Skip to main content
SpringerLink
Log in

Authentication Scheme for REST

  • Conference paper
  • First Online:
Future Network Systems and Security (FNSS 2015)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 523))

Included in the following conference series:

Abstract

REST has been established as an architectural style for designing distributed hypermedia systems. With an increased adoption in Cloud and Service-oriented Computing, REST is confronted with requirements not having been central to it so far. Most often the protection of REST-based service systems is, e.g., solely ensured by transport-oriented security. For mission-critical enterprise applications securing data in transit only, is, however, not a sufficient safeguard. This introduces a vital demand for REST Security, which is currently an active research and development topic, focusing on one specific instantiation of REST merely, though, namely on HTTP.

This paper augments REST by an authentication scheme, while remaining on the same level of abstraction as the architectural style itself. The introduced authentication scheme for REST is then mapped to HTTP. Based on this concrete instantiation, an empirical study is conducted in order to analyse the current state of the art in authentication techniques for REST-ful HTTP. The developed scheme and its HTTP instantiation in particular offer a methodical framework for assessing and comparing the available work, which shows to be incompatible and incomplete in terms of the provided protection. Moreover, this generic authentication scheme can be used to deduce other concrete means related to existing and upcoming technologies for implementing REST-based systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Authentication for the Azure Storage Services (2014). http://msdn.microsoft.com/en-us/library/dd179428.aspx

  2. HP Helion Public Cloud Object Storage API Specification (2014). https://docs.hpcloud.com/publiccloud/api/object-storage/

  3. Migrating from Amazon S3 to Google Cloud Storage (2014). https://cloud.google.com/storage/docs/migrating

  4. Signing AWS Requests By Using Signature Version 4 (2014). https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

  5. The Heartbleed Bug (2014). http://heartbleed.com/

  6. Berners-Lee, T., Fielding, R., Masinter, L.: Uniform Resource Identifier (URI): Generic Syntax. RFC 3986, IETF (2005). http://www.ietf.org/rfc/rfc3986.txt

  7. Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: 35th IEEE Symposium on Security and Privacy (S&P) (2014)

    Google Scholar 

  8. Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible Markup Language (XML) 1.0, 5th edn. Recommendation, W3C (2008). http://www.w3.org/TR/2008/REC-xml-20081126

  9. Cavage, M., Sporny, M.: Signing HTTP Messages. Internet-draft, IETF (2014). http://tools.ietf.org/html/draft-cavage-http-signatures-03

  10. Crockford, D.: The application/json Media Type for JavaScript Object Notation (JSON). RFC 4627, IETF (2006). http://www.ietf.org/rfc/rfc4627.txt

  11. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, IETF (2008). http://tools.ietf.org/html/rfc5246

  12. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616, IETF (1999). http://www.ietf.org/rfc/rfc2616.txt

  13. Fielding, R.: Architectural styles and the design of network-based software architectures. Ph.D. thesis, University of California, Irvine (2000). https://www.ics.uci.edu/ fielding/pubs/dissertation/top.htm

  14. Fielding, R.: REST APIs must be hypertext-driven (2008). http://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypertext-driven

  15. Gorski, P., Lo Iacono, L., Nguyen, H.V., Torkian, D.B.: Service security revisited. In: 11th IEEE International Conference on Services Computing (SCC) (2014)

    Google Scholar 

  16. Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.J., Nielsen, H.F., Karmarkar, A., Lafon, Y.: SOAP Version 1.2 Part 1: Messaging Framework, 2nd edn. W3C Recommendation, W3C (2007). http://www.w3.org/TR/soap12-part1/

  17. Hammer-Lahav, E.: The OAuth 1.0 Protocol. RFC 5849, IETF (2010). https://tools.ietf.org/html/rfc5849

  18. Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749, IETF (2012). https://tools.ietf.org/html/rfc6749

  19. Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Navara, E.D., O’Connor, E., Pfeiffer, S.: HTML5 - A vocabulary and associated APIs for HTML and XHTML. Recommendation, W3C (2014). http://www.w3.org/TR/html5/

  20. IETF JOSE Working Group: Javascript Object Signing and Encryption (JOSE) (2014). http://datatracker.ietf.org/wg/jose/

  21. Jones, M.: JSON Web Algorithms (JWA). Internet-draft, IETF (2015). https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40

  22. Jones, M., Bradley, J., Sakimura, N.: JSON Web Signature (JWS). Internet-draft, IETF (2015). https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-40

  23. Josefsson, S.: The Base16, Base32, and Base64 Data Encodings. RFC 4648, IETF (2006). https://tools.ietf.org/html/rfc4648

  24. Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting SSL/TLS implementations: new bleichenbacher side channels and attacks. In: 23rd USENIX Security Symposium (USENIX Security) (2014)

    Google Scholar 

  25. Richer, J., Bradley, J., Tschofenig, H.: A Method for Signing an HTTP Requests for OAuth. Internet-Draft, IETF (2014). https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01

  26. Richer, J., Mills, W., Tschofenig, H.: OAuth 2.0 Message Authentication Code (MAC) Tokens. Internet-Draft, IETF (2014). http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05

  27. Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C.: OpenID Connect Core 1.0. Specification, OpenID Foundation (2014). http://openid.net/specs/openid-connect-core-1_0.html

  28. Serme, G., De Oliveira, A.S., Massiera, Julien, R.Y.: Enabling message security for RESTful services. In: 19th IEEE International Conference on Web Services (ICWS) (2012)

    Google Scholar 

  29. Shelby, Z., Hartke, K., Borman, C.: The Constrained Application Protocol (CoAP). RFC, IETF (2014). https://tools.ietf.org/html/rfc7252

  30. W3C: XML Security Working Group (2013). http://www.w3.org/standards/xml/security

Download references

Author information

Authors and Affiliations

  1. Cologne University of Applied Sciences, Cologne, Germany

    Luigi Lo Iacono & Hoai Viet Nguyen

Authors
  1. Luigi Lo Iacono
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hoai Viet Nguyen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hoai Viet Nguyen .

Editor information

Editors and Affiliations

  1. Deakin University, Burwood, Victoria, Australia

    Robin Doss

  2. Department of Information Systems and Operations Management, University of Florida, Gainesville, Florida, USA

    Selwyn Piramuthu

  3. ESCP Europe, Paris, France

    Wei ZHOU

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Lo Iacono, L., Nguyen, H.V. (2015). Authentication Scheme for REST. In: Doss, R., Piramuthu, S., ZHOU, W. (eds) Future Network Systems and Security. FNSS 2015. Communications in Computer and Information Science, vol 523. Springer, Cham. https://doi.org/10.1007/978-3-319-19210-9_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-19210-9_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-19209-3

  • Online ISBN: 978-3-319-19210-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation