OPeNDAP/HTTP Security Issues - PowerPoint PPT Presentation

Slides: 38
Provided by: car97
Transcript and Presenter's Notes

1
OPeNDAP/HTTP Security Issues
  • John Caron
  • Unidata

2
HTTP BASIC Authentication
GET http://server:8080/thredds/dodsC/request.dds
challenge
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Basic realm="TDS"
Obtain password
GET http://server:8080/thredds/dodsC/request.dds
Authorization: Basic username:password
HTTP/1.x 200 OK
Data
3
BASIC Authentication
  • When challenged, client must be able to respond
    with username/password
  • 2x messages; can preemptively authenticate
  • Protection space (authentication scope): all
    paths at or below current URI
  • (server:port/path/, Realm, authentication scheme)
  • Problem: password is clear text

4
HTTP Digest Authentication
GET http://server:8080/thredds/dodsC/request.dds
challenge
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Digest realm="TDS", qop="auth",
  nonce="6a7bdac5def00457ab6654ac333ad7dc",
  opaque="2aeea813b88a52a2fed10653f8346b88"
Obtain password, calculate digest
GET http://server:8080/thredds/dodsC/request.dds
Authorization: Digest username="tigge", realm="TDS",
  nonce="6a7bdac5def00457ab6654ac333ad7dc",
  uri="/thredds/dodsC/request.dds",
  response="5b76b64babb0ca64b62a3282a8693202",
  opaque="2aeea813b88a52a2fed10653f8346b88",
  qop=auth, nc=00000001, cnonce="082c875dcb2ca740"
HTTP/1.x 200 OK
Data
5
DIGEST Authentication
  • Response is a digest of (user, password, realm,
    nonce). Nonce prevents replay attacks.
  • Client must be able to calculate digests
  • Handled by network libraries
  • Nonce complicates preemptive authorization
  • Unique nonce doubles the messages
  • Timeout nonce: window of vulnerability
  • Next nonce sent with previous response: can't
    pipeline
  • Protection space: all URIs on the server, or
    specify explicitly with WWW-Authenticate header

6
Digest Authentication
  • Cryptographically not as strong as public key
    encryption
  • Need careful nonce handling for pre-emptive
    authorization without vulnerability
  • Vulnerable to man-in-the-middle attacks
  • Inability for client to validate the server
  • Storing passwords on the server, even encrypted,
    is a problem if server is compromised
  • Message not encrypted (no confidentiality)
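The two Digest slides above describe the response computation and the replay protection that the nonce and nonce count provide. The following is an added worked example, not code from the presentation or from the TDS project: the client-side digest for the qop=auth form shown on slide 4, a parser for that Authorization header, and a server-side verifier that keeps only HA1 (not the clear password) and rejects a header whose nonce count has not advanced. The realm "TDS", the URI and the cnonce value are taken from the slide; the password and the nonce are constructed here.

```python
import hashlib
import re
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client side: RFC 2617 request-digest for qop=auth, i.e. the
    'response' field on slide 4. nc is the 8-hex-digit nonce count."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, realm, method, uri, nonce, opaque, nc, cnonce):
    """Client side: assemble the Authorization header in the form shown on slide 4."""
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", opaque="{opaque}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}"')


def parse_digest_header(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quotes stripped)."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[7:]):
        fields[key] = quoted if quoted else bare
    return fields


class DigestVerifier:
    """Server side. Stores HA1 = MD5(user:realm:password) rather than the
    clear password, issues fresh nonces, and remembers the highest nonce
    count accepted per nonce so a captured header cannot be replayed."""

    def __init__(self, realm):
        self.realm = realm
        self._ha1 = {}      # username -> HA1
        self._nonces = {}   # nonce -> highest nc accepted so far

    def add_user(self, username, password):
        self._ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self):
        """Return the nonce to put in a 401's WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, method, authorization):
        p = parse_digest_header(authorization)
        nonce = p.get("nonce")
        if nonce not in self._nonces:
            return False            # unknown (or already expired) nonce
        nc = int(p.get("nc", "0"), 16)
        if nc <= self._nonces[nonce]:
            return False            # nonce count did not advance: replay
        ha1 = self._ha1.get(p.get("username"))
        if ha1 is None or p.get("realm") != self.realm:
            return False
        ha2 = _md5(f"{method}:{p.get('uri', '')}")
        expected = _md5(f"{ha1}:{nonce}:{p['nc']}:{p.get('cnonce', '')}:auth:{ha2}")
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False
        self._nonces[nonce] = nc    # advance the window only on success
        return True

    def expire(self, nonce):
        """Server-side nonce timeout (slide 5): later use of this nonce fails."""
        self._nonces.pop(nonce, None)
```

The verifier illustrates the trade-off the slides name: a timed-out nonce closes the replay window, but it also forces the extra challenge round trip that makes pre-emptive authorization awkward.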

7
HTTPS Authentication
GET https://server:8443/thredds/dodsC/request.dds
challenge
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Basic realm="TDS"
Obtain password
GET https://server:8080/thredds/dodsC/request.dds
Authorization: Basic username:password
HTTP/1.x 200 OK
Data
8
HTTPS Authentication
  • Client must be able to use TLS (Transport Layer
    Security), aka SSL
  • Certificates: server (required), client
    (optional)
  • Encryption (CPU intensive)
  • But handled by network libraries
  • No replay, no man-in-the-middle, content is secure
  • Problem: cost
  • SSL socket setup: 2 extra roundtrips (?)
  • Data is encrypted

9
HTTPS/TLS cost
Fig. 10. Throughput in hits/sec. Percentages show
the throughput relative to non-TLS Apache on
the same platform. Average file size 46KB.
TLS imposes a factor of 3.4 to 9
overhead. Faster CPUs will eventually bridge
the gap.
Source: Cristian Coarfa, Peter Druschel, and Dan S. Wallach
(Rice University), "Performance Analysis of TLS Web Servers",
ACM Transactions on Computer Systems, Vol. 24, No. 1,
February 2006.
10
SSL Benchmarks
  • SPECweb2005 (300)

11
Central Authentication Service Single Sign On
(SSO)
  • Open source, Yale/JA-SIG
  • Server Java Servlet, pluggable Authentication
  • Clients in Java, Acegi/Spring, Perl, PHP, Ruby,
    .NET, Zope, etc.

12
CAS SSO
GET http://server:8080/data/request.nc.dds
HTTP/1.x 302 Moved Temporarily
Location: https://server:8443/cas/login?orgURL
Set-Cookie: TDS; Path=/thredds
GET https://server:8443/cas/login?orgURL
HTTP/1.x 201 OK
Login Page
POST /cas/login?service=orgURL
  username=test&password=test&lt=LT-0-rFsBI72KV4A9bXbhVwcA
HTTP/1.x 302 Moved Temporarily
Location: http://server:8080/data/request.nc.dds?ticket=<id>
Set-Cookie: CAS; Path=/cas
GET http://server:8080/data/request.nc.dds?ticket=<ticket>
Cookie: TDS
HTTP/1.x 201 OK
13
CAS SSO logged in
GET http://server:8080/data/request.nc.dds
HTTP/1.x 302 Moved Temporarily
Location: https://server:8443/cas/login?orgURL
Set-Cookie: <sessionID>; Path=/thredds
GET https://server:8443/cas/login?orgURL
Cookie: CAS
HTTP/1.x 302 Moved Temporarily
Location: http://server:8080/data/request.nc.dds?ticket=<id>
GET http://server:8080/data/request.nc.dds?ticket=<ticket>
Cookie: <sessionID>
HTTP/1.x 201 OK
14
TDS logged in
GET http://server:8080/data/request.nc.dds
Cookie: TDS
HTTP/1.x 201 OK
Set-Cookie: TDS-2
15
Session Cookies
  • Vulnerable to replay attack: session hijack
  • Change cookie each time
  • back button may not work
  • Keep track of user's IP: hard to get responses
    back if IP is spoofed
  • Users with variable IP addresses (use FF.FF.FF.00
    or FF.FF.00.00 masks)
  • No longer stateless: logged in
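The slide lists two mitigations for session hijack: rotate the cookie on every request and bind the session to the client's IP, relaxed to a network mask for users whose address varies. As an added example (not code from the presentation or from TDS), here is a small session store that does both. The mask is expressed as a prefix length, so 24 corresponds to the FF.FF.FF.00 case and 16 to FF.FF.00.00; the `now` parameter exists so expiry can be exercised deterministically.

```python
import ipaddress
import secrets
import time


class SessionStore:
    """Session cookies with the two mitigations on slide 15: the cookie is
    rotated on every request, and the session is bound to the client's
    network (mask_bits=24 is the FF.FF.FF.00 case, 16 is FF.FF.00.00)."""

    def __init__(self, mask_bits=24, ttl=600):
        self.mask_bits = mask_bits
        self.ttl = ttl
        self._sessions = {}   # cookie value -> {"user", "net", "expires"}

    def _network(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.mask_bits}", strict=False)

    def login(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._sessions[token] = {"user": user, "net": self._network(client_ip),
                                 "expires": now + self.ttl}
        return token

    def validate(self, token, client_ip, now=None):
        """Return (user, fresh_cookie) or None. The presented cookie is
        consumed either way, so a replayed one is dead after one use."""
        now = time.time() if now is None else now
        sess = self._sessions.pop(token, None)
        if sess is None or now > sess["expires"]:
            return None
        if ipaddress.ip_address(client_ip) not in sess["net"]:
            # Different network than at login: treat as hijack and fail
            # closed; the legitimate user has to log in again.
            return None
        fresh = secrets.token_urlsafe(24)
        sess["expires"] = now + self.ttl
        self._sessions[fresh] = sess
        return sess["user"], fresh
```

Because every response carries a fresh cookie and the old one is consumed, a request replayed from a captured cookie fails; that is also exactly why the slide warns that the browser's back button may stop working.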

16
Software stacks (diagram)
Client side: Application, GUI, OPeNDAP library, HTTP library
  (follow redirects, calculate digests, SSL encryption)
Server side: OPeNDAP server, password DB, web server / servlet container, HTTP library
  (session tracking, Basic and Digest authentication, SSL)
17
CAS SSO
(repeat of the exchange on slide 12)
18
Form based authentication
  • Login page requires human intervention
  • Or perhaps can figure out how to respond
    automatically
  • May be a burden even for a GUI application to
    process the form
  • Really appropriate only for portals
  • Want software (web service) to fetch the resource
    without human intervention
  • Acting as a proxy for an authorized human

21
HTTPS Redirect
GET http://server:8080/data/request.nc.dds
HTTP/1.x 302 Moved Temporarily
Location: https://server:8443/login
Set-Cookie: jsession=76fddf33a34675fsf
GET https://server:8443/login/role
Cookie: jsession=76fddf33a34675fsf
challenge
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Basic realm="TDS"
Obtain password
GET https://server:8443/login
Authorization: Basic username:password
Cookie: jsession=76fddf33a34675fsf
HTTP/1.x 302 Moved Temporarily
Location: http://server:8080/data/request.nc.dds
GET http://server:8080/data/request.nc.dds
Cookie: jsession=76fddf33a34675fsf
HTTP/1.x 201 OK
22
Logged in: session based
GET http://server:8080/data/request.nc.dds
Cookie: jsession=76fddf33a34675fsf
HTTP/1.x 201 OK
23
HTTPS Redirect
  • Client must:
    • follow redirects
    • return cookies
    • support SSL
  • Cost:
    • 4x messages for login
    • no extra messages after logging in
  • Vulnerable to session hijacking

24
Community Data Portal (NCAR) Authorization (diagram)
Client -> CDP (Central Authorization): Data request
CDP -> Client: http://cdp.ucar.edu:9080/thredds/dodsC/request.dds?authorize=3482090293840
Client -> TDS/Tomcat Filter: authorize=3482090293840
TDS/Tomcat Filter checks the authorize value with Central Authorization: ok
25
CAS Authorization (diagram)
Client -> CDP Authorization: Data request
  http://cdp.ucar.edu:9080/thredds/dodsC/request.dds
CDP Authorization -> Client:
  http://cdp.ucar.edu:9080/thredds/dodsC/request.dds?authorize=3482090293840
Client -> TDS/Tomcat Filter: authorize=3482090293840
TDS/Tomcat Filter checks the authorize value with CDP Authorization: ok
26
TDS Pluggable Authorization
Step 1: Client -> TDS: Data request
        TDS -> Client: Redirect URL (Auth request)
Step 2: Client -> Central Authorization: Auth request
        Central Authorization -> Client: Redirect URL Data?ticket
Step 3: Client -> TDS: Data?ticket
        TDS validates ticket
        TDS -> Client: Return Data
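The three steps above (and the CDP diagrams on slides 24 and 25) all rest on a ticket that the central authorization service issues and the TDS side validates before returning data. The following is an added example, not CDP, CAS or TDS code: a constructed central service that issues short-lived, single-use tickets bound to the requesting service URL with an HMAC, and a TDS-side handler for steps 1 and 3. The central-service login URL `https://central.example/login` and the signing key are placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit, urlunsplit


class CentralAuthorization:
    """Constructed model of the central service on slide 26 (not CDP/CAS
    code): issues short-lived, single-use tickets bound to one service URL."""

    def __init__(self, key: bytes, ttl: int = 60):
        self.key = key
        self.ttl = ttl
        self._used = set()

    def _sign(self, body: bytes) -> str:
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def issue(self, user, service_url, now):
        body = json.dumps([user, service_url, int(now) + self.ttl,
                           secrets.token_hex(8)]).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def validate(self, ticket, service_url, now):
        """Return the user the ticket was issued for, or None."""
        encoded, _, sig = ticket.rpartition(".")
        try:
            body = base64.urlsafe_b64decode(encoded)
            user, svc, expires, _nonce = json.loads(body)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(self._sign(body), sig):
            return None          # forged or tampered
        if svc != service_url or now > expires or ticket in self._used:
            return None          # wrong service, expired, or replayed
        self._used.add(ticket)
        return user


def tds_handle(central, url, now):
    """Steps 1 and 3 on slide 26 from the TDS side: without a ticket,
    redirect to the central service; with one, validate it before data."""
    u = urlsplit(url)
    params = parse_qs(u.query)
    ticket = params.pop("ticket", [None])[0]
    # The service URL the ticket must be bound to is the request minus its ticket.
    service = urlunsplit((u.scheme, u.netloc, u.path, urlencode(params, doseq=True), ""))
    if ticket is None:
        # Step 1: redirect to the (placeholder) central login URL.
        return 302, "https://central.example/login?service=" + quote(service, safe="")
    user = central.validate(ticket, service, now)
    if user is None:
        return 403, "invalid ticket"
    return 200, "Data"
```

Binding the ticket to the service URL is what stops a ticket obtained for one dataset from being presented for another, and marking it used after one validation stops a ticket captured from the redirect from being replayed.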
27
CDP TBD
28
Summary: Client libraries
  • To allow full range of server options, client
    libraries should support:
    • Basic and Digest Authentication
    • SSL
    • Follow redirects
    • Return cookies
    • Hooks for applications to provide username/
      password based on URL and Realm
  • Should be a written standard
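The checklist above, together with the HTTPS Redirect exchange on slides 21 to 23, describes what a client library has to do without human intervention: follow the redirect, carry the session cookie, answer the Basic challenge through an application-supplied credential hook, and then reuse the session. As an added example (not code from the presentation or any OPeNDAP library), the following simulates that exchange end to end with a constructed in-memory stand-in for the server, so the message count can be checked: four exchanges for the login and one for each request afterwards. The client also refuses to send Basic credentials unless the challenge arrived over https, which is a design choice of this example, not something the slides prescribe.

```python
import base64
import re
import secrets
from urllib.parse import urlsplit


class FakeTDS:
    """Constructed stand-in for the server side of slide 21 (not TDS code)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password (constructed)
        self.sessions = {}      # jsession -> {"user": str or None, "orig": url}

    def handle(self, method, url, headers):
        u = urlsplit(url)
        cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if c)
        sess = self.sessions.get(cookies.get("jsession"))
        if u.path == "/login":
            if u.scheme != "https" or sess is None:
                return 400, {}, "bad request"
            auth = headers.get("Authorization", "")
            if auth.startswith("Basic "):
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                if self.users.get(user) == pw:
                    sess["user"] = user
                    return 302, {"Location": sess["orig"]}, ""
            return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}, ""
        if sess is None:
            jsession = secrets.token_hex(8)
            self.sessions[jsession] = sess = {"user": None, "orig": url}
            extra = {"Set-Cookie": f"jsession={jsession}"}
        else:
            sess["orig"] = url
            extra = {}
        if sess["user"] is not None:
            return 200, {}, "Data"
        return 302, {"Location": f"https://{u.hostname}:8443/login", **extra}, ""


class OpendapClient:
    """Client that follows redirects, returns cookies, and answers a Basic
    challenge through hook(url, realm) -> (username, password)."""

    def __init__(self, credential_hook, server):
        self.hook = credential_hook
        self.server = server
        self.cookies = {}
        self.exchanges = 0      # request/response pairs sent so far

    def get(self, url):
        auth_header = None
        for _ in range(8):      # bound the redirect/challenge loop
            headers = {}
            if self.cookies:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            if auth_header:
                headers["Authorization"] = auth_header
            status, rh, body = self.server.handle("GET", url, headers)
            self.exchanges += 1
            if "Set-Cookie" in rh:
                k, v = rh["Set-Cookie"].split("=", 1)
                self.cookies[k] = v
            if status == 302:
                url = rh["Location"]
                auth_header = None
            elif status == 401:
                if auth_header:     # credentials already tried and refused
                    raise PermissionError("authentication failed")
                if urlsplit(url).scheme != "https":
                    raise PermissionError("refusing to send Basic credentials in clear")
                m = re.search(r'realm="([^"]*)"', rh.get("WWW-Authenticate", ""))
                user, pw = self.hook(url, m.group(1) if m else "")
                auth_header = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            elif status == 200:
                return body
            else:
                raise RuntimeError(f"unexpected status {status}")
        raise RuntimeError("too many redirects")
```

The credential hook is the "hooks for applications" item on the slide: the library never owns the password, it asks the application for one given the URL and realm of the challenge, which is also what lets a GUI prompt the user once and let a web service supply stored credentials.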

29
Summary: Servers
  • Digest authentication is often good enough
  • Probably Basic is often good enough!
  • Full HTTPS is perhaps 2-3X slower
  • HTTPS-Redirect with sessions may be a good
    compromise
  • Session must check IP address
  • Avoid Form authentication (human in the loop)
    unless some standard is agreed on
  • Exceptions? CAS?

30
The END
  • After this is other stuff I might use later

32
TDS Restricted Datasets
Add roles in tomcat-users.xml:
<role rolename="restrictedDatasetUser"/>
<user username="johnny" password="boy" roles="restrictedDatasetUser"/>
Specify in catalog.xml:
<dataset name="Test Restricted Dataset" serviceName="dods"
  urlPath="myData/testData.nc" restrictAccess="restrictedDatasetUser"/>
33
Standard TDS web.xml
<filter-mapping>
  <filter-name>RestrictedAccessFilter</filter-name>
  <url-pattern>/restrictedAccess/*</url-pattern>
</filter-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted access datasets</web-resource-name>
    <url-pattern>/restrictedAccess/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>restrictedDatasetUser</role-name>
  </auth-constraint>
</security-constraint>
34
Tomcat / TDS Authorization (diagram)
Elements: TDS/Tomcat, Realm
35
HTTPS Redirect - 2
GET http://cdp.ucar.edu:9080/data/request.nc.dds
HTTP/1.x 302 Moved Temporarily
Location: https://cdp.ucar.edu:9080/restrict/role
GET https://cdp.ucar.edu:9080/restrict/role
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Basic realm="THREDDS Data Server"
GET https://cdp.ucar.edu:9080/restrict/role
Authorization: Basic Y2Fyb246Y2FybyQ
HTTP/1.x 302 Moved Temporarily
Location: http://cdp.ucar.edu:9080/data/request.nc.dds
Set-Cookie: jsession=76fddf33alsf
GET http://cdp.ucar.edu:9080/data/request.nc.dds
Cookie: jsession=76fddf33alsf
36
Digest Redirect
GET http://server:8080/data/request.nc.dds
HTTP/1.x 302 Moved Temporarily
Location: http://server:8080/restrictedAccess/tiggeData
Set-Cookie: jsession=76fddf33a34675fsf
GET http://server:8080/restrictedAccess/tiggeData
Cookie: jsession=76fddf33a34675fsf
challenge
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Digest realm="TDS"
Obtain password
GET http://server:8080/restrictedAccess/tiggeData
Authorization: Digest username:password
Cookie: jsession=76fddf33a34675fsf
HTTP/1.x 302 Moved Temporarily
Location: http://server:8080/data/request.nc.dds
GET http://server:8080/data/request.nc.dds
Cookie: jsession=76fddf33a34675fsf
HTTP/1.x 201 OK
37
Digest with Sessions
GET http://cdp.ucar.edu:9080/data/request.nc.dds
HTTP/1.x 401 Unauthorized
WWW-Authenticate: Digest realm="THREDDS Data Server"
GET http://cdp.ucar.edu:9080/data/request.nc.dds
Authorization: Digest blah-blah
HTTP/1.x 200 OK
Set-Cookie: jsession=76fddf33alsf
Data