1

CS489/589: CS489/589: Access Control & Access Control & System SecuritySystem Security

A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency

System SecuritySystem Security

Lecture 6

: Digital Identity Federation and Privacy Management

Last Class

SPKI/SDSISimplified approach to using PK‐based services

Hierarchical CA → Decentralized and distributed CAs

Gl b l L lGlobal namespace → Local namespace

Focus is on access control, rather than authentication(name, key) → (authorization, key)

Mathematical framework for understanding TM systems

2

A Question…

How many (uid, pwd) you have in use?

So, single sign on will help?

3

, g g p

Any technology to support SSO that you know?

Federated Identity

A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency

Federated Identity

ID Avalanche

5

Problem in general

Tasks of managing user profiles are costly and complexEnterprises change their business operation paradigm from click‐and‐mortar to brick‐and mortar

Every new addition of applications is likely to bring in new

6

database for storing user profiles

Considering B‐2‐B environment, problems become worse

Identity management as a solutionUnderlying technologies and processes overarching tasks of

Creation, maintenance, and deletion of identities

2

Problem in specificHow about IM in cross‐domains

Federation of identityMapping of user identities at various service providers

AdvantagesSingle Sign‐On (SSO) and enhanced user convenience

7

g g ( )Decentralization of user management taskPrivacy and security of user information

Enabling technology should beCost‐effectiveInteroperable

Web Services as a candidate?Some concerns due to its open natureNeed for underpinning technologies for IA

Isolated IM ModelEach business maintains its own

IMD. Also known as silo model

ProsSimple to implement

f ’

8

Greater control of user’s identities and preferencesLimits security and privacy risks

ConsInconvenience to usersHardly interoperableExpensive to maintain

Centralized FIM ModelCentral Business entity (IDP)

defines and brokers trust to all members (SPs) within CoT

Pros

9

Easy access to members sitesDelegation of creation and administration of user identities

ConsLimited choice of companiesMost businesses don’t want to cede to central authoritySingle point of failure

Distributed FIM ModelEach partner maintains control

of identity and preference information of its own users, bound to trust user identity issued or authenticated by another

10

ProsAuthentication capabilities are distributed across domains of interest (CoT)Delegation of creation and administration of user identities

ConsBusinesses need to cooperate

Liberty Alliance

An alliance formed todeliver and support a federated network identity solution for the internetprovide an open standard that includes decentralized authentication and authorization from multiple vendors

11

authentication and authorization from multiple vendorsenable single sign‐on for consumers and businesses in an open, federated manner enable consumers to protect the privacy and security of their network identity aim at creating a network identity infrastructure that supports all current and emerging network access devices

Key Concepts

12

3

Key Concepts, cont

13

Architecture

14

.NET Passport

Launched in 1999, .NET PassportIs a web‐based authentication serviceProvides the users with single sign‐on (SSO) reducing the amountof information the user needs to remember or resubmit tovarious sites

15

various sitesfacilitates using business web site easier for visitors andcustomers and virtually eliminates the cost of resetting theforgotten usernames and passwords

Passport Logon Process

Login to identity provider

Token issued to client

Token sent to service providerToken sent to service provider

Token validated with identity provider

Output sent to client

CardSpace Logon Process

Service Provider Requests Identity

CardSpace Identity Selector pops up

Token is built by Identity SelectorToken is built by Identity Selector(with Identity Provider)

Token sent to client

Output sent to client

Criteria Passport Liberty

Approach to Identity Management

1.Combination of Silo and Close Community

1.Federated

Actors 1.Passport Server2.Participating Site3.Users (Passport Account holders)

1.Identity Provider2.Service Provider3.End-User

Liberty vs. Passport

18

Components 1.Passport Manager2.Passport Cookies3.Web Redirection

1.Web Service2.Metadata and Schemas3.Web Redirection

Authentication Type 1.Centralized 1.DistributedCredentials

CreatorMaintenanceNo. of Credentials

1.MS Passport Server2.MS Passport Server3.One email address

1.Provider (SP /IDP)2.Respective Provider3.Credential at each Provider

Determining Authenticator 1.Passport Server is the sole authenticator

1.Use of Common DomainCookies

Identifiers 1.PUID 1.Pseudonyms

4

A Brief Introduction To b i

A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency

Web Services

Web Services

Another hype in Info. Tech?Likely the next architecture for internet based business computing

Basic functionality?

20

yA web service communicates over a network to supply a specific set of operations (methods) that other applications can invokes

Why Need?

Need for applications to interactInternal systems – inventory, accounting, manufacturing and customer supportExternal systems – business partners and customers

21

Heterogeneous system environmentCoexists old systems with new ones in the enterpriseIntegration of these system derive them to talk to each other

Conventional approach leads toHigh cost, the risk and the complexityThe business disruption and the lost opportunity cost

WS and Screen Scrapping

Many early web services implementations are deployed to replace screen scrapping

Web servicesWeb Services is a technology that allows for applications to

22

Web Services is a technology that allows for applications to communicate with each other in a standard formatA Web Service exposes an interface that can be accessed through XML messagingA Web service uses XML based protocol to describe an operation or the data exchange with another web serviceA group of web services collaborating accomplish the tasks of an application. The architecture of such an application is called Service‐Oriented Architecture (SOA)

Current Web applications (for instance, servlets) are based on a client‐server architecture

When a servlet talks to another servlets, one is taking on the role of a client

Architectural Difference

23

Web services are equal, or peer to peer

Three‐tier model with key differencesLoosely coupled

Based on ubiquitous architecture

The promise of open standards

Web serverWeb application

serverBrowser

Multi‐tier Architecture

24

Data baseBusiness

object

Business

object

Business

object

Business

object

Business

object

Business

object

Web services

5

ServiceBroker Service

P id 1

Subscribe: service description

Brokering Architecture

25

Client

Provider 1

Service Provider 2

Subscribe: service description

ServiceBroker Service

P id 1

Subscribe: service description

Recommend: service d i ti

Brokering Architecture

26

Client

Provider 1

Service Provider 2

Subscribe: service description

description

Service Provider 2

ServiceBroker Service

P id 1

Brokering Architecture

27

Client

Provider 1

Service Provider 2

Request

Response

Service‐Oriented ArchitectureAll software components are modeled as services

Functional units that are visible for other entities to invoke or consume over the network

Design focus is the service’s interfaceSimilar to component‐based software engineering

28

Similar to component based software engineeringDifferent in that the focus is shifted to composing services over a network

Three Roles in SOA

ServiceRegistry

29

ServiceRequestorService

RequestorServiceProviderServiceProviderBind

Web Services and SOA

Service Description

XML-Based Messaging

N k

WSDL

SOAP

HTTP

ServiceRegistry

30

Web ServiceRequestor

Web ServiceRequestor

Web ServiceProvider

Web ServiceProviderSOAP(WSDL)

NetworkHTTP

6

SOAP defines XML based format for sending messagesEnvelopeData encodingRPC convention

SOAP

31

Unlike XML‐RPC, SOAP tries to be neutral to transportation protocol

HTTPSMTPJava Message Service

.Net also uses SOAP as the RPC mechanism

SOAP Structure

Application Application

SOAP Envelope

SOAP Header

Header Parts

32

SOAP

HTTP

TCP

IP

SOAP

HTTP

TCP

IP

SOAP Body

SOAP Fault

SOAP Body part(Payload)

HTTP

SMTP

A Schematic Architecture

33

SMTP

FTP

JMS

Others

SOAPEnvelope

SOAPServer

ServerApplication

SOAP: ExamplePOST /soap HTTP/1.0Content‐Type: text/xml; charset=utf‐8Accept: application/soap+xml, application/dime, multipart/related, text/*User‐Agent: Axis/1.4Host: s3.amazonaws.comContent‐Length: 562

<? ml ersion "1 0" encoding "ISO 8859 1"?><?xml version="1.0" encoding="ISO‐8859‐1"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsd="http://www.w3.org/2001/XMLSchema“ xmlns:xsi="http://www.w3.org/2001/XMLSchemainstance">

<s:Body><CreateBucket xmlns="http://s3.amazonaws.com/doc/2006‐03‐01/">

<Bucket>my‐testbucket</Bucket><AWSAccessKeyId>154DZY31MD3BCYR2</AWSAccessKeyId><Timestamp xsi:type="xsd:dateTime">2006‐09‐26T01:52:07.278Z</Timestamp><Signature>B0D9wH2l7sVfCQdFSegrFHFw=</Signature>

</CreateBucket></s:Body></s:Envelope>

34

WSDL

Defines a web/network serviceEnd pointAccepts messages

Key elements (definitions is root element)

35

Documentation – English descriptionTypes – data type (e.g. structure)Message – message formatPortType – Java class and their operationsBinding – protocols for message or portTypeService – Specifies web addresses

WSDL description may be automatically generated based on Java class definitions

Example: WSDLLet’s look at the S3 WSDL

It has a “portType” called AmazonS3 which has a set of operations.In the AmazonS3 port type there are about 20 operations

Each operation has an input message and possibly an output message

<wsdl:definitions targetNamespace=“…” xmlns:tns=“..” >

<wsdl:types ><xsd:schema … > …. </xsd:schema>

<wsdl:message name=“GetObjectRequest”><wsdl:part element="tns:GetObject" name="parameter"/>

<wsdl:portType name="AmazonS3"><wsdl:operation name="GetObject">

<wsdl:input message="tns:GetObjectRequest" name="GetObjectRequest"/>

<wsdl:output message="tns:GetObjectResponse" name="GetObjectResponse"/>

</wsdl:operation>

36

7

Types<xsd:element name="GetObject">

<xsd:complexType><xsd:sequence><xsd:element name="Bucket" type="xsd:string"/><xsd:element name="Key" type="xsd:string"/>

d l "G M d " " d b l "/<xsd:element name="GetMetadata" type="xsd:boolean"/><xsd:element name="GetData" type="xsd:boolean"/><xsd:element name="InlineData" type="xsd:boolean"/><xsd:element name="AWSAccessKeyId" type="xsd:string" minOccurs="0"/><xsd:element name="Timestamp" type="xsd:dateTime" minOccurs="0"/><xsd:element name="Signature" type="xsd:string" minOccurs="0"/><xsd:element name="Credential" type="xsd:string" minOccurs="0"/>

</xsd:sequence></xsd:complexType></xsd:element>

37

PortType

Recall a portType is a collection of operations

An Operation is request message + response message<wsdl:portType name="AmazonS3">

<wsdl:operation name="GetObject">p j<wsdl:input message="tns:GetObjectRequest" name="GetObjectRequest"/><wsdl:output message="tns:GetObjectResponse" name="GetObjectResponse"/>

</wsdl:operation>

….

A Binding maps operations of a portType to protocols

38

Binding<wsdl:binding name="AmazonS3SoapBinding" type="tns:AmazonS3">

<wsdlsoap:binding style="document"

transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="GetObject">

<wsdlsoap:operation soapAction=“"/>

<wsdl:input name="GetObjectRequest">

<wsdlsoap:body use="literal"/>

</wsdl:input>

<wsdl:output name="GetObjectResponse">

<wsdlsoap:body use="literal"/>

</wsdl:output>

</wsdl:operation>

….

</wsdl:binding>

39

Service

So far this is an abstract serviceWe have defined its port types, operations and the details of the messages

And we have defined some a way this operations in this portType are to be bound to soap actions

To create a concrete service we need to say where it is<wsdl:service name="AmazonS3">

<wsdl:port binding="tns:AmazonS3SoapBinding" name="AmazonS3">

<wsdlsoap:address location="https://s3.amazonaws.com/soap"/>

</wsdl:port>

</wsdl:service>

</wsdl:definitions>

40

Directory for web services

XML formatted information forContact points “white page”

Industry classification “yellow pages”

UDDI

41

Industry classification yellow pages

Web service discovery “green page”, technical information

UDDI registry

WS Security ChallengesInformation espionage

Information gathering is easyDenial of service

Availability of UDDI repository is criticalI t it tt k

42

Integrity attacksIf one component’s integrity is compromised, then it will propagate through the operation of the rest of applications

Bypassing of firewallsThe complex query can be made through corporate firewalls to damage the system inside

8

CountermeasuresEnforce trust relationships

SAML, XACML, Federated IdentityEncrypt transport Links

SSL/TLS, SAMLU HTTP filt

43

Use HTTP proxy filtersIt will filter out any suspicious requests

Technology SolutionsSAML (Security Assertion Markup Language)

The definition of a format for transferring security assertions between components

XACML (eXtensible Access Control Markup Language)It will integrate access control policies into SAML messages

44

It will integrate access control policies into SAML messagesXML Signature

A format to digitally sign the content of web services messages, guaranteeing their authenticity

XKMS (XML Key Management System) Specifies protocols for the distribution and registration of public encryption keys

Security Assertion Markup ( )

A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency

Language (SAML)

19-Nov-2002: The Security Services (SAML) TC won the Protocols category of the 2002 edition of PC Magazine's Technology Excellence awards.

SAML

It’s an XML‐based framework for exchanging security information

XML‐encoded security assertionsXML‐encoded request/response protocol

46

Rules on using assertions with standard transport and messaging frameworks

It’s an emerging OASIS standardVendors and users are involvedCodifies current system outputs rather than inventing new technology

Standards are emerging for many facets of collaborative e‐commerce, such as:

Business transactions (e.g., ebXML)Software interactions (e.g., SOAP)

Motivations

47

But communicating security properties of these interactions isn’t well standardized

Low interoperability between PMI solutionsTight coupling within components

Web‐based commerce shows the need for federation, standardization, and a more cohesive user experience

Use Cases

SAML developed three “use cases” to drive its requirements and design:

1. Single sign‐on (SSO)

2. Distributed transaction

48

3. Authorization service

Each use case has one or more “scenarios” that provide a more detailed roadmap of interaction

9

SAML Assertions

Assertions are declarations of fact, according to someoneSAML assertions are compounds of one or more of three kinds of “statement” about “subject” (human or program):

49

p g )AuthenticationAttributeAuthorization decision

You can extend SAML to make your own kinds of assertions and statementsAssertions can be digitally signed

Assertion Structure

50

Common InformationIssuer ID and issuance timestampAssertion IDSubject

Name plus the security domain

51

Optional subject confirmation, e.g. public key“Conditions” under which assertion is valid

SAML clients must reject assertions containing unsupported conditionsSpecial kind of condition: assertion validity period

Additional “advice”E.g., to explain how the assertion was made

Example: Common Info.<saml:AssertionMajorVersion=“1” MinorVersion=“0”AssertionID=“128.9.167.32.12345678”Issuer=“Smith Corporation“IssueInstant=“2009-12-03T10:02:00Z”><saml:Conditions

NotBefore=“2009-12-03T10:00:00Z”N tO O Aft “2009 12 03T10 05 00Z”>

52

NotOnOrAfter=“2009-12-03T10:05:00Z”><saml:AudienceRestrictionCondition>

<saml:Audience>…URI…</saml:Audience></saml:AudienceRestrictionCondition>

</saml:Conditions><saml:Advice>

…a variety of elements can go here…</saml:Advice>…statements go here…

</saml:Assertion>

Authentication Statement

An issuing authority asserts that subject S was authenticated by means M at time TTargeted towards SSO usesCaution: Actually checking or revoking of credentials is

53

y g gnot in scope for SAML!It merely lets you link back to acts of authentication that took place previously

Example: Authn Statement<saml:Assertion …><saml:AuthenticationStatement

AuthenticationMethod=“password”AuthenticationInstant=“2009-12-03T10:02:00Z”><saml:Subject>

<saml:NameIdentifierSecurityDomain=“smithco.com”N “j ” />

54

Name=“joeuser” /><saml:ConfirmationMethod>

http://…core-25/sender-vouches</saml:ConfirmationMethod>

</saml:Subject></saml:AuthenticationStatement></saml:Assertion>

10

Attribute StatementAn issuing authority asserts that subject S is associated with attributes A, B, … with values “a”, “b”, “c”…Useful for distributed transactions and authorization servicesTypically this would be gotten from an LDAP repository

55

Typically this would be gotten from an LDAP repository“john.doe” in “example.com”is associated with attribute “Department”with value “Human Resources”

Example: Attribute Statement<saml:Assertion …><saml:AttributeStatement>

<saml:Subject>…</saml:Subject><saml:Attribute

AttributeName=“PaidStatus”AttributeNamespace=“http://smithco.com”><saml:AttributeValue>

P idU

56

PaidUp</saml:AttributeValue>

</saml:Attribute><saml:Attribute

AttributeName=“CreditLimit”AttributeNamespace=“http://smithco.com”><saml:AttributeValue>

<my:amount currency=“USD”>500.00</my:amount>

</saml:AttributeValue></saml:Attribute>

</saml:AttributeStatement></saml:Assertion>

Authorization Statement

An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E

Useful for distributed transactions and authorization

57

Useful for distributed transactions and authorization services

The subject could be a human or a program

The resource could be a web page or a web service, for example

Example: Authorization Stmt.<saml:Assertion …><saml:AuthorizationStatement

Decision=“Permit”Resource=“http://jonesco.com/rpt_12345.htm”><saml:Subject>…</saml:Subject><saml:Actions

ActionNamespace=“http://…core-25/rwedc”>< l A ti >R d</ l A ti >

58

<saml:Action>Read</saml:Action></saml:Actions>

</saml:AuthorizationStatement></saml:Assertion>

Protocol for Getting Assertion

SAMLSAMLSAML

Asserting Party

59

Assertion

Response

Assertion

Request forAssertion ofCertain Type

Response

Assertion

Relying Party

SAML Requests

You can query for specific kinds of assertion/statementAuthentication query

Attribute query

Authorization decision query

60

q y

You can ask for an assertion with a particular IDBy providing an ID reference

By providing a SAML artifact

11

Example: Authn Query<samlp:RequestMajorVersion=“1” MinorVersion=“0”RequestID=“128.14.234.20.12345678” ><samlp:AuthenticationQuery>

<saml:Subject><saml:NameIdentifier

SecurityDomain=“smithco com”

61

SecurityDomain=“smithco.com”Name=“joeuser” />

</saml:Subject></samlp:AuthenticationQuery>

</samlp:Request>

Example: Attribute Query<samlp:Request … ><samlp:AttributeQuery>

<saml:Subject><saml:NameIdentifier

SecurityDomain=“smithco.com”Name=“joeuser” />

</saml:Subject>< l Att ib t D i t

62

<saml:AttributeDesignatorAttributeName=“PaidStatus”AttributeNamespace=“http://smithco.com”>

</saml:AttributeDesignator></samlp:AttributeQuery>

</samlp:Request>

Example: Authr. Query<samlp:Request …><samlp:AuthorizationQuery

Resource=“http://jonesco.com/rpt_12345.htm”><saml:Subject>

<saml:NameIdentifierSecurityDomain=“smithco.com”Name=“joeuser” />

</ l S bj t>

63

</saml:Subject><saml:Actions

ActionNamespace=“http://…core-25/rwedc”><saml:Action>Read</saml:Action>

</saml:Actions><saml:Evidence>

<saml:Assertion>…</saml:Assertion></saml:Evidence>

</samlp:AuthorizationQuery></samlp:Request>

SAML‐based SSO

64

Single Sign Out

65