Kerberos for the Web Current State and Leverage Points

Similar documents
Kerberos on the Web Thomas Hardjono

Warm Up to Identity Protocol Soup

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Identity as a Platform Service

SAML-Based SSO Solution

Network Security Essentials

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

SAML-Based SSO Solution

U.S. E-Authentication Interoperability Lab Engineer

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Identity Provider for SAP Single Sign-On and SAP Identity Management

Authentication. Katarina

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

2010 Kerberos Conference

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Canadian Access Federation: Trust Assertion Document (TAD)

Identity-Enabled Web Services

Canadian Access Federation: Trust Assertion Document (TAD)

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Security Assertions Markup Language (SAML)

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

Identity Systems and Liberty Specification Version 1.1 Interoperability

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

5 OAuth EssEntiAls for APi AccEss control layer7.com

Tivoli Federated Identity Manager. Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic

SAP Security in a Hybrid World. Kiran Kola

Sentinet for BizTalk Server SENTINET

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

THE SECURITY LEADER S GUIDE TO SSO

Project Moonshot. IETF 77, Anaheim. Sam Hartman, Painless Security LLC Josh Howlett, JANET(UK) Image Viatour Luc (

Federated Identity Management and Network Virtualization

Auto-Connect via Dynamic Federation

Sentinet for Windows Azure VERSION 2.2

5 OAuth Essentials for API Access Control

National Identity Exchange Federation. Terminology Reference. Version 1.0

AARC Blueprint Architecture

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Canadian Access Federation: Trust Assertion Document (TAD)

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

1. Federation Participant Information DRAFT

Dissecting NIST Digital Identity Guidelines

Canadian Access Federation: Trust Assertion Document (TAD)

Access Management Handbook

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

OPENID CONNECT 101 WHITE PAPER

Liferay Security Features Overview. How Liferay Approaches Security

Sentinet for Microsoft Azure SENTINET

Lesson 13 Securing Web Services (WS-Security, SAML)

Kerberos and Single Sign On with HTTP

The Kerberos Authentication Service

SAP Single Sign-On 2.0 Overview Presentation

KEY DISTRIBUTION AND USER AUTHENTICATION

Trusted identities for the cloud using open source technologies where Open ecard App meets SkIDentity

Integrated Access Management Solutions. Access Televentures

Oracle Fusion Middleware

Spotfire Security. Peter McKinnis July 2017

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

OATH : An Initiative for Open AuTHentication

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Canadian Access Federation: Trust Assertion Document (TAD)

CA SiteMinder. Federation in Your Enterprise 12.51

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Canadian Access Federation: Trust Assertion Document (TAD)

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Introduction to application management

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.

The Future of Indoor Plumbing. Dr Ken Klingenstein Director, Internet2 Middleware and Security

Challenges in Authenticationand Identity Management

Oracle Communications Services Gatekeeper

Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.

Thebes, WS SAML, and Federation

Identity Management (IdM) is a crosscutting focus area for DHS

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards

05/31/2010. Smart OpenID

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1)

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

Canadian Access Federation: Trust Assertion Document (TAD)

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

SAS Viya 3.3 Administration: Authentication

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Strong Security Elements for IoT Manufacturing

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Identity and Access Management Infrastructure for Oxford University

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

A RESTful Approach to Identity-based Web Services

Kerberos Revisited Quantum-Safe Authentication

Security of Web Level User Identity Management

Transcription:

Kerberos for the Web Current State and Leverage Points Executive Advisory Board Meeting and Financial Services Security Summit New York, 3-4 November 2008.

Towards Kerberizing Web Identity and Services 1. To explain The identity landscape and where Kerberos might fit in. Our recommendations to the Kerberos Consortium. 2. To listen Your business cases Your user stories Your requirements

Scope Towards Help MIT KC understand the web identity landscape, and Kerberos' place in it. Find the right problems to solve. Kerberizing Mature & highly successful intra-enterprise technology. Largely irrelevant in the Web space. Web Identity Human wielding a web browser, talking to a machine. Web Services Machine wielding web technologies, talking to a machine.

A Short History of Web Identity

The Primordial Identity Soup End-user (browser) Service provider Typically HTTP+HTML Formbased authentication

Birth of Web Single Sign-On and Identity End-user Identity Provider Service provider Typically HTTP+HTML Formbased authentication Service provider requests IdP to perform enduser authentication

Evolution Towards Federated Identity End-user Identity Provider domain A Another Service provider domain B Typically HTTP+HTML Formbased authentication Service provider from another domain relies on IdP to perform end-user authentication

Emergence of Web Services Front channel Back channel End-user End-user Identity Provider Service provider Another service Web services interactions

Stakeholders

Stakeholders End Users Consumers Employees Service Providers Internal-facing services consuming Employees' identities External-facing services consuming Consumers identities Enterprises Federated Partners

Stakeholder Requirements Stakeholders Type Code Description Simplicity U1 End users want to reduce the number of sign-on technologies and credentials that they are required to use to access web-based service providers. End users Transparency Flexibility U2 U3 U4 End users want to reduce the number of authentication steps taken when using service providers. End users want to use mobile devices when authenticating to service providers. End users want to assert different identity information in different contexts, e.g. to be able to "don" different roles when interacting with either the same or different service providers (e.g. to be able to interact with a given bank in the role of either an individual consumer, or an officer of a company which is also the same bank's customer). U5 End users want to use untrusted devices (e.g. an airport Internet kiosk or a borrowed device) to access service providers without compromising their credentials.

Stakeholder Requirements Stakeholders Type Code Description Service Providers Simplicity S1 Risk management S2 Service providers that consume identities from third-party identity providers want to reduce and/or minimize the number of sign-on technologies that they are required to support. This applies to both Internet-based and enterprisebased SPs. Service providers want to be able to manage and minimize the risks they assume in providing their service, particularly with respect to phishing in Financial services and similarly sensitive applications.

Stakeholder Requirements Stakeholders Type Code Description Enterprise Risk management Simplicity N-Tier E1 E2 E3 E4 E5 E6 Enterprise security officers want secure authentication for SOA. Enterprise SOA architects want flexible life-cycle management for identities used for SOA. Enterprise administrators want to reuse existing Kerberos infrastructure when deploying web applications and web services in order to reduce the cost of security administration. Enterprise system integrators want interoperability between web service implementations from major vendors. Enterprise identity architects want SSO-support in popular browsers with credential delegation capabilities turned on by default. Enterprise identity architects want to be able to extend existing cookie-based SSO systems with support for Kerberos backchannel authentication and credentials delegation.

Stakeholder Requirements Stakeholders Type Code Description Federated Partners N-tier Level of Authentication Identity Provider Discovery Technical trust establishment Governance F1 F2 F3 F4 F5 Deployers of web-based portal services with kerberized backendservices need to be able to use federated identity with N-tier authentication. Grid services (in environments where PK-INIT is used) in the US Federal sector need to fulfill policy requirements that authentication be done using smartcards. Service providers with a large number of affiliated Identity Providers requires a way to determine which Identity Provider a user is affiliated with, so that it knows where to request assertions for the user'. Federated partners want to reduce the complexity and effort incurred in establishing technical trust between their systems. The IT management at two or more federated partners need to define conventions, or an agreement, governing the use of a federated business process that is secured using Kerberos.

Use cases

Back channel Web service client Web service Shared secrets often stored insecurely and poorly managed Enterprise infrastructure (KDC, etc) Web services not integrated into Enterprise infrastructure

Front channel Employee or consumer Identity Provider Internal or third-party service provider Secure and single sign on, but selective. Increasing demand for mobile or untrusted devices Discovery of identity provider in multi-party federations Ability to converse with a diverse range of identity providers

Technology

Aspects & Technology Front-channel Authentication Message Authentication/Message Security Credentials Delegation Level-of-Assurance Transport Identity Federations

Aspects & Technology Front-channel Authentication Negotiate Information Card Message Authentication/Message Security Credentials Delegation Level-of-Assurance Transport Identity Federations

Aspects & Technology Front-channel Authentication Message Authentication/Message Security WS-Security Kerberos Token Profile Credentials Delegation Level-of-Assurance Transport Identity Federations

Aspects & Technology Front-channel Authentication Message Authentication/Message Security Credentials Delegation Kerberos and the Enterprise Web SSO Constrained Delegation (s4u2self) Level-of-Assurance Transport Identity Federations

Aspects & Technology Front-channel Authentication Message Authentication/Message Security Credentials Delegation Level-of-Assurance Transport SAML Authentication Context Identity Federations

Aspects & Technology Front-channel Authentication Message Authentication/Message Security Credentials Delegation Level-of-Assurance Transport Federated Identity SAML OAuth OpenID

Opportunities

Opportunities Front channel Back channel End-user End-user Identity Provider and/or KDC Service provider Another service Authentication using TLS+KRB (O1); Negotiate (O2); Kerberos-augmented Information Card (O3+O5) or OpenID (O8); also document and promote (O12). Trust established using OpenID +KRB bootstrap (O9); SAML metadata (O11). Trust established using OAuth+KRB bootstrap (O7); SAML metadata (O11). Delegation using OAuth augmented with SAML or Kerberos (O6). Authentication using TLS+KRB (O1), Negotiate (O2), Kerberos-augmented InfoCard (O4+O5) or OpenID (O8) or SAML; SAML-in-KRB (O14) or KRB-in-SAML (O13) or SAML-in-GSSAPI (O16). Authentication using Negotiate (O2); Kerberos Token Profile (O10); SAML-in- KRB (O14) or KRB-in-SAML (O13) or SAML-in-GSSAPI (O16) Discovery using asserted realm (O15)

Analysis and Recommendations

SOAP Back channel use cases Update WS Security Kerberos Token Profile REST & Plain XML SAML in Kerberos (over Negotiate or TLS handshake). Federated use cases require improved crossrealm operation.

Front channel use cases Complementary Kerberos or King Kerberos Both directions require improved cross realm operation and improved client support for multiple concurrent identities.

Complementary Kerberos Primary features Strong authentication using Kerberos to a identity provider. Supplements a SAML assertion s semantics by providing Kerberos based attestation for a user s identity. A Web SSO profile (SAML,InfoCard, OpenID, etc) encapsulates and transports the attestation.

Primary features King Kerberos Kerberos is used directly between the client and the service provider. SAML assertion is used to decorate a Kerberos ticket, or otherwise supplement it. Scope for use outside of the Web context (e.g. federated NFSv4). Similar to how Kerberos is used conventionally. Requires significant client updates anonymous tickets; possibly changes to TLS / GSS providers.

Analysis Back channel use cases are more soluble and more likely to yield results sooner than the Front channel use cases. Therefore, focus on common dependencies with initial emphasis on Back channel use cases. Front channel strategy requires a decision between "King Kerberos" or "Complementary Kerberos". Our analysis suggests that overall risk and effort is similar for both approaches, but "Complementary Kerberos" is likely to yield results sooner.

Recommendations Recommendation 1 Determine the overall strategic approach in consultation with relevant stakeholders Recommendation 2 Initiate activities to address those opportunities whose applicability is independent of strategic direction Recommendation 3 Plan and prioritize the most critical subsequent activities Recommendation 4 Develop an overall architecture

Conclusions Thank you for your attention. Possible discussion points Have we covered the relevant technologies? Did we capture the requirements and use-cases? What are the business cases?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback