Towards Secure and Dependable Authentication and Authorization Infrastructures

Diego Kreutz, Alysson Bessani
Faculdade de Ciências, Universidade de Lisboa, Portugal
kreutz@lasige.di.fc.ul.pt, bessani@di.fc.ul.pt

Eduardo Feitosa, Hugo Cunha
Computing Institute, Federal University of Amazonas
{efeitosa,hugo.cunha}@icomp.ufam.edu.br

Abstract—We propose a resilience architecture for improving the security and dependability of authentication and authorization infrastructures, in particular the ones based on RADIUS and OpenID. This architecture employs intrusion-tolerant replication, trusted components and untrusted gateways to provide survivable services while ensuring compatibility with standard protocols. The architecture was instantiated in two prototypes, one implementing RADIUS and another implementing OpenID. These prototypes were evaluated in fault-free executions, under faults, under attack, and in diverse computing environments. The results show that, beyond being more secure and dependable, our prototypes are capable of meeting the performance requirements of enterprise environments, such as IT infrastructures with more than 400k users.

Keywords—authentication and authorization services, security, dependability, intrusion tolerance, RADIUS, OpenID.

I. INTRODUCTION

Despite their widespread use, Authentication and Authorization Infrastructures (AAIs) such as RADIUS-based network access controllers do not implement security mechanisms able to tolerate advanced persistent threats [1], [2] or large-scale distributed denial of service [3], [4], or even to protect the confidentiality of authentication information in case of intrusions. Beyond that, currently available and widely deployed services such as RADIUS and OpenID have several vulnerabilities regarding their security and dependability [5]. Given the importance of AAIs in modern networked systems, these limitations can be considered one of the top threats in future network environments [5].
In this work we tackle the problem of increasing the resilience of AAIs, which are key services for ensuring the security and reliability of most networked environments. More specifically, we describe a novel architecture and baseline building blocks for designing and deploying more secure and dependable authentication and authorization infrastructures without sacrificing system scalability. This architecture is based on the use of intrusion-tolerant replication [6], [7] (for ensuring correct operation even if some of the system components are compromised), well-defined Trusted Components (TCs, for protecting the confidentiality of key material even in case of intrusions) and untrusted gateways (for maintaining compatibility with current clients and protocols).

The proposed architecture can be applied to services such as RADIUS, OpenID, Diameter, TACACS+, and so forth, since all of them have a conceptually similar architecture. In fact, the essential elements are basically the same; what changes is mostly the protocol stack and other service-specific properties and functions. In this paper we instantiate the architecture for two authentication services, RADIUS and OpenID. Their design and implementation are described and evaluated, showing that it is possible to significantly improve the resilience and security of AAIs without imposing significant penalties on their scalability. Furthermore, our results indicate that more secure and dependable AAIs can be developed and deployed to support the demand of IT infrastructures with more than 400k users. Last but not least, the system design also keeps backward compatibility with the corresponding existing technologies and protocols.
The main contributions of this paper are: (a) a step-by-step design and discussion of a resilient architecture for authentication and authorization infrastructures, using two use cases, RADIUS and OpenID, as reference; (b) a novel trusted component for ensuring the confidentiality of sensitive data stored in replicated systems subject to malicious faults; (c) an experimental evaluation in three different environments, showing that it is feasible to take advantage of different physical infrastructures (e.g., data centers, clouds) for deploying systems and increasing their robustness against first-class attacks such as large-scale DDoS attacks.

II. PROBLEM STATEMENT

A. Weaknesses of Current Authentication Systems

Figures 1 and 2 illustrate the traditional architecture of the RADIUS and OpenID services, respectively. As can be seen in the figures, the architectures are quite similar, since in both cases there are clients/supplicants, services (NAS and SP/Relying Party), authentication servers and backends.

In a typical RADIUS architecture, the network access server (NAS) and the authentication, authorization and accounting (AAA) servers share a secret that is used to ensure communication confidentiality and integrity. On receiving the supplicant's credentials, the AAA server can send them to a distinguished back-end to be validated, which can also be another AAA server in a federation, as is the case with eduroam [8].

In an OpenID infrastructure, relying parties act as a bridge
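To make concrete what the NAS/AAA shared secret actually protects, the following added example (not code from the paper or its prototypes) implements the two RFC 2865 mechanisms that rely on it: the User-Password hiding scheme (MD5 of the secret chained with the Request Authenticator) and the Response Authenticator that binds an Access-Accept to its request. The shared secret, the fixed Request Authenticator and the user name and password are constructed values chosen so the run is reproducible. The reveal_password function also shows the weakness the paper motivates: any party holding the secret, including a compromised AAA server, recovers every password that passes through it.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from the paper). A real NAS draws the
# 16-byte Request Authenticator at random for every Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_REPLY_MESSAGE = 18


def _md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR chunk i with MD5(secret || c_{i-1}), where c_0 is the Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = _md5(secret, prev)
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Whoever holds the shared secret (the AAA server,
    or an intruder on it) recovers the cleartext. Trailing NULs are padding,
    so a password that itself ends in NUL bytes is not round-trippable."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = _md5(secret, prev)
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """RADIUS header: Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    It ties the reply to one request and proves knowledge of the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return _md5(header, request_auth, attrs, secret)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply: recompute the Response Authenticator and compare
    in constant time. Length must match the wire length or the check fails."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    """Full exchange: NAS hides the password, AAA server reveals it and answers,
    NAS verifies the answer; then two tampered replies that must be rejected."""
    password = b"correct horse battery"
    hidden = hide_password(password, SHARED_SECRET, REQUEST_AUTH)
    req_attrs = attribute(ATTR_USER_NAME, b"alice") + attribute(ATTR_USER_PASSWORD, hidden)
    request = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, req_attrs)

    # AAA server side: it must recover the cleartext to check it against the backend.
    recovered = reveal_password(hidden, SHARED_SECRET, REQUEST_AUTH)
    rep_attrs = attribute(ATTR_REPLY_MESSAGE, b"welcome")
    auth = response_authenticator(ACCESS_ACCEPT, 7, rep_attrs, REQUEST_AUTH, SHARED_SECRET)
    reply = build_packet(ACCESS_ACCEPT, 7, auth, rep_attrs)

    forged = reply[:4] + bytes(16) + reply[20:]          # authenticator zeroed
    return {
        "request_len": len(request),
        "recovered": recovered,
        "verified": verify_response(reply, REQUEST_AUTH, SHARED_SECRET),
        "forged_accepted": verify_response(forged, REQUEST_AUTH, SHARED_SECRET),
        "wrong_secret_accepted": verify_response(reply, REQUEST_AUTH, b"other-secret"),
    }
```

Running demo() shows the round trip succeeding and both tampered replies failing. The security-relevant point for the rest of the paper is in reveal_password: RADIUS password confidentiality is exactly as strong as the secrecy of the shared secret on the AAA server, so replicating that server without protecting the secret replicates the exposure as well.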