Master's Thesis: "Secure Authentication and Authorization Portal Based on Single Sign-on"
Jukka Collan
Supervisor: Professor Jörg Ott, Networking Laboratory

Agenda
• Research problem
• Thesis structure
• Enterprise Single Sign-On Defined
• Literature research
• Case study: Software used
• Risk and threat analysis
• Results
• Conclusions - Benefits

Research problem
• Present approach of enterprise single sign-on
  – Why should a user have only one user ID and password?
  – Why are enterprises interested in single sign-on?
  – What kind of architecture does a single sign-on solution have?
  – What are the risks of using single sign-on?
  – What are the benefits of an enterprise single sign-on solution?
  – What is the ROI of an enterprise single sign-on solution?

Thesis structure
Secure Authentication and Authorization Portal Based on Single Sign-On
• Introduction
• Theory
• Market demand for single sign-on
• Authentication technologies and directories
• Case study of Single Sign-on
• Risk and Threat Analysis
• Single sign-on standardization
• Conclusions

Enterprise Single Sign-On Defined
• Users need only one password for access to all applications and systems
• Users can access the corporate network at the start of their workday
• Users immediately have access to all necessary password-protected applications
• Users don't need to remember multiple passwords
• Users don't have to write down their passwords
• Users don't have to use easy-to-guess passwords, which potentially expose applications to unauthorized users

Literature research: authentication technologies
• SECURE USER IDENTITY TECHNOLOGIES
  – PKI
    • X.509
  – Smart card
  – Electronic Identification Card (HST)
  – One-time password
• Biometrics
  – Fingerprints
  – Iris codes
• USER AUTHENTICATION IN COMPUTER NETWORKS
  – Unix
    • Kerberos
  – Windows
    • Windows NT LAN Manager (NTLM)
  – Web-based authentication
    • HTTP
    • SSL and HTTPS

Literature research: authentication
• USER AUTHENTICATION IN TELECOMMUNICATION NETWORKS
  – Mobile Terminals
  – PDA
  – Authentication, Authorization and Accounting (AAA)
    • RADIUS
    • Diameter
  – GSM
  – WAP
    • WTLS (Wireless Transport Layer Security)
    • WPKI
• POLICY BASED NETWORKS
• DIRECTORIES
  – LDAP
  – Windows 2000 Active Directory
  – Metadirectory

Literature study: single sign-on tech: SAML
• SAML - Security Assertion Markup Language: an XML-based security standard by OASIS for exchanging authentication and authorization information
• SAML is an XML-based security framework for exchanging security information
• Security information is expressed in the form of assertions about a subject
  – A subject is an entity, which can be either a human or a computer
  – Each entity has an identity in some security domain
  – A typical example of a subject is a person, identified by his email address in a particular Internet DNS domain
• Assertions are represented as XML constructs
• SAML defines a binding, which is Simple Object Access Protocol (SOAP) over HTTP

Literature study: single sign-on tech: SAML
• In SAML, identifiers are defined as Uniform Resource Identifiers (URIs) for the following authentication methods:
  – Password
  – Kerberos
  – Secure Remote Password (SRP)
  – Hardware Token
  – SSL/TLS Certificate-Based Client Authentication
  – X.509 Public Key
  – PGP Public Key
  – SPKI Public Key
  – XKMS Public Key
  – XML Digital Signature
  – Unspecified

SAML: Application chain
1. Web user authenticates with the enterprise security system (authentication can be through the Web server)
2. Enterprise security system provides an authentication reference to the Web user
3. Web user requests a dynamic resource from the Web server, providing the authentication reference
4. Web server requests an application function from the application on behalf of the Web user, providing the Web user's authentication reference
5. Application requests the authentication document from the enterprise security system, corresponding to the Web user's authentication reference
6. Enterprise security system provides the authentication document, including authorization attributes for the Web user and the authn event description
7. Application performs the application function for the Web server
8. Web server generates the dynamic resource for the Web user

Literature study: Project Liberty
• Project Liberty or Liberty Alliance is the code name for an initiative announced to address open standards development in network identity and end-user privacy, as an alternative to Microsoft's Passport
• Goals of the Project:
  – Enable consumers to protect the privacy and security of their network identity information
  – Enable businesses to maintain and manage their customer relationships without third-party participation
  – Provide an open single sign-on standard that includes decentralized authentication and authorization from multiple providers
  – Create a network identity infrastructure that supports all current and emerging network access devices

.NET Passport authentication process
• The .NET Passport authentication is based on the link from the participating site to the Microsoft Passport site
• When a user tries to access a protected Web page within a participating site that requires authentication before allowing access, a redirect is made to the Passport site
• .NET Passport compares the user's credentials to the credentials saved in the Passport database
• If the credentials match, the user is authenticated and the PUID and .NET Passport profile are extracted from the database.
• After that, the .NET Passport server creates three cookies:
  – The Ticket cookie, which includes the PUID and a time stamp
  – The Profile cookie, which stores the user profile
  – The Participating Site cookie, which stores a list of the sites to which the user has signed in

Literature study: Microsoft .NET Passport
• The goal of .NET Passport is to make online purchasing via the Internet easier and faster
• .NET Passport provides the user with the Single Sign-In (SSI) service using a large user base and powerful encryption technologies such as Secure Socket Layer (SSL) and the Triple Data Encryption Standard (3DES) algorithm for data protection
• Single Sign-In (SSI) is the key service of .NET Passport
• SSI provides a common Internet authentication mechanism across participating Web sites
• Users can create a single sign-in name and password for use across participating .NET Passport sites
• .NET Passport reduces the need for consumers to remember multiple sign-on names and passwords
• .NET Passport can provide a unique Passport ID (PUID) for every user

.NET Passport authentication process: SSI process
1. Initial page request
2. Redirect for authentication
3. Authentication request
4. Authentication response and cookies (ticket and profile)
5. Authentication request and cookies (ticket and profile)
6. Web page, authentication and cookies (profile)

Commercial authentication and authorization portals
• Centralizing user management is an effective way to reduce the number of usernames
• One reason why there is no universal standard for single sign-on is that the user's digital identity is not standardized
• Corporate authentication systems must support multiple means of identity: user ID and password, certificates, wireless authentication, third party (SecurID, smart cards, PKI), and also enable new mechanisms to be added easily
• An authentication and authorization portal provides simple, secure access to critical information
• A centralized authentication and authorization portal
can support multiple authentication mechanisms:
  – Basic authentication
  – Basic authentication over SSL
  – Smart Card (HST)
  – Forms-based authentication
  – PKI/X.509 certificates
  – Combination of passwords and certificates
  – Custom or third-party schemes
  – Biometric authentication

Federated identity management
• Federated identity management provides a standardized mechanism for simplifying identity transformation and identity management across enterprise boundaries
• Federation services
  – engage in trust relationships and share identity information
• Trust services
  – Federation relationships require a trust relationship-based federation between business partners
• Key services
  – Provide access to key stores used by a Trust service and allow a Trust Service to plug in/access different key stores as required
• Session management services
  – manage a user's session life cycle, from session creation, to session access, to session deletion
• Authentication services
  – Provide the functionality required to evaluate and validate user-provided credentials. Evaluate credentials such as a username and password, or SecurID token passphrases. Invoke some back-end data store, such as an LDAP registry or a SecurID token server, to validate these credentials.
• Single sign-on services
  – provide single sign-on across federations
• Authorization services
  – Authorization services are responsible for providing access decision point functionality
• Identity services
  – Provide the interface to local data stores, including user registries and databases; an identity service is able to add, delete, and look up information

Tivoli FIM architecture
• (HTTP) browser
• Non-HTTP browser
• HTTP Point of Contact
  – located in the DMZ
  – It is typically an HTTP reverse proxy, a plug-in to a Web server capable of authenticating a user and managing a session for that user
  – The HTTP PoC will invoke (when required) single sign-on services
• Tivoli Federated Identity Manager functionality
  – (HTTP) browser: A browser provides an interface between the end user and the infrastructure
  – Non-HTTP browser: Non-HTML browsers, such as WAP browsers, are used by agents such as mobile devices
  – A FIM component must communicate with the HTTP PoC for the purposes of completing single sign-on and single sign-off functionality
  – It also integrates with a data store (such as a user registry) for management of the user attributes and user aliases
  – Implements the single sign-on (SSO) services
• User registry/data store
  – The user registry/data store is used for two distinct purposes: alias management and attribute management

Case study: Goal
The goal of this case study was to design a solution for the company which partly enables single sign-on and also makes the management of users in the company easier than it is today.

Drawbacks of Passwords
• Too many passwords. Assume each user has a unique password for each application he uses. In an enterprise with 10,000 employees using two dozen applications each, that's 240,000 different passwords for IT to manage, creating enormous administrative complexity and burden.
• Weak passwords. Users choose easy-to-remember passwords, the simplicity and obvious nature of which provide a lower level of security.
• Lazy users. Do you use your birthday, social security number, name, or some combination for any of your passwords?
• Reliance on human memory. There are two types of users: those who write down their passwords, and those who don't. The latter rely on memory for password recall, the performance of which declines in direct proportion to both the complexity and number of passwords. If each user in a company of 10,000 employees makes one password reset call to the IT help desk per month, and the cost is 25 euros per call, the annual password reset bill comes to 3 million euros a year.
• Easily obtained. As for those users who write down passwords, they naturally do it in easily remembered places.

Drawbacks of Passwords
• Easy to steal.
Many desktops allow Windows to automatically fill in the password data. If the individual application passwords are stored on the desktop in unsecured cookies, then spyware, worms, and other malicious code can easily steal the passwords and other account information.
• Easy to hack. Cyber-thieves have easy access to a wide range of "password crackers", software specifically designed to decipher passwords.
• Phishing. The user is sent an e-mail asking him for his password.

Software of the case: AM
IBM Tivoli Access Manager (AM) for e-business
• Policy-based access control solution for e-business and enterprise applications
• AM lets organizations control both wired and wireless access to applications and data, keeping unauthorized users out
• AM integrates with e-business applications to deliver a secure, personalized e-business experience for authorized users
• AM integrates security for key CRM, ERP, and SCM e-business solutions, as well as enhancements for securing J2EE-conforming applications running on WebSphere Application Server or BEA WebLogic Server

Software of the case: TIM
• IBM Tivoli Identity Manager provides policy-based identity management across legacy and e-business environments
• Intuitive Web administrative and self-service interfaces integrate with existing business processes to help simplify and automate managing identities, improving administrator productivity
• It incorporates a workflow engine and leverages identity data for activities such as audit and reporting
• Three key benefits of IBM Tivoli Identity Manager are:
  – Reduces costs through centralized user management
  – Increases productivity through automated workflow and delegated administration
  – Quickly realizes ROI by bringing users, systems and applications online faster
• IBM Tivoli Identity Manager provides a single point for managing users, and a consistent access control policy that integrates with the existing environment

Software of the case: TAMESSO
The Tivoli Access Manager for
Enterprise Single Sign-On (TAMESSO) solution supports different types of user authentication:
• Passwords
• Smart cards
• Biometrics

Benefits of TAMESSO
• It can store user credentials and its own system settings and policies in any LDAP directory or one of several databases
• The administrative console simplifies administrative tasks by automatically recognizing and configuring applications for sign-on with minimal effort by the administrator
• Users experience simple enterprise single sign-on while connected to or disconnected from the corporate network, and while roaming between computers

Software of the case: TAMESSO
• TAMESSO helps you:
  – Automate sign-on and eliminate users' need to manage passwords
  – Enhance security with automatic password management
  – Extend audit and reporting capabilities to include user sign-on data
  – Generate a quick payback and high return on investment (ROI) with a solution that is quick and simple to deploy and reduces help desk costs
  – Secure enterprise single sign-on for end users
  – Enhance productivity by simplifying user experiences
  – Reduce help-desk costs related to passwords and optimize security by eliminating poor password management by end users

Software of the case: TAMESSO
• TAMESSO is designed to help organizations with their security across:
  – Any form of user authentication: Microsoft Windows login, smart card, biometric, token and more
  – Any enterprise application: client/server, Java, Web, legacy or homegrown
  – Any enterprise infrastructure: directory, database, network file share and so on
  – Any work mode: desktop, offline, kiosk and shared workstation
• The TAMESSO Provisioning Adapter provides a high level of administrative control.
  – For example, when application passwords are reset in TIM, TAMESSO is simultaneously updated so that it always has the correct password
  – TAMESSO synchronizes with the database or directory:
    • it reads and processes the instructions and updates the entries as needed in its local credential cache
    • it may add, modify or delete credentials in the appropriate user's local credential cache
    • it synchronizes the credentials back to the database directory object for that user

Software of the case: TAMESSO
The TAMESSO Provisioning Adapter includes the following components:
• Server: accepts account credential provisioning information. It also communicates that information to TAMESSO clients by placing provisioning instructions into the directory or data store they use
• Console: provides a Web-based administration GUI for communicating with the server
• Command line interface (CLI): enables applications and administrators to communicate with the server
• Connector (Java-based class library): integrates the server and Tivoli Identity Manager through the CLI

The operational architecture
• Internet: Global network which connects millions of computers.
• Internet DMZ: Controlled zone that contains components with which uncontrolled clients may directly communicate.
• Production zone: Restricted area, which means that all connections are strictly controlled and direct access from uncontrolled networks is not permitted.
• Management zone: One or more network zones may be designated as secured zones. Access is only available to a small group of authorized staff.
• Intranet: Like the Internet DMZ, the corporate intranet is generally a controlled zone that contains components with which clients may directly communicate.

Case study: integration of two-factor authentication
• Advanced authentication typically requires two forms of authentication
  – One is something the user knows, such as a password or PIN.
  – The second form of authentication is something the user either has (an authentication device, like a token or smart card) or something the user is: a biometric like a retinal scan, voice print, or fingerprint.
• With two-factor authentication, for example, security for the network is essentially doubled by requiring users to present not one but two forms of identification: a password and an authentication device. Without both the password and the hardware, a user cannot access all of her applications (in graded two-factor authentication, a user who has lost her smart card but remembers her password can get limited access to some functionality on the network until she receives a new card).
• The company's advanced authentication system requires two identification factors to gain network access: (1) a smart card and (2) a personal identification number (PIN).

Case study: integration of two-factor authentication
Here's how the system works:
1. Each employee receives a smart card. The user's identity information is embedded in two of the card's three chips.
2. The smart card is integrated with the SSO system.
3. Digital certificates for logon, encryption, and digital signatures for all authorized users are stored in the SSO database.
4. The system handles both building and network access with a single solution. Employees must insert their smart card at the door to gain entry into their building.
5. Once at their desktop, employees insert their smart card into a card reader on their PC or laptop and enter a one-time password to activate the card-management system.
6. The card management system asks a series of questions. By answering correctly, employees prove they are authorized users.
7. The v-GO SSO system binds the card to the end user. It downloads to the card's third chip a set of digital certificates for logon, encryption, and digital signatures.
8.
For added security, SSO also binds the end user's identity certificates stored on the smart card to v-GO SSO's list of application passwords.
9. After activation, the card logs users onto the network and their desktops.
10. With the desktop logon now downloaded onto the card, the smart card is the only credential needed for end users to access network resources.

Case study: integration of two-factor authentication
• Importantly, user application passwords are stored in an encrypted database in the SSO platform, and not on the smart card. Therefore, if a smart card is lost or stolen, the person coming into possession of the badge does not possess any of the user's application passwords.
• The cost of system implementation was 50 euros per user for the cards, card readers, and software.
• According to the company's IT department, ROI was immediate, and included a 70% reduction in the nearly 4,000 password resets the business was performing each month.

Risk and threat analysis
The most common security risks in the enterprise are:
• Virus threats
• Unauthorized access to Web servers
• Denial of service threats
• Unauthorized access to services
• Hacking of passwords
Possible security threats are:
• Unauthorized access by an external attacker
• Unauthorized access by an internal hacker
• Eavesdropping on confidential data or personally identifiable data on the network
• Misuse by users from the internal network
• Misuse by customers from the Internet
Possible vulnerabilities are:
• Insecure systems or applications
• Lost or stolen passwords
• Application failures

Risk and threat analysis
• Based on the risk assessment, the security of the portal can be improved as follows:
Improve security to control access to servers:
  – Use complex, safe passwords
  – Use security zones to control access to sensitive servers and applications
  – Use firewalls or other gateways to control communication between different security zones.
  – Block unwanted traffic and monitor authorized traffic.
  – Use a reverse proxy at the edge of the network with authentication and authorization capabilities to control access to the information
  – Place critical service and support servers in separate networks and block access using routers or firewalls
  – Use a secure communication protocol like SSL whenever possible

Risk and threat analysis
Improve system security to control activity on systems:
  – Remove unneeded components, for example, insecure programs like ftp and telnet if possible
  – Manage accounts on systems very closely, for example, delete accounts that are no longer used
  – Install security components, for example, system auditing tools and integrity checking tools
  – Check and update all default settings, for example, password rules or impersonal accounts
  – Enable system and application logging and send event information to a remote logging server
  – Monitor usage of all interfaces for users and administrators in order to detect misuse

"Hacking of passwords"
An attacker breaks the system's user name-password pairs by means of special programs designed for this purpose. Modern programs are very sophisticated, including many other breaking techniques than just dictionary attacks. This is very critical for the portal, because if the attacker breaks the one password he has access to all client-to-server based applications.

Single sign-on: single point of attack
Single Sign-On enables the user to authenticate once in order to access many resources. Does this single point of authentication also introduce a single point of attack and thereby reduce all network security?

Single sign-on: single point of attack
• Does SSO reduce network security? Let us take a hypothetical scenario of an end-user with a Windows logon and 9 password-protected applications, a total of 10 passwords.
  Let us assume the following:
  – minimum password length is 8 characters
  – each password character can be one of 76 characters: upper or lower case alphabetic (52), numeric (10) or special characters (14)
  – each password is randomized and unique from every other password
  – A hacker who would like to compromise all of these systems using a brute force attack would be faced with the following task:
    • 1 password x (76 characters ^ 8 characters) = 1,113 trillion combinations
    • 10 passwords = 11,113 trillion combinations

Single sign-on: single point of attack
• Now, with SSO the end-user doesn't need to remember 10 passwords, only one; that password, however, becomes the most obvious point of attack
  – Let us assume that the Windows password is chosen as the single sign-on password, and that therefore the password file is easily available.
  – Even if the password length is not changed at all, it will still take a hacker 2,147 days to crack it and obtain all other passwords
  – If users didn't change their Windows password in over 5 years, it still wouldn't be cracked
  – A dictionary attack using the 30,000 most common words could conceivably crack the Windows password in a few seconds
  – If the Windows password policy is constrained such that the password must include at least one numeric or special character in the middle of the password, a dictionary attack no longer works
  – The hacker's approach is reduced back to a brute force attack: 5 years to crack the Windows password and thereby obtain all other application passwords.

Single sign-on: single point of attack
• Can SSO actually raise network security?
  – A user who has 10 passwords will seek to make his or her life as simple as possible by:
    • making them all similar
    • making them memorable words
    • storing them in the clear on post-it notes, notepad files, etc.
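Worked through in code, as an added example that is not part of the thesis: the brute-force and dictionary arithmetic of the single-point-of-attack slides above, carried through with their own figures (a 76-symbol alphabet, an 8-character minimum, 2,147 days for one keyspace, a 30,000-word dictionary) and the middle-character policy they propose. The 14 special characters are an assumed set, since the slides give only their count, and the guess rate is derived from the 2,147-day figure.

```python
# Added example (not from the thesis): the "single point of attack" arithmetic
# from the slides, computed from the slides' own assumptions.
import secrets
import string

ALPHABET_SIZE = 76           # 52 letters + 10 digits + 14 specials (slide figure)
PASSWORD_LENGTH = 8          # minimum length on the slide
SPECIALS = "!@#$%^&*()-_=+"  # assumed set of 14 specials; the slide gives only the count
SYMBOLS = string.ascii_letters + string.digits + SPECIALS
SECONDS_PER_DAY = 86_400
DICTIONARY_WORDS = 30_000    # "30,000 most common words" on the slide

def keyspace(alphabet: int = ALPHABET_SIZE, length: int = PASSWORD_LENGTH) -> int:
    """Distinct passwords of exactly `length` symbols; 76^8 is 1,113 trillion."""
    return alphabet ** length

# Guess rate derived from the slide's 2,147 days for one 76^8 keyspace
# (assumption: the slide states the time, not the rate).
GUESSES_PER_SECOND = keyspace() / (2147 * SECONDS_PER_DAY)

def days_to_exhaust(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every combination at `rate` guesses per second."""
    return combinations / rate / SECONDS_PER_DAY

def work_factor(password_count: int) -> dict:
    """Attacker's work against `password_count` independent random passwords
    compared with one SSO password that unlocks the same applications."""
    separate, single = password_count * keyspace(), keyspace()
    return {"separate_combinations": separate, "separate_days": days_to_exhaust(separate),
            "sso_combinations": single, "sso_days": days_to_exhaust(single)}

def passes_policy(password: str) -> bool:
    """The slide's Windows policy: at least 8 symbols from the alphabet and at
    least one digit or special character in the middle (not first, not last)."""
    if len(password) < PASSWORD_LENGTH or any(c not in SYMBOLS for c in password):
        return False
    return any(c.isdigit() or c in SPECIALS for c in password[1:-1])

def attack_estimate(password: str) -> tuple:
    """(attack, days) under the slide's model: a plain word falls to the 30,000-word
    dictionary in seconds; anything else sends the attacker back to brute force.
    Real crackers also try rule-based mangling, so the policy is a floor, not a proof."""
    if password.isalpha():
        return "dictionary", days_to_exhaust(DICTIONARY_WORDS)
    return "brute-force", days_to_exhaust(keyspace())

def random_password(length: int = PASSWORD_LENGTH) -> str:
    """What an SSO credential store can hold on the user's behalf: a uniformly
    random, non-memorable password over the full 76-symbol alphabet."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))
```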
• By using SSO, the following is possible:
  – all passwords are randomized
  – none are memorable
  – none are written down, but rather stored encrypted

Results
• Technology is ready for single sign-on in the enterprise
• SSO brings benefits to the security of enterprises
• Software can be easily integrated for SSO across boundaries, but more standardization is still required
• An SSO solution reduces user authentication and authorization costs
• An SSO solution reduces user management costs
• An SSO solution increases user satisfaction
• SSO helps auditing of the enterprise security
• SSO makes strong authentication possible in the enterprise network
• Works with popular authentication devices
• Secures and protects applications and credentials at all times

Conclusions - Benefits of SSO
• BENEFITS OF SSO: ESSO offers a number of important advantages to the enterprise:
  – Users gain quick and easy access, from any location, to maximize productivity
  – Eliminates lost or forgotten passwords: users have just one password to remember
  – Lowers user support costs by virtually eliminating password-related support calls
  – Securely stores and manages all passwords: no more searching for lost passwords
  – Improves network security: prevents unauthorized users from accessing enterprise applications
  – Simplifies administration: you can control password policies from a single console
  – Integrates with your IDM solution and scales to any enterprise

Maximizes user productivity
For instance, if you have 10,000 users who spend 1 hour a month looking for passwords, asking for new passwords, or with other authentication problems that prevent them from logging on, and you estimate the value of their time at 60 euros an hour, the cost in lost productivity to your organization is 7,200,000 euros.

Lowers support costs
The ROI from ESSO is generated by reducing password-related calls from users to IT support.
For an enterprise with 10,000 users, let's assume that the average user makes two password-related calls to IT support per month. Each call costs 25 euros. The total cost of all password support calls for the thousand users is 500,000 euros a year.

Network security
Implementing ESSO in an Identity Management System improves network security. Conventional password protection systems entail several security risk factors for the enterprise:
• Passwords users choose for themselves are usually short, simple, obvious, and easy to hack.
• Users are often cavalier about protecting passwords, leaving them scribbled on Post-it notes affixed to their monitor or posted on a wall or bulletin board, in plain view for anyone to see and copy.

Simplifies administration
Most applications are not designed with the needs of network administrators in mind, especially in the area of authentication. Network administration is greatly simplified when administrative functions can be performed by any authorized administrator from a single console. Some SSO solutions can provide this single point of control for the creation, distribution, and maintenance of enterprise application passwords.
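The eight-step SAML application chain from the literature slides, modelled in Python as an added example (not code from the thesis or from any SAML implementation): the enterprise security system issues the web user an opaque authentication reference, and the application exchanges that reference for the authentication document, an assertion carrying the authentication statement and the authorization attributes. The user store, the issuer name and the 300-second reference lifetime are constructed assumptions; the password AuthenticationMethod URI is the SAML 1.x identifier.

```python
# Added example (not from the thesis): the SAML application chain on the slides.
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.x AuthenticationMethod URI
# Constructed user store: user -> (password, authorization attributes)
USERS = {"alice@example.com": ("s3cret!", {"role": "finance"}),
         "bob@example.com": ("hunter2", {"role": "staff"})}

def build_assertion(user: str, authn_instant: float, attributes: dict) -> str:
    """The authentication document (step 6): an authentication statement plus
    authorization attributes, serialised as SAML-style XML."""
    assertion = ET.Element("Assertion", Issuer="ess.example.com")  # assumed issuer
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(authn_instant))
    authn = ET.SubElement(assertion, "AuthenticationStatement",
                          AuthenticationMethod=PASSWORD_AM, AuthenticationInstant=stamp)
    ET.SubElement(ET.SubElement(authn, "Subject"), "NameIdentifier").text = user
    attr_stmt = ET.SubElement(assertion, "AttributeStatement")
    for name, value in attributes.items():
        ET.SubElement(attr_stmt, "Attribute", AttributeName=name).text = value
    return ET.tostring(assertion, encoding="unicode")

class EnterpriseSecuritySystem:
    def __init__(self, users: dict, ttl_seconds: int = 300):
        self._users = users
        self._refs = {}          # reference -> (user, authn_instant, expiry)
        self.ttl = ttl_seconds

    def authenticate(self, user: str, password: str):
        """Steps 1-2: check the credential, hand back an opaque reference."""
        entry = self._users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        ref = secrets.token_urlsafe(24)   # unguessable; carries no identity itself
        now = time.time()
        self._refs[ref] = (user, now, now + self.ttl)
        return ref

    def authentication_document(self, ref: str):
        """Steps 5-6: resolve a reference once; unknown or expired ones yield None."""
        entry = self._refs.pop(ref, None)   # single use: a replayed reference fails
        if entry is None:
            return None
        user, authn_instant, expiry = entry
        if time.time() > expiry:
            return None
        return build_assertion(user, authn_instant, self._users[user][1])

class Application:
    def __init__(self, ess: EnterpriseSecuritySystem, required_role: str):
        self.ess, self.required_role = ess, required_role

    def perform(self, ref: str) -> str:
        """Step 7: decide from the security system's assertion, never from the reference."""
        doc = self.ess.authentication_document(ref)
        if doc is None:
            return "denied: unknown or expired reference"
        root = ET.fromstring(doc)
        roles = [a.text for a in root.iter("Attribute") if a.get("AttributeName") == "role"]
        if self.required_role not in roles:
            return "denied: missing role"
        return "report for " + root.find(".//NameIdentifier").text

class WebServer:
    def __init__(self, app: Application):
        self.app = app

    def dynamic_resource(self, ref: str) -> str:
        """Steps 3-4 and 8: forward the user's reference, render the application's answer."""
        return "<html>" + self.app.perform(ref) + "</html>"

def run_chain(user: str, password: str, required_role: str = "finance") -> tuple:
    """Whole chain for one login; returns the first page and a replay of the same reference."""
    ess = EnterpriseSecuritySystem(USERS)
    web = WebServer(Application(ess, required_role))
    ref = ess.authenticate(user, password)
    if ref is None:
        return ("denied: authentication failed", None)
    return (web.dynamic_resource(ref), web.dynamic_resource(ref))
```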