Last Class. A Question. Federated Identity. ID Avalanche. Problem in general SPKI/SDSI. Lecture 6 : Digital Identity Federation and Privacy Management

Transcription

1 CS489/589: Access Control & System Security Lecture 6 : Digital Identity Federation and Privacy Management Last Class SPKI/SDSI Simplified approach to using PK based services Hierarchical CA Decentralized and distributed CAs Global l namespace Local namespace Focus is on access control, rather than authentication (name, key) (authorization, key) Mathematical framework for understanding TM systems A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency 2 A Question How many (uid, pwd) you have in use? So, single sign on will help? Federated Identity Any technology to support SSO that you know? 3 A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency ID Avalanche Problem in general Tasks of managing user profiles are costly and complex Enterprises change their business operation paradigm from clickand mortar to brick and mortar Every new addition of applications is likely to bring in new database for storing user profiles Considering B 2 B environment, problems become worse Identity management as a solution Underlying technologies and processes overarching tasks of Creation, maintenance, and deletion of identities 5 6

2 Problem in specific How about IM in cross domains Federation of identity Mapping of user identities at various service providers Advantages Single Sign On (SSO) and enhanced user convenience Decentralization of user management task Privacy and security of user information Enabling technology should be Cost effective Interoperable Web s as a candidate? Some concerns due to its open nature Need for underpinning technologies for IA Isolated IM Model Each business maintains its own IMD. Also known as silo model Pros Simple to implement Greater control of user s identities and preferences Limits security and privacy risks Cons Inconvenience to users Hardly interoperable Expensive to maintain 7 8 Centralized FIM Model Central Business entity (IDP) defines and brokers trust to all members (SPs) within CoT Pros Easy access to members sites Delegation of creation and administration of user identities Cons Limited choice of companies Most businesses don t want to cede to central authority Single point of failure Distributed FIM Model Each partner maintains control of identity and preference information of its own users, bound to trust user identity issued or authenticated by another Pros Authentication capabilities are distributed across domains of interest (CoT) Delegation of creation and administration of user identities Cons Businesses need to cooperate 9 10 Liberty Alliance Key Concepts An alliance formed to deliver and support a federated network identity solution for the internet provide an open standard that includes decentralized authentication and authorization from multiple vendors enable single sign on for consumers and businesses in an open, federated manner enable consumers to protect the privacy and security of their network identity aim at creating a network identity infrastructure that supports all current and emerging network access devices 11 12

3 Key Concepts, cont Architecture NET Passport Launched in 1999,.NET Passport Is a web based authentication service Provides the users with single sign on (SSO) reducing the amount of information the user needs to remember or resubmit to various sites facilitates using business web site easier for visitors and customers and virtually eliminates the cost of resetting the forgotten usernames and passwords Passport Logon Process Login to identity provider Token issued to client Token sent to service provider Token validated with identity provider Output sent to client 15 CardSpace Logon Process Provider Requests Identity CardSpace Identity Selector pops up Token is built by Identity Selector (with Identity Provider) Token sent to client Output sent to client Liberty vs. Passport Approach to Identity Management Actors Components Criteria Passport Liberty 1.Combination of Silo and Close Community 1.Passport Server 2.Participating Site 3.Users (Passport Account holders) 1.Passport Manager 2.Passport Cookies 3.Web Redirection 1.Federated 1.Identity Provider 2. Provider 3.End-User Authentication Type 1.Centralized 1.Distributed Credentials Creator Maintenance No. of Credentials Determining Authenticator 1.MS Passport Server 2.MS Passport Server 3.One address 1.Passport Server is the sole authenticator 1.Web 2.Metadata and Schemas 3.Web Redirection 1.Provider (SP /IDP) 2.Respective Provider 3.Credential at each Provider Identifiers 1.PUID 1.Pseudonyms 1.Use of Common Domain Cookies 18

4 Web s A Brief Introduction To Web s Another hype in Info. Tech? Likely the next architecture for internet based business computing Basic functionality? A web service communicates over a network to supply a specific set of operations (methods) that other applications can invokes A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency 20 Why Need? Need for applications to interact Internal systems inventory, accounting, manufacturing and customer support External systems business partners and customers Heterogeneous system environment Coexists old systems with new ones in the enterprise Integration of these system derive them to talk to each other Conventional approach leads to High cost, the risk and the complexity The business disruption and the lost opportunity cost WS and Screen Scrapping Many early web services implementations are deployed to replace screen scrapping Web services Web s is a technology that allows for applications to communicate with each other in a standard format A Web exposes an interface that can be accessed through XML messaging A Web service uses XML based protocol to describe an operation or the data exchange with another web service A group of web services collaborating accomplish the tasks of an application. The architecture of such an application is called Oriented Architecture (SOA) Architectural Difference Multi tier Architecture Current Web applications (for instance, servlets) are based on a client server architecture When a servlet talks to another servlets, one is taking on the role of a client Web services are equal, or peer to peer Three tier model with key differences Loosely coupled Based on ubiquitous architecture The promise of open standards Browser Web services Business object Business Business object object Web server Web application server Business object Business object Business object Data base 23 24

5 Brokering Architecture Brokering Architecture Broker Subscribe: service description Provider 1 Recommend: service description Broker Subscribe: service description Provider 1 Client Subscribe: service description Provider 2 Client Provider 2 Subscribe: service description Provider Brokering Architecture Oriented Architecture Client Request Response Broker Provider 1 Provider 2 All software components are modeled as services Functional units that are visible for other entities to invoke or consume over the network Design focus is the service s interface Similar to component based software engineering Different in that the focus is shifted to composing services over a network Three Roles in SOA Web s and SOA Registry Registry WSDL SOAP Description XML-Based Messaging HTTP Network Requestor Bind Provider Web Requestor SOAP(WSDL) Web Provider 29 30

6 SOAP SOAP Structure SOAP defines XML based format for sending messages Envelope Data encoding RPC convention Unlike XML RPC, SOAP tries to be neutral to transportation protocol HTTP SMTP Java Message.Net also uses SOAP as the RPC mechanism Application SOAP HTTP TCP IP Application SOAP HTTP TCP IP SOAP Envelope SOAP Header Header Parts SOAP Body SOAP Body part(payload) SOAP Fault A Schematic Architecture HTTP SOAP: Example POST /soap HTTP/1.0 Content Type: text/xml; charset=utf 8 Accept: application/soap+xml, application/dime, multipart/related, text/* User Agent: Axis/1.4 Host: s3.amazonaws.com Content Length: 562 SMTP FTP JMS Others SOAP Envelope SOAP Server Server Application <?xml version="1.0" encoding="iso "?> <s:envelope xmlns:s=" xmlns:xsd=" xmlns:xsi=" <s:body> <CreateBucket xmlns=" /"> <Bucket>my testbucket</bucket> <AWSAccessKeyId>154DZY31MD3BCYR2</AWSAccessKeyId> <Timestamp xsi:type="xsd:datetime"> T01:52:07.278Z</Timestamp> <Signature>B0D9wH2l7sVfCQdFSegrFHFw=</Signature> </CreateBucket> </s:body> </s:envelope> WSDL Defines a web/network service End point Accepts messages Key elements (definitions is root element) Documentation English description Types data type (e.g. structure) Message message format PortType Java class and their operations Binding protocols for message or porttype Specifies web addresses WSDL description may be automatically generated based on Java class definitions 35 Example: WSDL Let s look at the S3 WSDL It has a porttype called AmazonS3 which has a set of operations. In the AmazonS3 port type there are about 20 operations Each operation has an input message and possibly an output message <wsdl:definitions targetnamespace= xmlns:tns=.. > <wsdl:types > <xsd:schema >. </xsd:schema> <wsdl:message name= GetObjectRequest > <wsdl:part element="tns:getobject" name="parameter"/> <wsdl:porttype name="amazons3"> <wsdl:operation name="getobject"> <wsdl:input message="tns:getobjectrequest" name="getobjectrequest"/> <wsdl:output message="tns:getobjectresponse" name="getobjectresponse"/> </wsdl:operation> 36

7 Types <xsd:element name="getobject"> <xsd:complextype> <xsd:sequence> <xsd:element name="bucket" type="xsd:string"/> <xsd:element name="key" type="xsd:string"/> <xsd:element name="getmetadata" " type="xsd:boolean"/> "/ <xsd:element name="getdata" type="xsd:boolean"/> <xsd:element name="inlinedata" type="xsd:boolean"/> <xsd:element name="awsaccesskeyid" type="xsd:string" minoccurs="0"/> <xsd:element name="timestamp" type="xsd:datetime" minoccurs="0"/> <xsd:element name="signature" type="xsd:string" minoccurs="0"/> <xsd:element name="credential" type="xsd:string" minoccurs="0"/> </xsd:sequence></xsd:complextype></xsd:element> PortType Recall a porttype is a collection of operations An Operation is request message + response message <wsdl:porttype name="amazons3"> <wsdl:operation name="getobject"> <wsdl:input message="tns:getobjectrequest" name="getobjectrequest"/> <wsdl:output message="tns:getobjectresponse" name="getobjectresponse"/> </wsdl:operation>. A Binding maps operations of a porttype to protocols Binding <wsdl:binding name="amazons3soapbinding" type="tns:amazons3"> <wsdlsoap:binding style="document" transport=" <wsdl:operation name="getobject"> <wsdlsoap:operation soapaction= "/> <wsdl:input name="getobjectrequest"> <wsdlsoap:body use="literal"/> </wsdl:input> <wsdl:output name="getobjectresponse"> <wsdlsoap:body use="literal"/> </wsdl:output> </wsdl:operation>. </wsdl:binding> So far this is an abstract service We have defined its port types, operations and the details of the messages And we have defined some a way this operations in this porttype are to be bound to soap actions To create a concrete service we need to say where it is <wsdl:service name="amazons3"> <wsdl:port binding="tns:amazons3soapbinding" name="amazons3"> <wsdlsoap:address location=" </wsdl:port> </wsdl:service> </wsdl:definitions> UDDI Directory for web services XML formatted information for Contact points white page Industry classification yellow pages Web service discovery green page, technical information UDDI registry WS Security Challenges Information espionage Information gathering is easy Denial of service Availability of UDDI repository is critical Integrity attacks If one component s integrity is compromised, then it will propagate through the operation of the rest of applications Bypassing of firewalls The complex query can be made through corporate firewalls to damage the system inside 41 42

8 Countermeasures Enforce trust relationships SAML, XACML, Federated Identity Encrypt transport Links SSL/TLS, SAML Use HTTP proxy filters It will filter out any suspicious requests Technology Solutions SAML (Security Assertion Markup Language) The definition of a format for transferring security assertions between components XACML (extensible Access Control Markup Language) It will integrate access control policies into SAML messages XML Signature A format to digitally sign the content of web services messages, guaranteeing their authenticity XKMS (XML Key Management System) Specifies protocols for the distribution and registration of public encryption keys SAML Security Assertion Markup Language (SAML) 19-Nov-2002: The Security s (SAML) TC won the Protocols category of the 2002 edition of PC Magazine's Technology Excellence awards. It s an XML based framework for exchanging security information XML encoded security assertions XML encoded request/response protocol Rules on using assertions with standard transport and messaging frameworks It s an emerging OASIS standard Vendors and users are involved Codifies current system outputs rather than inventing new technology A Designated Center of Academic Excellence in Information Assurance Education by the National Security Agency 46 Motivations Use Cases Standards are emerging for many facets of collaborative e commerce, such as: Business transactions (e.g., ebxml) Software interactions (e.g., SOAP) But communicating security properties of these interactions isn t well standardized Low interoperability between PMI solutions Tight coupling within components Web based commerce shows the need for federation, standardization, and a more cohesive user experience SAML developed three use cases to drive its requirements and design: 1. Single sign on (SSO) 2. Distributed transaction 3. Authorization service Each use case has one or more scenarios that provide a more detailed roadmap of interaction 47 48

9 SAML Assertions Assertion Structure Assertions are declarations of fact, according to someone SAML assertions are compounds of one or more of three kinds of statement about subject (human or program): Authentication Attribute Authorization decision You can extend SAML to make your own kinds of assertions and statements Assertions can be digitally signed Common Information Issuer ID and issuance timestamp Assertion ID Subject Name plus the security domain Optional subject confirmation, e.g. public key Conditions under which assertion is valid SAML clients must reject assertions containing unsupported conditions Special kind of condition: assertion validity period Additional advice E.g., to explain how the assertion was made Example: Common Info. <saml:assertion MajorVersion= 1 MinorVersion= 0 AssertionID= Issuer= Smith Corporation IssueInstant= T10:02:00Z > <saml:conditions NotBefore= T10:00:00Z NotOnOrAfter= T10:05:00Z > <saml:audiencerestrictioncondition> <saml:audience> URI </saml:audience> </saml:audiencerestrictioncondition> </saml:conditions> <saml:advice> a variety of elements can go here </saml:advice> statements go here </saml:assertion> Authentication Statement An issuing authority asserts that subject S was authenticated by means M at time T Targeted towards SSO uses Caution: Actually checking or revoking of credentials is not in scope for SAML! It merely lets you link back to acts of authentication that took place previously Example: Authn Statement <saml:assertion > <saml:authenticationstatement AuthenticationMethod= password AuthenticationInstant= T10:02:00Z > <saml:subject> <saml:nameidentifier SecurityDomain= smithco.com Name= joeuser /> <saml:confirmationmethod> core-25/sender-vouches </saml:confirmationmethod> </saml:subject> </saml:authenticationstatement> </saml:assertion> 53 54

10 Attribute Statement An issuing authority asserts that subject S is associated with attributes A, B, with values a, b, c Useful for distributed transactions and authorization services Typically this would be gotten from an LDAP repository john.doe in example.com is associated with attribute Department with value Human Resources Example: Attribute Statement <saml:assertion > <saml:attributestatement> <saml:subject> </saml:subject> <saml:attribute AttributeName= PaidStatus AttributeNamespace= > <saml:attributevalue> PaidUp </saml:attributevalue> </saml:attribute> <saml:attribute AttributeName= CreditLimit AttributeNamespace= > <saml:attributevalue> <my:amount currency= USD > </my:amount> </saml:attributevalue> </saml:attribute> </saml:attributestatement> </saml:assertion> Authorization Statement An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E Useful for distributed transactions and authorization services The subject could be a human or a program The resource could be a web page or a web service, for example Example: Authorization Stmt. <saml:assertion > <saml:authorizationstatement Decision= Permit Resource= > <saml:subject> </saml:subject> <saml:actions ActionNamespace= core-25/rwedc > <saml:action>read</saml:action> </saml:actions> </saml:authorizationstatement> </saml:assertion> Protocol for Getting Assertion SAML Requests SAML Request for Assertion of Certain Type Asserting Party Response Assertion You can query for specific kinds of assertion/statement Authentication query Attribute query Authorization decision query You can ask for an assertion with a particular ID By providing an ID reference By providing a SAML artifact Relying Party 59 60

11 Example: Authn Query <samlp:request MajorVersion= 1 MinorVersion= 0 RequestID= > <samlp:authenticationquery> <saml:subject> <saml:nameidentifier SecurityDomain= smithco.com com Name= joeuser /> </saml:subject> </samlp:authenticationquery> </samlp:request> Example: Attribute Query <samlp:request > <samlp:attributequery> <saml:subject> <saml:nameidentifier SecurityDomain= smithco.com Name= joeuser /> </saml:subject> <saml:attributedesignator AttributeName= PaidStatus AttributeNamespace= > </saml:attributedesignator> </samlp:attributequery> </samlp:request> Example: Authr. Query SAML based SSO <samlp:request > <samlp:authorizationquery Resource= > <saml:subject> <saml:nameidentifier SecurityDomain= smithco.com Name= joeuser /> </saml:subject> <saml:actions ActionNamespace= core-25/rwedc > <saml:action>read</saml:action> </saml:actions> <saml:evidence> <saml:assertion> </saml:assertion> </saml:evidence> </samlp:authorizationquery> </samlp:request> Single Sign Out 65