Lecture on Federated Security: Can delegated trust work?
Walter Kriha

Overview
• Why do we need federated trust? Direct trust does not scale in distributed systems
• What makes federated trust secure? Leveraging high-quality direct trust relations and delegation of authority
• Cross-domain trust between infrastructures
• Web-SSO architectures
• Identity and federation in social networks (Facebook etc.)

Super-Hub Architecture
Direct trust does not scale! (Diagram: users attached to many registries, with every user/registry pair needing its own direct trust relation.)

Ways to combine registries
• Meta Directory: a META registry that copies and replicates the entries of the individual registries. Consistency? Name clashes? Privacy? Politics and economics?
• Virtual Directory: a service interface that dynamically pulls from the individual registries. Performance? Name clashes? Privacy? Politics and economics?
• Federated Identities: registries exchange metadata on users. Allow aliases to protect users. Do not expose login credentials. Trust? Control? QoS?

Federated Visa Card System
Diagram: the Customer presents the card to the Dealer; the Dealer requests payment from the Dealer's Bank; the Card Issuing Bank has issued the card to the Customer; the Dealer's Bank and the Card Issuing Bank clear the payment through Visa.

"Outsourcing" of Trust Establishment
1. The user presents a request and proof of identity to the Identity Provider.
2. The Identity Provider returns a signed token containing an authentication statement.
3. The user presents the token to the Service Provider to establish a remote, authenticated session.
The Service Provider holds a trust relation to the Identity Provider (IP), not to the user.

Third Party Identity Assertion and Authorization
1. The employee logs in to the company's SSO system.
2. The employee requests a token for the supplier.
3. The company returns a signed token containing an authentication statement and, optionally, the authorisation to order goods from the supplier.
4. The employee presents the token to the supplier to prove the work relation and, optionally, the authority.
5. The supplier checks the signature of the company (the trust relation is secured by certificates). The supplier now knows that a) the employee really works for the company and b) the employee is authorized to order (optional).

Why Third Party Trust is OK
• Does the receiver really have a trust relation to the employee of the company?
• What does it mean for the receiver to give the foreign employee a login name and credential?
• What happens if the employee
  – changes job function?
  – leaves the company?
  – uses the credentials a year later?
  – starts buying non-authorized things?
  – hands over the login credentials?
• How many login credentials does the employee need?
• How many times does she use them?

Federated Identity Management Across Domains
Diagram labels: User, Customer alias, Token, Authentication Server, Authorisation Server, Identity Server, Credential Vault, Application Server, CSIv2 client, Registry, Reverse Proxy, CSIv2, External WS-Security, WS-Security, Internet Point of Contact, TTP, Domain Bridge (TTP), Authentication Provider, Host, Token Server, Token converter, Other Company Infrastructure, WS-Trust Server checking foreign token, WS-Trust Server.

Web-based SSO Scenarios
• Redirect mechanism
• Background communication
• Where are you from
• Privacy issues

Redirect of unauthenticated request to identity provider: Pull scenario
Diagram (steps 1 to 5): the user's unauthenticated request to Service Provider 1 is redirected to the Identity Provider; after authentication there, the user is re-redirected back to Service Provider 1.

Functional Extensions to simple Web-SSO
• WAYF (Where are you from): how can the service provider know which STI the customer is using?
• Account linking (SP and customer are members of several STIs/IPs)
• Size and content of the token
• Different user agents and transport protocols (e.g. web services)

Federative Extensions to simple Web-SSO
• Both Service Provider and IP run their own identity management with separate user registries
• The customer is using several IPs
• The SP has several contract relations with other SPs

Redirect of authenticated user to selected SP (Push Model)
Diagram: the Identity Provider shows the authenticated user a dynamic menu ("clicked" by the user) with links to SP1, SP2 and SP3; following a link redirects the user to the selected Service Provider.

Front-Channel vs. Back-Channel
Diagram: the user talks to Service Provider 1 and to the Identity Provider over the front channel, which carries either a random number or the extended user information itself (SAML). Service Provider 1 and the Identity Provider exchange extended user information over the back channel, using a push mechanism or a pull mechanism.

Account linking with User Alias
Diagram: at the IP the user is User_X with password PW_X and IP_Alias 123; at SP1 the same user is X_User with password PW_Z, also linked to IP_Alias 123. Back-channel communication for automatic provisioning allows the mapping between the IP alias and the SP's own user ID for the user; the front channel carries the mapping.
  At IP:  User_X, PW_X
  At SP1: X_User, PW_Z

Secure Messages with "Active Profile" – Web Service enabled communication
Diagram (steps 1 to 5): a Web Service Client Application exchanges secured messages with Service Provider 1 and the Identity Provider / WS-Trust Server.

Security Assertion Markup Language (SAML)
• Policy expression language
• XML-based language for secure statements (assertions)
• Elements like user, attributes, validity constraints, QoS etc.
• Authentication assertion
• Attribute assertion
• Authority assertion
• Binding information about transport protocols, GET/POST methods etc.
• Object/message-based security instead of only channel-based security

SAML Assertion (example)

  <saml:Assertion Version="2.0" ID="_34234se72"
                  IssueInstant="2005-04-01T16:58:33.173Z">
    <saml:Issuer>http://authority.example.com/</saml:Issuer>
    <ds:Signature>...</ds:Signature>   <!-- issuer signature -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        jygH5F90l
      </saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2005-04-01T16:57:30.000Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>

From: [ANTON06]

SAML embedded in SOAP Header

  <SOAP-ENV:Envelope>                 <!-- SOAP spec. -->
    <SOAP-ENV:Header>
      <wsse:Security>                 <!-- Web Services Security spec. -->
        <saml:Assertion>user, authentication, issuer etc.</saml:Assertion>
      </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>...
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

From: [ANTON06]

WS-Federation Active Profile Example
Diagram labels: CompanyXYZ SSO login portal (internal STI, own token, SPNEGO token); link with forms POST to TelCo; TelCo provider conference system; employee (User: foo, Email: [email protected], Company: XYZ); guest account at TelCo (User: XYZ_guest, CN: foo, Email: [email protected]). Mapping of all employees to ONE guest account for XYZ at the access manager of TelCo.

SAML Assertion in Token

  <!-- ID and time of the issued assertion, namespaces galore -->
  <saml:Assertion AssertionID="…" IssueInstant="2007-03-20T12:30:50Z"
                  Issuer="https://www.xyz.com/wsf"
                  MajorVersion="1" MinorVersion="1"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <!-- When is this statement valid? Who is the receiver? -->
    <saml:Conditions NotBefore="2005-07-16T15:14:29Z" NotOnOrAfter="2005-07-16T15:34:29Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://www.telco.com/wsf</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <!-- Who is authenticated? (subject) -->
    <saml:AuthenticationStatement AuthenticationInstant="2005-07-16T15:24:29Z"
                                  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          emp1@xyz.com
        </saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <!-- What attributes does the subject have? -->
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          emp1@xyz.com
        </saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute AttributeName="cn" AttributeNamespace="http://www.xyz.com/cn">
        <saml:AttributeValue>Employee One</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <!-- Up to here: the federation part of the assertion. It defines conditions,
         authentication, subject and subject attributes. -->
    <!-- From here on: the non-federation part. It deals only with the message
         security of the assertion statement. -->
    <ds:Signature Id="uuid203f1582-0105-efbb-6039-8ce3efd72411"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>   <!-- How the signature was created -->
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#Assertion-uuid203f1557-0105-f23c-5b82-8ce3efd72411">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <xc14n:InclusiveNamespaces PrefixList="saml ds"
                                         xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>sWS4qUyQXSgMRHM62ADxLHGfFD4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <!-- Signature value to check against -->
      <ds:SignatureValue>signature over assertion (according to XMLDsig spec.)...</ds:SignatureValue>
      <!-- Who did it: the signer's certificate, so the receiver (TelCo) can check the signature -->
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>XYZ Corp. Certificate,......</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>

Identity and Federation in Social Networks
• The Tripartite Identity Pattern
• OpenID (technology and the Nascar problem)
• OAuth (granular access delegation)
• XRD/JRD

The Tripartite Identity Pattern
Randy Farmer developed the above pattern, which separates the functions of IDs along the dimensions of uniqueness and memorizability.
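The checks a relying party such as TelCo performs on the assertion above, as an added example that is not part of the lecture: it answers the slide's annotation questions (when is the statement valid, who is the receiver, who is authenticated, which attributes does the subject have) and then does the account linking from the earlier slide. Assumptions: the XML-DSig signature has already been verified by an XML-DSig library, so only the federation part is checked here; TRUSTED_ISSUERS and ACCOUNT_LINKS are hypothetical SP-side tables, and the assertion is a constructed copy of the one above with the signature omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample modelled on the lecture's XYZ -> TelCo assertion (signature omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="a1" Issuer="https://www.xyz.com/wsf" IssueInstant="2005-07-16T15:24:29Z">
  <saml:Conditions NotBefore="2005-07-16T15:14:29Z" NotOnOrAfter="2005-07-16T15:34:29Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://www.telco.com/wsf</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>emp1@xyz.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>emp1@xyz.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="cn"><saml:AttributeValue>Employee One</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SP-side tables: issuers we trust, and (issuer, alias) -> local account.
TRUSTED_ISSUERS = {"https://www.xyz.com/wsf"}
ACCOUNT_LINKS = {("https://www.xyz.com/wsf", "emp1@xyz.com"): "XYZ_guest"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def accept(xml, my_entity_id, now):
    """Return (local_user, attributes) if the assertion is acceptable for us, else raise."""
    a = ET.fromstring(xml)
    issuer = a.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("unknown issuer")            # trust relation to the IP only
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion not valid now")   # when is this statement valid?
    if my_entity_id not in [e.text.strip() for e in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("not addressed to us")       # who is the receiver?
    subj = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS).text.strip()
    attrs = {}
    for st in a.findall("saml:AttributeStatement", NS):  # which attributes does the subject have?
        if st.find("saml:Subject/saml:NameIdentifier", NS).text.strip() != subj:
            raise ValueError("attributes for a different subject")
        for at in st.findall("saml:Attribute", NS):
            attrs[at.get("AttributeName")] = at.find("saml:AttributeValue", NS).text.strip()
    local = ACCOUNT_LINKS.get((issuer, subj))         # account linking: IP alias -> own user ID
    if local is None:
        raise ValueError("subject not linked to a local account")
    return local, attrs
```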
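The aliases from the "Ways to combine registries" and "Account linking with User Alias" slides (and the persistent NameID "jygH5F90l" in the SAML 2.0 example), as an added example that is not from the lecture: an IP keeps Farmer's three kinds of ID apart and derives the alias it sends to each SP with an HMAC over the internal account ID, so the alias is stable per SP (account linking keeps working even after a login ID change), differs between SPs, and exposes neither the login ID nor the account ID. IdentityProvider and ALIAS_KEY are hypothetical names; the key value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical IP-side key for alias derivation (constructed placeholder; keep it in a key store).
ALIAS_KEY = b"constructed-demo-key"

class IdentityProvider:
    """Tripartite IDs at the IP: internal account ID (never exposed), login ID
    (unique, changeable) and a per-SP persistent alias carried in the NameID."""
    def __init__(self, alias_key: bytes = ALIAS_KEY):
        self.key = alias_key
        self.accounts = {}      # account_id -> {"login": ..., "public": ...}
        self.logins = {}        # login_id -> account_id

    def register(self, login_id: str, public_name: str) -> str:
        account_id = secrets.token_hex(8)            # arbitrary, used only internally
        self.accounts[account_id] = {"login": login_id, "public": public_name}
        self.logins[login_id] = account_id
        return account_id

    def rename_login(self, old: str, new: str) -> None:
        account_id = self.logins.pop(old)            # account ID stays, only the login ID changes
        self.accounts[account_id]["login"] = new
        self.logins[new] = account_id

    def alias_for(self, login_id: str, sp_entity_id: str) -> str:
        """Persistent alias for (account, SP): HMAC over the SP id and the internal
        account ID. Stable for one SP, different for another SP, hides both IDs."""
        account_id = self.logins[login_id]
        msg = sp_entity_id.encode() + b"\x00" + account_id.encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:9]).decode()   # short opaque handle
```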
Account IDs are unique and can be of arbitrary complexity, as they are used only for internal linking and bookkeeping and are never exposed. Login IDs are critical because they need to be both unique and easy to remember. Public IDs are not unique but should be easy to remember; they need additional criteria for disambiguation (pictures, friends, actions). The diagram is taken from "Super Social Everybody – how to survive in the social web", Thomas Fankhauser, Stuttgart Media University 2010.

OpenID/OAuth
• The password anti-pattern
• The Nascar problem
• Acceptance and problems
• Service providers as identity provider

The Nascar Problem
Too many big labels/icons of identity providers (from: http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/)

OAuth/WRAP
• Granular token generation for mashups
• Message/API signatures
• Simple bearer tokens
• The question of channel security
Spec. at http://oauth.net/core/1.0a/; see also:
http://hueniverse.com/2010/05/introducing-oauth-2-0/
http://hueniverse.com/2010/01/open-questions-about-oauth-2-0-authentication/
http://hueniverse.com/2010/05/jrd-the-other-resource-descriptor/#comments
http://hueniverse.com/oauth/

OAuth Sequence Diagram
From: http://d.hatena.ne.jp/ZIGOROu/20090811/1250006392

Facebook Authorization Example
From: http://www.uml-diagrams.org/sequence-diagrams-examples.html

Security Analysis
• Token integrity and confidentiality
• Token verification
• Phishing with a bad redirect to a phony IP
• Customer confusion about credentials if both SP and IP support their own identity management mechanisms
• Privacy problems with the identity provider
• Log-out problem: guarantees for the customer?
• Token abuse by the SP?
• Attack on tokens at the client?
• Session to the IP?

Resources
[ANTON06] E. Anton, Web Services in realen Business-Anwendungen – Sicherheit, Transaktionalität, Geschäftsprozess-Modellierung, diploma thesis, HdM 2006, http://www.kriha.de/krihaorg/dload/uni/anton.pdf
[EBR] J. Eisenmann, A. Rauber, S. Simon, Single Sign On, software project, HdM 2003, http://www.kriha.de/krihaorg/dload/uni/eisenmann_rauber_simon.zip
[Bueck] A. Buecker, W. Filip, H. Hinton, H. Hippenstiel, M. Hollin, R. Neucom, S. Weeden, J. Westman, Federated Identity Management and Web Services Security, IBM Redbook 2005
[End] D. Endler, SessionID Hacking, http://www.idefense.com
[SAML] Security Assertion Markup Language (SAML) 2.0: Technical Overview, 2006, http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf
[Wind] P. J. Windley, Digital Identity – Unmasking Identity Management Architecture (IMA), O'Reilly 2005
[WS-FED] H. Lockhart et al., Web Services Federation Language Version 1.1 (2006), http://www.ibm.com/developerworks/library/specification/ws-fed/
[WS-SEC] B. Atkinson et al., Web Services Security (WS-Security), http://www.ibm.com/developerworks/library/ws-secure