Public Key
advertisement
Cryptography Three methods: Symmetric key Asymmetric key Hashing 1 Symmetric Key Encryption • Encryption of almost everything Data at rest: disk encryption, files, data bases Data in motion: SSL/TLS, IPsec • Today’s standards Advanced Encryption Standard: AES-128 and AES-256 Processor hardware acceleration for Galois/Counter Mode (GCM) < 1% performance impact AddRoundKey SubBytes • SDP/PA use AES-256 for ShiftRows MixColumns Single Packet Authorization mutual TLS communication AddRoundKey • Shared key encryption The same key used to encrypt, also decrypts Must be kept secret !!! Very difficult to transmit a secret across an untrusted network The quick brown fox jumps over the lazy dog Encrypt 9e107d9d372bb6826bd81d3542a419d6 The quick brown fox jumps over the lazy dog Decrypt 2 Asymmetric Key (a.k.a. Public Key) Cryptography • Purpose Exchange secrets over an untrusted network Secretly (encrypted) and with integrity (signed) • Only encrypts small pieces of data Message must be smaller than the asymmetric key • Only used for 2 things Asymmetric Key Signature Hash Encrypt symmetric keys (common for data at rest) Encrypt hashes (together known as a “signature”) • Today’s standards Diffie-Hellman, RSA (PKCS#1), Digital Signature Standard (DSS) • SDP/PA use asymmetric key encryption for: Encrypting keys on disk Exchanging symmetric keys during the TLS handshake Generating and validating X.509 certificates David Kravitz Controller Cert subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature 3 Hash (a.k.a. Message Authentication Code or MAC) • Converts an arbitrarily long message into a single number The number is “Unique”– typical values are 2256, 2384, 2512 2256 = 1157920892373160000000000000000000000000000000000000000000000000000000000000000 Approx. # atoms in observable universe • Cannot be reversed Once converted to a hash, cannot be convert back into the message Re-hash the message and compare hashes Same hash means same message message Hash Equal ? Hash • Today’s standards Secure Hash Algorithm 1 (SHA-1) – widely used, considered insecure SHA-2 family of hashes, typical use: 256, 384, 512-bit SHA-3 released Aug 5, 2015 Message Digest 5 (MD5) – considered cryptographically broken • SDP/PA use hashing for: One Time Password (OTP) and GMAC of Single Packet Authorization (SPA) Integrity of TLS handshake X.509 certificates (prior to being encrypted with asymmetric keys) Derivation of TLS symmetric keys and Initialization Vectors (IV) Key Derivation Function (KDF) Km = create master key K1 = H[Km] K2 = H[K1] K3 = H[K2] K4 = H[K3] 4 Cryptography • Only 3 methods Symmetric key encryption Asymmetric key encryption Hashing (MAC) • Almost always used in combination • Example Method for SSL/TLS connection Generate asymmetric keys TLS cypher suite Exchange asymmetric keys Symmetric key encryption Symmetric key & hashing Hash (KDF) Authentication via asymmetric & hashing TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 5 Symmetric Key Encryption with Message Authentication 6 Symmetric Key Encryption Untrusted Network PT Ek Cypher Text (CT) Dk PT 7 Symmetric Key Encryption & Block Cyphers Untrusted Network PT 0 1 Cypher Text (CT) Ek 2 0 0 0 0 0 1 0 1 0 0 1 1 XOR 1 1 0 0 1 0 1 1 1 1 0 1 CT 1 1 0 0 1 1 1 0 1 1 1 0 3 5 PT 3 PT 6 Dk 6 8 Symmetric Key Encryption & Block Cyphers Untrusted Network PT 0 1 Cypher Text (CT) Ek 2 Dk 3 6 PT 3 5 6 PT 0 0 0 0 0 1 0 1 0 0 1 1 CT 1 1 0 0 1 1 1 0 1 1 1 0 XOR 1 1 0 0 1 0 1 1 1 1 0 1 XOR 1 1 0 0 1 0 1 1 1 1 0 1 CT 1 1 0 0 1 1 1 0 1 1 1 0 PT 0 0 0 0 0 1 0 1 0 0 1 1 6 3 5 6 0 1 2 3 9 Symmetric Key Encryption & Message Authentication Untrusted Network PT 0 1 Cypher Text (CT) Ek 2 Dk 3 6 PT 3 5 6 PT 0 0 0 0 0 1 0 1 0 0 1 1 CT 1 1 0 0 1 1 1 0 1 1 1 0 XOR 1 1 0 0 1 0 1 1 1 1 0 1 XOR 1 1 0 0 1 0 1 1 1 1 0 1 CT 1 1 0 0 1 1 1 0 1 1 1 0 PT 0 0 0 0 0 1 0 1 0 0 1 1 6 3 5 6 0 1 2 3 10 Symmetric Key Encryption & Message Authentication Untrusted Network PT 6 CT 3 Cypher Text (CT) Ek 5 6 CT Input XOR out Hash 6 6 7 4 6 1 3 7 5 PT 6 1 1 0 0 1 1 1 0 1 0 1 1 3 5 6 Dk Hi Function XOR 0 6 Func Hi-1 0 2 1 5 2 6 3 4 4 3 5 1 6 77 7 0 3 5 6 1 1 0 0 1 1 1 0 1 0 1 1 Input 6 XOR 6 Hash 7 3 5 6 4 6 1 3 7 5 11 Galois/Counter Mode (GCM) and GMAC 12 Galois/Counter Mode (GCM) and GMAC 0128 IV || 1 1 IV || n n IV || 032 Ek Ek Ek Ek PT1 GHASH0 PTn AD1 ADm CT1 CTn len(AD) || len(PT) len(PT) GHASH1 GHASHm GHASHm+1 GHASHm+n GHASH Ek is the encryption algorithm and key, which is AES 256 PT is Plain Text that gets encrypted into Cypher Text (CT) All blocks are 128 bits in length IV is a 96-bit Initialization Vector, which is a nonce 1st counter block is the IV followed by the 32-bit number “1” The output is the Cypher Text and the Tag AD is Additional Data (that does not get encrypted) TAG 13 Asymmetric Key Cryptography (Public Key) 14 Asymmetric Key Cryptography • Algorithms generate 2 keys Private key is kept private, public key is shared Elliptic curve keys are hundreds of bits RSA keys are thousand bits Message smaller than the key Concerns: 1. How does Alice know it’s Bob’s key? Answer: Public Key Infrastructure • 2 uses 2. If the conversation is recorded And if Bob’s private key is compromised Then attacker can decrypt message Solution: Perfect Forward Secrecy Encrypt a symmetric key Alice encrypt the symmetric key with Bob’s public key So Bob can decrypt with his private key Encrypt a hash (MAC) Alice encrypt the hash with Alice’s private key So Bob can decrypt it with Alice’s public key Math Example (RSA) Alice Message Encryption Cypher Text Decryption Message m me mod n c cd mod n m For example: Symmetric key “e” is Bob’s public key Untrusted Network Bob “d” is Bob’s Private key (me)d ≡ me*d ≡ m1 ≡ m (mod n) 15 Perfect Forward Secrecy • Compromise of long term key Alice Does not compromise past keys • Thought exercise/analogy Diffie-Hellman Ephemeral (DHE) But with buckets of paint* • Thought exercise/small numbers Also from Wikipedia Remember this is not RSA math + a=6 = A = 5^6 mod 23 = 8 Each separately blends their secret color with the common color b = 15 = B = 5^15 mod 23 = 19 Blends 19 + * Wikipedia “Diffie–Hellman key exchange” https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange + Both choose a secret color Exchange • Perfect Forward Secrecy Not encrypted key sent to another Random keys, neither knows both Bob g = common # = 5 p = modulus = 23 Both agree on a common color Each now has the other’s blended color Each separately blends their secret color with the other’s blended color = 19^6 mod 23 = 2 8 + = Both arrive at the same common blended color (a common secret) 8^15 mod 23 = 2 16 Asymmetric Key Summary • 2 uses of asymmetric key Encrypt symmetric key (using receiver’s public) Encrypt hashes (using sender’s private) • RSA math (me)d ≡ me*d ≡ m1 ≡ m (mod n) Crypto of symmetric keys and hashes • Diffie-Hellman analogy Paint buckets (ga)b (mod n) ≡ (gb)a (mod n) Perfect Forward Secrecy Becomes basis for pre-master key 17 Public Key Infrastructure (PKI) 18 Public Key Infrastructure (PKI) • What is it used for? Create and distribute digital certificates Acts as a trusted 3rd party Enables authentication over an untrusted network Certificate Authority (Trusted 3rd Party) • SDP/PA use it for Mutual Authentication of: Clients to Controllers Clients to Gateways Gateways to Controllers Basically, all trust Mutual trust, not just single-ended Mutual Authentication Untrusted Network 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate • How does it work? 19 Initialization of PKI Certificate Authority (CA) Root Cert Root Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Vidder issuer: Vidder Hash Vidder Public ---------------Signature CRL CA OCSP 20 Server Gets a Private Key and Certificate Root Cert Server Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Server issuer: Vidder Hash Server Public ---------------Signature CRL CA OCSP Server Cert subj: Server issuer: Vidder Server Public ---------------Signature 21 PKI Part of TLS Root Cert OCSP Response CRL subj: Vidder issuer: Vidder Vidder Public ---------------Signature Valid certifacate Not expired Not revoked Cert is trusted !!! Good CA Serial # Validity Time Hash Good ---------------Signature OCSP Server Cert Hash Hash Serial # Equal ? Equal ? Original Hash Original Hash subj: Server issuer: Vidder Server Public ---------------Signature Root Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature 22 Client Certificate Client Universal ID Pinned to SDP Rest of Cert Subject Issuer Serial # Hash for Signature Public Key Key Usage see RFC 5280 pg. 29 Signature (not Hashed) 23 Is PKI Broken? • Is it broken? No The technology is sound Certificate Authority (Trusted 3rd Party) • Is it broken in some other way? Yes The hundreds of certificate authorities should not be trusted DigiNotar compromised – Google’s email service was compromised in Iran Root cert injection creates additional trusted websites Sophisticated attack that undermines trust Certificate subject is a name, not an IP address DNS spoofing can fool PKI Requires revocation checking Enables DoS attack of the infrastructure Mutual Authentication Untrusted Network 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate • Does Vidder fix it? Yes Dedicated PKI means only the SDP’s certificate authority is trusted Additional root certs cannot be injected – the one and only root is encrypted on disk Certificate subject is an IP address, not a name – spoofing is not possible OCSP responses are “stapled” – defeating DoS attacks 24 PKI Summary • PKI’s purpose is to Create and distribute digital certificates Act as a trusted 3rd party Enables authentication over an untrusted network Certificate Authority (Trusted 3rd Party) • PKI consists of a root cert and certs derived from it Everyone inherently trusts the root • Certificates can be cryptographically proven Signing proves the certificated hasn’t been altered Signature: encrypts the hash with issuer’s private key Creates a chain of trust that must be validated Mutual Authentication Untrusted Network 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate 1. Private Key 2. Public key / Certificate 3. Trusted Root certificate • The public implementation of PKI is “broken” But the technology is not SDP’s implementation fixes the breakage 25 keyed-Hash Message Authentication Code (HMAC) 26 HMAC • Prove the integrity of a message Send message over an untrusted network Message: encrypted or not Prove it has not been altered Untrusted Network Message Altered • Hash alone will not work Attacker can alter the message Compute the hash for it • Solutions GMAC – shared secret key using Galois field hash Signature – encrypt hash with private key HMAC – shared secret key with SHA hash Untrusted Network Message Hash Altered New Hash 27 HMAC Algorithm • Minor changes to message create major hash differences SHA-2 of “abcedf” is 99afa43d51c4800bae04c2afb4a4aa97c548cba5d61b938cd1935bdc4cb93915 SHA-2 of “abcdefg” is 34541528206d252e76bb2597687112b53aff7f70dd1da1d763dab4c59095bf89 Appending “g” completely changes the hash But, in theory, susceptible to length extension attacks • Therefore the algorithm is defined to be HMAC[K,m] = H[K Where: 0x5C5C… || H[K 0x3636… || m]] K is a secret key, m is the message to be hashed, H is a hash function (e.g., SHA-1, SHA-2) is the XOR function, || is concatenation Key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef XOR = 36363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636 XOR’d key = 37157351bf9dfbd937157351bf9dfbd937157351bf9dfbd937157351bf9dfbd937157351bf9dfbd937157351bf9dfbd937157351bf9dfbd937157351bf9dfbd9 message = 1st 00000000000000000000000000000000 hash = 27160c985407f5131478c099d73032cf32bd8a3f866a0cb1bf96c08a04940517594fe0e9eed02a83accb4286c9537a12d35e9d576c17b7d87836533b8a41959b XOR = 5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c XOR’d key = 5d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b35d7f193bd5f791b3 HMAC = 26fecd895f4fbbfe3e3d2a74e2f545624d3e5889e8e10df41fbb1628a0a7c9dac73ad34064df40904623fb2f3cd64890b63f6d033309eac1e47bf591bd6e964f 28 HMAC in the Software Defined Perimeter (SDP) • Used in Single Packet Authorization (SPA) SPA = UID, CTR, HOTP, GMAC Based on RFC 4226 HOTP = HMAC[K, CTR] Untrusted Network CTR, HOTP HOTP = HMAC[K, CTR] HOTP ?= HMAC[K, CTR] 29 HMAC and SDP/PA • Single Packet Authorization RFC 4226 specifies HMAC for Hashed One-Time Password (HOTP) 30 SDP Device Authentication 1. SPA 2. Mutual TLS 3. Fingerprint 31 SDP Device Authentication Single Packet Authorization (SPA) 32 Attacks on SSL/TLS Name SSLstrip DigiNotar THC-SSL-DOS BEAST CRIME Lucky 13 TIME RC4 biases BREACH goto fail Triple Handshake Heartbleed BERserk Poodle Poodle++ FREAK Bar-mitzvah logjam Date Feb 2009 Sept 2011 Oct 2011 Apr 2012 Sept 2012 Feb 2013 Mar 2013 Mar 2013 Aug 2013 Feb 2014 Mar 2014 Apr 2014 Sept 2014 Oct 2014 Dec 2014 Mar 2015 Mar 2015 May 2015 Attack http to https MitM forged certs DoS attack on SSL Java Applet oracle MitM SPDY compressing oracle MitM CBC padding oracle Browser JavaScript timing oracle MitM RC4 oracle Website redirect, compression MitM counterfeit key via coding error Server MitM on client cert OpenSSL bug MitM PKCS#1.5 padding MitM SSLv3 oracle MitM JavaScript timing oracle MitM negotiation 512 bit key View RC4 MitM downgrade to 512 bit key Unauthorized SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA SPA Authorized Users No http Pinned certs Device deleted Client-based No compression GCM Client-based No cypher negotiation No redirect or compression Pinned dedicated cert Pinned dedicated cert Not single-ended SSL Not Mozilla NSS No cypher negotiation Client-based No key negotiation No RC4 No suite negotiation PrecisionAccess defeats all recent attacks on SSL/TLS by both Unauthorized and Authorized users 33 Single Packet Authorization (SPA) • SPA = UID, CTR, OTP, GMAC • History: Each client has a UID, Seed, CTR, and EK Invented >10 years ago Commonly used for super user ssh access to servers Mitigates attacks by unauthorized users • SPA in the Software Defined Perimeter Spec Based on RFC 4226, "HOTP” HMAC-based One-Time Password Used for hardware/software one time password tokens UID = Universal ID of SDP Client CTR = hashed with seed to create OTP OTP = One-Time Password GMAC = signature of UID, CTR, and OTP for data authentication Seed = shared secret for OTP EK = shared key for GMAC AES-256 OTP = HMAC[seed || CTR] GMAC = EK [UID || OTP || CTR] UID, OTP, CTR, & GMAC are sent as clear text. Counter is increment to mitigate playback attacks SPA occurs before TLS (SSL) connection Mitigates DoS & other TLS attacks by unauthorized users • Highly efficient rejection Defeats DoS & other attacks on SSL 32-bit 64-bit 32-bit 128-bit UID Counter OTP GMAC 34 SDP Device Authentication mutual TLS 35 Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 • EC: • AES256-GCM: Elliptic Curve cryptography Smaller keys / faster math than RSA cryptography • DHE: Diffie-Hellman key exchange algorithm Generates the pre-master keys of GCM Ephemeral keys per session for Perfect Forward Secrecy But not client or server authentication • RSA: Public/private key pair with an X.509 certificate Client and server authentication Vidder’s implementation: Certificates “pinned” to a trusted root certificate Advanced Encryption Standard (NIST FIPS 197) Symmetric key encryption 256-bit key, 128-bit cipher block size Galois/Counter Mode Encryption with simultaneously data authentication PC’s and servers implement GCM in hardware Negligible performance impact • SHA384: Secure Hash Algorithm (member of SHA-2) Generates a 384 bit hash Key Derivation Function (KDF) for generating keys from master Not the hundreds of (possibly compromised) roots browsers trust Employs OCSP stapling (RFC 6066) Forwards the OCSP response with TLS Server hello Reduces the load on the OCSP responder Mitigates a DoS attack of the OCSP responder Mutual TLS Authentication of the client to server & server to client 36 SDP Device Authentication Single Packet Authorization and mutual TLS Handshake Deep Dive for: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 37 Controller’s PKI Certificate Authority (CA) Initialization Root Cert Root Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Vidder issuer: Vidder Hash Vidder Public ---------------Signature CRL CA OCSP PA 38 Controller Initialization Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Hash Ctrl Public ---------------Signature CRL CA Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature OCSP PA 39 Mutual TLS: Client Initialization Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Hash Client Public ---------------Signature CRL CA Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature OCSP PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature Private key put in Certificate Store as Non-Exportable 40 Single Packet Authorization Root Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature CRL SYN/ACK CA SYN ACK Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature OCSP Client Hello Highest SSL version, Ciphers supported, Session Id = 0, SPA RND Client PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 41 Mutual TLS: Client Hello Root Cert CRL subj: Vidder issuer: Vidder Vidder Public ---------------Signature CA Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature OCSP Client Hello Highest SSL version, Ciphers supported, Session Id = 0, Client RND OCSP status PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 42 Mutual TLS: Server Hello Root Cert OCSP Response subj: Vidder issuer: Vidder Vidder Public ---------------Signature CRL Server Hello Selected SSL version, Selected Cipher, Session Id = RND, Server RND Good CA Certificate request (Vidder root only) Server Done OCSP Server Key Exchange βG --------------Signature Cr, Sr, βG Hash Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl Serial # issuer: Vidder Ctrl Public ---------------Signature Serial # Validity Time Hash Good ---------------Signature Random starting point “β” Calculate βG PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 43 Mutual TLS: Client Verifies Server Cert Root Cert Valid cert chain Not expired Not revoked Controller’s cert is trusted !!! βG Equal ? Controller Cert Root Cert Controller Cert Serial # Hash Validity Time Good ---------------Signature Original Hash subj: Ctrl issuer: Vidder Hash Ctrl Public ---------------Signature Original Hash subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature Server Key Exchange βG --------------Signature Cr,Hash Sr, βG Equal ? CA OCSP Response Certificate request (Vidder root only) Server Done Cr,Hash Sr, βG CRL subj: Vidder issuer: Vidder Vidder Public ---------------Signature Equal ? OCSP Server Hello Selected SSL version, Selected Cipher, Session Id = RND, Server RND PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 44 Mutual TLS: Client Key, Client Cert, Verify Client OCSP Response Client Cert Equal ? Valid cert chain Not expired Not revoked Client’s cert is trusted !!! Client is trusted !!! αG subj: Client issuer: Vidder Hash Serial # Client Public ---------------Signature Original Hash CRL Good CA OCSP OCSP Response Equal ? Random starting point “α” Calculate αG Serial # Validity Hash Time Good ---------------Signature Original Hash Serial # Validity Time Hash Good ---------------Signature Certificate Verify Signature Hash Hash All text Equal ? Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature Certificate Verify All text Signature Hash PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 45 Mutual TLS: Calculate Final ECDH Key, Derive Session Keys CRL Find point ECDH on the elliptic curve Premaster key (Kpm) = x coord of ECDH Master Key (Km) = PRF(Kpm, "master secret", Cr, Sr) Iterate PRF(Km, "key expansion", Sr, Cr) for AES keys: Client Key, Server Key, Client IV, Server IV Created α Received βG ECDH = α(βG) Created β Received αG ECDH = β(αG) CA Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature OCSP PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 46 Mutual TLS: Client Change Cipher Spec, Server Integrity Check Client Cert subj: Client issuer: Vidder Client Public ---------------Signature CRL CA OCSP Certificate Verify Signature Hash Hash All text Equal ? Change Cypher Spec Root Cert Controller Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature Certificate Verify All text Signature Hash PA Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 47 Mutual TLS: Server Change Cipher Spec, Client Integrity Check Client Cert subj: Client issuer: Vidder Client Public Change ---------------Cypher Spec Signature CRL CA OCSP Certificate Verify All text Signature Hash Controller Cert Root Cert Controller Cert subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Ctrl issuer: Vidder Ctrl Public ---------------Signature PA Certificate Verify Signature Hash All text Hash Equal ? Root Cert Client Cert subj: Vidder issuer: Vidder Vidder Public ---------------Signature subj: Client issuer: Vidder Client Public ---------------Signature 48 Security Assertion Markup Language (SAML) 49 Security Assertion Markup Language • SAML Open standard for browser-based Single Sign-On Typically, extends Active Directory Widely adopted enterprise solution Business-to-business apps & SaaS Service of AD (ADFS) and, soon, Azure • Defines 3 rolls Principle – the user or device Service Provider (SP) – the app to accessed Identity Provider (IdP) – authenticates and authorizes the Principle to the SP 50 Typical Operation Website with SAML SP plugin IdP connected to AD: read access Client wants access to website Intercepted by SP, no valid cookie http 302 redirect to IdP Web Server (e.g., Apache) Identity Provider (IdP) Web page Server SP cookie Plugin Signed Auth’n Request Member of AD Domain Active Directory (AD) Read Access Port 584 Valid Groups Signed Username IdP Session Password cookie XML IdP requests credentials (can be MFA) User provides credentials Call made to AD 2 things returned: Cookie to the IdP Session XML file to the server SP validates signature Completes request to web server Client receives web page, cookie get URL Name x5hwotb 51
