ASSC Military Information Assurance and Security Symposium 2009
![Page 1: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/1.jpg)
Security and Information Assurance
UC San Diego, CSE 294
Winter Quarter 2008, Barry Demchak
![Page 2: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/2.jpg)
Roadmap
- Challenges and Context
- Basic Web Authentication and Authorization
- SAML
- Signon sequence
- Shibboleth
- OpenID
- Compare and Contrast
![Page 3: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/3.jpg)
Information Assurance Challenges
Managing information-related risks [Wikipedia]. How can we assure that information is being used in the way intended and by the people intended?
- Information: Which information? What quality of information? What are its characteristics?
- Way: Viewed? Changed? Reconveyed?
- Intended: By whom? With what degree of certainty?
- People: Browsers? Other user agents? Computer programs?
![Page 4: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/4.jpg)
Information Assurance Problems (cont'd)
- Subproblems: Security, Policy, Governance, Data Quality, Digital Rights Management, ...
- Parties: User agents, Data sources, Data intermediaries
- Applications: e-Commerce, All commerce, HIPAA, SOX, DOD
![Page 5: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/5.jpg)
Consequence of Mishandling Information
- "Thousands of Brits fall victim to data theft" -- October 10, 2006, New York Times
- "Medicare and Medicaid Security Gaps Are Found" -- October 8, 2006, New York Times
- "U.S. and Europe Agree on Passenger Data" -- October 6, 2006, New York Times
- "Is AJAX secure?" -- October 2006, SQL Magazine
![Page 6: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/6.jpg)
An Immediate Challenge: Securing a web site – 3-tier architecture
Tiers: Web Browser, Web Server, Database Server
Mechanisms: Line-level protocols, Trusted authorities, Authentication, Authorization, Policy, Governance, Failure Detection/Mitigation, Process Separation, Validation/Verification
Properties to preserve at each tier: Privacy, Correctness, Safety, Availability, Integrity (Scalability)
Threats between tiers: Eavesdropping, Impersonation (MitM)
![Page 7: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/7.jpg)
Authentication (Single Signon)
Preserve Privacy. Hint: Federations
[Figure: six web servers arranged around a compass (N, S, E, W), each with its own signon]
![Page 8: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/8.jpg)
Identity Federation
[Figure: the same web servers, now grouped around two Identification Providers joined by a Trust Relationship]
- Authenticated on one server, trusted on others
- Standards-based information exchange (SSL, HTTP, SAML, ...)
- Result: portable identity
![Page 9: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/9.jpg)
SSO Example – UCSD
![Page 10: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/10.jpg)
Identity at UCSD
- UCSD Identity Providers (IdP): PID/PAC, Kerberos, Active Directory
- Other IdPs: UCLA IdP, UCB IdP, LBL IdP
- UCSD Service Providers (SP): TritonLink Registrar, TritonLink Cashier, Blink, Facilities, WebMail, Research XXX
![Page 11: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/11.jpg)
Basic Web Authentication/Authorization
1. User surfs to site and supplies credentials
2. Web site validates credentials and determines capabilities
3. Web site doles out resources per capabilities
Separate the authentication and authorization mechanisms from the web site: loose coupling and separation of concerns
- Mechanism reuse
- Minimal impact on web site
- No impact on browser
![Page 12: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/12.jpg)
Web Commerce Use Case
- Carol's store is part of the Business Exchange (BusEx)
- Alice is signed up with the BusEx
- Alice wants to buy from Carol, and the BusEx provides authentication/authorization support
![Page 13: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/13.jpg)
Web Browser Password Access: Mission
- Convert Alice's identity into capabilities
- Deliver resource from Carol to Alice
- Store identity on Alice's PC as cookies for later
Cast of Characters (roles):
- P = Principal
- CC = Credentials Collector
- AuA.v = Authentication Authority (verifier)
- AuA.a = Authentication Authority (assertions)
- PDP = Policy Decision Point
- PEP = Policy Enforcement Point
![Page 14: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/14.jpg)
Security Assertion Markup Language (SAML)
- XML framework for marshaling security and identity information
- Wraps existing security technologies (e.g., it can carry XACML policies and decisions)
- Describes assertions about subjects
- Bindings for SOAP, HTTP redirect, HTTP POST, HTTP artifact, URI
- Is not a crypto technology, assertion maintenance protocol, data format, etc.; confidentiality and integrity come from the transport (SSL/TLS) and from XML Signature/Encryption applied to the assertion
![Page 15: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/15.jpg)
SAML Assertion
Example: Alice can read the finance database
![Page 16: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/16.jpg)
SAML Assertion (Query Response); pseudo-XML as shown on the slide, closing tags omitted:

```text
<SAMLQueryResponse>
  <RequestID>urn:random:32q4schaw983y5982q35yh98q324==
  <Assertion>
    <AssertionID>http://www.bizexchange.test/assertion/AE0221
    <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283
    <ValidityInterval>
      <NotBefore>
      <NotOnOrAfter>
    <Conditions>
      <Audience>http://www.bizexchange.test/rule_book.html
    <Claims>
      <Subject>
        <NameID>mailto:[email protected]
      <Object>
        <Authority>
        <Permission>Read
        <Resource>http://store.carol.test/finance
      <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance
```
![Page 17: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/17.jpg)
SAML Assertion (XACML embedded); pseudo-XML as shown on the slide, closing tags omitted:

```text
<TBS-POLICY-QueryResponse>
  <RequestID>urn:random:zwos43i55098w4tawo3i5j09q==
  <Assertion>
    <AssertionID>http://policy.carol.test/assertion/
    <Issuer>URN:dns-date:policy.carol.test:2001-03-03:1204
    <ValidityInterval>
      <NotBefore>
      <NotOnOrAfter>
    <Claim>
      <Policy>
        <Resources>
          <string>http://store.carol.test/finance
        <ACL>
          <ACE>
            <Subject>
              <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance
            <Permit>RWED
          <ACE>
            <Deny>ED
            <Subject>
              <Right>URN:dns-date:www.bizexchange.test:2001-01-04:right:ops
            <Permit>R
          <ACE>
```
![Page 18: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/18.jpg)
Web Browser Password Access (sequence)
Participants: Alice's user agent as Principal (P); BizEx as Credentials Collector (CC), Authentication Authority verifier (AuA.v), Authentication Authority assertions (AuA.a) and Authorization Authority (AtA); StoreSite as Policy Decision Point (PDP) and Policy Enforcement Point (PEP).
Establish Identity:
1. P → CC: get(); CC returns the credentials page and P supplies credentials
2. CC → AuA.v: authenticate(c:credentials); the assertion is stored and P receives t:ticket and r:redirect
Bind Roles (pull):
3. P → PEP: get(t:ticket, x:resource)
4. PEP → AuA.a: queryAssertion(t.i:assertionID); AuA.a returns the assertion
Enforce Policy:
5. PEP → PDP: check(a:assertion, x:resource); PDP returns the decision
6. PEP → P: resource
The diagram additionally brackets an Encrypt phase around these exchanges.
![Page 19: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/19.jpg)
Web Browser Password Access
- Choose an Identification Provider (IdP)
- Data Flow:
  - User Agent (UA) to IdP
  - IdP to Service Provider (SP): redirect through the UA
  - SP to IdP: verify credential based on ticket
  - SP to UA: deliver resource
- Redirect method vs Post method: HTTP 302 vs <form> and JavaScript
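The two transport choices on this slide, HTTP 302 redirect versus an auto-submitting form, correspond to the SAML HTTP-Redirect and HTTP-POST bindings. The following is an added example (not code from the slides or from any SAML product) showing what each side actually puts on the wire and how the receiver gets the message back. The IdP URL and the AuthnRequest are constructed stand-ins:

```python
import base64
import html
import re
import urllib.parse
import zlib

IDP_SSO_URL = "https://idp.example.test/sso"  # hypothetical IdP endpoint

# Constructed sample message (element names follow SAML 2.0; identifiers are made up).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_hypothetical-id-1" Version="2.0" '
    'AssertionConsumerServiceURL="https://sp.example.test/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_binding(xml: str, idp_sso_url: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, carried in the 302 Location.
    The message has to fit in a URL, which is why it is compressed."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{idp_sso_url}?{query}"


def decode_redirect_binding(location: str) -> dict:
    """Receiver side of the redirect binding: inverse of redirect_binding()."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return {
        "xml": zlib.decompress(raw, -15).decode("utf-8"),
        "relay_state": params["RelayState"][0],
    }


def post_binding(xml: str, idp_sso_url: str, relay_state: str) -> str:
    """HTTP-POST binding: base64 (no compression) in hidden fields of a form that
    JavaScript submits on load; the <noscript> button is the fallback."""
    encoded = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(idp_sso_url, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{html.escape(encoded, quote=True)}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
    )


def hidden_field(page: str, name: str) -> str:
    """Pull one hidden field's value back out of the generated form (receiver side)."""
    match = re.search(r'name="%s" value="([^"]*)"' % re.escape(name), page)
    return html.unescape(match.group(1)) if match else ""


def decode_post_binding(form_field_value: str) -> str:
    return base64.b64decode(form_field_value).decode("utf-8")
```

The practical difference: with the redirect binding the whole message sits in the URL, so it ends up in proxy and server logs and in Referer headers, and the signature has to be computed over the query string rather than embedded in the XML; the POST binding keeps the message out of the URL and lets the XML carry its own signature. Neither binding by itself protects the message; that is what SSL/TLS and XML Signature are for.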
![Page 20: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/20.jpg)
Decisions and Policy Store
1. Retrieve Policy
2. Retrieve Assertion
3. Compare Policy and Assertion
4. Render result of decision
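The four steps above, applied to the two assertion slides (the query response carrying Alice's role, and the policy with its ACL of ACEs), as an added example that is not from the slides or from any SAML/XACML implementation. The XML is a well-formed, constructed version of the slides' pseudo-XML; the NameID, the dates and the trusted-issuer list are made up, and the R/W/E/D permission letters are assumed to mean Read/Write/Execute/Delete. The decision rule is deny-overrides, which the slide's ACL with both Permit and Deny entries implies but does not state:

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed, well-formed version of the slides' assertion (NameID and dates are made up).
ASSERTION_XML = """<Assertion>
  <AssertionID>http://www.bizexchange.test/assertion/AE0221</AssertionID>
  <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283</Issuer>
  <ValidityInterval>
    <NotBefore>2001-01-03T00:00:00Z</NotBefore>
    <NotOnOrAfter>2001-01-04T00:00:00Z</NotOnOrAfter>
  </ValidityInterval>
  <Conditions><Audience>http://www.bizexchange.test/rule_book.html</Audience></Conditions>
  <Claims>
    <Subject><NameID>mailto:alice@bizexchange.test</NameID></Subject>
    <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance</Role>
  </Claims>
</Assertion>"""

# Constructed policy in the shape of the XACML-embedded slide: an ACL of ACEs keyed by role.
POLICY_XML = """<Policy>
  <Resources><string>http://store.carol.test/finance</string></Resources>
  <ACL>
    <ACE><Subject><Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance</Role></Subject>
         <Permit>RWED</Permit></ACE>
    <ACE><Subject><Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:ops</Role></Subject>
         <Permit>R</Permit><Deny>ED</Deny></ACE>
  </ACL>
</Policy>"""

TRUSTED_ISSUERS = {"URN:dns-date:www.bizexchange.test:2001-01-03:19283"}  # assumed
MY_AUDIENCE = "http://www.bizexchange.test/rule_book.html"
FINANCE = "http://store.carol.test/finance"
OPS_ROLE = "URN:dns-date:www.bizexchange.test:2001-01-04:right:ops"
SAMPLE_NOW = datetime(2001, 1, 3, 12, 0, 0, tzinfo=timezone.utc)   # inside the interval
SAMPLE_LATER = datetime(2001, 1, 5, 12, 0, 0, tzinfo=timezone.utc)  # after NotOnOrAfter


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retrieve_assertion(xml: str, now: datetime) -> dict:
    """Step 2: parse AND validate. Trusted issuer, inside the validity interval, addressed
    to this audience. Anything else raises; the PEP turns that into Deny."""
    root = ET.fromstring(xml)
    if root.findtext("Issuer") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    not_before = _utc(root.findtext("ValidityInterval/NotBefore"))
    not_on_or_after = _utc(root.findtext("ValidityInterval/NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity interval")
    if MY_AUDIENCE not in {a.text for a in root.iterfind("Conditions/Audience")}:
        raise ValueError("assertion not addressed to this audience")
    return {
        "subject": root.findtext("Claims/Subject/NameID"),
        "roles": {r.text for r in root.iterfind("Claims/Role")},
    }


def retrieve_policy(xml: str) -> dict:
    """Step 1: load the ACL. Permit/Deny strings become sets of permission letters."""
    root = ET.fromstring(xml)
    aces = [
        {"role": ace.findtext("Subject/Role"),
         "permit": set(ace.findtext("Permit") or ""),
         "deny": set(ace.findtext("Deny") or "")}
        for ace in root.iterfind("ACL/ACE")
    ]
    return {"resources": {r.text for r in root.iterfind("Resources/string")}, "aces": aces}


def decide(policy: dict, claims: dict, resource: str, permission: str) -> str:
    """Step 3, the PDP: compare policy and assertion. Deny overrides Permit, and a subject
    with no matching ACE gets Deny, not a pass-through."""
    if resource not in policy["resources"]:
        return "NotApplicable"
    matching = [ace for ace in policy["aces"] if ace["role"] in claims["roles"]]
    if any(permission in ace["deny"] for ace in matching):
        return "Deny"
    return "Permit" if any(permission in ace["permit"] for ace in matching) else "Deny"


def pep(assertion_xml: str, policy_xml: str, resource: str, permission: str, now: datetime) -> str:
    """Step 4, the PEP: the only entry point the web site calls. Fails closed."""
    try:
        claims = retrieve_assertion(assertion_xml, now)
    except (ValueError, ET.ParseError, AttributeError, TypeError):
        return "Deny"
    return decide(retrieve_policy(policy_xml), claims, resource, permission)
```

The point a practitioner should take from the validation step: the issuer, the validity interval and the audience are checked before any role is read, because an assertion that was issued for a different audience, or that has expired, says nothing about what Alice may do at Carol's store even if its role claim is genuine.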
![Page 21: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/21.jpg)
Shibboleth Context
![Page 22: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/22.jpg)
About Shibboleth
- Open source project sponsored by MACE (Middleware Architecture Committee for Education) of Internet2
- Allows Single Signon and Identity Federations
- Enables policy-driven authorization
- Small integration effort for existing web applications
- Built on standards: HTTP, XML, XML Schema, XML Signature, SOAP, SAML (Security Assertion Markup Language)
![Page 23: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/23.jpg)
Shibboleth Framework
- User Agents (UAs): access SPs oblivious to Shib and SSO
- Shibboleth (Shib): orchestrates access to identity providers (IdPs) and attribute providers (APs); provides the SP with only the attributes or identities needed to make a decision
- Service Providers (SPs): rely on Shib for authentication but use and enforce their own authorization mechanisms; decide whether a user can access a resource
[Figure: the browser requests resources from two Service Providers (web sites); Shibboleth supplies the identity and the attributes each SP needs]
![Page 24: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/24.jpg)
Shibboleth Workflow (POST method)
Participants: Principal (User Agent); Identity Provider with SSO Service and Authentication Authority; Service Provider with Assertion Consumer Service (Shire), Access Control Policy Decision Point (PDP) and Policy Enforcement Point (PEP).
1. UA → SP: get(x:resource)
2. SP → UA: redirect to the IdP SSO Service (forward directly if an IdP cookie is present)
3. UA → SSO Service: get(idEntryPage); the SSO Service returns the idEntryPage HTML
4. UA → Authentication Authority: credentials
5. Authentication Authority → UA: IdP cookie, a:assertion, redirect
6. UA → Assertion Consumer Service (Shire): get(a:assertion, x:resource)
7. Shire → UA: a:assertion, x:resource, redirect; UA → PEP: get(a:assertion, x:resource)
8. PEP → PDP: check(a:assertion, x:resource); PDP returns the decision
9. PEP → UA: resource
![Page 25: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/25.jpg)
Shibboleth Application
[Figure: the existing authentication sources (Kerberos, AD, etc.) stay in place behind the IdP; the Shibboleth components run as Java on Tomcat/Apache or C++ on Apache or IIS; attributes reach the application's Policy Decision/Enforcement Point as HTTP headers]
![Page 26: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/26.jpg)
Shibboleth Attribute Transfer
- The SP configuration file identifies the attributes to be retrieved from the credential
- The IdP configuration file identifies the attributes to be provided in the credential
- The IdP can identify the SP through its Shire address
- End result: least privilege is enforced, because an attribute is released only if the IdP's policy allows it for that SP and the SP asks for it
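The two-sided filtering described on this slide, as an added example (not Shibboleth's own code or configuration format). The IdP releases only what its policy allows for the SP it identified by Shire address; the SP turns only the attributes in its own map into headers for the application; and the SP overwrites any same-named header the browser sent, since the application trusts those headers. User record, attribute names, policy and URLs are all constructed:

```python
from urllib.parse import urlsplit

# Constructed directory record for one user (IdP side).
USER_RECORD = {
    "eduPersonPrincipalName": "alice@univ.test",
    "eduPersonAffiliation": ["member", "staff"],
    "mail": "alice@univ.test",
    "displayName": "Alice Example",
    "employeeNumber": "0042",
}

LIBRARY_SHIRE = "https://library.univ.test/Shibboleth.sso/SAML/POST"  # hypothetical
HR_SHIRE = "https://hr.univ.test/Shibboleth.sso/SAML/POST"            # hypothetical

# IdP release policy: which attributes may leave for which SP (keyed by Shire address).
IDP_RELEASE_POLICY = {
    LIBRARY_SHIRE: {"eduPersonAffiliation"},
    HR_SHIRE: {"eduPersonPrincipalName", "employeeNumber"},
}

# SP attribute map: SAML attribute -> header the application reads (per SP host).
SP_ATTRIBUTE_MAP = {
    "library.univ.test": {"eduPersonAffiliation": "Shib-EP-Affiliation"},
}


def idp_release(record: dict, shire_url: str, policy: dict = IDP_RELEASE_POLICY) -> dict:
    """IdP side. The SP is known by the Shire address it asked the IdP to post to;
    only attributes on that SP's allow list are released. An unknown SP gets nothing."""
    allowed = policy.get(shire_url, frozenset())
    return {name: value for name, value in record.items() if name in allowed}


def sp_accept(attrs: dict, shire_url: str, attribute_map: dict = SP_ATTRIBUTE_MAP) -> dict:
    """SP side. Only attributes the SP's own map lists become headers; anything extra the
    IdP sent (over-release) is dropped here rather than reaching the application."""
    mapping = attribute_map.get(urlsplit(shire_url).hostname, {})
    headers = {}
    for saml_name, header in mapping.items():
        if saml_name in attrs:
            value = attrs[saml_name]
            headers[header] = ";".join(value) if isinstance(value, list) else value
    return headers


def scrub_client_headers(client_headers: dict, sp_headers: dict) -> dict:
    """The application must see the SP's values, never the browser's: drop every
    client-supplied header the SP sets or that carries the SP's Shib- prefix, then add
    the SP's own. Without this step a user could claim any affiliation by sending the header."""
    clean = {k: v for k, v in client_headers.items()
             if k not in sp_headers and not k.lower().startswith("shib-")}
    clean.update(sp_headers)
    return clean


def attribute_transfer(record: dict, shire_url: str, client_headers: dict = None) -> dict:
    """End to end: IdP release, SP acceptance, header scrubbing; returns what the app sees."""
    released = idp_release(record, shire_url)
    return scrub_client_headers(client_headers or {}, sp_accept(released, shire_url))
```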
![Page 27: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/27.jpg)
OpenID
- Federated SSO service
- Open and standards-based (HTTP, et al., but not SAML)
- Participants: Google, IBM, Microsoft, VeriSign, Yahoo!, AOL, Symantec, Sun, and many others
- As of February 2008: 250M OpenIDs, 10K Websites
- Objective: prove that an end user controls an identifier (e.g., bdemchak.myopenid.com), i.e., authentication
![Page 28: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/28.jpg)
OpenID Workflow
Participants: Principal (User Agent); OpenID Provider with OP Endpoint Credentials Collector and OP Endpoint Authenticator; Relying Party with Policy Decision Point (PDP) and Policy Enforcement Point (PEP).
1. UA → RP: get(i:OpenIdIdentifier, x:resource)
2. RP → UA: redirect to the OP Endpoint with i:OpenIdIdentifier
3. UA → OP Endpoint Credentials Collector: get(idEntryPage); the OP returns the idEntryPage HTML
4. UA → OP Endpoint Authenticator: credentials
5. OP → UA: redirect, result, nonce, signature
6. UA → RP: result, nonce, signature
7. RP PEP → PDP: check(a:assertion, x:resource); PDP returns the decision
8. RP → UA: resource
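What the Relying Party has to check in step 6 before it can treat "result, nonce, signature" as an assertion, as an added example that is not code from the slides or from any OpenID library. It follows the OpenID 2.0 conventions: the signature is an HMAC over the key-value form of the fields named in openid.signed, keyed with the MAC key from the RP/OP association, and openid.response_nonce begins with a UTC timestamp and must never be accepted twice. The MAC key, endpoint, return URL, identifier and nonces are constructed for the example:

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed values; in a deployment the MAC key comes from the RP/OP association.
MAC_KEY = b"constructed-association-mac-key-not-real"
OP_ENDPOINT = "https://openid.example.test/server"
RETURN_TO = "https://rp.example.test/openid/return"
CLAIMED_ID = "https://alice.example.test/"
SAMPLE_NOW = datetime(2008, 2, 1, 12, 0, 5, tzinfo=timezone.utc)

# Fields OpenID 2.0 requires to be covered by the signature on a positive assertion.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity"]


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form: one 'key:value\\n' line per signed field, 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")


def compute_sig(fields: dict, mac_key: bytes) -> str:
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(nonce: str, mac_key: bytes = MAC_KEY, identity: str = CLAIMED_ID) -> dict:
    """What the OP sends back through the redirect (constructed): the fields the RP sees."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "constructed-handle-1",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    fields["openid.sig"] = compute_sig(fields, mac_key)
    return fields


class NonceStore:
    """Remembers nonces for the acceptance window so a captured response cannot be replayed."""

    def __init__(self, window: timedelta = timedelta(minutes=5)):
        self.window = window
        self.seen = {}

    def accept(self, nonce: str, now: datetime) -> bool:
        try:  # the first 20 characters are the OP's UTC timestamp, e.g. 2008-02-01T12:00:00Z
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - issued) > self.window or nonce in self.seen:
            return False
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        self.seen[nonce] = issued
        return True


def verify_positive_assertion(fields: dict, mac_key: bytes, nonces: NonceStore, now: datetime) -> tuple:
    """RP side. Order matters: the nonce is only recorded once the signature has checked out,
    so an attacker cannot burn nonces with unsigned garbage."""
    if fields.get("openid.mode") != "id_res":
        return (False, "not a positive assertion")
    signed = fields.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS) <= set(signed):
        return (False, "a required field is not covered by the signature")
    if any("openid." + k not in fields for k in signed):
        return (False, "a signed field is missing")
    if fields["openid.return_to"] != RETURN_TO:
        return (False, "return_to does not match this RP")
    if fields["openid.op_endpoint"] != OP_ENDPOINT:
        return (False, "op_endpoint is not the OP discovered for this identifier")
    if not hmac.compare_digest(compute_sig(fields, mac_key), fields.get("openid.sig", "")):
        return (False, "bad signature")
    if not nonces.accept(fields["openid.response_nonce"], now):
        return (False, "stale or replayed response_nonce")
    return (True, fields["openid.claimed_id"])
```

The op_endpoint check is the one most often skipped: the RP must compare it with the endpoint it discovered for the claimed identifier, otherwise any OP the attacker controls can vouch for any identifier. The example fixes the expected endpoint as a constant because discovery is outside what the slide shows.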
![Page 29: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/29.jpg)
OpenID Application
[Figure: the Relying Party parses the attributes returned with the assertion and hands them to the application's Policy Decision/Enforcement Point, which applies Access Control]
![Page 30: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/30.jpg)
OpenID Capabilities
- Personas associated with an ID
- User control of the persona and attributes released to a particular web site
- Requires explicit web site programming
![Page 31: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/31.jpg)
Shibboleth vs OpenID
- Shibboleth is academic; OpenID is commercial
- Shibboleth uses SAML; OpenID uses an attribute list
- Shibboleth federation is more flexible
- Shibboleth attempts to ease application coding; OpenID leverages validations in the cloud
- ... this list is only the beginning ...
![Page 32: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/32.jpg)
Original Goals
1. User surfs to site and supplies credentials
2. Web site validates credentials and determines capabilities
3. Web site doles out resources per capabilities
Separate the authentication and authorization mechanisms from the web site: loose coupling and separation of concerns
- Mechanism reuse
- Minimal impact on web site
- No impact on browser
![Page 33: Security and information assurance](https://reader035.fdocuments.net/reader035/viewer/2022062412/588657b11a28ab26598b53f3/html5/thumbnails/33.jpg)
References
- http://syswiki.ucsd.edu/index.php/Single_Sign-On
- http://www.openid.net
- http://shibboleth.internet2.net
- http://shibboleth.internet2.edu/docs/draft-mace-shibboleth-tech-overview-latest.pdf
- http://www.oasis-open.org
- http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-reqs-00.doc
- http://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf
- http://www.oasis-open.org/committees/security/docs/draft-sstc-core-phill-07.doc