Category: Computer System Security

Computer System Security – SAML


SAML is a policy-based standard, developed by OASIS, that uses XML syntax to make and request assertions about objects. It is normally used in distributed multi-domain environments to simplify the interactions in which access to some resource is granted or requested.


SAML has several versions:

  • 1.0 (2002)
  • 1.1 (2003)
  • 2.0 (2005)

Version 1.1 provides:
– message protection with XML digital signature (XML-dsig),
– the browser/artifact profile (SAML token by reference),
– the browser/POST profile (SAML token by value).

Version 2.0 provides:
– no backward compatibility,
– the same message protection with XML digital signature (XML-dsig),
– message encryption (XML-enc): encrypted identifiers, attributes, assertions,
– new transport protocols,
– new protocol bindings,
– new profiles.


Let us see this scenario:

1- A user wants to use a service, provided by a certain Service Provider (SP).
2- Before the service can be accessed, authentication is required, and the user decides to authenticate through a third-party website, which acts as the Identity Provider (IdP).
3- The user authenticates himself/herself at the IdP, and the IdP releases an assertion for the SP, using a token, saying that the user authenticated successfully.

+ SAML is used to authenticate the user
+ SAML is used to transport the assertion


Let us see this scenario:

1- A user wants to access a resource.
2- A Policy Enforcement Point (PEP) protects this resource and asks the Policy Decision Point (PDP) to grant or deny the access.
3- The PDP response, which is the authorization assertion, is transported using a SAML assertion, with message protection through digital signature (XML-dsig).


Let us see this scenario:

1- A user wants to purchase an item, at a certain vendor web-site.
2- The user asks an authority, which is known to both parties, to perform authentication and authorization for the purchase, but not always both (see 3-).
3- The purpose of the authority is to release SAML assertions; it serves not so much to perform authentication (the user can be anonymous for the purchase) as to perform authorization.


The assertion is:

  • what? a declaration,
  • about what? a fact/resource,
  • for whom? a subject.

The types of an assertion are:

  • authentication
  • attributes
  • authorization decision


  1. The SAML assertion is extensible because it inherits this capability from XML.
  2. The SAML assertion contains:
    1. the issuer identifier
    2. the timestamp of the creation (date and time)
    3. the assertion identifier
    4. the subject (name and domain)
    5. some condition under which it is valid
    6. the validity period
    7. some additional information
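
How a Relying Party might check the fields listed above before trusting an assertion, as an added example that is not part of the original notes. The sample assertion, the URLs and the `check_assertion` helper are constructed for illustration, and XML-dsig signature verification is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical issuer, subject and audience).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID NameQualifier="example.org">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:59:58Z"/>
</saml:Assertion>"""

def ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, audience, now):
    """Return the reasons to reject the assertion (empty list means accept)."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != trusted_issuer:
        problems.append("untrusted issuer")
    if not a.get("ID"):
        problems.append("missing assertion identifier")
    if a.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("missing subject")
    cond = a.find("saml:Conditions", NS)
    # Assumption: this relying party insists on an explicit validity period.
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return problems + ["missing validity period"]
    if now < ts(cond.get("NotBefore")):
        problems.append("not yet valid")
    if now >= ts(cond.get("NotOnOrAfter")):
        problems.append("expired")
    audiences = [(e.text or "").strip() for e in cond.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience mismatch")
    return problems
```

None of these fields can be trusted until the XML-dsig signature over the assertion has been verified, and untrusted XML should be parsed with a hardened parser such as `defusedxml` rather than the plain standard-library one used here.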


// To-Do


Typically, a SAML protocol element is used to transport an assertion. Let us focus on two types of assertions to distinguish the different roles of the protocol element.

If the assertion is of type response, then the protocol element contains the assertion itself.

If the assertion is of type request, the Relying Party (the consumer) sends a request to the Asserting Party (the producer). The latter finally releases the assertion and sends it back to the Relying Party.

Relying Party -> Asserting Party: send the request,
Asserting Party -> Relying Party: reply with response.


To establish a trust relationship it is possible to:

1- adopt direct trust, using a push or pull ticket, and an SSL/TLS secure channel;
2- adopt trust through a public or shared key, for an indirect ticket.


SAML Binding is the set of rules that defines what to transport and how.

In version 1.0 there was SAML/SOAP-over-HTTP.
In version 2.0 there are:

  • SAML SOAP binding, for backward compatibility.
  • Reverse SOAP (PAOS) binding.
  • HTTP redirect (GET) binding.
  • HTTP artifact binding.
  • SAML URI binding.

The most used are the HTTP-driven ones.


A profile defines exactly what has to be done. Possible values are:

  • web browser profile
  • SOAP profile


Computer System Security – PKI


In a world dominated by individuals who claim to be others, the PKI brings clarity, especially to the interactions between parties, by acting as a trusted third party.


The Public-Key Infrastructure is composed of:

  • Certification Authority, which issues public key certificates.
  • Registration Authority, which verifies the identity of whoever asks for a certificate.


Issuing a certificate goes through a process that requires the user to present individual identity cards to the registration authorities and to send a formal request to the certification authority, together with his/her public key.


There are two cases in which the certificate can be revoked before its validity ends:

  • the user recognizes that someone else is using the certificate
  • the certification authority recognizes that the certificate has been used for something it was not released for.


The main and most widespread format for the PKI nowadays is X.509v3.

Computer System Security – Symmetric Cryptography


With symmetric cryptography, the key K is used for both encryption and decryption, and the key is a shared secret between the two parties: sender and receiver.


The plain-text P is encrypted with the key K, obtaining, as a result, the ciphertext C.

C = enc(K, P) = {P}K


The ciphertext C is decrypted with the same key K, obtaining back the plain-text P.

P = dec(K, C) = enc⁻¹(K, C)


The algorithms for symmetric cryptography can be divided by class:

  • block-based: operate over a block of fixed size at a time
    • DES: 56-bit key, 64-bit base block,
    • IDEA: 128-bit key, 64-bit base block,
    • RC2: 8/1024-bit key, 64-bit base block,
    • RC5: 0/2048-bit key, 1/256-bit base block,
    • AES: 128,192,256-bit key, 128-bit base block
  • stream-based: operate over a stream of bits or bytes
    • RC4: variable length key, 1-bit base “block”
    • SEAL
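
The relations C = enc(K, P) and P = dec(K, C) for the stream-based class, shown with RC4 from the list above; this is an added example, not code from the original notes, and the function names are chosen here. RC4 is considered broken and appears only because the list names it.

```python
def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for a variable-length key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # one keystream byte per step
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key: bytes, data: bytes) -> bytes:
    """C = enc(K, P): XOR the data with the keystream derived from K."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

# For a stream cipher, decryption is the same XOR with the same keystream.
dec = enc

if __name__ == "__main__":
    K = b"Key"                                # constructed sample key
    C = enc(K, b"Plaintext")
    print(C.hex(), dec(K, C))
    # Caveat: two messages under the same K share one keystream, so the XOR
    # of the ciphertexts equals the XOR of the plaintexts (the key cancels).
    p1, p2 = b"pay 100 EUR", b"pay 999 USD"
    print(xor(enc(K, p1), enc(K, p2)) == xor(p1, p2))
```

The last check is why a stream cipher key must never be reused without a fresh nonce or per-message key.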

Computer System Security – Security Properties


Whether you are sending an e-mail, a file, a document, a message or an IP packet over the network, or you are designing a security product, a predefined set of security properties can be applied to it.


The security properties are:

  • authentication
  • non-repudiation
  • authorization
  • integrity
  • confidentiality
  • accessibility
  • traceability