassina de’ Pecchi and Cinisello Balsamo (Milan) premises.
Manufacturing mainly takes place at the Marcianise plant (in the province of Caserta), as well as in Cassina. Turnover for 2003–2004 came in at 1,171 million euros, with staff levels at 2,562.

Siemens Mobile Communications’ business divisions are marked by their aggressively market-oriented approach and a commitment to excellence in partnerships with mobile operators, regardless of whether they are new or existing clients, in every area of telecommunications, fully capitalizing on the synergies offered by the Siemens Information and Communications group in Italy and internationally. The company comprises two business divisions:

• Mobile Networks: Siemens Mobile Communication positions itself as one of the leading companies in the mobile communication market. Its products are made to answer in the best possible way to the requirements of its customers. The infrastructure range includes technologies for GSM, GPRS, and 3G systems. The processes of technological innovation realized by the research centers keep Siemens at the highest level in the development of new technologies for the Mobile Network.
• Microwave Networks: The Microwave Networks division has a lead-house role in Siemens, with the mission of developing, manufacturing, promoting, selling, and supporting microwave and WiMAX products. Siemens offers innovative radio products and solutions for the transmission and access to the mobile and fixed networks, thanks to its proven turn-key capability and world-wide presence.

SETTING THE STAGE

The increasing usage of GSM mobile phones and the advent of a new generation of mobile systems (called third-generation or 3G) have led to the development of applications that manage the mobile network and provide new services to users.
In this scenario, every network technician that has to use multiple parallel services must manage several username/password pairs, raising a great number of security concerns (Bettini, Jajodia, Sean Wang & Wijesekera, 2002). In particular, when the organization manages very sensitive data, the main problem that has to be addressed is the efficiency and security of the authentication process, the first point of contact between users and systems. Hence, in this scenario, the major challenges were to improve the authentication process in order to avoid malicious accesses, privacy violations, and data correlation. The importance of security mechanisms, in fact, arose when a solution for remote management had been adopted for simplifying and improving network management performance. In this scenario, the high sensitivity of the information and the risks introduced by the adoption of remote services made it necessary to provide a strong solution to security issues.

The presented case study, named “Pitagora Project”, is managed in the context of a joint research project that involved Siemens Mobile Communication S.p.A. and the Software Engineering and Advanced Architectures Group of the Department of Information Technology of Crema (DTI), University of Milan. This project, started in January 2004, is focused on security and authentication issues applied to real-life experiences of Information Technology (IT) in an important organization. Project Pitagora gave a solution that allowed the implementation of a security architecture, also in an e-services scenario, that integrated and protected all the services, components, and applications composing the studied environment.
More in detail, this environment included the following innovative applications in the field of mobile communication:

• IMW was the application tool, developed from March 2004 to November 2004, which provided and controlled the access, requested by users/technicians, to the Operation and Maintenance Center (OMC) system, the system used to manage the network elements that composed the real mobile network. In particular, users were able to manage, configure, and check the OMC mobile network using different technologies and devices, such as traditional PCs/laptops, PDAs, and mobile phones. Hence, IMW managed all the communication processes between users and the OMC system, through different technologies such as Web browsers and the HTTP/HTTPS protocol, WAP browsers, and SMS. IMW kept the technicians informed on the supervised network state, notifying the alarms and warnings for which the users had previously registered. To conclude, the users could configure and detect the components’ state, receiving alarm notifications in case of hardware or software failures, and could try to solve the problems by running actions and tests over the damaged components. To summarize, IMW fulfilled all the requirements for the remote management environment for mobile networks.
• i-Geo (intelligent Geo-Location) was the application involved in the geo-location of customers’ mobiles (Anisetti, Bellandi, Damiani & Reale, 2005). In particular, the i-Geo tool allowed the definition of the number and position of mobile antennas, the calculation of the produced electromagnetic field, the calculation of the sensitivity map, the geo-location of a mobile phone and, finally, the computation of the path of a mobile phone during a time interval. Future enhancements could be provided to compute the best antenna positions to optimize the mobile signal coverage. The i-Geo application implementation, started in September 2004, is still under development.
  Its first version was completed in April 2005.
• GEMFIS was an open source application, developed in 2004, used to monitor the network usage, focusing on maximizing performance and guaranteeing a healthy environment with respect to the current laws (Damiani & Montel, 2005; Montel, 2004). GEMFIS provided features for the storage, visualization, and management of environmental data. In particular, it provided information about the electromagnetic field and acoustic level compared with environmental rules. It also managed a historical database related to the installed facilities, disposal of waste material, and variation of the electromagnetic field.

The proposed applications hold and manage a huge amount of sensitive data or services that must be protected from unauthorized accesses. The risk of malicious actions increases in the case of remote requests and interactions. In this scenario, as said before, the need for a stable and strong mechanism to authenticate users arises.

Before the Pitagora Project, Siemens managed several parallel applications as stand-alone services, each with its own authentication mechanism based on username-password pairs. In particular, all the users/technicians that had to use these applications were faced with different types of authentication processes and different sets of authentication information, thus increasing the probability of errors or intrusions, a problem that Siemens wanted to solve in order to be able to expose the services to the Net.

CASE DESCRIPTION

Accessing information on the global Net has become a fundamental requirement of the modern economy. Recently, focus has shifted from access to traditional information stored in WWW sites to e-services such as e-government services, remote banking, or airline reservation systems (Corallo, Cremonini, Damiani, De Capitani di Vimercati, Elia & Samarati, 2005; Damiani, Khosla & Grosky, 2003; Feldman, 2000).
In particular, the perceived importance of e-services is growing and, consequently, many works try to develop methods and models to make the e-services development process uniform. Today, it is widely acknowledged that e-services should follow a layered software structure as outlined in Figure 1. The structure depicted also fits the real case described in this article, and it is composed of three layers, where the first comprises a community of e-services components, managed by an application server (second layer), in turn running on an Operating System platform (third layer). More in detail:

• E-services components layer. All software components that implement an e-Service.
• Application server layer. Middleware over which the applications will be deployed. It provides some additional functionalities such as management of security and persistence. In this manner, the developer can focus on the implementation of application components.
• Operating System platform layer. The Operating System platform over which the applications will be distributed.

Figure 1. E-services three-layered structure

In this scenario, where data represent one of the major critical assets for enterprises and are shared among strangers, the need for security arises, becoming the most critical issue in e-services implementations. The fact that users are potentially strangers during a negotiation makes security a research issue involving and affecting several fields, such as access control, trust and reputation, and several technologies, such as biometric systems. This article, however, focuses on the major authentication solutions for e-services, discussing their pros and cons in an e-services three-layered structure. Then, it presents and discusses single sign-on and federation approaches, which are the emergent technologies providing an infrastructure to integrate and coordinate authentication processes.
The discussion starts from the experience gathered in a real case study involving Siemens Mobile Communication S.p.A. and the University of Milan. In particular, Siemens Mobile Communication S.p.A. had perceived the need to open its applications to technicians through the Net as well, and not only in a closed network. The exposure of the application interface had introduced the need to redesign and strengthen the authentication process, due to the high sensitivity of the exchanged data, whose corruption or unauthorized release could cause enormous economic losses. This sensitivity, in fact, had in the past defeated any attempt to expose Siemens services to technicians through the Net, and had imposed the definition of several restrictive requirements that the security architecture must fulfill to reduce intrusion risk to close to zero.

CURRENT CHALLENGES/PROBLEMS FACING THE ORGANIZATION

Before describing the solution for the case study, the roadmap which led to its adoption is presented, explaining the pros and cons of all the analyzed authentication practices. The following solutions represent the most important methodologies in current e-services implementations.

Looking at the picture in Figure 1, the three-level structure of e-services could implicitly suggest the application of an authentication mechanism at one of its layers. In formalizing Pitagora’s components, each level was examined and studied to implement an authentication mechanism. In the following sections, the resulting three scenarios together with emergent solutions are presented, and each approach is described focusing on the advantages and disadvantages that it provided.

Operating System Level Authentication

The first considered solution was to rely on the authentication features provided directly by the operating system platforms. Each user (in this case a technician) that tried to enter the system had to provide her credentials (username and password) at system start-up.
Operating systems internally manage a user repository that grants access only to registered users, associated with simple authorization roles (e.g., administrator and guest). If the login process succeeded, applications based on the operating system repository retrieved and collected username and role through predefined system calls, and used them to grant access to services whenever possible, based on their authorization rules.

This solution, although it reduced the effort in user and authentication process management and avoided any code customization, raised a set of crucial issues. First of all, the operating system account repository (composed only of username and role) is not fully satisfactory for what concerns the management of access control in e-services and, therefore, applications had to maintain their own user account repository, reducing all the benefits given by this solution. Usually, the roles managed by applications were more than two (administrator and guest), and additional credentials were needed to determine which actions the user could perform. Furthermore, the user that gained access could differ from the one that made use of the application, since system and application start-up could happen at different time instants, without certainty about the identity of the user that was accessing the application. Finally, operating systems do not provide standard methods to obtain logon information, requiring a system-dependent authentication process.

Due to the concerns mentioned above, operating system level authentication was not applicable to the Pitagora Project, and alternative solutions were explored.
Application Server Level Authentication

Going up in the pyramid structure depicted in Figure 1, the focus switched from the operating system to the application server layer, which is responsible for the lifecycle management of the applications and provides additional horizontal functionalities such as management of security and persistence. The authentication process, then, could be easily delegated to the Application Server, taking advantage of the horizontal functionalities and libraries that application servers provide. In particular, Pitagora’s applications were based on JBoss (JBoss, 2005; Scott, 2003), a widely accepted Open Source J2EE-compatible Application Server, kept up to date with the J2EE specifications and whose proposals are often taken into account in their formalization. JBoss allows a complete security environment implementation without custom programming inside business components (Ardagna, Damiani, Frati & Montel, 2005; Damiani & Montel, 2005).

Current J2EE specifications define a simple role-based security model for Enterprise Java Beans (EJBs) and Web components. JBoss provides a component framework that handles security. The JBoss security extension provides support for both the role-based security model and the integration of custom security through a security proxy layer. The default implementation of the security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects, which are the package enabling services to authenticate and enforce access controls upon users. The security model advocated by the J2EE specifications is a declarative model, and security roles and permissions are described using a standard XML descriptor rather than embedding security into business components. By configuring the JAAS login modules bundled with JBoss, the integration of security without custom programming can be completed and supported.
JAAS includes a set of standard modules for the use of file-, database-, and Lightweight Directory Access Protocol (LDAP)-based security information. Every user is able to write their own security modules that fulfil more specific requirements. In particular, the development of a security environment is composed of three main parts: configuration of a database security domain, definition of authentication, and specification of the authorization process. All these phases are entirely accomplished through the customization of Application Server (JBoss and Tomcat) specific deployment descriptors. Tomcat is a Web server and servlet container, bundled with the JBoss application server, responsible for the management of Web applications; it provides several functionalities, such as security functionalities, by means of deployment descriptor (XML file) customization.

To add the chosen database configuration to the application, the JBoss login-config.xml file is configured, defining the following modules (see Figure 2): (1) dsJndiName: JNDI name of the database containing user and role tables; (2) principalsQuery: SQL statement to retrieve the password for a specific user; (3) rolesQuery: SQL statement to retrieve a user’s roles; (4) hashAlgorithm: hashing algorithm used to encrypt passwords; (5) hashEncoding: statement to select the encoding algorithm to convert the binary hash value to a string.
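To make the five options concrete, the following Python script is an added example (not the chapter’s Figure 2, and not JBoss or JAAS code) that reproduces what a database-backed login module does with them: it runs the principalsQuery, hashes the supplied password with hashAlgorithm, converts the digest with hashEncoding, compares it to the stored string, and on success runs the rolesQuery to load the user’s roles. The table layout, the two SQL statements, the user names and passwords are constructed for this example; an in-memory SQLite database stands in for the datasource that dsJndiName would name.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed login-module options using the option names from the text.
# dsJndiName has no meaning without JNDI, so build_database() plays the datasource.
OPTIONS = {
    "principalsQuery": "select Password from Principals where PrincipalID=?",
    "rolesQuery": "select Role, RoleGroup from Roles where PrincipalID=?",
    "hashAlgorithm": "SHA-256",   # hashing algorithm applied to the password
    "hashEncoding": "base64",     # how the binary digest becomes a string ("base64" or "hex")
}


def encode_hash(password, algorithm, encoding):
    """Hash a password and turn the binary digest into a string, as
    hashAlgorithm and hashEncoding do in the login module."""
    digest = hashlib.new(algorithm.replace("-", "").lower(), password.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported hashEncoding {encoding!r}")


def build_database(options=OPTIONS):
    """Constructed user store: a Principals table (user, encoded hash) and a Roles
    table whose RoleGroup column separates application roles from other groups."""
    db = sqlite3.connect(":memory:")
    db.execute("create table Principals (PrincipalID text primary key, Password text)")
    db.execute("create table Roles (PrincipalID text, Role text, RoleGroup text)")
    for user, pw in [("tech01", "correct horse"), ("admin01", "battery staple")]:
        db.execute("insert into Principals values (?, ?)",
                   (user, encode_hash(pw, options["hashAlgorithm"], options["hashEncoding"])))
    db.executemany("insert into Roles values (?, ?, ?)", [
        ("tech01", "Technician", "Roles"),
        ("admin01", "Technician", "Roles"),
        ("admin01", "Administrator", "Roles"),
        ("admin01", "admin01", "CallerPrincipal"),   # not an application role
    ])
    return db


def login(db, username, password, options=OPTIONS):
    """Authenticate one user the way a database login module does.
    Returns the set of application roles on success, or None on failure."""
    row = db.execute(options["principalsQuery"], (username,)).fetchone()
    expected = row[0] if row else None
    # Hash the supplied password unconditionally so an unknown user costs the same
    # as a wrong password, and compare in constant time.
    supplied = encode_hash(password, options["hashAlgorithm"], options["hashEncoding"])
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    return {role for role, group in db.execute(options["rolesQuery"], (username,))
            if group == "Roles"}


if __name__ == "__main__":
    store = build_database()
    for user, pw in [("tech01", "correct horse"), ("tech01", "wrong"), ("nobody", "x")]:
        print(user, "->", login(store, user, pw))
```

The same data flow is what the deployment descriptor declares: the application never sees the password column, only the outcome of the comparison and the roles returned by rolesQuery. Note that the hashAlgorithm/hashEncoding pair as described applies a plain, unsalted hash to the password; when the stored strings are under your control, a salted, deliberately slow password hash is the setting to prefer, and it can be plugged in by replacing encode_hash without changing the rest of the flow.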