CS489/589: Access Control & System Security
A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency
Lecture 6: Digital Identity Federation and Privacy Management
Last Class
SPKI/SDSI: Simplified approach to using PK-based services
Hierarchical CA → Decentralized and distributed CAs
Global namespace → Local namespace
Focus is on access control, rather than authentication: (name, key) → (authorization, key)
Mathematical framework for understanding TM systems
A Question…
How many (uid, pwd) pairs do you have in use?
So, single sign on will help?
Any technology to support SSO that you know?
Federated Identity
ID Avalanche
Problem in general
Tasks of managing user profiles are costly and complex
Enterprises change their business operation paradigm from click-and-mortar to brick-and-mortar
Every new addition of applications is likely to bring in a new database for storing user profiles
Considering the B2B environment, problems become worse
Identity management as a solution
Underlying technologies and processes overarching the tasks of creation, maintenance, and deletion of identities
Problem in specific
How about IM in cross-domains?
Federation of identity: mapping of user identities at various service providers
Advantages
Single Sign-On (SSO) and enhanced user convenience
Decentralization of the user management task
Privacy and security of user information
Enabling technology should be
Cost-effective
Interoperable
Web Services as a candidate?
Some concerns due to its open nature
Need for underpinning technologies for IA
Isolated IM Model
Each business maintains its own IMD. Also known as the silo model
Pros
Simple to implement
Greater control of users' identities and preferences
Limits security and privacy risks
Cons
Inconvenience to users
Hardly interoperable
Expensive to maintain
Centralized FIM Model
A central business entity (IDP) defines and brokers trust to all members (SPs) within the CoT
Pros
Easy access to member sites
Delegation of creation and administration of user identities
Cons
Limited choice of companies
Most businesses don't want to cede to a central authority
Single point of failure
Distributed FIM Model
Each partner maintains control of the identity and preference information of its own users, and is bound to trust user identities issued or authenticated by another
Pros
Authentication capabilities are distributed across domains of interest (CoT)
Delegation of creation and administration of user identities
Cons
Businesses need to cooperate
Liberty Alliance
An alliance formed to
deliver and support a federated network identity solution for the internet
provide an open standard that includes decentralized authentication and authorization from multiple vendors
enable single sign-on for consumers and businesses in an open, federated manner
enable consumers to protect the privacy and security of their network identity
aim at creating a network identity infrastructure that supports all current and emerging network access devices
Key Concepts
Key Concepts, cont.
Architecture
.NET Passport
Launched in 1999, .NET Passport
Is a web-based authentication service
Provides users with single sign-on (SSO), reducing the amount of information the user needs to remember or resubmit to various sites
Makes using business web sites easier for visitors and customers, and virtually eliminates the cost of resetting forgotten usernames and passwords
Passport Logon Process
1. Login to identity provider
2. Token issued to client
3. Token sent to service provider
4. Token validated with identity provider
5. Output sent to client
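The five-step logon flow above, as an added simulation that is not from the slides and is not Microsoft's Passport protocol: the token format (HMAC-tagged JSON claims), the in-memory user table, the site names and the controllable clock are all assumptions. It shows the two checks a service provider relies on the identity provider for in step 4: that the token was issued for this site (audience binding) and that its validity window has not passed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Issues tokens (steps 1-2) and validates them for SPs over a back channel (step 4)."""

    def __init__(self, users, now=time.time):
        self.users = users                  # constructed user -> password table (a real IdP stores hashes)
        self.key = secrets.token_bytes(32)  # IdP-only secret; service providers never see it
        self.now = now

    def login(self, user, password, site):
        """Step 1/2: authenticate the user and issue a site-bound, short-lived token."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        claims = {"sub": user, "aud": site, "exp": int(self.now()) + 300,
                  "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def validate(self, token, site):
        """Step 4: back-channel check requested by an SP. Returns the user name or None."""
        try:
            body, tag = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                          # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != site:                # token was issued for a different SP
            return None
        if claims["exp"] <= int(self.now()):     # validity window has elapsed
            return None
        return claims["sub"]


class ServiceProvider:
    """Receives the client's token (step 3), asks the IdP (step 4), answers (step 5)."""

    def __init__(self, site, idp):
        self.site, self.idp = site, idp

    def handle(self, token):
        user = self.idp.validate(token, self.site)
        return f"Welcome {user}" if user else "Access denied"


def demo():
    """Run the happy path plus two failure cases; returns the three SP outputs."""
    clock = [1_000_000]                      # constructed clock so expiry is reproducible
    idp = IdentityProvider({"alice": "correct horse"}, now=lambda: clock[0])
    shop = ServiceProvider("shop.example", idp)
    bank = ServiceProvider("bank.example", idp)
    token = idp.login("alice", "correct horse", "shop.example")
    ok = shop.handle(token)                  # intended site, fresh token
    wrong_site = bank.handle(token)          # same token replayed at another SP
    clock[0] += 600
    expired = shop.handle(token)             # same token after its window
    return ok, wrong_site, expired


if __name__ == "__main__":
    print(demo())
```

The service provider never learns the IdP's key; it only gets a yes/no plus the user name, which is what makes the central authenticator of the silo and centralized models a single point of trust.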
CardSpace Logon Process
1. Service Provider requests identity
2. CardSpace Identity Selector pops up
3. Token is built by Identity Selector (with Identity Provider)
4. Token sent to client
5. Output sent to client
Liberty vs. Passport

Criteria | Passport | Liberty
Approach to Identity Management | Combination of Silo and Close Community | Federated
Actors | 1. Passport Server 2. Participating Site 3. Users (Passport Account holders) | 1. Identity Provider 2. Service Provider 3. End-User
Components | 1. Passport Manager 2. Passport Cookies 3. Web Redirection | 1. Web Service 2. Metadata and Schemas 3. Web Redirection
Authentication Type | Centralized | Distributed
Credentials (1. Creator 2. Maintenance 3. No. of Credentials) | 1. MS Passport Server 2. MS Passport Server 3. One email address | 1. Provider (SP/IDP) 2. Respective Provider 3. Credential at each Provider
Determining Authenticator | Passport Server is the sole authenticator | Use of Common Domain Cookies
Identifiers | PUID | Pseudonyms
A Brief Introduction To Web Services
Another hype in Info. Tech?Likely the next architecture for internet based business computing
Basic functionality?
20
yA web service communicates over a network to supply a specific set of operations (methods) that other applications can invokes
Why Need?
Need for applications to interact
Internal systems – inventory, accounting, manufacturing and customer support
External systems – business partners and customers
Heterogeneous system environment
Old systems coexist with new ones in the enterprise
Integrating these systems requires them to talk to each other
Conventional approach leads to
High cost, risk and complexity
Business disruption and lost opportunity cost
WS and Screen Scraping
Many early web services implementations are deployed to replace screen scraping
Web services
Web Services is a technology that allows applications to communicate with each other in a standard format
A Web Service exposes an interface that can be accessed through XML messaging
A Web service uses an XML-based protocol to describe an operation or the data exchange with another web service
A group of web services collaborating accomplish the tasks of an application. The architecture of such an application is called Service-Oriented Architecture (SOA)
Current Web applications (for instance, servlets) are based on a client-server architecture
When a servlet talks to another servlet, one is taking on the role of a client
Architectural Difference
Web services are equal, or peer to peer
Three-tier model with key differences
Loosely coupled
Based on ubiquitous architecture
The promise of open standards
Multi-tier Architecture
(Figure; components shown: Browser, Web server, Web application server, Business objects, Database, Web services)
Brokering Architecture
(Figure in three steps: Service Provider 1 and Service Provider 2 subscribe to the Service Broker with a service description; the Service Broker recommends a service description to the Client; the Client sends a Request to the chosen Service Provider and receives a Response)
Service-Oriented Architecture
All software components are modeled as services
Functional units that are visible for other entities to invoke or consume over the network
Design focus is the service's interface
Similar to component-based software engineering
Different in that the focus is shifted to composing services over a network
Three Roles in SOA
(Figure: Service Registry, Service Requestor and Service Provider; the Requestor binds to the Provider)
Web Services and SOA
(Figure: Service Registry, Web Service Requestor and Web Service Provider, layered as Service Description = WSDL, XML-Based Messaging = SOAP, Network = HTTP)
SOAP
SOAP defines an XML-based format for sending messages
Envelope
Data encoding
RPC convention
Unlike XML-RPC, SOAP tries to be neutral to the transport protocol
HTTP
SMTP
Java Message Service
.NET also uses SOAP as the RPC mechanism
SOAP Structure
(Figure: an application-to-application exchange of a SOAP Envelope carried over HTTP/TCP/IP; the Envelope holds a SOAP Header with header parts and a SOAP Body with the payload, which may be a SOAP Fault)
A Schematic Architecture
(Figure: a SOAP Envelope travels over HTTP, SMTP, FTP, JMS or other transports to a SOAP Server, which invokes the Server Application)
SOAP: Example
POST /soap HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Host: s3.amazonaws.com
Content-Length: 562

<?xml version="1.0" encoding="ISO-8859-1"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <s:Body>
    <CreateBucket xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Bucket>my-testbucket</Bucket>
      <AWSAccessKeyId>154DZY31MD3BCYR2</AWSAccessKeyId>
      <Timestamp xsi:type="xsd:dateTime">2006-09-26T01:52:07.278Z</Timestamp>
      <Signature>B0D9wH2l7sVfCQdFSegrFHFw=</Signature>
    </CreateBucket>
  </s:Body>
</s:Envelope>
WSDL
Defines a web/network service
End point
Accepts messages
Key elements (definitions is the root element)
Documentation – English description
Types – data type (e.g. structure)
Message – message format
PortType – Java class and their operations
Binding – protocols for message or portType
Service – specifies web addresses
WSDL description may be automatically generated based on Java class definitions
Example: WSDL
Let's look at the S3 WSDL
It has a "portType" called AmazonS3 which has a set of operations. In the AmazonS3 port type there are about 20 operations
Each operation has an input message and possibly an output message

<wsdl:definitions targetNamespace="…" xmlns:tns="…">
  <wsdl:types><xsd:schema …> …. </xsd:schema></wsdl:types>
  <wsdl:message name="GetObjectRequest">
    <wsdl:part element="tns:GetObject" name="parameter"/>
  </wsdl:message>
  <wsdl:portType name="AmazonS3">
    <wsdl:operation name="GetObject">
      <wsdl:input message="tns:GetObjectRequest" name="GetObjectRequest"/>
      <wsdl:output message="tns:GetObjectResponse" name="GetObjectResponse"/>
    </wsdl:operation>
Types
<xsd:element name="GetObject">
  <xsd:complexType>
    <xsd:sequence>
      <xsd:element name="Bucket" type="xsd:string"/>
      <xsd:element name="Key" type="xsd:string"/>
      <xsd:element name="GetMetadata" type="xsd:boolean"/>
      <xsd:element name="GetData" type="xsd:boolean"/>
      <xsd:element name="InlineData" type="xsd:boolean"/>
      <xsd:element name="AWSAccessKeyId" type="xsd:string" minOccurs="0"/>
      <xsd:element name="Timestamp" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="Signature" type="xsd:string" minOccurs="0"/>
      <xsd:element name="Credential" type="xsd:string" minOccurs="0"/>
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
PortType
Recall a portType is a collection of operations
An Operation is request message + response message
<wsdl:portType name="AmazonS3">
  <wsdl:operation name="GetObject">
    <wsdl:input message="tns:GetObjectRequest" name="GetObjectRequest"/>
    <wsdl:output message="tns:GetObjectResponse" name="GetObjectResponse"/>
  </wsdl:operation>
  ….
</wsdl:portType>
A Binding maps operations of a portType to protocols
Binding
<wsdl:binding name="AmazonS3SoapBinding" type="tns:AmazonS3">
  <wsdlsoap:binding style="document"
      transport="http://schemas.xmlsoap.org/soap/http"/>
  <wsdl:operation name="GetObject">
    <wsdlsoap:operation soapAction=""/>
    <wsdl:input name="GetObjectRequest">
      <wsdlsoap:body use="literal"/>
    </wsdl:input>
    <wsdl:output name="GetObjectResponse">
      <wsdlsoap:body use="literal"/>
    </wsdl:output>
  </wsdl:operation>
  ….
</wsdl:binding>
Service
So far this is an abstract service
We have defined its port types, operations and the details of the messages
And we have defined a way the operations in this portType are to be bound to SOAP actions
To create a concrete service we need to say where it is
<wsdl:service name="AmazonS3">
  <wsdl:port binding="tns:AmazonS3SoapBinding" name="AmazonS3">
    <wsdlsoap:address location="https://s3.amazonaws.com/soap"/>
  </wsdl:port>
</wsdl:service>
</wsdl:definitions>
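A walker over the WSDL element kinds the slides list (types, message, portType, binding, service), as an added example; it is not the S3 WSDL and not code from any project. The trimmed WSDL embedded below is constructed to mirror the GetObject fragments above, with example.com names in place of Amazon's. It resolves service → port → binding → portType → operation → message → schema element, which is exactly the chain a client (or a reviewer asking "what does this endpoint accept, and which fields are optional?") has to follow.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsdlsoap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}

# Constructed WSDL modelled on the GetObject fragments in the slides (not the real S3 WSDL).
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions targetNamespace="http://example.com/doc/2006-03-01/"
    xmlns:tns="http://example.com/doc/2006-03-01/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <wsdl:types>
    <xsd:schema targetNamespace="http://example.com/doc/2006-03-01/">
      <xsd:element name="GetObject">
        <xsd:complexType><xsd:sequence>
          <xsd:element name="Bucket" type="xsd:string"/>
          <xsd:element name="Key" type="xsd:string"/>
          <xsd:element name="Signature" type="xsd:string" minOccurs="0"/>
        </xsd:sequence></xsd:complexType>
      </xsd:element>
      <xsd:element name="GetObjectResponse" type="xsd:string"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="GetObjectRequest">
    <wsdl:part element="tns:GetObject" name="parameter"/>
  </wsdl:message>
  <wsdl:message name="GetObjectResponse">
    <wsdl:part element="tns:GetObjectResponse" name="parameter"/>
  </wsdl:message>
  <wsdl:portType name="ExampleS3">
    <wsdl:operation name="GetObject">
      <wsdl:input message="tns:GetObjectRequest" name="GetObjectRequest"/>
      <wsdl:output message="tns:GetObjectResponse" name="GetObjectResponse"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="ExampleS3SoapBinding" type="tns:ExampleS3">
    <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetObject">
      <wsdlsoap:operation soapAction=""/>
      <wsdl:input name="GetObjectRequest"><wsdlsoap:body use="literal"/></wsdl:input>
      <wsdl:output name="GetObjectResponse"><wsdlsoap:body use="literal"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="ExampleS3">
    <wsdl:port binding="tns:ExampleS3SoapBinding" name="ExampleS3">
      <wsdlsoap:address location="https://s3.example.com/soap"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def local(qname):
    """Strip a 'tns:' style prefix: WSDL cross-references are QNames, not plain names."""
    return qname.split(":", 1)[1] if ":" in qname else qname


def describe_wsdl(text):
    """Return {service: {address, transport, operations: {name: {input, fields, output, soapAction}}}}."""
    root = ET.fromstring(text)
    # message name -> schema element carried in its (single) part
    messages = {m.get("name"): local(m.find("wsdl:part", NS).get("element"))
                for m in root.findall("wsdl:message", NS)}
    # schema element name -> [(field, type, required)] from the types section
    elements = {}
    for el in root.findall("wsdl:types/xsd:schema/xsd:element", NS):
        elements[el.get("name")] = [(c.get("name"), c.get("type"), c.get("minOccurs", "1") != "0")
                                    for c in el.findall(".//xsd:element", NS)]
    port_types = {pt.get("name"): pt for pt in root.findall("wsdl:portType", NS)}
    bindings = {b.get("name"): b for b in root.findall("wsdl:binding", NS)}

    result = {}
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            binding = bindings[local(port.get("binding"))]          # port -> binding
            port_type = port_types[local(binding.get("type"))]       # binding -> portType
            soap_actions = {op.get("name"): op.find("wsdlsoap:operation", NS).get("soapAction")
                            for op in binding.findall("wsdl:operation", NS)}
            ops = {}
            for op in port_type.findall("wsdl:operation", NS):
                inp = local(op.find("wsdl:input", NS).get("message"))
                out = op.find("wsdl:output", NS)                      # output is optional
                ops[op.get("name")] = {
                    "input": messages[inp],
                    "fields": elements.get(messages[inp], []),
                    "output": messages[local(out.get("message"))] if out is not None else None,
                    "soapAction": soap_actions.get(op.get("name")),
                }
            result[svc.get("name")] = {
                "address": port.find("wsdlsoap:address", NS).get("location"),
                "transport": binding.find("wsdlsoap:binding", NS).get("transport"),
                "operations": ops,
            }
    return result


if __name__ == "__main__":
    import pprint
    pprint.pprint(describe_wsdl(SAMPLE_WSDL))
```

The `required` flag comes from `minOccurs`; in the slides' GetObject type the credential fields (AWSAccessKeyId, Timestamp, Signature) are all `minOccurs="0"`, which is the kind of detail a WSDL review should surface, since the schema alone then does not force a request to be authenticated.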
UDDI
Directory for web services
XML formatted information for
Contact points "white pages"
Industry classification "yellow pages"
Web service discovery "green pages", technical information
UDDI registry
WS Security Challenges
Information espionage
Information gathering is easy
Denial of service
Availability of the UDDI repository is critical
Integrity attacks
If one component's integrity is compromised, the compromise propagates through the operation of the rest of the applications
Bypassing of firewalls
Complex queries can be made through corporate firewalls to damage the system inside
Countermeasures
Enforce trust relationships
SAML, XACML, Federated Identity
Encrypt transport links
SSL/TLS, SAML
Use HTTP proxy filters
It will filter out any suspicious requests
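One concrete shape for the "HTTP proxy filter" countermeasure, serving both the SOAP: Example / SOAP Structure slides and this one, as an added example that is not any product's filter or code from the slides. It takes the raw CreateBucket request from the SOAP: Example slide, checks the HTTP layer, refuses XML features the service never needs (a DTD), parses the Envelope, and forwards only operations on an allow-list; every rejection is answered with a SOAP Fault, the error container shown in the SOAP Structure slide. The allow-list, size limit and the trimmed request text are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"

# Gateway policy (assumed): which (namespace, operation) pairs may pass through.
ALLOWED_OPERATIONS = {(S3_NS, "CreateBucket"), (S3_NS, "GetObject")}
MAX_BODY_BYTES = 64 * 1024

# Trimmed copy of the request on the SOAP: Example slide (the slide's sample credentials).
SAMPLE_REQUEST = (
    "POST /soap HTTP/1.0\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "Host: s3.amazonaws.com\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><CreateBucket xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Bucket>my-testbucket</Bucket><AWSAccessKeyId>154DZY31MD3BCYR2</AWSAccessKeyId>"
    "<Signature>B0D9wH2l7sVfCQdFSegrFHFw=</Signature>"
    "</CreateBucket></s:Body></s:Envelope>"
)


def soap_fault(code, reason):
    """Build a SOAP 1.1 Fault envelope; a 'Client' faultcode blames the request."""
    return (f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body><s:Fault>'
            f"<faultcode>s:{code}</faultcode><faultstring>{reason}</faultstring>"
            "</s:Fault></s:Body></s:Envelope>")


def split_http(raw):
    """Separate request line, lower-cased headers and body of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def filter_request(raw):
    """Return ('forward', operation_name) or ('fault', fault_envelope_xml)."""
    request_line, headers, body = split_http(raw)
    if not request_line.startswith("POST "):
        return "fault", soap_fault("Client", "only POST is accepted")
    if not headers.get("content-type", "").startswith(("text/xml", "application/soap+xml")):
        return "fault", soap_fault("Client", "unexpected Content-Type")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return "fault", soap_fault("Client", "body too large")
    # The service never needs a DTD, so refusing one removes entity-expansion payloads outright.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return "fault", soap_fault("Client", "DTD not allowed")
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return "fault", soap_fault("Client", "malformed XML")
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return "fault", soap_fault("Client", "not a SOAP envelope")
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    children = list(soap_body) if soap_body is not None else []
    if len(children) != 1:
        return "fault", soap_fault("Client", "exactly one operation expected")
    op = children[0]
    # ElementTree spells namespaced tags as {uri}local; split that back apart.
    ns, _, name = op.tag[1:].partition("}") if op.tag.startswith("{") else ("", "", op.tag)
    if (ns, name) not in ALLOWED_OPERATIONS:
        return "fault", soap_fault("Client", f"operation {name} not permitted")
    return "forward", name


if __name__ == "__main__":
    print(filter_request(SAMPLE_REQUEST))
```

The allow-list is the part that addresses the "bypassing of firewalls" challenge: a port-level firewall sees only HTTP POSTs to /soap, whereas this filter decides per operation. Note that it says nothing about the Signature element; verifying that is the service's job, and the proxy should not be trusted to replace it.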
Technology Solutions
SAML (Security Assertion Markup Language)
The definition of a format for transferring security assertions between components
XACML (eXtensible Access Control Markup Language)
It will integrate access control policies into SAML messages
XML Signature
A format to digitally sign the content of web services messages, guaranteeing their authenticity
XKMS (XML Key Management System)
Specifies protocols for the distribution and registration of public encryption keys
Security Assertion Markup Language (SAML)
19-Nov-2002: The Security Services (SAML) TC won the Protocols category of the 2002 edition of PC Magazine's Technology Excellence awards.
SAML
It's an XML-based framework for exchanging security information
XML-encoded security assertions
XML-encoded request/response protocol
Rules on using assertions with standard transport and messaging frameworks
It's an emerging OASIS standard
Vendors and users are involved
Codifies current system outputs rather than inventing new technology
Motivations
Standards are emerging for many facets of collaborative e-commerce, such as:
Business transactions (e.g., ebXML)
Software interactions (e.g., SOAP)
But communicating security properties of these interactions isn't well standardized
Low interoperability between PMI solutions
Tight coupling within components
Web-based commerce shows the need for federation, standardization, and a more cohesive user experience
Use Cases
SAML developed three "use cases" to drive its requirements and design:
1. Single sign-on (SSO)
2. Distributed transaction
3. Authorization service
Each use case has one or more "scenarios" that provide a more detailed roadmap of interaction
SAML Assertions
Assertions are declarations of fact, according to someone
SAML assertions are compounds of one or more of three kinds of "statement" about a "subject" (human or program):
Authentication
Attribute
Authorization decision
You can extend SAML to make your own kinds of assertions and statements
Assertions can be digitally signed
Assertion Structure
Common Information
Issuer ID and issuance timestamp
Assertion ID
Subject
Name plus the security domain
Optional subject confirmation, e.g. public key
"Conditions" under which the assertion is valid
SAML clients must reject assertions containing unsupported conditions
Special kind of condition: assertion validity period
Additional "advice"
E.g., to explain how the assertion was made
Example: Common Info.
<saml:Assertion
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2009-12-03T10:02:00Z">
  <saml:Conditions
      NotBefore="2009-12-03T10:00:00Z"
      NotOnOrAfter="2009-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>…URI…</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:Advice>
    …a variety of elements can go here…
  </saml:Advice>
  …statements go here…
</saml:Assertion>
Authentication Statement
An issuing authority asserts that subject S was authenticated by means M at time T
Targeted towards SSO uses
Caution: Actually checking or revoking credentials is not in scope for SAML!
It merely lets you link back to acts of authentication that took place previously
Example: Authn Statement
<saml:Assertion …>
  <saml:AuthenticationStatement
      AuthenticationMethod="password"
      AuthenticationInstant="2009-12-03T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier
          SecurityDomain="smithco.com"
          Name="joeuser" />
      <saml:ConfirmationMethod>
        http://…core-25/sender-vouches
      </saml:ConfirmationMethod>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
Attribute Statement
An issuing authority asserts that subject S is associated with attributes A, B, … with values "a", "b", "c"…
Useful for distributed transactions and authorization services
Typically this would be gotten from an LDAP repository
"john.doe" in "example.com" is associated with attribute "Department" with value "Human Resources"
Example: Attribute Statement
<saml:Assertion …>
  <saml:AttributeStatement>
    <saml:Subject>…</saml:Subject>
    <saml:Attribute
        AttributeName="PaidStatus"
        AttributeNamespace="http://smithco.com">
      <saml:AttributeValue>
        PaidUp
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        AttributeName="CreditLimit"
        AttributeNamespace="http://smithco.com">
      <saml:AttributeValue>
        <my:amount currency="USD">500.00</my:amount>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Authorization Statement
An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E
Useful for distributed transactions and authorization services
The subject could be a human or a program
The resource could be a web page or a web service, for example
Example: Authorization Stmt.
<saml:Assertion …>
  <saml:AuthorizationStatement
      Decision="Permit"
      Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject>…</saml:Subject>
    <saml:Actions
        ActionNamespace="http://…core-25/rwedc">
      <saml:Action>Read</saml:Action>
    </saml:Actions>
  </saml:AuthorizationStatement>
</saml:Assertion>
Protocol for Getting Assertion
(Figure: the Relying Party sends a SAML Request for an Assertion of a certain type to the Asserting Party, which returns a SAML Response carrying the Assertion)
SAML Requests
You can query for specific kinds of assertion/statement
Authentication query
Attribute query
Authorization decision query
You can ask for an assertion with a particular ID
By providing an ID reference
By providing a SAML artifact
Example: Authn Query
<samlp:Request
    MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.12345678">
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier
          SecurityDomain="smithco.com"
          Name="joeuser" />
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
Example: Attribute Query
<samlp:Request …>
  <samlp:AttributeQuery>
    <saml:Subject>
      <saml:NameIdentifier
          SecurityDomain="smithco.com"
          Name="joeuser" />
    </saml:Subject>
    <saml:AttributeDesignator
        AttributeName="PaidStatus"
        AttributeNamespace="http://smithco.com">
    </saml:AttributeDesignator>
  </samlp:AttributeQuery>
</samlp:Request>
Example: Authr. Query
<samlp:Request …>
  <samlp:AuthorizationQuery
      Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject>
      <saml:NameIdentifier
          SecurityDomain="smithco.com"
          Name="joeuser" />
    </saml:Subject>
    <saml:Actions
        ActionNamespace="http://…core-25/rwedc">
      <saml:Action>Read</saml:Action>
    </saml:Actions>
    <saml:Evidence>
      <saml:Assertion>…</saml:Assertion>
    </saml:Evidence>
  </samlp:AuthorizationQuery>
</samlp:Request>
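The relying-party checks implied by the Assertion Structure slide (validity window, audience restriction, and the rule that unsupported conditions must be rejected rather than ignored), applied to an assertion in the shape of the Common Info and Authorization Statement examples, and then used to answer an Authorization Query like the one just shown. This is an added example, not the SAML specification's or any product's code. The element and attribute names follow the draft-25 syntax on the slides; the namespace URIs are placeholders because the slides elide them, and the assertion, query, audience URI and clock values are constructed. XML Signature verification is assumed to have happened before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Placeholder namespaces: the slides' core-25 URIs are elided, so these are assumptions.
SAML = "urn:example:saml-draft-25:assertion"
SAMLP = "urn:example:saml-draft-25:protocol"
RWEDC = "urn:example:saml-draft-25:action:rwedc"
NS = {"saml": SAML, "samlp": SAMLP}

# Condition elements this relying party knows how to evaluate; anything else is rejected.
SUPPORTED_CONDITIONS = {f"{{{SAML}}}AudienceRestrictionCondition"}

# Constructed assertion combining the Common Info and Authorization Stmt. slides.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation" IssueInstant="2009-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2009-12-03T10:00:00Z" NotOnOrAfter="2009-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://jonesco.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Actions ActionNamespace="{RWEDC}"><saml:Action>Read</saml:Action></saml:Actions>
  </saml:AuthorizationStatement>
</saml:Assertion>"""

# Constructed query in the shape of the Authr. Query slide.
QUERY = f"""<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.12345678">
  <samlp:AuthorizationQuery Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Actions ActionNamespace="{RWEDC}"><saml:Action>Read</saml:Action></saml:Actions>
  </samlp:AuthorizationQuery>
</samlp:Request>"""


def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, now, my_audience):
    """Apply the Conditions rules from the slides. Returns None if valid, else a reason."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None                                      # no conditions: unconditionally valid
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_instant(nb):
        return "assertion not yet valid"
    if noa and now >= parse_instant(noa):                # NotOnOrAfter is exclusive
        return "assertion expired"
    for child in cond:
        if child.tag not in SUPPORTED_CONDITIONS:
            return f"unsupported condition {child.tag}"  # must reject, never silently ignore
        audiences = {a.text.strip() for a in child.findall("saml:Audience", NS)}
        if my_audience not in audiences:
            return "assertion not addressed to this relying party"
    return None


def subject_key(subject):
    nid = subject.find("saml:NameIdentifier", NS)
    return (nid.get("SecurityDomain"), nid.get("Name"))


def actions_of(container):
    return {(container.get("ActionNamespace"), a.text.strip())
            for a in container.findall("saml:Action", NS)}


def answer_authz_query(assertion_xml, query_xml, now, my_audience):
    """Decide an AuthorizationQuery from a matching AuthorizationStatement in the assertion."""
    assertion = ET.fromstring(assertion_xml)
    reason = check_conditions(assertion, now, my_audience)
    if reason:
        return ("Indeterminate", reason)                 # an invalid assertion is no evidence at all
    query = ET.fromstring(query_xml).find("samlp:AuthorizationQuery", NS)
    wanted = (query.get("Resource"), subject_key(query.find("saml:Subject", NS)))
    wanted_actions = actions_of(query.find("saml:Actions", NS))
    for stmt in assertion.findall("saml:AuthorizationStatement", NS):
        if (stmt.get("Resource"), subject_key(stmt.find("saml:Subject", NS))) != wanted:
            continue
        if wanted_actions <= actions_of(stmt.find("saml:Actions", NS)):
            return (stmt.get("Decision"), "matching statement found")
    return ("Indeterminate", "no statement covers this subject, resource and actions")


def utc(y, mo, d, h, mi):
    """Constructed clock values for the demo (UTC)."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


def demo():
    """Inside the window, at NotOnOrAfter, and at the wrong audience: returns the three outcomes."""
    aud = "http://jonesco.com/"
    return (answer_authz_query(ASSERTION, QUERY, utc(2009, 12, 3, 10, 3), aud)[0],
            answer_authz_query(ASSERTION, QUERY, utc(2009, 12, 3, 10, 5), aud)[1],
            answer_authz_query(ASSERTION, QUERY, utc(2009, 12, 3, 10, 3), "http://other.example/")[1])


if __name__ == "__main__":
    print(demo())
```

The validity window is deliberately short on the slide (five minutes); with the exclusive NotOnOrAfter bound, 10:05:00 is already outside it. The unsupported-condition branch is the easiest rule to get wrong in practice, since a parser that simply skips unknown elements will accept an assertion whose issuer attached a restriction the relying party never evaluated.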
SAML-based SSO
Single Sign Out