Security system
Web system security is made up of the following components:
- Authentication - Proof of identity
- Authorisation - The user can only see the information they are allowed to see
- Confidentiality - Information transmitted is not read by third parties
- Non-disputable (non-repudiation) - The sender cannot deny that the message was sent
- Integrity - Data transmitted is not tampered with
Authentication can be based on:
- Knowledge - something you know, such as a password
- Possession - something you have, such as a certificate
- Biometrics - something unique to you, such as a fingerprint
The strength of authentication is normally determined by the number of
factors involved: a password is one factor, a certificate a second.
Combining the two raises the strength by orders of magnitude.
Authentication normally means that two computers can verify each
other's identity, not that the operators at the keyboards are who they
claim to be. The combination of biometrics (fingerprints, for example)
with a physical token is a very strong form of authentication and
could solve this problem. A different form of authentication is needed
when two computers must authenticate to each other without any
operator intervention. This situation arises frequently in a
service-oriented system, when two services depend on each other or
when a service initiates new operations that require further
authentication.
There are, in principle, the following security solutions in
operation today:
- Password based - These solutions require an operator to supply the password. Various levels of sophistication can be found, involving rotation, validity periods and reuse of passwords. One example is the S/KEY one-time password system.
- Physical token based - These solutions require you to hold a certificate, smart card or similar. Various commercial and free offerings are available, building on X.509 certificates or proprietary smart cards.
- Public key/private key solutions - These solutions build on the public and private keys being able to encrypt and decrypt messages, thus letting the two parties verify each other. They can be combined with passwords or physical tokens and offer encryption of the communication. Systems building on these include Secure Shell (SSH) and Kerberos.
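The password rotation and reuse protection mentioned for S/KEY rests on a hash chain: the client hashes a secret seed N times and gives the server only the final value; each login reveals the previous link, which the server hashes once to check, and a captured or replayed password is then worthless. The following Python is an added example written for this page, not code from the PRISM project or from a real S/KEY implementation; it uses SHA-256 instead of S/KEY's folded MD4, and the seed and chain length are constructed values.

```python
"""Simplified S/KEY-style one-time password chain (added example, not PRISM code)."""
import hashlib
import hmac

CHAIN_LENGTH = 100  # number of logins before the client must re-enrol with a fresh seed


def _h(data: bytes) -> bytes:
    # Real S/KEY folds MD4 output to 64 bits; SHA-256 is used here for clarity.
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, times: int) -> bytes:
    """Return H^times(seed): the seed hashed `times` times."""
    value = seed
    for _ in range(times):
        value = _h(value)
    return value


def enrol(seed: bytes, n: int = CHAIN_LENGTH) -> tuple[int, bytes]:
    """Client side: compute what the server stores. The seed itself never leaves the client."""
    return n, hash_chain(seed, n)


def client_otp(seed: bytes, server_counter: int) -> bytes:
    """Client side: the one-time password to send when the server's counter is `server_counter`."""
    return hash_chain(seed, server_counter - 1)


class OtpServer:
    """Server side: stores only (counter, H^counter(seed)) for the user."""

    def __init__(self, counter: int, reference: bytes) -> None:
        self.counter = counter
        self.reference = reference

    def verify(self, otp: bytes) -> bool:
        if self.counter <= 0:
            return False  # chain exhausted: refuse until the client re-enrols
        if not hmac.compare_digest(_h(otp), self.reference):
            return False  # wrong, replayed or out-of-order password
        # Accept and move one link down the chain; the used password can never verify again.
        self.counter -= 1
        self.reference = otp
        return True


def demo(seed: bytes = b"constructed-demo-seed") -> list[bool]:
    """Walk through two genuine logins, a replay of a used password and a skipped link."""
    server = OtpServer(*enrol(seed))
    first = client_otp(seed, server.counter)
    results = [server.verify(first)]                                      # True: first login
    results.append(server.verify(first))                                  # False: replay
    results.append(server.verify(client_otp(seed, server.counter)))       # True: next link
    results.append(server.verify(client_otp(seed, server.counter - 2)))   # False: skipped too far
    return results
```

The server never holds anything from which the next password can be derived, so a copy of its database does not let an attacker log in; the cost is that the chain is finite and the client must re-enrol when the counter reaches zero.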
The chosen solution
The conclusion reached by the PRISM project is that, although no web services system is complete without a strong security system, in practice it is very difficult to impose such a system on an existing site. The solution is therefore a security system that is as easy as possible to decouple from existing systems but will not be a limitation on a new system. The system is called CAS (Central Authentication Service) and is a ticketing system in the Kerberos tradition. A description of the system created for PRISM is available here as a PDF file.

Author Claes Larsson, latest change: Jan 5, 2005
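To show what "a ticketing system in the Kerberos tradition" means in practice, and how it keeps each service decoupled from the authentication logic, the following Python is an added example written for this page; it is not the PRISM CAS implementation and makes no claim about that system's formats. A user proves their identity once to a central server and receives a ticket bound to one target service and a lifetime; the service checks the ticket with a key it shares with the central server and never handles the password. The same flow serves the operator-free service-to-service case discussed earlier if a service principal registers like a user. The class and function names, the PBKDF2 parameters, the user, service names and clock values are all constructed for the demonstration.

```python
"""Minimal ticket-based central authentication in the CAS/Kerberos style (added example, not PRISM code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # password hashing cost on the central server (constructed choice)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class CentralAuthServer:
    """Central server: salted password hashes plus one shared key per registered service."""

    def __init__(self) -> None:
        self._users = {}          # user -> (salt, pbkdf2 digest)
        self._service_keys = {}   # service -> key shared with that service

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def register_service(self, service: str) -> bytes:
        # Returned once so it can be handed to the service out of band.
        key = secrets.token_bytes(32)
        self._service_keys[service] = key
        return key

    def issue_ticket(self, user: str, password: str, service: str,
                     lifetime: int = 300, now: Optional[float] = None) -> Optional[str]:
        """Authenticate the user once and mint a ticket bound to one service and a lifetime."""
        record, key = self._users.get(user), self._service_keys.get(service)
        if record is None or key is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        now = time.time() if now is None else now
        claims = {"sub": user, "aud": service, "iat": now, "exp": now + lifetime, "nonce": secrets.token_hex(8)}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(key, body.encode(), hashlib.sha256).digest()  # binds the claims to the service key
        return body + "." + _b64e(tag)


def verify_ticket(ticket: str, service: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Service side: return the user the ticket vouches for, or None. The password is never seen here."""
    parts = ticket.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(tag), expected):
            return None  # forged or tampered ticket
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != service:
        return None  # ticket was issued for another service
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # expired or not yet valid
    return claims["sub"]


def demo() -> dict:
    """Constructed scenario: one user, two services, fixed clock values, one altered ticket."""
    cas = CentralAuthServer()
    cas.register_user("alice", "constructed-demo-password")
    key_a, key_b = cas.register_service("service-a"), cas.register_service("service-b")
    ticket = cas.issue_ticket("alice", "constructed-demo-password", "service-a", lifetime=300, now=1000.0)
    body, tag = ticket.split(".")
    altered = _b64e(json.dumps(dict(json.loads(_b64d(body)), sub="mallory"), sort_keys=True).encode())
    return {
        "valid": verify_ticket(ticket, "service-a", key_a, now=1100.0),
        "expired": verify_ticket(ticket, "service-a", key_a, now=1300.0),
        "wrong_service": verify_ticket(ticket, "service-b", key_b, now=1100.0),
        "tampered": verify_ticket(altered + "." + tag, "service-a", key_a, now=1100.0),
        "bad_password": cas.issue_ticket("alice", "wrong", "service-a", now=1000.0),
    }
```

A service needs only `verify_ticket` and its shared key, which is what makes the scheme easy to bolt onto an existing site. Note that an HMAC ticket gives the service integrity and authenticity but not the page's "non-disputable" property: the service holds the same key as the central server, so it could have minted the ticket itself, and a public-key signature would be needed where that distinction matters.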

