2194
Mobile Code and Security Issues
Language Support for Safety
The language features needed to ensure that different code units do not interfere with each other, or with the system, are as follows:
• Heavy address space protection mechanisms.
• Type safety, to ensure that arrays stay in bounds, pointers are always valid, and code cannot violate variable typing (such as placing code in a string and then executing it).
• A modular system design, separating interfaces from implementations in programs, with appropriate layering of libraries and module groups, and with particular care taken at the interfaces between security boundaries.
• Replacing general library routines that could compromise security with more specific, safer ones. For example, a general file-access routine can be replaced with one that can write files only in a temporary directory.
• Granting access to resources: determining exactly which resources a particular code unit is to be granted access to. That is, a security policy is needed that determines what type of access any "mobile code" unit has. This policy may be:
1. Fixed for all "mobile code" units: very restrictive but easy, and the approach currently used to handle applet security in Web browsers such as Netscape.
2. User verifies each security-related access request: relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests. Whilst there is a place for querying the user, it should be used exceedingly sparingly.
3. Negotiate for each "mobile code" unit: much harder, as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach.
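As an added illustration of the two points above on restricted library routines and per-unit resource policy (example code written for this page, not code from the chapter or from any system it cites), the Python class below is the "more specific, safer" replacement for a general file-access routine: a code unit that is handed an instance of it, instead of the raw open() call, can create and read files only below one directory. The class name, the use of a freshly created temporary directory per unit, and the AccessDenied exception are assumptions of the example.

```python
import os
import tempfile


class AccessDenied(PermissionError):
    """Raised when a code unit asks for a path its policy does not cover."""


class TempDirFileAccess:
    """Restricted replacement for a general file-access routine.

    A code unit is given an instance of this class instead of the raw
    open() call; everything it creates or reads must lie below `root`.
    Paths are resolved with realpath() so that '..' segments and symlinks
    cannot escape the directory, and commonpath() rejects prefix tricks
    such as /tmp/unit-a versus /tmp/unit-ab.
    """

    def __init__(self, root=None):
        # Assumption of the example: one fresh temporary directory per code unit.
        self.root = os.path.realpath(root or tempfile.mkdtemp(prefix="unit-"))

    def resolve(self, name):
        """Map a unit-supplied name to an absolute path, or raise AccessDenied."""
        if not name or os.path.isabs(name):
            raise AccessDenied(f"absolute or empty path not allowed: {name!r}")
        full = os.path.realpath(os.path.join(self.root, name))
        if full == self.root or os.path.commonpath([self.root, full]) != self.root:
            raise AccessDenied(f"path escapes the sandbox: {name!r}")
        return full

    def allowed(self, name):
        """Policy check only: True if `name` would be accepted by resolve()."""
        try:
            self.resolve(name)
            return True
        except AccessDenied:
            return False

    def write_text(self, name, data):
        full = self.resolve(name)
        # Parent directories are created only below root (already checked above).
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(data)
        return full

    def read_text(self, name):
        with open(self.resolve(name), encoding="utf-8") as fh:
            return fh.read()


def demo():
    """Exercise the sandbox; returns (root, written path, read-back text, denied names)."""
    fa = TempDirFileAccess()
    written = fa.write_text("out/log.txt", "agent 17 started\n")
    text = fa.read_text("out/log.txt")
    # Constructed attack: a symlink inside the sandbox that points outside of it.
    os.symlink(os.path.dirname(fa.root), os.path.join(fa.root, "escape"))
    denied = [n for n in ("../other.txt", "/etc/passwd", "escape/x.txt", "out/../../y")
              if not fa.allowed(n)]
    return fa.root, written, text, denied


if __name__ == "__main__":
    print(demo())
```

Handing the unit a TempDirFileAccess object is the policy decision of the last bullet: the unit gets exactly one capability, and nothing else in the file system is reachable through it. The check and the open are still two separate steps, so a directory swapped for a symlink between them is the usual race; a production version would open with O_NOFOLLOW/openat semantics or, as in the OS-level approach described later, run the unit under its own UID so that the kernel enforces the boundary.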
OS Level Security
The types of events to be monitored in association with agent execution are very similar to those audited for the system's users. Moreover, agents can easily be grouped and differentiated within the system. In addition to extensive authentication and authorization mechanisms, accounting and auditing mechanisms should be implemented.
In a system like "distributed agents on the go" (DAGO) (Felmetsger & Vigna, 2005), a mobile agent is viewed as an ordinary system user who logs in to the host and uses some of the system's resources for its own needs. Every incoming mobile agent is given an individual account and a unique user identifier (UID) for the duration of its execution on a host. This approach allows the hosting OS to apply to mobile agents the same set of rules and policies that it applies to all of its users.
In Unix, a number of logging, auditing, and accounting mechanisms are available to monitor the actions of its users and the status of its resources. These tools can work at the system call level and can be configured based on different types of events, such as opening and closing of files, reads and writes, programs executed, and so on. They also allow one to specify groups of system objects to be monitored for certain activities, and can track system usage by recording statistics about CPU and memory usage, I/O operations, running time, and other forms of system resource usage, along with the user IDs of the processes involved. These tools can easily be leveraged and extended to a multiagent environment.
A variety of customizable tools, such as SNARE (system intrusion analysis and reporting environment; SNARE, 2005) and BSM (basic security module), provide a greater degree of security assurance. SNARE is a dynamically loadable kernel module that can be used as a stand-alone auditing system or as a distributed tool. The tool can be configured to monitor events associated with certain groups of users, filter the monitored events with specific "search expressions," and submit reports in different formats and time frames. The type of events monitored can be defined either by a category (for example, system calls) or by an identifier such as "denied access."
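To make the per-agent-UID accounting concrete, the following Python block (added for this page; it is neither SNARE nor DAGO code, and its key=value record layout and the reserved UID range 5000-5999 for agents are constructed assumptions) parses a handful of constructed audit records, applies a user-group filter plus a "search expression" in the style described above, and produces the per-agent accounting that the DAGO approach makes possible once each agent runs under its own UID.

```python
import re
from collections import defaultdict

# Constructed audit records in a key=value layout (not real SNARE/BSM output).
# UIDs 5001/5002 are per-agent accounts; 1000 is an ordinary interactive user.
SAMPLE_AUDIT = """\
2005-03-01T10:00:01 uid=5001 agent=dago-17 syscall=open path=/tmp/agent17/work.dat result=ok
2005-03-01T10:00:02 uid=5001 agent=dago-17 syscall=write path=/tmp/agent17/work.dat result=ok bytes=512
2005-03-01T10:00:03 uid=5001 agent=dago-17 syscall=open path=/etc/shadow result=denied
2005-03-01T10:00:04 uid=5002 agent=dago-18 syscall=execve path=/bin/sh result=ok
2005-03-01T10:00:05 uid=1000 agent=- syscall=open path=/home/alice/notes result=ok
2005-03-01T10:00:06 uid=5002 agent=dago-18 syscall=connect path=10.0.0.5:25 result=denied
"""

# Assumption of the example: the host hands out UIDs from this range to incoming agents.
AGENT_UID_RANGE = (5000, 5999)


def parse_audit(text):
    """Turn one record per line into dicts; uid and bytes become integers."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["uid"] = int(ev["uid"])
        ev["bytes"] = int(ev.get("bytes", 0))
        events.append(ev)
    return events


def is_agent(ev, uid_range=AGENT_UID_RANGE):
    lo, hi = uid_range
    return lo <= ev["uid"] <= hi


def filter_events(events, uid_range=AGENT_UID_RANGE, search=None):
    """Keep agent-group events; `search` is a regex tried against each key=value pair."""
    pattern = re.compile(search) if search else None
    kept = []
    for ev in events:
        if not is_agent(ev, uid_range):
            continue
        if pattern and not any(pattern.search(f"{k}={v}") for k, v in ev.items()):
            continue
        kept.append(ev)
    return kept


def account(events):
    """Per-UID accounting: event count, denied accesses, bytes written, distinct syscalls."""
    acct = defaultdict(lambda: {"events": 0, "denied": 0, "bytes": 0, "syscalls": set()})
    for ev in events:
        rec = acct[ev["uid"]]
        rec["events"] += 1
        rec["denied"] += int(ev.get("result") == "denied")
        rec["bytes"] += ev["bytes"]
        rec["syscalls"].add(ev["syscall"])
    return dict(acct)


def suspicious_agents(events, max_denied=0):
    """Agent UIDs whose denied-access count exceeds the tolerated maximum."""
    acct = account(filter_events(events))
    return sorted(uid for uid, rec in acct.items() if rec["denied"] > max_denied)


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for ev in filter_events(evs, search=r"result=denied"):
        print(ev["ts"], ev["uid"], ev["agent"], ev["syscall"], ev["path"])
    print(suspicious_agents(evs))
```

Because the UID is the only join key between the audit stream and the agent, the whole scheme depends on the host never reusing an agent UID while records for it are still being correlated, and on the agent being unable to change its UID (no setuid binaries reachable from the agent account).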
Safety Policies for Mobile Code Programs
A safety policy is a set of restrictions placed
upon locally run untrusted code to ensure that
the program does not behave in a manner that is
detrimental to the system or to the system security.
At the very least, a safety policy should guaran-
tee the following fundamental safety properties
(Muller, 2000):
• Control flow safety: The program should never jump to and start executing code that lies outside of the program's own code segment. All function calls should be to valid function entry points, and function returns should return to the location from where the function was called.
• Memory safety: The program should never be allowed to access random locations in memory. The program should only access memory in its own static data segment, live system heap memory that has been explicitly allocated to it, and valid stack frames.
• Stack safety: The program should only be allowed to access the top of the stack. Access to other areas of the stack should be completely restricted.
These three properties, combined, offer the
minimum nontrivial level of security for mobile
code. More complicated security policies are pos-
sible, depending on the application.
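The following Python block, added for this page (it is a toy, not the mechanism of any system cited in the chapter), makes the three properties concrete as a load-time verifier plus an interpreter for a small stack-machine instruction set. The instruction set, the shadow return stack and the sample programs are constructed for the example: control-flow safety is checked statically for JMP and CALL targets and dynamically for RET, memory safety restricts LOAD and STORE to the static data segment and the heap ranges allocated to the unit, and stack safety allows only the top of the stack to be inspected.

```python
class SafetyViolation(Exception):
    """Raised when a program breaks one of the three minimum safety properties."""


# Toy instruction set (constructed for this example):
#   ("PUSH", v) ("POP",) ("PEEK", depth) ("LOAD", addr) ("STORE", addr)
#   ("JMP", pc) ("CALL", pc) ("RET",) ("HALT",)
KNOWN_OPS = {"PUSH", "POP", "PEEK", "LOAD", "STORE", "JMP", "CALL", "RET", "HALT"}


def verify(code, entry_points, data_size, heap_ranges):
    """Static check run before execution. Returns a list of (pc, message); empty means safe."""
    problems = []
    for pc, (op, *args) in enumerate(code):
        if op not in KNOWN_OPS:
            problems.append((pc, f"unknown opcode {op!r}"))
        elif op == "JMP" and not 0 <= args[0] < len(code):
            # Control flow safety: never leave the program's own code segment.
            problems.append((pc, f"JMP target {args[0]} lies outside the code segment"))
        elif op == "CALL" and args[0] not in entry_points:
            # Control flow safety: calls go only to declared function entry points.
            problems.append((pc, f"CALL target {args[0]} is not a function entry point"))
        elif op in ("LOAD", "STORE"):
            # Memory safety: only static data or heap explicitly allocated to the unit.
            addr = args[0]
            in_static = 0 <= addr < data_size
            in_heap = any(lo <= addr < hi for lo, hi in heap_ranges)
            if not (in_static or in_heap):
                problems.append((pc, f"{op} address {addr} is outside static data and allocated heap"))
        elif op == "PEEK" and args[0] != 0:
            # Stack safety: only the top of the stack may be accessed.
            problems.append((pc, f"PEEK depth {args[0]} reaches below the top of stack"))
    return problems


def execute(code, entry_points, data_size, heap_ranges, max_steps=10_000):
    """Verify, then run. Returns the memory image at HALT."""
    problems = verify(code, entry_points, data_size, heap_ranges)
    if problems:
        raise SafetyViolation(problems)
    memory, stack, shadow = {}, [], []   # shadow = return addresses pushed by CALL
    pc = 0

    def pop():
        if not stack:
            raise SafetyViolation(f"pc={pc}: pop from empty stack")
        return stack.pop()

    for _ in range(max_steps):
        if not 0 <= pc < len(code):
            raise SafetyViolation(f"pc={pc}: fell off the code segment")
        op, *args = code[pc]
        if op == "HALT":
            return memory
        if op == "PUSH":
            stack.append(args[0])
        elif op == "POP":
            pop()
        elif op == "PEEK":
            stack.append(stack[-1] if stack else 0)
        elif op == "LOAD":
            stack.append(memory.get(args[0], 0))
        elif op == "STORE":
            memory[args[0]] = pop()
        elif op == "JMP":
            pc = args[0]
            continue
        elif op == "CALL":
            shadow.append(pc + 1)
            stack.append(pc + 1)
            pc = args[0]
            continue
        elif op == "RET":
            # A return must go back to the call site: compare with the shadow stack,
            # which the program cannot write, so a forged return address is caught.
            target = pop()
            if not shadow or shadow.pop() != target:
                raise SafetyViolation(f"pc={pc}: RET to {target} does not match the call site")
            pc = target
            continue
        pc += 1
    raise SafetyViolation("step limit exceeded")


# Constructed sample programs.
GOOD = [("PUSH", 7), ("STORE", 0), ("CALL", 5), ("LOAD", 0), ("HALT",),
        ("PUSH", 1), ("POP",), ("RET",)]                 # function body at 5..7
BAD_STATIC = [("STORE", 100), ("CALL", 6), ("JMP", 42), ("PEEK", 3), ("HALT",)]
HIJACK = [("CALL", 3), ("HALT",), ("HALT",),
          ("POP",), ("PUSH", 2), ("RET",)]                # function discards and forges its return address


if __name__ == "__main__":
    print(execute(GOOD, {5}, 4, []))
    print(verify(BAD_STATIC, set(), 4, []))
```

HIJACK passes the static check, because every instruction is individually legal, and is only caught at RET time; that is the reason real enforcement of control-flow safety needs either a runtime mechanism (a shadow stack, as here) or a proof, as in proof-carrying code, that the program can never reach such a state.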
Trust
Security is based on the notion of trust. Basically,
software can be divided into two categories,
namely, software that is trusted and software that
is not, separated by an imaginary trust boundary.
All software on our side of the trust boundary is
trusted and is known as the trusted code base.
All security implementations rely on some trusted code. As a result, a trust model of a particular implementation can be made. The trust model basically specifies which code is to be included in the trusted-code base and which code lies outside of the trust boundary.
At the very least, the trusted-code base should
include the local operating system kernel, but
can also include other items of trusted software,
like trusted compilers or trusted program run-
time environments (e.g., the Java interpreter). It
is desirable, however, to keep the trusted-code
base as small as possible to reduce the security
vulnerabilities.
Performance and Security
Unfortunately, as in most applications, performance is sacrificed for increased security. It would, however, be profitable to have applications that are both secure and perform well at the same time. For this reason, there is much research concerned with resolving the conflict between these concepts in some way.
CONCLUSION
The purpose of this chapter is to raise readers’
awareness of mobile code and various approaches
to addressing security of mobile code and agents.
All of the techniques discussed in this chapter offer different approaches to combating malicious mobile code. However, the best approach is probably a combination of security mechanisms. The sandbox and code signing approaches are already hybridized. Combining these with firewalling techniques, such as the playground, gives an extra layer of security. PCC is still very much in the research and development phase at present.
In order to make the mobile code approach practical, it is essential to develop advanced and innovative solutions to restrict the operations that mobile code can perform, but without unduly restricting its functionality. It is also necessary to develop formal, extremely easy-to-use safety languages to specify safety policy.
Organizations relying on the Internet face significant challenges to ensure that their networks operate safely, and that their systems continue to provide critical services, even in the face of attack. Even the strictest of security policies will not be able to prevent security breaches. Educating users about social-engineering attacks based around mobile code is also necessary.
REFERENCES
Alfalayleh, M., & Brankovic, L. (2004). An over-
view of security issues and techniques in mobile
agents. Retrieved from />FPV3URJUDP&06¿QDOSDSGI
Brown, L. (1996). Mobile code security [Electronic
version]. Retrieved from a.
edu.au/~lpb/papers/mcode96.html
Chan, H. W., & Anthony. (1999). Secure mobile
agents: Techniques, modeling and application.
Retrieved from />student/mphil/anthony/term3.ppt
Felmetsger, V., & Vigna, G. (2005). Exploiting
OS-level mechanisms to implement mobile code
security. Retrieved from />~vigna/pub/2005_felmetsger_vigna_ICECCS05.
pdf
Ghezzi, C., & Vigna, G. (1997). Mobile code paradigms and technologies: A case study. In K. Rothermel & R. Popescu-Zeletin (Eds.), Mobile agents, First International Workshop, MA'97, Proceedings (LNCS 1219, pp. 39-49). Berlin, Germany: Springer.
Hefeeda, M., & Bhargava, B. (n.d.). On mobile code security. Center for Education and Research in Information Assurance and Security, and Department of Computer Science, Purdue University, West Lafayette, IN. Retrieved from http://www.cs.sfu.ca/~mhefeeda/Papers/OnMobileCodeSecurity.pdf
Hohl, F. (1997). An approach to solve the problem of
malicious hosts. Universität Stuttgart, Fakultät In-
formatik, Fakultätsbericht Nr. 1997/03. Retrieved
from />bin/ncstrl_rep_view.pl?/inf/ftp/pub/library/ncstrl.
XVWXWWJDUWB¿7575ELE
Hohl, F. (1998). Time limited blackbox security:
Protecting mobile agents from malicious hosts.
Retrieved from />98time.html
Hohl, F. (1998). Mobile agent security and reli-
ability. Proceedings of the Ninth International
Symposium on Software Reliability Engineering
(ISSRE ’98).
Hohl, F. (1998). Time limited blackbox security:
Protecting mobile agents from malicious hosts.
Mobile Agents and Security, 1419 of LNCS.
Springer-Verlag.
IBM Aglets. (2002). Retrieved from http://www.
trl.ibm.com/aglets/
Jansen, W., & Karygiannis, T. (n.d.). Mobile
agent security (NIST Special Publication 800-19)
Retrieved from />nistpubs/800-19/sp800-19.pdf
Java Agent Development Framework. (2005).
Retrieved from />Karjoth, G., Lange, D. B., & Oshima, M. (1997).
A security model for aglets. IEEE Internet
Computing, 1(4), 68-77. [Electronic version].
Retrieved from />tion/aglets/
Loureiro, S., Molva, R., & Roudier, Y. (2000,
February). Mobile code security. Proceedings
of ISYPAR 2000 (4ème Ecole d’Informatique
des Systems Parallèles et Répartis), Code Mo-
bile, France. Retrieved from www.eurecom.
fr/~nsteam/Papers/mcs5.pdf
Lucco, S., Sharp, O., & Wahbe, R. (1995). Om-
niware: A universal substrate for mobile code. In
Fourth International World Wide Web Confer-
ence, MIT. [Electronic version] Retrieved from
/>Papers/165/
McGraw, G., & Morrisett, G. (2000). Attacking
malicious code. Retrieved from http://www.
cs.cornell.edu/Info/People/jgm/lang-based-se-
curity/maliciouscode.pdf
Mobile Code and Mobile Code Security. (2005).
Retrieved from />privacy/0407/main.html
Mobile Code Security. (1996). [Electronic ver-
sion] Retrieved from .
au/~lpb/papers/mcode96.html
Mobile Code Security and Computing with En-
crypted Functions [Electronic version] Retrieved
from />bile
Motlekar, S. (2005). Code obfuscation. Retrieved
from />code-obfuscation/
Muller, A. (2000). Mobile code security: Taking
the Trojans out of the Trojan horse. Retrieved
from www.cs.uct.ac.za/courses/CS400W/NIS/
papers00/amuller/essay1.htm
Necula, G. C., & Lee, P. (1998). Safe, untrusted
agents using proof-carrying code. Lecture Notes
in Computer Science, (1419). Springer-Verlag.
Oppliger, R. (2000). Security technologies for
the World Wide Web. Computer Security Series.
Artech House Publishers.
Proof-Carrying Code. (2002). Retrieved from
/>Robust Obfuscation. (2005). Retrieved from
/>Obfuscation/
Grimes, R. A. (2001). Malicious mobile code: Virus protection for Windows [Electronic version]. O'Reilly & Associates.
Rubin, A. D., & Geer, D. E. (1998). Mobile code
security. IEEE Internet Computing.
Sander, T., & Tschudin, C. (1998a). Towards
mobile cryptography. Proceedings of the IEEE
Symposium on Security and Privacy.
Sander, T., & Tschudin, C. (1998b). Protecting
mobile agents against malicious hosts. [Electronic
version] In G. Vigna (Ed.). Mobile agents and se-
curity, Lecture Notes in Computer Science, 1419
(pp. 44-60). Retrieved from .
edu/article/sander97protecting.html
SNARE — System iNtrusion Analysis and Re-
porting Environment (2005). [Electronic version]
Retrieved from ersectalliance.
com/projects/Snare
Telescript Language Reference. (1995). Retrieved
from />html
Tennenhouse, D. L., & Wetherall, D. J. (1996)
Towards an active network architecture. Computer
Communication Review. Retrieved from http://
www.tns.lcs.mit.edu/publications/ccr96.html
Vigna, G. (1997, June). Protecting mobile agents through tracing. Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems, Jyväskylä, Finland. Retrieved from b.
Finland. Retrieved from b.
edu/~vigna/listpub.html
This work was previously published in Web Services Security and E-Business, edited by G. Radhamani and G. Rao, pp. 75-92,
copyright 2007 by IGI Publishing (an imprint of IGI Global).
Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Chapter 7.15
Secure Authentication Process for High Sensitive Data E-Services: A Roadmap
Claudio Agostino Ardagna
University of Milan, Italy
Ernesto Damiani
University of Milan, Italy
Fulvio Frati
University of Milan, Italy
Salvatore Reale
Siemens Mobile Communication S.p.A., Italy
EXECUTIVE SUMMARY
The widespread diffusion of online services provided by public and private organizations, driven first by e-commerce and more recently by e-government applications, has stressed the need for secure ways to authenticate users who need to access online resources. The huge number of resources accessible on the Web leads to different authentication mechanism implementations that often require multiple log-on actions, even in an intradomain, multiservice scenario. In the case of highly sensitive services, user authentication plays a role of paramount importance. This article presents a case study that gives a roadmap of authentication mechanisms implemented at different levels of a service's software structure. The discussion starts by illustrating different authentication solutions implemented at the operating system, application server, or component level, and concludes with the Single Sign-On approach. For each solution, pros and cons are discussed. The SSO system, called CAS++, developed as an extension to Yale University's CAS, is then presented.
ORGANIZATION BACKGROUND
Established in early July 2002, Siemens Mobile Communications S.p.A. (SMC) is involved in mobile networks for Italy and fixed and mobile network access systems (for the international market). It works in close collaboration with the Siemens AG Information and Communication Mobile group. The company is among the foremost research and development centers in the telecommunications industry, with a large percentage of its staff employed at the Cassina de' Pecchi and Cinisello Balsamo (Milan) premises. Manufacturing mainly takes place at the Marcianise plant (in the province of Caserta), as well as in Cassina.
Turnover for 2003–2004 came in at 1,171 million euros, with staff levels at 2,562.
Siemens Mobile Communications’ busi-
ness divisions are marked by their aggressively
market-oriented approach and a commitment to
excellence in partnerships with mobile operators
– regardless of whether they are new or existing
clients – in every area of telecommunications,
fully capitalizing on the synergies offered by
the Siemens Information and Communications
group in Italy and internationally. The company
comprises two business divisions:
• Mobile Networks: Siemens Mobile Communication positions itself as one of the leading companies in the mobile communication market. Its products are made to answer the requirements of its customers in the best possible way. The infrastructure range includes technologies for GSM, GPRS, and 3G systems. The processes of technological innovation realized by the research centers keep Siemens at the highest level in the development of new technologies for the Mobile Network.
• Microwave Networks: The Microwave Networks division has a lead-house role in Siemens with the mission of developing, manufacturing, promoting, selling, and supporting microwave and WiMAX products. Siemens offers innovative radio products and solutions for transmission and access to the mobile and fixed networks, thanks to its proven turn-key capability and world-wide presence.
SETTING THE STAGE
The increasing usage of GSM mobile phones and the arrival of a new generation of mobile systems (called third-generation or 3G) have led to the development of applications that manage the mobile network and provide new services to users. In this scenario, every network technician who has to use multiple parallel services must manage several username/password pairs, raising a great number of security concerns (Bettini, Jajodia, Sean Wang & Wijesekera, 2002). In particular, when the organization manages very sensitive data, the main problem that has to be addressed is the efficiency and security of the authentication process, the first point of contact between users and systems. Hence, in this scenario, the major challenges were to improve the authentication process in order to avoid malicious accesses, privacy violations, and data correlation. The importance of security mechanisms, in fact, arose when a solution for remote management was adopted to simplify and improve network management performance. In this scenario, the high sensitivity of the information and the risks introduced by the adoption of remote services required a strong solution to the security issues.
The presented case study, named "Pitagora Project," is managed in the context of a joint research project that involved Siemens Mobile Communication S.p.A. and the Software Engineering and Advanced Architectures Group of the Department of Information Technology of Crema (DTI), University of Milan. This project, started in January 2004, is focused on security and authentication issues applied to real-life experiences of Information Technology (IT) in an important organization.
Project Pitagora gave a solution that allowed the implementation of a security architecture, also in an e-services scenario, that integrated and protected all the services, components, and applications composing the studied environment. More in detail, this environment included the following innovative applications in the field of mobile communication:
• IMW was the application tool, developed from March 2004 to November 2004, which provided and controlled the access, requested by users/technicians, to the Operation and Maintenance Center (OMC) system, the system used to manage the network elements that composed the real mobile network. In particular, users were able to manage, configure, and check the OMC mobile network using different technologies and devices, such as traditional PCs/laptops, PDAs, and mobile phones. Hence, IMW managed all the communication processes between users and the OMC system, through different technologies such as Web browsers and the HTTP/HTTPS protocol, WAP browsers, and SMS. IMW kept the technicians informed of the supervised network state, notifying alarms and warnings for which the users had previously registered. To conclude, the users could configure and detect the components' state, receiving alarm notifications in case of hardware or software failures, and could try to solve the problems by running actions and tests over the damaged components. To summarize, IMW fulfilled all the requirements for the remote management environment for mobile networks.
• i-Geo (intelligent Geo-Location) was the application involved in the geo-location of customers' mobiles (Anisetti, Bellandi, Damiani & Reale, 2005). In particular, the i-Geo tool allowed the definition of the number and position of mobile antennas, the calculation of the produced electromagnetic field, the calculation of the sensitivity map, the geo-location of a mobile phone and, finally, the computation of the path of a mobile phone during a time interval. Future enhancements could be provided to compute the best antenna positions to optimize the mobile signal coverage. The i-Geo application implementation, started in September 2004, is still under development. Its first version was completed in April 2005.
• GEMFIS was an open source application, developed in 2004, used to monitor network usage, focusing on maximizing performance and guaranteeing a healthy environment with respect to the current laws (Damiani & Montel, 2005; Montel, 2004). GEMFIS provided features for storage, visualization, and management of environmental data. In particular, it provided information about electromagnetic field and acoustic level compared with environmental rules. It also managed a historical database related to the installed facilities, disposal of waste material, and variation of the electromagnetic field.
All of the applications described hold and manage a huge amount of sensitive data or services that must be protected from unauthorized access. The risks of malicious actions increase in the case of remote requests and interactions. In this scenario, as said before, the need for a stable and strong mechanism to authenticate the users arises. Before the Pitagora Project, Siemens managed several parallel applications as stand-alone services, each with its own authentication mechanism based on username-password pairs. In particular, all the users/technicians who had to use these applications were faced with different types of authentication processes and different sets of authentication information, thus increasing the probability of errors or intrusions, which Siemens wanted to solve in order to be able to expose the services to the Net.
CASE DESCRIPTION
Accessing information on the global Net has become a fundamental requirement of the modern economy. Recently, focus has shifted from access to traditional information stored in WWW sites to e-services such as e-government services, remote banking, or airline reservation systems (Corallo, Cremonini, Damiani, De Capitani di Vimercati, Elia & Samarati, 2005; Damiani, Khosla & Grosky, 2003; Feldman, 2000). In particular, the perceived importance of e-services is growing and, consequently, many works try to develop methods and models to make the e-services development process uniform. Today, it is widely acknowledged that e-services should follow a layered software structure, as outlined in Figure 1. The structure depicted also fits the real case described in this article; it is composed of three layers, where the first comprises a community of e-services components, managed by an application server (second layer), in turn running on an Operating System platform (third layer). More in detail:
• E-services components layer. All software components that implement an e-Service.
• Application server layer. Middleware over which the applications will be deployed. It provides some additional functionalities, such as management of security and persistence. In this manner, the developer can focus on the implementation of application components.
• Operating System platform layer. The Operating System platform over which the applications will be distributed.
In this scenario, where data represent one of the major critical assets for enterprises and are shared among strangers, the need for security arises, becoming the most critical issue in e-services implementations. The fact that users are potentially strangers during a negotiation makes security a research issue involving and affecting several fields, such as access control, trust and reputation, and several technologies, such as biometric systems. This article, however, focuses on the major authentication solutions for e-services, discussing their pros and cons in an e-services three-layered structure. Then, it presents and discusses single sign-on and federation approaches, which are the emergent technologies providing an infrastructure to integrate and coordinate authentication processes.
Figure 1. E-services three-layered structure
The discussion starts from the experience gathered in a real case study involving Siemens Mobile Communication S.p.A. and the University of Milan. In particular, Siemens Mobile Communication S.p.A. had perceived the need to open its applications to the technicians also through the Net, and not only in a closed network. The exposure of the application interface introduced the need to redesign and strengthen the authentication process, due to the high sensitivity of the exchanged data, whose corruption or unauthorized release could cause enormous economic losses. This sensitivity, in fact, had in the past defeated every attempt to expose Siemens services to the technicians through the Net, and had imposed the definition of several restrictive requirements that the security architecture must fulfill to reduce the intrusion risk to close to zero.
CURRENT CHALLENGES/PROBLEMS FACING THE ORGANIZATION
Before describing the solution for the case study, the roadmap that led to its adoption is presented, explaining the pros and cons of all the analyzed authentication practices. The following solutions represent the most important methodologies in current e-services implementations.
Looking at the picture in Figure 1, the three-level structure of e-services could implicitly suggest the application of an authentication mechanism at one of its layers. In formalizing Pitagora's components, each level was examined and studied to implement an authentication mechanism.
In the following sections, the resulting three scenarios, together with emergent solutions, are presented, and each approach is described focusing on the advantages and disadvantages that it provided.
Operating System Level Authentication
The first considered solution was to rely on the authentication features provided directly by the operating system platforms. Each user (in this case a technician) who tried to enter the system had to provide her credentials (username and password) at system start-up. Operating systems internally manage a user repository that grants access only to registered users, associated with simple authorization roles (e.g., administrator and guest).
If the login process succeeded, applications based on the operating system repository retrieved and collected the username and role through predefined system calls, and used them to grant service access whenever possible, based on their authorization rules.
This solution, although it reduced the effort in user and authentication process management and avoided any code customization, raised a set of crucial issues. First of all, the operating system account repository (composed only of username and role) is not fully satisfactory for the management of access control in e-services and, therefore, applications had to maintain their own user account repository, reducing all the benefits given by this solution.
Usually, the roles managed by applications were more than two (administrator and guest), and additional credentials were needed to determine which actions the user could perform. Furthermore, the user who gained access might not be the one who made use of the application, since system and application start-up could happen at different time instants, without certainty about the identity of the user who was accessing the application.
Finally, operating systems do not provide standard methods to obtain logon information, requiring a system-dependent authentication process.
Due to the concerns mentioned above, operating system level authentication was not applicable to the Pitagora Project, and alternative solutions were explored.
Application Server Level Authentication
Going up in the pyramid structure depicted in Figure 1, the focus switched from the operating system to the application server layer, which is responsible for the lifecycle management of the applications and provides additional horizontal functionalities such as management of security and persistence. The authentication process, then, could easily be delegated to the Application Server, taking advantage of the horizontal functionalities and libraries that application servers provide. In particular, Pitagora's applications were based on JBoss (JBoss, 2005; Scott, 2003), a widely accepted Open Source J2EE-compatible Application Server, kept up to date with the J2EE specifications, and whose proposals are often taken into account in their formalization.
JBoss allows a complete security environment implementation without custom programming inside business components (Ardagna, Damiani, Frati & Montel, 2005; Damiani & Montel, 2005). Current J2EE specifications define a simple role-based security model for Enterprise Java Beans (EJBs) and Web components. JBoss provides a component framework that handles security. The JBoss security extension provides support for both the role-based security model and the integration of custom security through a security proxy layer.
The default implementation of the security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects, which are the package enabling services to authenticate and enforce access controls upon users. The security model advocated by the J2EE specifications is a declarative model, and security roles and permissions are described using a standard XML descriptor rather than embedding security into business components.
By configuring the JAAS login modules bundled with JBoss, the integration of security without custom programming can be completed and supported. JAAS includes a set of standard modules for the use of file-, database-, and Lightweight Directory Access Protocol (LDAP)-based security information. Every user is able to write their own security modules that fulfil more specific requirements.
In particular, the development of a security environment is composed of three main parts: configuration of a database security domain, definition of authentication, and specification of the authorization process. All these phases are entirely accomplished through the customization of Application Server (JBoss and Tomcat) specific deployment descriptors. Tomcat is a Web server and servlet container, bundled with the JBoss application server, responsible for the management of Web applications; it provides several functionalities, such as security functionalities, by means of deployment descriptor (XML file) customization.
To add the chosen database configuration to the application, the JBoss login-config.xml file is configured, defining the following module options (see Figure 2): (1) dsJndiName: JNDI name of the datasource containing the user and role tables; (2) principalsQuery: SQL statement to retrieve the password for a specific user; (3) rolesQuery: SQL statement to retrieve a user's roles; (4) hashAlgorithm: hashing algorithm used to digest passwords before comparison; (5) hashEncoding: statement to select the encoding used to convert the binary hash value to a string.