1 / 56

Single Sign-on Authentication and Pubcookie

Single Sign-on Authentication and Pubcookie. By Archie E. Huerto CSUN – COMP 529. Roadmap. Taxonomy of SSO Systems Using SSO on Trusted Platforms Structured Assertion Markup Language Pubcookie. Password Explosion. Multiple passwords to access different systems weakens security

warrick
Télécharger la présentation

Single Sign-on Authentication and Pubcookie

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Single Sign-on Authentication and Pubcookie By Archie E. Huerto CSUN – COMP 529 COMP 529 - Advanced Computer Networks

  2. Roadmap • Taxonomy of SSO Systems • Using SSO on Trusted Platforms • Structured Assertion Markup Language • Pubcookie COMP 529 - Advanced Computer Networks

  3. Password Explosion • Multiple passwords to access different systems weakens security • Users will tend to pick easy to remember and therefore easy to guess passwords • They may write down passwords in obvious places COMP 529 - Advanced Computer Networks

  4. What is Single Sign-on? • Lets users authenticate themselves once and access different applications without re-authentication • Increases the usability of the network • Centralizes the management of relevant system parameters • Two main type of SSO Systems: Pseudo-SSO and True-SSO COMP 529 - Advanced Computer Networks

  5. Pseudo-SSO • Primary Authentication - A user is authenticated through the pseudo-SSO component • Secondary Authentication - A separate authentication occurs every time the user logged into a service provider • The pseudo-SSO component manages service provider specific credentials, which constitute the SSO identities. COMP 529 - Advanced Computer Networks

  6. Pseudo-SSO COMP 529 - Advanced Computer Networks

  7. True SSO • A user is authenticated through an Authentication Service Provider (ASP) • The ASP needs to have an established relationship with all SPs to which SSO is to be established • The authentication process that involves the user occurs between the user and ASP • Service providers are notified via authentication assertions which contains the user’s SSO identity and the authentication status with the ASP COMP 529 - Advanced Computer Networks

  8. True SSO COMP 529 - Advanced Computer Networks

  9. Generic SSO System COMP 529 - Advanced Computer Networks

  10. Categories of SSO Systems • SSO architectures can be further categorized based on the location of the ASP/pseudo-SSO component • It can be local to the user platform or offered as a service by an external entity (SSO proxy) • Four Main Categories of SSO Systems • Local Pseudo-SSO • Proxy-Based Pseudo-SSO • Local True SSO • Proxy-Based True SSO COMP 529 - Advanced Computer Networks

  11. Examples of True SSO Kerberos • A network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography • A Kerberos server is comprised of an authentication server and a ticket granting server which acts as the ASP • Every user and SP shares a long-term secret key with the ASP COMP 529 - Advanced Computer Networks

  12. Examples of True SSO Granting Kerberos Tickets • Client  ASP: c • ASP  Client: {Ks1}Kc, {Tgt}Ks1 • Client  ASP: {Ac}Ks1, {Tgt}Ks1, SPID • ASP  Client: {Ks2}Ks1, {Tsg}Ks • Client  SP: {Ac}Ks2, {Tsg}Ks COMP 529 - Advanced Computer Networks

  13. Examples of True SSO Microsoft .Net Passport • A web-based SSO service offered by Microsoft since 1999 and is one of the widely deployed services of its kind. • Passport accounts can store address, date of birth, and credit card details • A unique 64-bit numeric identifier called “Passport User ID” (PUID) is assigned to user during account creation • Users can register at the Passport home page (www.passport.com), Windows XP registration wizard, or any participating sites COMP 529 - Advanced Computer Networks

  14. Examples of True SSO COMP 529 - Advanced Computer Networks

  15. Examples of True SSO The Liberty Alliance • A set of open specifications for web-based SSO developed by a consortium of over 140 companies • Based on “trust circles” formed by trusted ASPs and relying SPs • Uses the Security Assertions Markup Language (SAML) COMP 529 - Advanced Computer Networks

  16. Roadmap • Taxonomy of SSO Systems • Using SSO on Trusted Platforms • Structured Assertion Markup Language • Pubcookie COMP 529 - Advanced Computer Networks

  17. Trusted Platforms • The Trusted Computing Group (TCG) is a not-for-profit industry-standard organization with the the following goal: “Through the collaboration of platform, software, and technology vendors develop a specification that delivers an enhanced HW and OS based trusted computing platform that enhances customer’s domains.” • TCG was formed in Spring 2003 and has adopted the specifications developed by the Trusted Computing Platform Alliance (TCPA) COMP 529 - Advanced Computer Networks

  18. What is TCG Technology • Trusted Platform (TP) – a computing platform that conforms to the TCG specifications • Trusted Platform Module (TPM) – a crypto co-processor with special functionality that every TP has • TPM is attached to the platform and cannot be removed • Information stored in the TPM is resistant to any direct software attack, as the information can only be accessed through well-defined commands known as “TPM capabilities” COMP 529 - Advanced Computer Networks

  19. TPM Identity Endorsement Key • A unique RSA key pair that every TPM has imprinted in it • The private key (EKpr) never leaves the TPM • The public key (EKpu) can only be retrieved from the TPM under certain conditions • The EK is used to decrypt information sent to a TPM from a Privacy Certification Authority (CA) COMP 529 - Advanced Computer Networks

  20. Attestation • The process of vouching for the accuracy of information • Attestation Identity Key (AIK) • A special purpose asymmetric signature key created by the TPM from its EK and used for signature generation and verification • Every TP can have more than one AIK • The private portion of the AIK is non-migratable and protected by the TPM • The public portion of the AIK is part of the AIK Credential, issued by a Privacy CA • Allows a user to signify to third parties that he/she is using a genuine TP without revealing its identity COMP 529 - Advanced Computer Networks

  21. AIK Certification Process • TP  Privacy CA: AIKpu, EKpuThe trusted platform creates an new AIK, sends the public key of a new AIK and its public EK to a certifying authority • Privacy CA  TP: {AIK Credential(AIKpu)}EKpubThe certifying authority after receiving it creates a certificate for the public portion of the AIK, encrypts it with the public endorsement key, and send it back to the TP • TP  Privacy CA: AIK Credential(AIKpu)The TP then decrypt the new AIK credential and proves to the certifying authority that it was able to do so because it has the private EK COMP 529 - Advanced Computer Networks

  22. Integrity Measurement (Metrics) • The process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform • Platform Configuration Registers (PCRs) – a shielded location where the metrics and its digests are stored • Measured Values – a representation of embedded data or program code • Measurement Digest – SHA-1 cryptographic hash of measurement values • PCR[n]  SHA-1(PCR[n] + measured values) COMP 529 - Advanced Computer Networks

  23. Integrity Challenge/Response • Integrity Challenged – issued by third party to assess the software state of a TP, includes a nonce to protect for replay • Integrity Response • Current PCR values • Digital signature over the PCR values and the nonce using one of the AIK • AIK Credential for the AIK used to produce the signature COMP 529 - Advanced Computer Networks

  24. Using Trusted Platforms for SSO • User authentication can be delegated to the user’s TP and carried out by an Authentication Service (AS) within that TP • AIK Credentials are unique because they carry a unique serial number assigned by the issuing Privacy CA (e.g [Privacy CA, Serial Number]) • SPs can use AIK Credentials as SSO Identities for users COMP 529 - Advanced Computer Networks

  25. SSO Entities User System • SSO Identities needs to be generated and activated for each user of a given TP • For TPs with multiple users, the AS should allow TPM owners to create a set of distinct SSO Identities for each user of the platform • AS will be tightly integrated into the TP’s operating system or part of the OS login mechanism • SPs can asses the integrity of the AS in the user’s system since it is measured in the TPM’s PCR COMP 529 - Advanced Computer Networks

  26. SSO Entities Service Providers • Need to verify the AS using an Integrity Challenge/Response session which also provides user identification • Must have a well-known, human-readable unique identifier (e.g. URI) for users to authenticate SPs before releasing Integrity Response COMP 529 - Advanced Computer Networks

  27. Trust Relationship • End users needs to trust the Privacy CA chosen to certify their AIK Credentials that corresponds to SSO Identities • SP needs to trust the Privacy CA chosen by the user to certify the AIK Credentials of their SSO Identities • SP needs to trust the AS installed on the user TP and any software executed before the AS • Trusting the Privacy CA means trusting TP and TPM manufacturers vouched for by the Privacy CA COMP 529 - Advanced Computer Networks

  28. Roadmap • Taxonomy of SSO Systems • Using SSO on Trusted Platforms • Structured Assertion Markup Language • Pubcookie COMP 529 - Advanced Computer Networks

  29. What is SAML? • The Security Assertion Markup Language is an XML-based framework fro communicating user-authentication, entitlement, and attribute information • It is developed by the Security Services Technical Committee (SSTC) of the Organization for the Advancement of Structured Information Standards (OASIS) • SAML V1.0 became OASIS standard in November 2002, SAML V1.1 followed in September 2003, and SAML V2.0 in March 2005 COMP 529 - Advanced Computer Networks

  30. SAML Parties • Identity Provider (IdP) – The system that asserts information about a subject, also known as SAML authorities and Asserting Parties • Service Provider (SP) – The system that relies on the information supplied to it by the IdP, also known as Relying Parties, local access policy defines whether the subject may access local resources COMP 529 - Advanced Computer Networks

  31. Drivers for the Creation of SAML • Limitation of Browser cookies – Most SSO system using cookies to maintain state cannot transfer authentication between DNS domains • SSO Interoperability – How products implement SSO and Cross-Domain SSO (CDSSO) are completely proprietary and organization must use the same SSO product in all domains COMP 529 - Advanced Computer Networks

  32. Drivers for the Creation of SAML • Web Services – Security within Web Services is still being defined. The SAML provides the means by which authentication and authorization assertions can be exchanged between communicating parties. • Federation – The need to simplify identity management across organizational boundaries, allowing users to consolidate many local identities into a single Federated Identity. COMP 529 - Advanced Computer Networks

  33. SAML Components • Assertions – defined by an XML schema, it carries statements about a Principal as asserted by an Asserting Party. It could be requested or “pushed” out to the SP. • Protocols – defined by an XML schema, it specifies how and which assertions are requested. • Bindings – defines the lower-level communications or messaging protocols (HTTP or SOAP) that the SAML protocols can be transported over. • Profile – contains the Assertions, Protocol, and Bindings to support a defined use case COMP 529 - Advanced Computer Networks

  34. SAML Components Profiles (Supports a defined use case) Binding (Defines how SAML protocols map onto standard messaging or communication protocols) Protocol (Request/Response pairs for obtaining Assertions and Federation Management) Assertions (Authentication, Attribute and Authorization Information) COMP 529 - Advanced Computer Networks

  35. SAML Assertions SAML defines three kinds of statements that can be carried within an assertions: • Authentication statements – issued by the party that successfully authenticated the user. It specifies who issued the assertion, the authenticated subject, validity period, and other related authentication information. • Attribute statements – contain specific details about the user (e.g. “Gold” status) • Authorization decision statements – identifies what the user is entitled to do (e.g. what item he is permitted to buy) COMP 529 - Advanced Computer Networks

  36. SAML Protocols SAML defines a number of request/response protocols encoded in an XML schema as a set of request/response pair: • Assertion Query and Request Protocol – defines a set of queries to obtain SAML assertions. • Authentication Request Protocol – defines an <AuthRequest> message (from SP) that causes a <Response> message to be returned (by IdP). • Artifact Protocol – provides a way to obtain previously created assertions by a reference (i.e. artifact) COMP 529 - Advanced Computer Networks

  37. SAML Protocols • Name Identifier Management Protocol – provides a way to change the value or format of the name of the Principal. Can be issued by either the IdP or SP. Can be used to terminate an association of a name between an IdP and SP. • Single Logout Protocol – provides a way for near-simultaneous logout of all sessions associated to a Principal, can be initiated by the Principal or a session timeout. • Name Identifier Mapping Protocol – provides a way to enable “account linking” or Federation. COMP 529 - Advanced Computer Networks

  38. Overview of SOAP SOAP (Simple Object Access Protocol) is a protocol that specifies an enveloping mechanism for sending data via XML. It specifies three major XML elements: • <Envelope> – required root document element • <Header> – an optional element that may define some attribute about a message • <Body> – contains the data intended for the final message recipient. COMP 529 - Advanced Computer Networks

  39. SOAP Message POST /InStock HTTP/1.1 Host: www.stock.org Content-Type: application/soap+xml; charset=utf-8 Content-Length: nnn <?xml version="1.0"?> <soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope" soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding"> <soap:Body xmlns:m="http://www.stock.org/stock"> <m:GetStockPrice> <m:StockName>IBM</m:StockName> </m:GetStockPrice> </soap:Body> </soap:Envelope> COMP 529 - Advanced Computer Networks

  40. SAML Assertions Structure SOAP Body SAML Response Response Header SAML Assertion Authentication Statement Other Statements COMP 529 - Advanced Computer Networks

  41. SAML Assertion <?xml version="1.0" encoding="UTF-8"?> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2005-01-31T12:00:00Z"> <saml:Issuer>www.acompany.com</saml:Issuer> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> j.doe@company.com </saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2005-01-31T12:00:00Z" NotOnOrAfter="2005-01-31T12:00:00Z"> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="67775277772"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> COMP 529 - Advanced Computer Networks

  42. SOAP Over HTTP Binding HTTP SOAP Message SOAP Header SOAP Body SAML Request Or Response COMP 529 - Advanced Computer Networks

  43. SAML AuthnRequest <env:Envelope xmlns:env=”http://www.w3.org/2003/05/soap/envelope/”> <env:Body> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ForceAuthn="true" AssertionConsumerServiceURL="http://www.example.com/" AttributeConsumingServiceIndex="0" ProviderName="string" ID="abe567de6" Version="2.0" IssueInstant="2005-01-31T12:00:00Z" Destination="http://www.example.com/" Consent="http://www.example.com/" > <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> j.doe@company.com </saml:NameID> </saml:Subject> </samlp:AuthnRequest> </env:Body> </env:Envelope> COMP 529 - Advanced Computer Networks

  44. SAML Response within SOAP Message <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Body> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="abe567de6" InResponseTo="example-ncname" Version="2.0" IssueInstant="2005-01-31T12:00:00Z“ Destination="http://www.example.com/" Consent="http://www.example.com/"> <samlp:Status> <samlp:StatusCode Value="samlp:Success"/> <samlp:StatusMessage>Success</samlp:StatusMessage> <samlp:StatusDetail/> </samlp:Status> …… SAML ASSERTION AND STATEMENTS </samlp:Response> </env:Body> </env:Envelope> COMP 529 - Advanced Computer Networks

  45. Generic SP-Site-First Scenario COMP 529 - Advanced Computer Networks

  46. Generic IdP-Site-First Scenario COMP 529 - Advanced Computer Networks

  47. Generic SSO Portal Scenario • The unauthenticated user accesses the unprotected portal. • User selects IdP-1 and SP-1 from portal. Portal redirects user to SP-1 with Idp-1 as URL parameter. • SP-1 gets the IdP ID from the URL and generates a SAML <AuthnRequest> to IdP-1 via HTTP redirect. • After a successful authentication, IdP-1 returns a SAML <Response> to SP-1. • User is granted access to resources in SP-1. After a while, user again returns to the portal but this time to access SP-2. • Portal determines user had authenticated with IdP-1 and redirects user to SP-2 with IdP-1 as URL parameter. • SP-2 gets the IdP ID from the URL and generates a SAML <AuthnRequest> to IdP-1 via HTTP redirect. • IdP-1 determines that the user is already authenticated and immediately returns a SAML <Response> to SP-2. • User is granted access to resources in SP-2. COMP 529 - Advanced Computer Networks

  48. Security in SAML • The relying party and the asserting party must have a pre-existing trust relationship, typically involving PKI • For message integrity and confidentiality it is recommended to use HTTP over SSL 3.0 or TLS 1.0 • When an SP requests an assertion from an IdP then a bilateral-authentication is required using SSL or TLS and client-server authentication is recommended • When pushing an assertions and request to an SP then it is mandated that the response message be digitally signed using the XML digital signature standard COMP 529 - Advanced Computer Networks

  49. Roadmap • Taxonomy of SSO Systems • Using SSO on Trusted Platforms • Structured Assertion Markup Language • Pubcookie COMP 529 - Advanced Computer Networks

  50. What is Pubcookie? • Open-source package for intra-institutional SSO web authentication • Reuses existing authentication services such as Kerberos, Microsoft’s Lightweight Directory Access Protocol (LDAP), or Sun’s Network Information Service (NIS) • Supports Apache and Microsoft IIS • Originally developed at the University of Washington in 1998 • Made available to others in 2001 to make better web-based SSO systems • Became an open-source project in late 2001 COMP 529 - Advanced Computer Networks

More Related