An Investigation Into Web Based Authentication - PowerPoint PPT Presentation

1
An Investigation Into Web Based Authentication
  • Francis Spor
  • Seminar
  • June 1, 2006

2
Overview
  • I am a lazy programmer
  • The three chief virtues of a programmer are
    Laziness, Impatience and Hubris. - Larry Wall -
    Developer of Perl
  • 12 year history of commercialized Internet
  • Most websites use some sort of login system
    (Ebay, Amazon, Yahoo, Google, Microsoft, etc)
  • Someone's already done this whole login system
    already
  • Heck, I've done it at least three times already

3
Plan of attack
  • What's involved in a login?
  • Individual Solutions
  • Internet-wide Solutions
  • Possible Future Solutions

4
First some definitions
  • Authentication - The verification of credentials
    presented by an individual in order to determine
    identity.
  • Authorization - To grant an individual permission
    to do something or be somewhere
  • The login mechanism we will be discussing is
    concerned with Authentication.

5
What's involved in a login?
  • On a website - super basic -
  • The user provides some tokens to the service
    through a form (usually a username and password)
  • If the tokens match the stored values (compared as
    clear text, through a hash function, or by some
    other method), then the user is authenticated.
  • If not, they fail and are asked to log in again.
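As an added example (not from the presentation), here is that login check in Python: the stored record holds a salted PBKDF2 digest rather than the password, the comparison is constant-time, and an unknown username costs the same as a wrong password so the failure path does not reveal which accounts exist. The clear-text variant the slide mentions is shown beside it for contrast. The user store and the passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored record of the form algo$iterations$salt$digest (salt and
    digest in hex). The site never keeps the password itself, only a verifier."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(bytes.fromhex(digest_hex), actual)


def verify_cleartext(stored_password: str, candidate: str) -> bool:
    """The clear-text variant the slide mentions: it works, but anyone who reads
    the user table (backup, SQL injection, insider) gets every password."""
    return hmac.compare_digest(stored_password.encode("utf-8"), candidate.encode("utf-8"))


# Record used when the username does not exist, so the failed path performs the
# same PBKDF2 work as a real check and does not reveal which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """The slide's login in code: look up the user's record, check the token,
    authenticate on a match and fail otherwise."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(record, password)
    return ok and username in users


# Constructed user store for the example (not real accounts).
USERS = {"alice": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print("alice / right password:", login(USERS, "alice", "correct horse battery staple"))
    print("alice / wrong password:", login(USERS, "alice", "wrong"))
    print("unknown user:          ", login(USERS, "nobody", "correct horse battery staple"))
```

The record format is self-describing, so the iteration count can be raised later and old records still verify; a site that needs to migrate users off clear-text storage can hash the candidate on the next successful login and replace the record.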

6
Individualism - Take 1
  • Each site's developers set up their own database of
    users and passwords.
  • Their own forms for login
  • Their own methods for authentication
  • Clear-text
  • Hash
  • Whatever

7
Individualism - Take 1 - Pro / Con
  • Pro -
  • Authentication's pretty easy to set up.
  • Allows for the site to have exactly the
    authentication scheme it needs
  • Con -
  • Why set up authentication every time? Breaks the
    lazy programmer rule
  • Security - Something that gets re-rolled before
    each use is sure to have security holes that
    haven't been tested.
  • Doesn't really allow for sites to grow and expand
    over time

8
Individualism - Take 2
  • Use a secondary authentication system
  • Something like MS Active Directory, Novell
    eDirectory, Lotus Notes.
  • Communicate with the server using a mechanism
    like LDAP (Lightweight Directory Access Protocol)
  • Use the server's included tools for user setup and
    maintenance; the website then becomes only a
    point of entry for the users created there.

9
Individualism - Take 2 - Pro / Con
  • Pro -
  • MS or Novell has spent a lot of time defining
    what's involved with authentication, why not use
    that knowledge
  • LDAP is quite secure, and no profile knowledge is
    stored in the web app's knowledge pool,
    increasing security.

10
Individualism - Take 2 - Pro / Con
  • Con -
  • Still get to implement every time for every site
  • Get to maintain all those users in your directory
    system
  • Think about number of users for a popular site

11
Individualism - Take 3
  • Use a tool (MS Visual Studio 2005, in this case)
    to handle the setup of the authentication
  • Has a built-in ProfileProvider that knows what
    should be involved with a normal sign-in
  • Using the tool, VS sets up the Database for user
    storage and most of the forms and tools that go
    along with it.

12
Individualism - Take 3 - Pro / Con
  • Pro -
  • Pretty much solves lazy programmer problem
  • Most tool makers have put a lot of thought into
    the tool, so they are usually extensible and
    theme-able.

13
Individualism - Take 3 - Pro / Con
  • Con -
  • Completely reliant on the toolmaker's skills and
    knowledge.
  • Completely dependent on the toolmaker's limitations
  • Did you know that VS Studio only works well with
    sites written for .Net on Windows Server?

14
Individualism - Overall
  • Gives developers high level of local control
  • But - it's not what most users want
  • 29% of users said merchants should develop a
    simpler Web site registration and login
    mechanism.
  • 42% were bothered by having to manage multiple
    identities
  • January 2002 - Jupiter Media Metrix (.Net
    Passport Review Guide - pg. 2)

15
Internet Wide Systems
  • What if there were systems that centralized the
    profile knowledge, and handled the authentication
    process
  • Then just handed back whether the user successfully
    authenticated or not

16
Internet Wide Systems - Microsoft Passport
  • System already exists - has since about 2000.
  • Deployed on all MS sites that require login -
    Hotmail, MSN, Microsoft.com, MSDN, Xbox Live, and
    Messenger
  • Also was used on some third-party sites - Like
    Ebay, Hoyts, Expedia, Amazon

17
How Passport Works
  • MS's word on Passport
  • Convenient access
  • Enables quick, easy access to site. When a
    registered user visits a Passport enabled site
    they are logged in quickly and easily every time
    they visit.
  • Enhanced user experience
  • The data that is stored in the passport can be
    revealed to sites that use the passport.
  • Reduced cost and ease of administration
  • Login handled for the participating site by Passport,
    removing the need for the site to set that up.

18
How Registration Works
  • When user registers -
  • User requests registration (1) from participating
    site, redirected (2) to Passport site, which
    handles the actual registration process (3), and
    then hands back to the participating site (4)
    with registered user.

19
How Login Works
  • When user tries to log in
  • User browses to participating site (1), which
    redirects to Passport site (2), which handles
    login, and creates cookie (4) which is read by
    the participating site (5), and handles the local
    login for the user (6).

20
How This System Works - 2
  • That way, participating sites don't actually have
    to have any login knowledge
  • Only given back key to profile information
  • Also don't have to implement registration / login
    process.

21
What is returned to the participating client?
  • A Passport User Id (PUID)
  • 64-bit number that is encrypted and sent back to
    the site after login
  • Whenever the user updates their profile
    information, that PUID is changed, so the
    participating sites know if there's any new
    information they should get
  • A Site-Dependent Cookie

22
What login consists of
  • Two sets of cookies stored on the user's computer
  • Domain Authority Cookies - From Passport to aid
    future login to Passport
  • Participant Cookies - From Passport for the
    participating client to use for profile
    information.

23
Cookie Information
  • Domain Authority Cookies - Never expire, just
    hang in the user's computer forever.
  • Participant Cookies - Expire the next time the
    browser is closed, unless the user has chosen to
    Login Automatically
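An added simulation, not Microsoft's code and not Passport's actual wire format, of the redirect-and-cookie exchange in slides 19 to 23: a central identity provider that holds the users, and two participating sites that hold only a per-site key. The participant cookie is modelled as an HMAC-tagged ticket bound to one site and expiring after a few minutes (Passport encrypts the PUID; a keyed tag stands in for that here), and the domain authority cookie as a long-lived value the provider accepts in place of a password for automatic login. The site names, the user, the PUID and the fixed clock are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Central login service (slide 19's 'Passport site'): user store, per-site keys,
    and the long-lived domain authority cookies."""

    def __init__(self) -> None:
        self.site_keys = {}       # site_id -> secret shared with that site at signup
        self.users = {}           # username -> (salt, pbkdf2 digest, puid)
        self.domain_cookies = {}  # domain authority cookie value -> username

    def register_site(self, site_id: str) -> bytes:
        self.site_keys[site_id] = os.urandom(32)
        return self.site_keys[site_id]

    def add_user(self, username: str, password: str, puid: int) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, puid)

    def _password_ok(self, username: Optional[str], password: Optional[str]) -> bool:
        if username not in self.users or password is None:
            return False
        salt, digest, _ = self.users[username]
        return hmac.compare_digest(
            digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, site_id: str, username: Optional[str] = None,
              password: Optional[str] = None, domain_cookie: Optional[str] = None,
              now: float = 0.0) -> Optional[Tuple[str, str]]:
        """Steps 2-4: authenticate by password, or by a domain authority cookie from
        an earlier login ('Login Automatically'); return (ticket, domain cookie)."""
        if domain_cookie in self.domain_cookies:
            username = self.domain_cookies[domain_cookie]
        elif self._password_ok(username, password):
            domain_cookie = _b64(os.urandom(24))  # never expires (slide 23)
            self.domain_cookies[domain_cookie] = username
        else:
            return None
        if site_id not in self.site_keys:
            return None
        return self._issue_ticket(site_id, self.users[username][2], now), domain_cookie

    def _issue_ticket(self, site_id: str, puid: int, now: float, ttl: int = 300) -> str:
        # Participant cookie: the PUID bound to one site and short-lived, with an
        # HMAC under that site's key so only the intended site can validate it.
        claims = {"puid": puid, "aud": site_id, "iat": int(now), "exp": int(now) + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.site_keys[site_id], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)


class ParticipatingSite:
    """Relying site (steps 5-6): stores no passwords, only its own site key."""

    def __init__(self, site_id: str, key: bytes) -> None:
        self.site_id, self.key = site_id, key

    def handle_return(self, ticket: str, now: float) -> Optional[int]:
        """PUID if the ticket is genuine, for this site and unexpired; else None."""
        try:
            payload_b64, tag_b64 = ticket.split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, hmac.new(self.key, payload, hashlib.sha256).digest()):
            return None
        claims = json.loads(payload)
        if claims["aud"] != self.site_id or claims["exp"] <= now:
            return None
        return claims["puid"]


def demo_flow(now: float = 1_149_120_000.0) -> dict:
    """Run the exchange on a fixed, constructed clock and report each outcome."""
    idp = IdentityProvider()
    shop = ParticipatingSite("shop.example", idp.register_site("shop.example"))
    mail = ParticipatingSite("mail.example", idp.register_site("mail.example"))
    idp.add_user("alice", "correct horse", puid=0x1234567890ABCDEF)
    ticket, cookie = idp.login("shop.example", "alice", "correct horse", now=now)
    return {
        "login_at_shop": shop.handle_return(ticket, now),
        "same_ticket_at_mail": mail.handle_return(ticket, now),  # bound to shop only
        "auto_login_at_mail": mail.handle_return(
            idp.login("mail.example", domain_cookie=cookie, now=now + 60)[0], now + 60),
        "stale_ticket": shop.handle_return(ticket, now + 3600),  # past its exp
        "bad_password": idp.login("shop.example", "alice", "wrong", now=now),
    }
```

Two of the outcomes are the ones a participating site should care about: a ticket minted for one site is rejected by another (the per-site key and the audience claim both fail), and a ticket replayed after its window is rejected on expiry. The domain authority cookie is the piece that carries the real risk on the user's machine, since it is accepted in place of a password and, per the slide, never expires.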

24
Other Passport Features
  • Localization
  • Automatically adjusts login forms and responses
    for up to 27 locales.
  • Kids Passport
  • Claims to be able to restrict Kids access to only
    the materials authorized by their parent or
    guardian
  • Integrated with Windows XP
  • Can be completely integrated with the user
    accounts in Windows XP

25
Sounds great - What's the hitch?
  • Privacy Concerns
  • Security Concerns
  • Developer Concerns

26
Passport Privacy Concerns
  • Because the data is collected by MS using the
    Passport mechanism, any trust bond between user
    and client has to rely on the trustworthiness of
    a third party
  • Which in this case is Microsoft
  • Actually violates EU privacy policy.

27
Passport Security Concerns
  • Created a centralized location with information
    on over 200 million Internet Users
  • Owned by Microsoft, which is a constant attack
    target
  • There have been proof of concept hacks that are
    able to reclaim information stored in cookies and
    then get the remainder of secure user data
    stored at passport.

28
Passport Developer Concerns
  • It's Microsoft
  • Closed Source - Most internet technologies of
    this type are and should be open source, for peer
    review and modification
  • It's expensive - $10,000 for the service for each
    domain yearly, and a periodic compliance testing
    fee of $1,500.

29
Life's not all good for Passport
  • There have been some speed bumps on the Passport
    road
  • March 2003 - MS phases out the Wallet portion of
    Passport, out of concern that its storage and
    security mechanisms for users' credit card numbers
    were less than great
  • Few small developers have adopted it, because of
    cost.
  • Large companies (Amazon, Ebay) have abandoned
    Passport for their own systems.

30
End Of Life of Passport
  • Microsoft has announced that Passport will be
    replaced by a new system Windows Live ID
  • More on that, later

31
A Non-Microsoft Option
  • Liberty Alliance
  • Formed in 2001, and headed by Sun Microsystems,
    Liberty is at work creating its own Identity
    Management System
  • Partners include
  • IBM
  • Novell
  • NEC
  • AOL
  • Almost 150 others

32
Liberty Alliance Layout
33
Liberty Alliance System
  • An established federation of Information
    Providers
  • Removes the centralized point of failure
  • Creates a series of identity managers who all
    know bits of the total identity image.
  • All linked through circle of trust

34
Liberty's Architecture Overview
35
Liberty ID-FF Info
  • Foundation Framework
  • Privacy-oriented identity federation and SSO
  • Allows for authentication to be reused across
    different sites
  • Creates an authentication response / request
    mechanism
  • Extends SAML to include various needed methods
    for single sign-out and identity information

36
SAML -
  • Security Assertion Markup Language
  • Defines assertions that carry statements
  • Provides a protocol for disseminating assertions
    among authorities and relying authorities
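As an added example (not Liberty's or any vendor's code), the checks a relying site makes on a SAML assertion before acting on the statements it carries: trusted issuer, validity window, audience, and the presence of an authentication statement, followed by extraction of the subject, the authentication context and the attributes. The sample assertion is constructed and uses SAML 2.0 element names, the version that later absorbed Liberty ID-FF; ID-FF itself built on SAML 1.x, where a few names differ. Verification of the assertion's XML signature (ds:Signature) is required in any real deployment and is out of scope here, since the standard library has no XML-DSig support; nothing below should be trusted until that check has passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the presentation): the identity provider states
# that subject user-4711 authenticated with a password over a protected
# transport, and that the statement is meant only for sp.example.com.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2006-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user-4711</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-06-01T11:59:00Z" NotOnOrAfter="2006-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2006-06-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user4711@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(text: str) -> datetime:
    """SAML timestamps are UTC in xsd:dateTime form, e.g. 2006-06-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, trusted_issuer: str, my_audience: str,
                       now: datetime) -> Tuple[bool, List[str], Dict[str, object]]:
    """Relying-party checks on an assertion. Returns (accepted, rejection
    reasons, extracted claims). Signature verification must precede this."""
    reasons: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, ["not a SAML assertion"], {}

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_issuer:
        reasons.append("untrusted issuer %r" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            reasons.append("not addressed to this relying party")

    if root.find("saml:AuthnStatement", NS) is None:
        reasons.append("no authentication statement")

    claims = {
        "subject": root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }
    return not reasons, reasons, claims
```

The validity window is checked with the relying party's own clock, so the same assertion is accepted at 12:00 and rejected at 12:06; the audience check is what stops an assertion issued for one site from being presented to another.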

37
Liberty ID-WSF Info
  • Web Service Framework
  • Framework for locating and invoking identity
    based Web services to provide a simplified
    customized online experience
  • Identity based web services
  • Associated with and can be invoked by the Principal's
    identity
  • For example My Calendar
  • Permission based Attribute Sharing
  • Invoking services under control of user
  • Service Requestor doing so on behalf of the user

38
Identity Services
  • Lightweight Web Service that provides access to
    some public portion of an identity
  • The Identity Service creates a secure method to
    interact with the stored identity, through SOAP
    interfaces.

39
Implementation Example
  • AOL
  • Huge authentication system
  • Millions of Users
  • World Wide
  • Using a variety of connection methods
  • Fat Client
  • Web Mail
  • AOL Instant Messenger
  • Radio

40
Overall AOL Implementation
41
Radio@AOL Specific Details
42
Liberty ID-SIS
  • Service Interface Specifications
  • Predefined Standard Interfaces that use the WSF
    to allow the local programmers to be lazy, and
    rely on well-known interfaces.

43
SIS Common Interfaces
  • Personal Profile Services
  • Employee Profile Services
  • Geo-location Services
  • Presence Services
  • Contact Book Services
  • Gaming Profile Services
  • SMS/MMS Messaging Services

44
Liberty Alliance System - Pro / Con
  • Pros -
  • Open Specification
  • Large, well thought out system including
    interfaces for common needs
  • User Identification distributed and controlled
    through well documented interfaces

45
Liberty Alliance System - Pro / Con
  • Cons -
  • Few complete toolkit implementations so far
  • The Alliance has to be contacted prior to
    beginning any project that uses the system to get
    the full implementation details.

46
Microsoft's Second Attempt - Windows Live ID
  • Debuts in Summer 2006
  • Replacement for Passport
  • Part of MS's whole Windows Live project
  • Windows Live ID is being treated as the identity
    service that authenticates users for their
    services and authorizes their use

47
Windows Live ID Breakdown
48
Windows Live - Familiar Ideas
  • Federated Identity Authorities
  • SAML Based Interaction
  • Creates an Identity Metasystem to act as
    interfaces to User identity.

49
Windows Live - InfoCards
  • Additionally, MS plans for the creation of
    InfoCard.
  • An InfoCard will provide a discrete bit of
    knowledge that will be passed to Web Services for
    what parts of Identity are needed
  • Should appear 4th Quarter 2006, and in Windows
    Vista

50
Windows Live - Developer Info
  • MS is claiming that they learned their
    development lessons from Passport
  • Will be releasing SDKs for Live ID
  • Also will be having open forums and wiki-like
    documentation for the community.
  • Cost, if any, at this point has not been
    disclosed.

51
Windows Live - My Two Cents
  • The more I look at Windows Live ID, I think that
    they downloaded the Liberty Alliance documents
    and just did their own version (see Java ? C)

52
Finale
  • So, where do we stand now?
  • The only existing system, Passport, is due for
    replacement and already crippled from the
    original release
  • A new system is proposed, is in place by AOL and
    a few other vendors and has been almost copied as
    a replacement by MS.

53
Finale - Part 2
  • So.
  • This all means to me that Internet-wide
    authentication's not quite there yet.
  • To me that means that anything I implement going
    forward, for at least the next little bit will
    use small local mechanisms.

54
Finale - Part 3
  • What I would do -
  • Current project - Content Manageable Website
    Engine for use in large websites that require
    both anonymous and logged-in web users for user
    tracking and statistic management.
  • Primary Project - www.iloveny.com

55
Finale - Part 4
  • For user authentication -
  • I just set up a local database and created fast
    interfaces that I can use for tracking.
  • The internet wide options were too slow, and too
    difficult to get involved with.

56
  • Any questions?