Dynamic Cross-Realm Authentication for Multi-Party Service Interactions

Modern distributed applications are embedding an increasing degree of dynamism, from dynamic supply-chain management, enterprise federations, and virtual collaborations to dynamic service interactions across organisations. Such dynamism leads to new security challenges. Collaborating services may belong to different security realms but often have to be engaged dynamically at run time. If their security realms do not have in place a direct cross-realm authentication relationship, it is technically difficult to enable any secure collaboration between the services. A typical solution to this is to locate at run time intermediate realms that serve as an authentication-path between the two separate realms. However, the process of generating an authentication path for two distributed services can be very complex. It could involve a large number of extra operations for credential conversion and require a long chain of invocations to intermediate services. In this paper, we address this problem by presenting a new cross-realm authentication protocol for dynamic service interactions, based on the notion of multi-party business sessions. Our protocol requires neither credential conversion nor establishment of any authentication path between session members. The correctness of the protocol is analysed, and a comprehensive empirical study is performed using two production quality grid systems, Globus 4 and CROWN. The experimental results indicate that our protocol and its implementation have a sound level of scalability and impose only a limited degree of performance overhead, which is comparable with those security-related overheads in Globus 4.