Title: An Investigation Into Web Based Authentication
Slide 1: An Investigation Into Web Based Authentication
- Francis Spor
- Seminar
- June 1, 2006
Slide 2: Overview
- I am a lazy programmer
  - "The three chief virtues of a programmer are Laziness, Impatience and Hubris." - Larry Wall, developer of Perl
- 12-year history of the commercialized Internet
- Most websites use some sort of login system (eBay, Amazon, Yahoo, Google, Microsoft, etc.)
- Someone's already done this whole login system
- Heck, I've done it at least three times already
Slide 3: Plan of attack
- What's involved in a login?
- Individual Solutions
- Internet-wide Solutions
- Possible Future Solutions
Slide 4: First some definitions
- Authentication - The verification of credentials presented by an individual in order to determine identity.
- Authorization - To grant an individual permission to do something or be somewhere.
- The login mechanism we will be discussing is concerned with Authentication.
Slide 5: What's involved in a login?
- On a website - super basic -
  - The user provides some tokens to the service through a form (usually a username and password).
  - If the tokens match what they should, whether compared in clear text, through some hash function, or something else, then the user is Authenticated.
  - If not, they fail and are asked to log in again.
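The two comparison styles the slide mentions, side by side, as an added example that is not code from the presentation. The clear-text variant keeps the password itself as the stored secret; the hashed variant stores a random salt plus a slow PBKDF2 key, so a leaked store is not a list of passwords. The in-memory store layout, the sample user and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; raise it as hardware gets faster)
SALT_BYTES = 16


def verify_clear_text(store, username, password):
    """Clear-text variant: the stored secret IS the password, so anyone who
    reads the store (backup, SQL injection, insider) has every password."""
    stored = store.get(username)
    if stored is None:
        return False
    # constant-time comparison so the response time does not leak how many
    # leading characters of the guess were right
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def make_record(password):
    """Salted PBKDF2 record: (salt, derived key). A fresh random salt per user
    means two users with the same password get different records, and a
    precomputed table of hashes is useless."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def register(store, username, password):
    store[username] = make_record(password)


def verify_hashed(store, username, password):
    """Hashed variant: recompute the derived key with the user's salt and compare
    in constant time. Unknown users still pay the hash cost so that timing does
    not reveal which usernames exist."""
    record = store.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")  # constructed sample user
    print(verify_hashed(users, "alice", "correct horse battery staple"))
    print(verify_hashed(users, "alice", "wrong guess"))
```

The "something else" on the slide would today be a dedicated password hash (bcrypt, scrypt or Argon2); PBKDF2 is used here only because it ships in the standard library.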
Slide 6: Individualism - Take 1
- Each site's developers set up their own database of users and passwords.
- Their own forms for login
- Their own methods for authentication
  - Clear-text
  - Hash
  - Whatever
Slide 7: Individualism - Take 1 Pro / Con
- Pro -
  - Authentication's pretty easy to set up.
  - Allows for the site to have exactly the authentication scheme it needs.
- Con -
  - Why set up Authentication every time? Breaks the lazy programmer rule.
  - Security - Something that gets re-rolled before each use is sure to have some security holes that haven't been tested.
  - Doesn't really allow for sites to grow and expand over time.
Slide 8: Individualism - Take 2
- Use a secondary authentication system
  - Something like MS Active Directory, Novell eDirectory, Lotus Notes.
- Communicate with the server using a mechanism like LDAP, the Lightweight Directory Access Protocol.
- Use the server's included tools for user setup and maintenance; the website then only becomes a point of entry for created users.
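How the "point of entry" pattern looks in code, as an added example that is not from the presentation: the web app stores no passwords, looks the user up by uid and then asks the directory to bind with the user's own credentials. `FakeDirectory` is a stand-in written for this example so it runs offline; a real deployment would issue the same search and bind through an LDAP client library against Active Directory or eDirectory. It models two behaviours of real servers that matter here: filter metacharacters are interpreted unless escaped (RFC 4515), and a simple bind with an empty password succeeds as an anonymous bind instead of failing (RFC 4513). The base DN and sample entries are constructed.

```python
import re


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515 section 3): the characters * ( ) \\ and NUL become \\XX hex
    escapes, so "*" typed as a username is matched literally, not as a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


class FakeDirectory:
    """Minimal LDAP server model (constructed for the example)."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"uid": ..., "userPassword": ...}

    def search_uid(self, base_dn, ldap_filter):
        """Evaluate a filter of the form (uid=value): raw '*' is a wildcard,
        \\XX escapes are decoded back to literal characters."""
        m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
        if not m:
            return []
        unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})",
                                    lambda h: chr(int(h.group(1), 16)), s)
        # split on raw '*' before decoding escapes, so an escaped \2a stays literal
        pattern = ".*".join(re.escape(unescape(part)) for part in m.group(1).split("*"))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and re.fullmatch(pattern, attrs["uid"])]

    def bind(self, dn, password):
        if password == "":
            return "anonymous"  # RFC 4513 5.1.2: name + empty password is an anonymous bind
        entry = self.entries.get(dn)
        if entry is not None and entry["userPassword"] == password:
            return "authenticated"
        return "invalid"


def ldap_authenticate(directory, base_dn, username, password):
    """Return the user's DN on success, None otherwise. The app never sees or
    stores a password hash; the directory does the verification."""
    if not username or not password:
        return None  # never bind with an empty password: the server would say "anonymous"
    matches = directory.search_uid(base_dn, "(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return None  # no such user, or an ambiguous result: both are failures
    dn = matches[0]
    if directory.bind(dn, password) != "authenticated":
        return None
    return dn


# Constructed sample directory
BASE_DN = "ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory({
    "uid=alice," + BASE_DN: {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob," + BASE_DN: {"uid": "bob", "userPassword": "bob-pw"},
})

if __name__ == "__main__":
    print(ldap_authenticate(DIRECTORY, BASE_DN, "alice", "alice-pw"))
    print(ldap_authenticate(DIRECTORY, BASE_DN, "alice", ""))
```

The two guards in `ldap_authenticate` are the ones most often missing in hand-rolled LDAP logins: the empty-password check, and escaping before the username is placed in the filter.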
Slide 9: Individualism - Take 2 Pro / Con
- Pro -
  - MS or Novell has spent a lot of time defining what's involved with authentication, so why not use that knowledge?
  - LDAP is quite secure, and no profile knowledge is stored in the web app's knowledge pool, increasing security.
Slide 10: Individualism - Take 2 Pro / Con
- Con -
  - Still get to implement every time for every site
  - Get to maintain all those users in your directory system
    - Think about the number of users for a popular site
Slide 11: Individualism - Take 3
- Use a tool (MS Visual Studio 2005, in this case) to handle the setup of the authentication.
  - Has a built-in ProfileProvider that knows what should be involved with a normal sign-in.
  - Using the tool, VS sets up the database for user storage and most of the forms and tools that go along with it.
Slide 12: Individualism - Take 3 Pro / Con
- Pro -
  - Pretty much solves the lazy programmer problem.
  - Most tool makers have put a lot of thought into the tool, so they are usually extensible and theme-able.
Slide 13: Individualism - Take 3 Pro / Con
- Con -
  - Completely reliant on the toolmaker's skills and knowledge.
  - Completely dependent on the toolmaker's limitations.
    - Did you know that VS Studio only works well with sites written for .Net on Windows Server?
Slide 14: Individualism - Overall
- Gives developers a high level of local control
- But - it's not what most users want
  - 29% of users said merchants should develop a simpler Web site registration and login mechanism.
  - 42% were bothered by having to manage multiple identities.
  - January 2002 - Jupiter Media Metrix (.Net Passport Review Guide - pg. 2)
Slide 15: Internet Wide Systems
- What if there were systems that centralized the profile knowledge and handled the authentication process?
- They would then just hand back whether the user successfully authenticated or not.
Slide 16: Internet Wide Systems - Microsoft Passport
- System already exists - has since about 2000.
- Deployed on all MS sites that require login - Hotmail, MSN, Microsoft.com, MSDN, Xbox Live, and Messenger
- Also was used on some third-party sites - like eBay, Hoyts, Expedia, Amazon
Slide 17: How Passport Works
- MS's word on Passport
  - Convenient access
    - Enables quick, easy access to a site. When a registered user visits a Passport-enabled site they are logged in quickly and easily every time they visit.
  - Enhanced user experience
    - The data that is stored in the Passport can be revealed to sites that use the Passport.
  - Reduced cost and ease of administration
    - Login is handled for the participating site by Passport, removing the need for sites to set that up themselves.
Slide 18: How Registration Works
- When user registers -
  - User requests registration (1) from the participating site, is redirected (2) to the Passport site, which handles the actual registration process (3), and then hands back to the participating site (4) with a registered user.
Slide 19: How Login Works
- When user tries to log in
  - User browses to the participating site (1), which redirects to the Passport site (2), which handles login and creates a cookie (4) which is read by the participating site (5), which handles the local login for the user (6).
Slide 20: How This System Works - 2
- That way, participating sites don't actually have to have any login knowledge
  - Only given back a key to profile information
- Also don't have to implement the registration / login process.
Slide 21: What is returned to the participating client?
- A Passport User Id (PUID)
  - 64-bit number that is encrypted and sent back to the site after login
  - Whenever the user updates their profile information, that PUID is changed, so the participating sites know if there's any new information they should get
- A Site Dependent Cookie
Slide 22: What login consists of
- Two sets of cookies stored on the user's computer
  - Domain Authority Cookies - From Passport, to aid future login to Passport
  - Participant Cookies - From Passport, for the participating client to use for profile information.
Slide 23: Cookie Information
- Domain Authority Cookies - Never expire, just hang in the user's computer forever.
- Participant Cookies - Expire the next time the browser is closed, unless the user has chosen to Login Automatically.
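The redirect flow of slides 18 through 23 as a runnable model with both parties' messages, added here as an example; it is not Passport's code nor anything from the presentation. The participating site sends the browser to the identity authority with a return URL, the authority authenticates the user and sends the browser back with a token carrying the PUID, and the site checks the token before minting its own session-only participant cookie while the authority keeps a long-lived domain authority ticket. Assumptions not taken from the page: the token is JSON signed with an HMAC under a per-site shared key and lives five minutes, each site registers one return host, and the authority's user table is kept in clear text only to keep the model short.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


class IdentityAuthority:
    """Central login service. Holds the accounts and, per registered site, the
    shared key and the one host it may redirect back to."""

    TOKEN_LIFETIME = 300  # seconds

    def __init__(self, users, sites):
        self.users = users        # username -> (password, puid)
        self.sites = sites        # site_id -> {"key": bytes, "return_host": str}
        self.domain_cookies = {}  # ticket -> puid: the long-lived domain authority cookie

    def login(self, site_id, return_url, username, password, now=None):
        now = int(time.time() if now is None else now)
        site = self.sites.get(site_id)
        if site is None:
            raise ValueError("unknown participating site")
        # only ever send a fresh token to the site's registered host; otherwise the
        # login page is an open redirect that hands tokens to whoever built the URL
        if urlsplit(return_url).hostname != site["return_host"]:
            raise ValueError("return URL not registered for this site")
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            raise ValueError("bad credentials")
        puid = record[1]
        body = json.dumps({"puid": puid, "site": site_id, "iat": now,
                           "exp": now + self.TOKEN_LIFETIME}, sort_keys=True).encode()
        mac = hmac.new(site["key"], body, hashlib.sha256).digest()
        token = _b64(body) + "." + _b64(mac)
        ticket = _b64(os.urandom(16))
        self.domain_cookies[ticket] = puid  # lets the next visit skip the password prompt
        sep = "&" if "?" in return_url else "?"
        return return_url + sep + urlencode({"t": token}), ticket


class ParticipatingSite:
    """A site that has outsourced login. It never sees the password, only the
    signed token, and keeps its own session-only participant cookie."""

    def __init__(self, site_id, key, host, authority_url="https://login.example/login"):
        self.site_id, self.key, self.host = site_id, key, host
        self.authority_url = authority_url
        self.sessions = {}  # cookie value -> puid

    def login_redirect(self, path="/account"):
        return self.authority_url + "?" + urlencode(
            {"id": self.site_id, "ru": "https://%s%s" % (self.host, path)})

    def complete_login(self, returned_url, now=None):
        """Validate the token on the URL the browser came back with; return the
        new session cookie value, or None if anything does not check out."""
        now = int(time.time() if now is None else now)
        token = parse_qs(urlsplit(returned_url).query).get("t", [None])[0]
        if token is None or "." not in token:
            return None
        try:
            body_b64, mac_b64 = token.split(".", 1)
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except (ValueError, TypeError):
            return None
        # verify the signature before trusting any field of the body
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), mac):
            return None
        claims = json.loads(body)
        # a token minted for another site, or used outside its lifetime, is rejected
        if claims.get("site") != self.site_id or not claims["iat"] <= now < claims["exp"]:
            return None
        cookie = _b64(os.urandom(16))
        self.sessions[cookie] = claims["puid"]
        return cookie
```

The four checks in `complete_login` (signature, site, not-before, expiry) are what a participating site relies on instead of seeing the password; the return-host check in `login` is the authority's side of the same bargain.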
Slide 24: Other Passport Features
- Localization
  - Automatically adjusts login forms and responses for up to 27 locales.
- Kids Passport
  - Claims to be able to restrict kids' access to only the materials authorized by their parent or guardian.
- Integrated with Windows XP
  - Can be completely integrated with the user accounts in Windows XP.
Slide 25: Sounds great - What's the hitch?
- Privacy Concerns
- Security Concerns
- Developer Concerns
Slide 26: Passport Privacy Concerns
- Because the data is collected by MS using the Passport mechanism, any trust bond between user and client has to rely on the trustworthiness of a third party
  - Which in this case is Microsoft
- Actually violates EU privacy policy.
Slide 27: Passport Security Concerns
- Created a centralized location with information on over 200 million Internet users
- Owned by Microsoft, which is a constant attack target
- There have been proof-of-concept hacks that are able to reclaim information stored in cookies and then get the remainder of secure user data stored at Passport.
Slide 28: Passport Developer Concerns
- It's Microsoft
- Closed Source - Most internet technologies of this type are, and should be, open source, for peer review and modification
- It's expensive - $10,000 for the service for each domain yearly, and a periodic compliance testing fee of 1,500 bucks.
Slide 29: Life's not all good for Passport
- There have been some speed bumps on the Passport road
  - March 2003 - MS phases out the Wallet portion of Passport, out of concerns that their storage and security mechanisms for users' credit card numbers were less than great
  - Few small developers have adopted it, because of cost.
  - Large companies (Amazon, eBay) have abandoned Passport for their own systems.
Slide 30: End Of Life of Passport
- Microsoft has announced that Passport will be replaced by a new system, Windows Live ID
  - More on that later
Slide 31: A Non-Microsoft Option
- Liberty Alliance
  - Formed in 2001, and headed by Sun Microsystems, Liberty is at work creating its own Identity Management System
  - Partners include
    - IBM
    - Novell
    - NEC
    - AOL
    - Almost 150 others
Slide 32: Liberty Alliance Layout
Slide 33: Liberty Alliance System
- An established federation of Information Providers
  - Removes the centralized point of failure
- Creates a series of identity managers who all know bits of the total identity image.
  - All linked through a circle of trust
Slide 34: Liberty's Architecture Overview
Slide 35: Liberty ID-FF Info
- Foundation Framework
  - Privacy-oriented identity federation and SSO
  - Allows for authentication to be reused across different sites
  - Creates an authentication request / response mechanism
  - Extends SAML to include various needed methods for single sign-out and identity information
Slide 36: SAML
- Security Assertion Markup Language
- Defines assertions that carry statements
- Provides a protocol for disseminating assertions among authorities and relying parties
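What an assertion and its statements look like on the wire, and what a relying party must check before believing one, as an added example that is not from the presentation. The block builds a minimal SAML 2.0 authentication assertion (issuer, subject, validity window, audience restriction, authentication statement) with the standard library's XML support and then validates it the way a relying party would. The issuer, subject and audience values are constructed; the validity checks include the clock skew a real deployment needs. Assumed and not implemented: the XML signature over the assertion has already been verified by the caller, since without that the checks below are on data anyone could have written.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


def _parse_instant(text):
    # ISO-8601 UTC instants such as "2006-06-01T12:00:00Z"
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_assertion(issuer, subject, audience, not_before, not_on_or_after):
    """Serialize a minimal Assertion: who issued it, whom it is about, which
    relying party may accept it, and the window in which it is valid.
    Timestamps are ISO-8601 UTC strings."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(_tag("Assertion"), {"ID": "_constructed-assertion-1",  # constructed id
                                          "Version": "2.0", "IssueInstant": not_before})
    ET.SubElement(root, _tag("Issuer")).text = issuer
    subj = ET.SubElement(root, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID"), {"Format": EMAIL_FORMAT}).text = subject
    cond = ET.SubElement(root, _tag("Conditions"),
                         {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after})
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
    stmt = ET.SubElement(root, _tag("AuthnStatement"), {"AuthnInstant": not_before})
    ET.SubElement(ET.SubElement(stmt, _tag("AuthnContext")),
                  _tag("AuthnContextClassRef")).text = PASSWORD_CONTEXT
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now, skew_seconds=60):
    """Return the subject NameID if the assertion is acceptable to this relying
    party, else None. Each check closes a specific hole: an untrusted issuer,
    an assertion minted for a different site, or one replayed outside its window.
    `now` is an ISO-8601 string or an aware datetime."""
    now = _parse_instant(now) if isinstance(now, str) else now
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != _tag("Assertion") or root.get("Version") != "2.0":
        return None
    if root.findtext(_tag("Issuer")) not in trusted_issuers:
        return None
    cond = root.find(_tag("Conditions"))
    if cond is None or cond.get("NotOnOrAfter") is None:
        return None  # an assertion with no expiry is never accepted
    not_before = cond.get("NotBefore")
    if not_before and now + skew < _parse_instant(not_before):
        return None
    if now - skew >= _parse_instant(cond.get("NotOnOrAfter")):
        return None
    # audience restriction: an assertion issued for another relying party is
    # worthless here even though it is genuine and in date
    if my_entity_id not in [a.text for a in cond.iter(_tag("Audience"))]:
        return None
    return root.findtext("%s/%s" % (_tag("Subject"), _tag("NameID")))


if __name__ == "__main__":
    xml = build_assertion("https://idp.example", "alice@example.com", "https://sp.example",
                          "2006-06-01T12:00:00Z", "2006-06-01T12:05:00Z")
    print(xml)
    print(validate_assertion(xml, {"https://idp.example"}, "https://sp.example",
                             "2006-06-01T12:01:00Z"))
```

In a real stack the assertion also carries an `ID` the relying party records to reject replays within the window, and the signature check mentioned in the lead-in comes first; both are deliberately outside this example.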
Slide 37: Liberty ID-WSF Info
- Web Service Framework
  - Framework for locating and invoking identity-based Web services to provide a simplified, customized online experience
- Identity-based web services
  - Associated with, and can be invoked by, a Principal's identity
  - For example: My Calendar
- Permission-based Attribute Sharing
  - Invoking services under control of the user
  - Service Requestor doing so on behalf of the user
Slide 38: Identity Services
- Lightweight Web Service that provides access to some public portion of an identity
- The Identity Service creates a secure method to interact with the stored identity, through SOAP interfaces.
Slide 39: Implementation Example
- AOL
  - Huge authentication system
  - Millions of Users
  - World Wide
  - Using a variety of connection methods
    - Fat Client
    - Web Mail
    - AOL Instant Messenger
    - Radio
Slide 40: Overall AOL Implementation
Slide 41: Radio@AOL Specific Details
Slide 42: Liberty ID-SIS
- Service Interface Specifications
  - Predefined standard interfaces that use the WSF to allow the local programmers to be lazy and rely on well-known interfaces.
Slide 43: SIS Common Interfaces
- Personal Profile Services
- Employee Profile Services
- Geo-location Services
- Presence Services
- Contact Book Services
- Gaming Profile Services
- SMS/MMS Messaging Services
Slide 44: Liberty Alliance System Pro / Con
- Pros -
  - Open Specification
  - Large, well thought out system including interfaces for common needs
  - User identification distributed and controlled through well documented interfaces
Slide 45: Liberty Alliance System Pro / Con
- Cons -
  - Few complete toolkit implementations so far
  - The Alliance has to be contacted prior to beginning any project that uses the system to get the full implementation details.
Slide 46: Microsoft's Second Attempt - Windows Live ID
- Debuts in Summer 2006
- Replacement for Passport
- Part of MS's whole Windows Live project
- Windows Live ID is being treated as the identity service that authenticates users for their services and authorizes their use
Slide 47: Windows Live ID Breakdown
Slide 48: Windows Live - Familiar Ideas
- Federated Identity Authorities
- SAML-Based Interaction
- Creates an Identity Metasystem to act as interfaces to user identity.
Slide 49: Windows Live - InfoCards
- Additionally, MS plans for the creation of InfoCard.
- An InfoCard will provide a discrete bit of knowledge that will be passed to Web Services for what parts of identity are needed
- Should appear 4th Quarter 2006, and in Windows Vista
Slide 50: Windows Live - Developer Info
- MS is claiming that they learned their development lessons from Passport
- Will be releasing SDKs for Live ID
- Also will be having open forums and wiki-like documentation for the community.
- Cost, if any, at this point has not been disclosed.
Slide 51: Windows Live - My Two Cents
- The more I look at Windows Live ID, I think that they downloaded the Liberty Alliance documents and just did their own version (see Java ? C)
Slide 52: Finale
- So, where do we stand now?
- The only existing system, Passport, is due for replacement and already crippled from the original release
- A new system is proposed, is in place at AOL and a few other vendors, and has been almost copied as a replacement by MS.
Slide 53: Finale - Part 2
- So.
- This all means to me that Internet-wide authentication's not quite there yet.
- To me that means that anything I implement going forward, for at least the next little bit, will use small local mechanisms.
Slide 54: Finale - Part 3
- What I would do -
- Current project - Content Manageable Website Engine for use in large websites that require both anonymous and logged-in web users for user tracking and statistic management.
- Primary Project - www.iloveny.com
Slide 55: Finale - Part 4
- For user authentication -
- I just set up a local database and created fast interfaces that I can use for tracking.
- The internet-wide options were too slow and too difficult to get involved with.