Master's Thesis
"Secure Authentication and Authorization Portal Based on Single Sign-on"
Jukka Collan
Supervisor: Professor Jörg Ott
Networking Laboratory
Agenda
• Research problem
• Thesis structure
• Enterprise Single Sign-On Defined
• Literature research
• Case study: Software used
• Risk and threat analysis
• Results
• Conclusions - Benefits
Research problem
• Present approach of enterprise single sign-on
– Why should a user have only one user id and password?
– Why are enterprises interested in single sign-on?
– What kind of architecture does a single sign-on solution have?
– What are the risks of using single sign-on?
– What are the benefits of an enterprise single sign-on solution?
– What is the ROI of an enterprise single sign-on solution?
Thesis structure
(Figure: chapter overview of "Secure Authentication and Authorization Portal Based on Single Sign-On")
• Introduction
• Theory
– Market demand for single sign-on
– Authentication technologies and directories
• Case study of Single Sign-on
• Risk and Threat Analysis
• Single sign-on standardization
• Conclusions
Enterprise Single Sign-On Defined
• Users need only one password for access to all applications and systems
• Users log on to the corporate network once at the start of their workday
• Users immediately have access to all necessary password-protected applications
• Users don't need to remember multiple passwords
• Users don't have to write down their passwords
• Users don't have to use easy-to-guess passwords, which potentially expose applications to unauthorized users
Literature research: authentication technologies
• SECURE USER IDENTITY TECHNOLOGIES
– PKI
• X.509
– Smart card
– Electronic Identification Card (HST)
– One-time password
• Biometrics
– Fingerprints
– Iris codes
• USER AUTHENTICATION IN COMPUTER NETWORKS
– Unix
• Kerberos
– Windows
• Windows NT LAN Manager (NTLM)
– Web-based authentication
• HTTP
• SSL and HTTPS
Literature research: authentication
• USER AUTHENTICATION IN TELECOMMUNICATION
NETWORKS
– Mobile Terminals
– PDA
– Authentication, Authorization and Accounting (AAA)
• RADIUS
• Diameter
– GSM
– WAP
• WTLS (Wireless Transport Layer Security)
• WPKI
• POLICY BASED NETWORKS
• DIRECTORIES
– LDAP
– Windows 2000 Active Directory
– Metadirectory
Literature study: single sign-on tech: SAML
• SAML
– Security Assertion Markup Language (SAML) is an XML-based security standard by OASIS for exchanging authentication and authorization information
• SAML is an XML-based security framework for exchanging security information
• Security information is expressed in the form of assertions about a subject
– A subject is an entity, which can be either a human or a computer
– Each entity has an identity in some security domain
– A typical example of a subject is a person identified by his e-mail address in a particular Internet DNS domain
• Assertions are represented as XML constructs
• SAML defines a binding, which is Simple Object Access Protocol (SOAP) over HTTP
Literature study: single sign-on tech: SAML
• In SAML, identifiers are defined as Uniform Resource Identifiers (URIs) for the following authentication methods:
– Password
– Kerberos
– Secure Remote Password (SRP)
– Hardware Token
– SSL/TLS Certificate Based Client Authentication
– X.509 Public Key
– PGP Public Key
– SPKI Public Key
– XKMS Public Key
– XML Digital Signature
– Unspecified
SAML: Application chain
1. Web user authenticates with the enterprise security system (authentication can be through the Web server)
2. Enterprise security system provides an authentication reference to the Web user
3. Web user requests a dynamic resource from the Web server, providing the authentication reference
4. Web server requests an application function from the application on behalf of the Web user, providing the Web user's authentication reference
5. Application requests the authentication document from the enterprise security system, corresponding to the Web user's authentication reference
6. Enterprise security system provides the authentication document, including authorization attributes for the Web user and the authn event description
7. Application performs the application function for the Web server
8. Web server generates the dynamic resource for the Web user
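The eight-step chain above, as an added Python example that is not part of the thesis and not code from any SAML implementation: the enterprise security system issues an opaque authentication reference, the Web server forwards it to the application, and the application resolves it back to an authentication document carrying the authn method and the authorization attributes before it performs the function. The subjects, passwords, the "role" attribute and the "approve_purchase" and "view_catalog" functions are constructed; the password AuthenticationMethod URI is the SAML 1.0 identifier as I recall it from the specification; and the back-channel lookup is an in-process call standing in for the SOAP-over-HTTP binding.

```python
import secrets
import time
from dataclasses import dataclass

# SAML 1.0 AuthenticationMethod identifier for password authentication
# (as I recall it from the SAML 1.0 core specification; the slides list only the method names).
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


@dataclass
class AuthnDocument:
    """Stand-in for the authentication document of step 6: who the subject is,
    how and when they authenticated, and their authorization attributes."""
    subject: str          # e.g. a person identified by e-mail address in a DNS domain
    authn_method: str     # AuthenticationMethod URI of the authn event
    authn_instant: float  # time of the authentication event
    attributes: dict      # authorization attributes for the subject


class EnterpriseSecuritySystem:
    """Steps 1, 2, 5 and 6: authenticates the user, issues an opaque
    authentication reference, and later resolves that reference to a document."""

    def __init__(self):
        # Constructed user store: subject -> (password, attributes)
        self._users = {
            "alice@example.com": ("s3cret-pw", {"role": "manager"}),
            "bob@example.com": ("bob-pw", {"role": "clerk"}),
        }
        self._docs = {}   # authentication reference -> AuthnDocument

    def authenticate(self, subject, password):
        record = self._users.get(subject)
        if record is None or record[0] != password:
            return None                        # step 1 failed: no reference is issued
        doc = AuthnDocument(subject, AM_PASSWORD, time.time(), dict(record[1]))
        ref = secrets.token_urlsafe(16)        # step 2: unguessable reference
        self._docs[ref] = doc
        return ref

    def resolve(self, ref):
        # Steps 5/6: back-channel lookup (SOAP over HTTP in real SAML).
        # A reference the system never issued resolves to nothing.
        return self._docs.get(ref)


class Application:
    """Steps 5 and 7: fetches the document for the reference it was handed and
    decides on the requested function from the authorization attributes."""

    def __init__(self, ess):
        self._ess = ess

    def perform(self, function, ref):
        doc = self._ess.resolve(ref)
        if doc is None:
            return ("denied", "unknown authentication reference")
        # Constructed authorization rule: approving a purchase needs the manager role.
        if function == "approve_purchase" and doc.attributes.get("role") != "manager":
            return ("denied", f"{doc.subject} lacks the manager role")
        return ("ok", f"{function} performed for {doc.subject} ({doc.authn_method})")


class WebServer:
    """Steps 3, 4 and 8: passes the user's reference to the application and
    renders the dynamic resource from the application's answer."""

    def __init__(self, app):
        self._app = app

    def get_resource(self, function, ref):
        status, detail = self._app.perform(function, ref)
        return f"<html><body>{status}: {detail}</body></html>"


def run_chain(subject, password, function):
    """Drive all eight steps once and return the page the user would see."""
    ess = EnterpriseSecuritySystem()
    server = WebServer(Application(ess))
    ref = ess.authenticate(subject, password)        # steps 1-2
    if ref is None:
        return "<html><body>denied: authentication failed</body></html>"
    return server.get_resource(function, ref)        # steps 3-8


def run_with_forged_reference(function):
    """Same chain, but the user presents a reference the system never issued."""
    ess = EnterpriseSecuritySystem()
    server = WebServer(Application(ess))
    return server.get_resource(function, secrets.token_urlsafe(16))


if __name__ == "__main__":
    print(run_chain("alice@example.com", "s3cret-pw", "approve_purchase"))
    print(run_chain("bob@example.com", "bob-pw", "approve_purchase"))
    print(run_chain("alice@example.com", "wrong", "approve_purchase"))
    print(run_with_forged_reference("approve_purchase"))
```

The point the chain makes is that the Web server never sees a password or the attributes; it only relays a reference, and the application decides on the attributes it fetches itself from the security system, so a forged reference yields nothing to act on.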
Literature study: Project Liberty
• Project Liberty, or the Liberty Alliance, is the code name for an initiative announced to address open standards development in network identity and end-user privacy, as an alternative to Microsoft's Passport
• Goals of the Project:
– Enable consumers to protect the privacy and security of their network identity information
– Enable businesses to maintain and manage their customer relationships without third-party participation
– Provide an open single sign-on standard that includes decentralized authentication and authorization from multiple providers
– Create a network identity infrastructure that supports all current and emerging network access devices
.NET Passport authentication process
• The .NET Passport authentication is based on the link from the participating site to the Microsoft Passport site
• When a user tries to access a protected Web page within a participating site that requires authentication before allowing access, a redirect is made to the Passport site
• .NET Passport compares the user's credentials to the credentials saved in the Passport database
• If the credentials match, the user is authenticated and the PUID and .NET Passport profile are extracted from the database
• After that the .NET Passport server creates three cookies:
– The Ticket cookie, which includes the PUID and a time stamp
– The Profile cookie, which stores the user profile
– The Participating site cookie, which stores a list of the sites to which the user has signed in
Literature study: Microsoft .NET Passport
• The goal of .NET Passport is to make online purchasing via the Internet easier and faster
• .NET Passport provides the user the Single Sign-In (SSI) service using a large user base and powerful encryption technologies such as Secure Socket Layer (SSL) and the Triple Data Encryption Standard (3DES) algorithm for data protection
• Single Sign-In (SSI) is the key service of .NET Passport
• SSI provides a common Internet authentication mechanism across participating Web sites
• Users can create a single sign-in name and password for use across participating .NET Passport sites
• .NET Passport reduces the need for consumers to remember multiple sign-on names and passwords
• .NET Passport can provide a unique Passport ID (PUID) for every user
.NET Passport authentication process
(Figure: .NET Passport SSI process)
1. Initial page request
2. Redirect for authentication
3. Authentication request
4. Authentication response and cookies (ticket and profile)
5. Authentication request and cookies (ticket and profile)
6. Web page, authentication and cookies (profile)
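The cookie side of the SSI process, as an added Python example that is not code from the thesis or from Microsoft: the Passport server checks the credentials (steps 3-4), mints the Ticket, Profile and Participating site cookies, and the participating site accepts the Ticket only while its time stamp is fresh (steps 5-6). The slides do not say how a site tells a genuine ticket from a tampered or forged one; the per-site HMAC key, the 3600-second validity window, the PUID value and the user records are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Assumptions not stated on the slides: the Passport server and each participating
# site share a per-site key, and every cookie carries an HMAC over its body so the
# site can reject a tampered or forged cookie. Both values are constructed.
SITE_KEY = b"constructed-per-site-key"
TICKET_MAX_AGE = 3600          # seconds a Ticket cookie stays acceptable (assumption)


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def make_cookie(payload, key=SITE_KEY):
    """Serialize a cookie payload and append its MAC: '<body>.<mac>'."""
    body = _encode(payload)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def read_cookie(cookie, key=SITE_KEY):
    """Return the payload if the MAC verifies, otherwise None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class PassportServer:
    """Steps 3 and 4 of the SSI process: compare the credentials with the
    Passport database and create the three cookies on success."""

    def __init__(self):
        # Constructed Passport database: login -> (password, PUID, profile)
        self._db = {"alice": ("s3cret-pw", "0x0123456789ABCDEF", {"nickname": "Alice"})}

    def authenticate(self, login, password, site, now, sites_cookie=None):
        record = self._db.get(login)
        if record is None or record[0] != password:
            return None                                  # no cookies, no sign-in
        _, puid, profile = record
        previous = read_cookie(sites_cookie) if sites_cookie else None
        sites = list(previous["sites"]) if previous else []
        if site not in sites:
            sites.append(site)
        return {
            "ticket": make_cookie({"puid": puid, "ts": now}),    # PUID + time stamp
            "profile": make_cookie({"puid": puid, **profile}),   # user profile
            "sites": make_cookie({"sites": sites}),              # sites signed in to
        }


def participating_site_check(ticket_cookie, now):
    """Steps 5/6 on the participating site: accept the Ticket only if it is
    intact and fresh; anything else sends the user back to Passport."""
    ticket = read_cookie(ticket_cookie)
    if ticket is None:
        return None                                  # forged or corrupted
    if not 0 <= now - ticket["ts"] <= TICKET_MAX_AGE:
        return None                                  # stale (or dated in the future)
    return ticket["puid"]


def demo():
    """Sign in to two sites and run the checks a participating site would do."""
    server = PassportServer()
    t0 = 1_000_000                                   # constructed clock value
    first = server.authenticate("alice", "s3cret-pw", "shop.example", t0)
    # Signing in to a second site carries the existing Participating site cookie.
    second = server.authenticate("alice", "s3cret-pw", "mail.example", t0 + 10, first["sites"])
    # A ticket minted without the real site key has a MAC the site will not accept.
    forged = make_cookie({"puid": "0xFEEDFACE", "ts": t0}, key=b"attacker-guess")
    return {
        "fresh": participating_site_check(first["ticket"], t0 + 60),
        "stale": participating_site_check(first["ticket"], t0 + TICKET_MAX_AGE + 1),
        "forged": participating_site_check(forged, t0 + 60),
        "wrong_password": server.authenticate("alice", "nope", "shop.example", t0),
        "sites": read_cookie(second["sites"])["sites"],
    }


if __name__ == "__main__":
    print(demo())
```

The time stamp in the Ticket cookie is what limits the damage of a copied cookie: the site rejects a ticket outside its window, so a stolen ticket only works until the window closes and the user is redirected to Passport again.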
Commercial authentication and authorization portals
• Centralizing user management is an effective way to reduce the number of usernames
• One reason why there is no universal standard for single sign-on is that the user's digital identity is not standardized
• Corporate authentication systems must support multiple means of identity: user ID and password, certificates, wireless authentication, third party (SecurID, smart cards, PKI), and also enable new mechanisms to be added easily
• An authentication and authorization portal provides simple, secure access to critical information
• A centralized authentication and authorization portal can support multiple authentication mechanisms:
– Basic authentication
– Basic authentication over SSL
– Smart card (HST)
– Forms-based authentication
– PKI/X.509 certificates
– Combination of passwords and certificates
– Custom or third-party schemes
– Biometric authentication
Federated identity management
• Federated identity management provides a standardized mechanism for simplifying identity transformation and identity management across enterprise boundaries
• Federation services
– Engage in trust relationships and share identity information
• Trust services
– Federation relationships require a trust relationship-based federation between business partners
• Single sign-on services
– Provide single sign-on across federations
• Authorization services
– Responsible for providing access decision point functionality
• Authentication services
– Provide the functionality required to evaluate and validate user-provided credentials. Evaluate credentials such as a username and password, or SecurID token passphrases. Invoke some back-end data store, such as an LDAP registry or a SecurID token server, to validate these credentials.
• Session management services
– Manage a user's session life cycle, from session creation, to session access, to session deletion
• Key services
– Provide access to key stores used by a Trust service and allow a Trust service to plug in/access different key stores as required
• Identity services
– Provide the interface to local data stores, including user registries and databases; an identity service is able to add, delete, and look up information
Tivoli FIM architecture
• (HTTP) browser
– A browser provides an interface between the end user and the infrastructure
• Non-HTTP browser
– Non-HTML browsers, such as WAP browsers, are used by agents such as mobile devices
• HTTP Point of Contact (PoC)
– Located in the DMZ
– It is typically an HTTP reverse proxy, a plug-in to a Web server capable of authenticating a user and managing a session for that user
– The HTTP PoC will invoke (when required) single sign-on services
• Tivoli Federated Identity Manager functionality
– Implements the single sign-on (SSO) services
– A FIM component must communicate with the HTTP PoC for the purposes of completing single sign-on and single sign-off functionality
– It also integrates with a data store (such as a user registry) for management of the user attributes and user aliases
• User registry/data store
– The user registry/data store is used for two distinct purposes: alias management and attribute management
Case study: Goal
The goal of this case study was to design a solution for the company which partly enables single sign-on and also makes the management of users in the company easier than it is today.
Drawbacks of Passwords
• Too many passwords. Assume each user has a unique password for each application he uses. In an enterprise with 10,000 employees using two dozen applications each, that's 240,000 different passwords for IT to manage, creating enormous administrative complexity and burden.
• Weak passwords. Users choose easy-to-remember passwords, the simplicity and obvious nature of which provide a lower level of security.
• Lazy users. Do you use your birthday, social security number, name, or some combination for any of your passwords?
• Reliance on human memory. There are two types of users: those who write down their passwords, and those who don't. The latter rely on memory for password recall, the performance of which declines in direct proportion to both the complexity and number of passwords. If each user in a company of 10,000 employees makes one password reset call to the IT help desk per month, and the cost is 25 euros per call, the annual password reset bill comes to 3 million euros a year.
• Easily obtained. As for those users who write down passwords, they naturally do it in easily remembered places.
Drawbacks of Passwords
• Easy to steal. Many desktops allow Windows to automatically fill in the password data. If the individual application passwords are stored on the desktop in unsecured cookies, then spyware, worms, and other malicious code can easily steal the passwords and other account information.
• Easy to hack. Cyber-thieves have easy access to a wide range of "password crackers", software specifically designed to decipher passwords.
• Phishing. The user is sent an e-mail asking him for his password.
Software of the case : AM
IBM Tivoli Access Manager (AM) for e-business
• Policy-based access control solution for e-business and enterprise applications
• AM lets organizations control both wired and wireless access to applications and data, keeping unauthorized users out
• AM integrates with e-business applications to deliver a secure, personalized e-business experience for authorized users
• AM integrates security for key CRM, ERP, and SCM e-business solutions, as well as enhancements for securing J2EE-conforming applications running on WebSphere Application Server or BEA WebLogic Server
Software of the case : TIM
• IBM Tivoli Identity Manager provides policy-based identity management across legacy and e-business environments
• Intuitive Web administrative and self-service interfaces integrate with existing business processes to help simplify and automate managing identities, improving administrator productivity
• It incorporates a workflow engine and leverages identity data for activities such as audit and reporting
Three key benefits of IBM Tivoli Identity Manager are:
• Reduces costs through centralized user management
• Increases productivity through automated workflow and delegated administration
• Quickly realizes ROI by bringing users, systems and applications online faster
IBM Tivoli Identity Manager provides a single point for managing users, and a consistent access control policy that integrates with the existing environment
Software of the case : TAMESSO
The Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) solution supports different types of user authentication:
• passwords
• smart cards
• biometrics
Benefits of TAMESSO
• It can store user credentials and its own system settings and policies in any LDAP directory or one of several databases
• The administrative console simplifies administrative tasks by automatically recognizing and configuring applications for sign-on with minimal effort by the administrator
• Users experience simple enterprise single sign-on while connected to or disconnected from the corporate network, and while roaming between computers
Software of the case : TAMESSO
• TAMESSO helps you:
– Automate sign-on and eliminate users' need to manage passwords
– Enhance security with automatic password management
– Extend audit and reporting capabilities to include user sign-on data
– Generate a quick payback and high return on investment (ROI) with a solution that is quick and simple to deploy and reduces help desk costs
– Secure enterprise single sign-on for end users
– Enhance productivity by simplifying the user experience
– Reduce help-desk costs related to passwords and optimize security by eliminating poor password management by end users
Software of the case : TAMESSO
• TAMESSO is designed to help organizations in their security with:
– Any form of user authentication - Microsoft Windows login, smart card, biometric, token and more
– Any enterprise application - client/server, Java, Web, legacy or homegrown
– Any enterprise infrastructure - directory, database, network file share and so on
– Any work mode - desktop, offline, kiosk and shared workstation
– The TAMESSO Provisioning Adapter provides a high level of administrative control. For example, when application passwords are reset in TIM, TAMESSO is simultaneously updated so that it always has the correct password
– TAMESSO synchronizes with the database or directory:
– it reads and processes the provisioning instructions and updates the entries as needed in its local credential cache
– it may add, modify or delete credentials in the appropriate user's local credential cache
– it synchronizes the credentials back to the database or directory object for that user
Software of the case : TAMESSO
The TAMESSO Provisioning Adapter includes the following components:
• Server - accepts account credential provisioning information and communicates that information to TAMESSO clients by placing provisioning instructions into the directory or data store they use
• Console - provides a Web-based administration GUI for communicating with the server
• Command line interface (CLI) - enables applications and administrators to communicate with the server
• Connector (Java-based class library) - integrates the server and Tivoli Identity Manager through the CLI
The operational architecture
• Internet: global network which connects millions of computers.
• Internet DMZ: controlled zone that contains components with which uncontrolled clients may directly communicate.
• Production zone: restricted area, which means that all connections are strictly controlled and direct access from uncontrolled networks is not permitted.
• Management zone: one or more network zones may be designated as secured zones. Access is only available to a small group of authorized staff.
• Intranet: like the Internet DMZ, the corporate intranet is generally a controlled zone that contains components with which clients may directly communicate.
Case study-integration of two-factor authentication
• Advanced authentication typically requires two forms of authentication:
– One is something the user knows, such as a password or PIN.
– The second form of authentication is something the user either has - an authentication device like a token or smart card - or something the user is: a biometric like a retinal scan, voice print, or fingerprint.
• With two-factor authentication, security for the network is essentially doubled by requiring users to present not one but two forms of identification: a password and an authentication device.
• Without both the password and the hardware, a user cannot access all of her applications (in graded two-factor authentication, a user who has lost her smart card but remembers her password can get limited access to some functionality on the network until she receives a new card).
• The company's advanced authentication system requires two identification factors to gain network access: (1) a smart card and (2) a personal identification number (PIN).
Case study-integration of two-factor authentication
Here’s how the system works:
1. Each employee receives a smart card. The user’s identity information is embedded in
two of the card’s three chips.
2. The smart card is integrated with the SSO system.
3. Digital certificates for logon, encryption, and digital signatures for all
authorized users are stored in the SSO database.
4. The system handles both building and network access with a single solution.
Employees must insert their smart card at the door to gain entry into their building.
5. Once at their desktop, employees insert their smart card into a card reader on their
PC or laptop and enter a one-time password to activate the card-management system.
6. The card management system asks a series of questions. By answering correctly,
employees prove they are authorized users.
7. The v-GO SSO system binds the card to the end user. It downloads to the card’s third
chip a set of digital certificates for logon, encryption, and digital signatures.
8. For added security, SSO also binds the end user’s identity certificates stored
on the smart card to v-GO SSO’s list of applications passwords.
9. After activation, the card logs users onto the network and their desktops.
10. With the desktop logon now downloaded onto the card, the smart card is the only
credential needed for end users to access network resources.
Case study-integration of two-factor authentication
• Importantly, user application passwords are stored in an encrypted database in the SSO platform, and not on the smart card. Therefore, if a smart card is lost or stolen, the person coming into possession of the badge does not possess any of the user's application passwords.
• Cost of system implementation was 50 euros per user for the cards, card readers, and software.
• According to the company's IT department, ROI was immediate, and included a 70% reduction in the nearly 4,000 password resets the business was performing each month.
Risk and threat analysis
The most common security risks in the enterprise are:
• Virus threats
• Unauthorized access to Web servers
• Denial of service threats
• Unauthorized access to services
• Hacking of passwords
Possible security threats are:
• Unauthorized access by an external attacker
• Unauthorized access by an internal hacker
• Eavesdropping on confidential data or personally identifiable data on the network
• Misuse by users from the internal network
• Misuse by customers from the Internet
Possible vulnerabilities are:
• Insecure systems or applications
• Lost or stolen passwords
• Application failures
Risk and threat analysis
• Based on the risk assessment, the security of the portal can be improved as follows:
Improve security to control access to servers:
– Use complex, safe passwords
– Use security zones to control access to sensitive servers and applications
– Use firewalls or other gateways to control communication between different security zones. Block unwanted traffic and monitor authorized traffic.
– Use a reverse proxy at the edge of the network with authentication and authorization capabilities to control access to the information
– Place critical service and support servers in separate networks and block access using routers or firewalls
– Use a secure communication protocol like SSL whenever possible
Risk and threat analysis
Improve system security to control activity on systems:
– Remove unneeded components, for example insecure programs like ftp and telnet, if possible
– Manage accounts on systems very closely, for example delete accounts that are no longer used
– Install security components, for example system auditing tools and integrity checking tools
– Check and update all default settings, for example password rules or impersonal accounts
– Enable system and application logging and send event information to a remote logging server
– Monitor usage of all interfaces for users and administrators in order to detect misuse
"Hacking of passwords"
An attacker breaks the system's user name-password pairs by means of special programs designed for this purpose. Modern programs are very sophisticated, including many other breaking techniques than just dictionary attacks. This is very critical for the portal because if the attacker breaks the single password he has access to all client-to-server based applications.
Single sign-on; single point of attack
Single Sign-On enables the user to authenticate once in order to access many resources. Does this single point of authentication also introduce a single point of attack and thereby reduce all network security?
Single sign-on; single point of attack
• Does SSO reduce network security? Let us take a hypothetical scenario of an end-user with a Windows logon and 9 password-protected applications - a total of 10 passwords. Let us assume the following:
– minimum password length is 8 characters
– each password character can be one of 76 characters: upper or lower case alphabetic (52), numeric (10) or special characters (14)
– each password is randomized and unique from every other password
– A hacker who would like to compromise all of these systems using a brute force attack would be faced with the following task:
• 1 password x (76 characters ^ 8 characters) = 1,113 trillion combinations
• 10 passwords = 11,113 trillion combinations
Single sign-on; single point of attack
• Now, with SSO the end-user doesn't need to remember 10 passwords, only one. That password, however, becomes the most obvious point of attack.
– Let us assume that the Windows password is chosen as the single sign-on password, and that therefore the password file is easily available.
– Even if the password length is not changed at all, it will still take a hacker 2,147 days to crack it and obtain all other passwords
– If users didn't change their Windows password in over 5 years, it still wouldn't be cracked
– A dictionary attack using the 30,000 most common words could conceivably crack the Windows password in a few seconds
– If the Windows password policy is constrained such that the password must include at least one numeric or special character in the middle of the password, a dictionary attack no longer works
– The hacker's approach is reduced back to a brute force attack - 5 years to crack the Windows password and thereby obtain all other application passwords.
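The arithmetic behind the two slides above, as an added Python example that is not from the thesis: it recomputes the 76^8 search space (1,113 trillion combinations) and the 2,147-day exhaustion time, compares ten independent random passwords with the single SSO password, and implements the policy check that takes a password out of reach of a plain dictionary attack (a numeric or special character somewhere in the middle). The guessing rate of 6 million attempts per second is my assumption, chosen because it is the rate at which 76^8 candidates take exactly 2,147 days; the five-word list is a constructed stand-in for the 30,000 most common words.

```python
# Assumptions taken from the slides
ALPHABET_SIZE = 76          # 52 letters + 10 digits + 14 special characters
MIN_LENGTH = 8
DICTIONARY_SIZE = 30_000    # "the 30,000 most common words"

# My assumption: the guessing rate that turns 76^8 candidates into the
# slides' 2,147 days (not stated on the slides).
GUESSES_PER_SECOND = 6_000_000

# Constructed stand-in for the common-word dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "football", "sunshine"}


def brute_force_space(length=MIN_LENGTH, alphabet=ALPHABET_SIZE):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet ** length


def in_trillions(space):
    """Express a search space the way the slides do (1 trillion = 10^12)."""
    return space // 10**12


def days_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case days to try every candidate at the assumed rate."""
    return space / rate / 86_400


def separate_versus_sso(n_passwords=10):
    """Candidates an attacker faces with n independent random passwords
    versus the single SSO password that unlocks all of them."""
    one = brute_force_space()
    return {"separate": n_passwords * one, "sso": one}


def meets_policy(password):
    """The slides' constrained policy: at least 8 characters and a numeric or
    special character in the middle (not first, not last). A plain dictionary
    word, or a word with a digit tacked on the end, does not pass."""
    if len(password) < MIN_LENGTH:
        return False
    return any(not c.isalpha() for c in password[1:-1])


def expected_guesses(password, dictionary=COMMON_WORDS, dictionary_size=DICTIONARY_SIZE):
    """Size of the search the weakest applicable attack must perform: the
    dictionary if the password is a plain common word, otherwise the full
    brute-force space for its length."""
    if password.lower() in dictionary:
        return ("dictionary", dictionary_size)
    return ("brute-force", brute_force_space(max(len(password), MIN_LENGTH)))


if __name__ == "__main__":
    space = brute_force_space()
    print(f"{in_trillions(space):,} trillion combinations, {days_to_exhaust(space):.0f} days")
    print(separate_versus_sso(10))
    for pw in ("password", "password7", "pass7word"):
        print(pw, meets_policy(pw), expected_guesses(pw))
```

Run stand-alone it prints the slide figures and shows why "password7" is not enough under the constrained policy while "pass7word" is: the digit has to sit where a dictionary plus a suffix rule will not reach it.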
Single sign-on; single point of attack
• Can SSO actually raise network security?
– A user who has 10 passwords will seek to make his or her life as simple as possible by:
• making them all similar
• making them memorable words
• storing them in the clear on post-it notes, notepad files, etc.
• By using SSO, the following is possible:
– all passwords are randomized
– none are memorable
– none are written down, but rather stored encrypted
Results
• Technology is ready for single sign-on in the enterprise
• SSO brings benefits to the security of enterprises
• Software can be integrated easily - but more standardization is still required - for SSO across enterprise boundaries
• An SSO solution reduces user authentication and authorization costs
• An SSO solution reduces user management costs
• An SSO solution increases user satisfaction
• SSO helps in auditing enterprise security
• SSO makes strong authentication possible in the enterprise network
• Works with popular authentication devices
• Secures and protects applications and credentials at all times
Conclusions - Benefits of SSO
• BENEFITS OF SSO; ESSO offers a number of important advantages to the enterprise:
– Users gain quick and easy access - from any location - to maximize productivity
– Eliminates lost or forgotten passwords - users have just one password to remember
– Lowers user support costs - by virtually eliminating password-related support calls
– Securely stores and manages all passwords - no more searching for lost passwords
– Improves network security - prevents unauthorized users from accessing enterprise applications
– Simplifies administration - you can control password policies from a single console
– Integrates with your IDM solution and scales to any enterprise
Maximizes user productivity
For instance, if you have 10,000 users who spend 1 hour a month looking for passwords, asking for new passwords, or with other authentication problems that prevent them from logging on, and you estimate the value of their time at 60 euros an hour, the cost in lost productivity to your organization is 7,200,000 euros.
Lowers support costs
The ROI from ESSO is generated by reducing password-related calls from users to IT support. For an enterprise with 10,000 users, let's assume that the average user makes two password-related calls to IT support per month. Each call costs 25 euros. The total cost of all password support calls for these users is 500,000 euros a year.
Network security
Implementing ESSO in an Identity Management System improves network security.
Conventional password protection systems entail several security risk factors for the enterprise:
• Passwords users choose for themselves are usually short, simple, obvious, and easy to hack.
• Users are often cavalier about protecting passwords, leaving them scribbled on Post-it notes affixed to their monitor or posted on a wall or bulletin board, in plain view for anyone to see and copy.
Simplifies administration
Most applications are not designed with the needs of network administrators in mind, especially in the area of authentication. Network administration is greatly simplified when administrative functions can be performed by any authorized administrator from a single console. Some SSO solutions can provide this single point of control for the creation, distribution, and maintenance of enterprise application passwords.