Federated Security

1
Federated Security
Lecture on

• Can delegated trust work?

Walter Kriha
2
Overview

• Why we need federated trust? Direct trust does
  not scale in distributed systems
• What makes federated trust secure? Leveraging
  high quality direct trust relations and
  delegation of authority
• Cross-Domain Trust between infrastructures
• Web-SSO Architectures
• Identity and Federation in Social Networks
  (Facebook etc.)

3
Super-Hub Architecture
Direct trust does not scale!
4
Ways to combine registries
Meta Directory
Virtual Directory
Federated Identities
META Registry
Service Interface
User Registry
User Registry
dynamically pull
copy and replicate
User Registry
User Registry
User Registry
User Registry
exchange metadata on users. Allow aliases to
protect users. Do not expose login credentials
Consistency? Name clashes? Privacy? Politics and
Economics?
Performance? Name clashes? Privacy? Politics and
Economics?
Trust? Control? QoS?
5
Federated Visa Card System
Dealer
Present card
Customer
Request payment
Issue card
Card Issuing Bank
Dealers Bank
clearing
Visa
6
Outsourcing of Trust Establishment
Present request and Proof of Identity
Identity Provider
Token
Return signed token containing authentication
statement
Trust relation to IP
Present token to establish remote, authenticated
session
Service Provider
7
Third Party Identity Assertion and Authorization
Log-in to SSO System
Company
Request token for supplier
Token
Return signed token containing authentication
statement and optionally autorisation to order
stuff from supplier
Employee
Trust relation secured by certificates
Present token to prove work-relation and optional
authority.
Supplier
Check signature of company. Knows now a)
employee really works for company b) Employee is
authorized to order (optional)
8
Why Third Party Trust is OK

• Does receiver really have a trust relation to
  employee of the company?
• What does it mean for the receiver to give the
  foreign employee a login name and credential?
• What happens if the employee
• Changes job function?
• Leaves the company?
• Uses credentials a year later?
• Starts buying non-authorized things?
• Hands-over login credentials?
• How many login credentials does the employee
  need?
• How many times does she use them?

9
Federated Identity Management Across Domains
Token
Token
User Registry
Customer alias
Author. Server
Identity Server
Credent. Vault.
Authent Server
client
Token
Reverse Proxy
App. Server
App. Server
Host
CSIv2
CSIv2
Internet
CSIv2
Token
Token
Token
App. Server
WS-S
WS-S
Internet
Token
Customer alias
Internet
External TTP
Point of contact
Other Company
App. Server
Token
Domain Bridge (TTP)
Authentication provider
Infrastructure converter
10
WS-Trust Server checking foreign Token
WS-Trust Server
Token
Token
11
Web-based SSO Scenarios

• Redirect Mechanism
• Background communication
• Where are you from
• Privacy issues

12
Redirect of unauthenticated request to identity
provider Pull Szenario
2.
Service Provider 1
Identity Provider
302 www.ip.com/original_request
GEThttp//www.SP1.com
GEThttp//www.IP.com with IP-Adresse of SP1.com
ls parameter
GEThttp//www.SP1.com
1.
3.
User
13
Re-redirect back to Service Provider
Service Provider 1
Identity Provider
4.
Redirect to Service Provider with token as
parameter
Redirect http//www.IP.com/sp....
TOKEN
TOKEN
5.
User
14
Functional Extensions to simple Web-SSO

• WAYF (Where are you from) How can the service
  provider know which STI the customer is using?
• Account Linking (SP and Customer are members of
  several STIs/IPs)
• Size and content of token
• Different user agents and transport protocols
  (e.g. web-services)

15
Federative Extensions to simple Web-SSO

• Both Service Provider and IP run their own
  identity management with separate user registries
• The customer is using several IPs
• The SP has several contract relations with other
  SPs

16
Redirect of authenticated user to selected SP
(Push Model)
Clicked by user
TOKEN1

• Dynamic Menue
• Link to SP1
• Link to SP2
• Link to SP3

TOKEN2
TOKEN3
Service Provider 1
Identity Provider
Redirect to Service Provider with token as
parameter
GEThttp//www.SP1.com
TOKEN1
TOKEN1
GEThttp//www.IP.com/loginForm.html
User
17
Front-Channel vs. Back-Channel
Back channel communication for extended user
information
Service Provider 1
Identity Provider
Redirect to Service Provider with token as
parameter
Redirect http//www.IP.com/sp....
push mechanism
Pull mechanism
TOKEN
Random number or extended user information (SAML)
User
Front channel
18
Account linking with User Alias
User_X, PW_X, IP_Alias 123
X_User, PW_Z, IP_Alias 123
Back channel communication for automatic
provisioning
Service Provider 1
Identity Provider
Redirect http//www.IP.com/sp....
Redirect to Service Provider with token as
parameter
Allows mapping between IP Alias and own UserID
for user
TOKEN IP_Alias 123
Front channel mapping
User
At IP User_X, PW_X At SP1 X_User, PW_Z
19
Secure Messages with Active Profile Web
Service enabled communication
2.
Service Provider 1
Identity Provider, WS-Trust Server
WS-Profile data
3.
WS-Federation Requests based on WS-Security
Messages
WS-Profile Messages to learn about requirements
1.
4.
TOKEN
TOKEN
5.
Web Service Client Application
20
Secure Association Markup Language (SAML)

• Policy Expression Language
• XML based language for secure statements
  (Assertions)
• Elements like user, attributes, validity
  constraints, QoS etc.
• Authentication Assertion
• Attribute Assertion
• Authority Assertion
• Binding information about transport protocols,
  get/post methods etc.
• Object/Message based security instead of only
  channel based security

21
SAML Assertion (example)
ltsamlAssertion Version"2.0 ID"_34234se72
IssueInstant"2005-04-01T165833.173Z"gt ltsamlIs
suergthttp//authority.example.com/lt/samlIssuergt
ltdsSignaturegt...lt/dsSignaturegt lt! issuer
signature ? ltsamlSubjectgt ltsamlNameID
format"urnoasisnamestcSAML2.0nameid-format
persistent"gt jygH5F90l lt/samlNameIDgt lt/samlSu
bjectgt ltsamlAuthnStatement AuthnInstant"2005-04
-01T165730.000Z"gt ltsamlAuthnContextgt ltsamlA
uthnContextClassRefgt urnoasisnamestcSAML2.0
acclassesPasswordProtectedTransport lt/samlAu
thnContextClassRefgt lt/samlAuthnContextgt lt/samlA
uthnStatementgt lt/samlAssertiongt
From ANTON06
22
SAML embedded in SOAP Header
ltSOAP-ENVEnvelopegt lt! SOAP Spec.
? ltSOAP-ENVHeadergt ltwsseSecuritygt lt! Web
Services Security Spec. ? ltsamlAssertiongtuser,
authentication, issuer etc. lt/samlAssertiongt
lt/wsseSecuritygt lt/SOAP-ENVHeadergt ltSOAP-ENV
Bodygt... lt/SOAP-ENVBodygt lt/SOAP-ENVEnvelopegt
From ANTON06
23
WS-Federation Active Profile Example
CompanyXYZ
TelCo Provider
SSO
Portal
Internal STI
Conference System
Link with Forms Post to TelCo
Own Token
SPNEGO
login
User XYZ_guest CN foo Email foo_at_xyz.com
TOKEN
Company XYZ User foo Email foo_at_xyz.com
employee
Mapping of all employees to ONE guest account for
XYZ at access manager of TelCo
SAML Assertion in Token
24
ID and time of issued assertion, namespaces galore
ltsamlAssertion AssertionID"
IssueInstant"2007-03-20T123050Z" Issuer"https
//www.xyz.com/wsf" MajorVersion"1
MinorVersion"1 xmlnsdshttp//www.w3.org/2000/
09/xmldsig xmlnssaml"urnoasisnamestcSAML1.
0assertion"gt ltsamlConditions
NotBefore"2005-07-16T151429Z
NotOnOrAfter"2005-07-16T153429Z"gt ltsamlAudien
ceRestrictionConditiongt ltsamlAudiencegthttps//w
ww.telco.com/wsf lt/samlAudiencegt lt/samlAudien
ceRestrictionConditiongt lt/samlConditionsgt lt
samlAuthenticationStatement AuthenticationInstant
"2005-07-16T152429Z" AuthenticationMethod"urn
oasisnamestcSAML1.0ampassword"gt
ltsamlSubjectgt ltsamlNameIdentifier
Format"urnoasisnamestcSAML1.1nameid-format
emailAddress"gt emp1_at_ltxyz.com lt/samlNameIdentif
iergt lt/samlSubjectgt lt/samlAuthenticationState
mentgt ltsamlAttributeStatementgt
ltsamlSubjectgt ltsamlNameIdentifier
Format"urnoasisnamestcSAML1.1nameid-format
emailAddress"gt emp1_at_xyz.com lt/samlNameIdentifi
ergt lt/samlSubjectgt ltsamlAttribute
AttributeName"cn AttributeNamespace"http//www.
xyz.com/cn"gt ltsamlAttributeValuegtEmployee One
lt/samlAttributeValuegt lt/samlAttributegt lt/samlA
ttributeStatementgt
When is this statement valid?
Who is the receiver?
Who is authenticated? (subject)
What attributes does subject have?
federation part of assertion defines
conditions, authentication, subject and subject
attributes
25
ltdsSignature Id"uuid203f1582-0105-efbb-6039-8ce3
efd72411 xmlnsds"http//www.w3.org/2000/09/xmld
sig"gt ltdsSignedInfogt ltdsCanonicalizationMethod
Algorithm"http//www.w3.org/2001/10/xml-exc-c14n
"/gt ltdsSignatureMethod Algorithm"http//www.w3.o
rg/2000/09/xmldsigrsa-sha1"/gt ltdsReference
URI"Assertion-uuid203f1557-0105-f23c-5b82-8ce3ef
d72411"gt ltdsTransformsgt ltdsTransform
Algorithm"http//www.w3.org/2000/09/xmldsigenvel
oped-signature"/gt ltdsTransform
Algorithm"http//www.w3.org/2001/10/xml-exc-c14n
"gt ltxc14nInclusiveNamespaces PrefixList"saml
ds xmlnsxc14n"http//www.w3.org/2001/10/xml-exc
-c14n"/gt lt/dsTransformgt lt/dsTransformsgt ltdsDig
estMethod Algorithm"http//www.w3.org/2000/09/xml
dsigsha1"/gt ltdsDigestValuegt sWS4qUyQXSgMRHM62ADx
LHGfFD4 lt/dsDigestValuegt lt/dsReferencegt lt/dsSi
gnedInfogt ltdsSignatureValuegt signature over
assertion (according to XMLDsig
Spec.)... lt/dsSignatureValuegt ltdsKeyInfogt ltdsX
509Datagt ltdsX509Certificategt XYZ Corp.
Certificate,...... lt/dsX509Certificategt lt/dsX509
Datagt lt/dsKeyInfogt lt/dsSignaturegt lt/samlAssert
iongt
How signature was created
Signature value to Check against
Who did it Signers certificate so receiver
(telco) can check signature
Non-federation part of assertion deals only
with message security of assertion statement
26
Identity and Federation in Social Networks

• The Tripartite Identity Pattern
• OpenID (Technology and the Nascar Problem)
• OAuth (Granular access delegation)
• XRD/JRD

27
Randy Farmer developed the above pattern which
separates functions of IDs along the dimensions
of uniqueness and memorizablity. Account IDs are
uniq and can be of arbitrary complexity as they
are used only for internal linking and
bookkeeping and are never exposed. Login IDs are
critical because they need to be both unique and
easy to remember. Public IDs are not unique but
should be easy to remember. They need additional
criteria for disambiguation (pictures, friends,
actions). The diagram is taken from Super
Social Everybody how to survive in the social
web, Thomas Fankhauser, Stuttgart Media
University 2010
28
OpenID/OAuth

• The Password Anti-Pattern
• The Nascar Problem
• Acceptance and Problems
• Service Providers as Identity Provider

29
The Nascar Problem
Too many big labels/icons of identity providers
(from http//factoryjoe.com/blog/2009/04/06/does-
openid-need-to-be-hard/)
30
OAuth/WRAP

• Granular Token Generation for Mashups
• Message/API Signatures
• Simple Bearer Tokens
• The Question of Channel Security

Spec. At http//oauth.net/core/1.0a/,
http//hueniverse.com/2010/05/introducing-oauth-2-
0/ http//hueniverse.com/2010/01/open-questions-a
bout-oauth-2-0-authentication/ http//hueniverse.c
om/2010/05/jrd-the-other-resource-descriptor/comm
ents http//hueniverse.com/oauth/
31
OAuth Sequence Diagram
From http//d.hatena.ne.jp/ZIGOROu/20090811/12500
06392
32
Facebook Authorization Example
From http//www.uml-diagrams.org/sequence-diagram
s-examples.html
33
Security Analysis

• Token Integrity and Confidentiality
• Token Verification
• Phising with bad redirect to phony IP
• Customer confusion about credentials if both SP
  and IP support their own identity management
  mechanisms
• Privacy problems with Identity Provider
• Log-out problem Guarantees for customer?
• Token abuse by SP?
• Attack on tokens at client?
• Session to IP?

34
Resources

• Anton E. Anton, Web Services in realen
  Business-Anwendungen Sicherheit,
  Transaktionalität, Geschäftsprozess-Modellierung,
  Diplomarbeit HdM 2006, http//www.kriha.de/krihaor
  g/dload/uni/anton.pdf
• EBR J. Eisenmann, A. Rauber, S. Simon, Single
  Sin On, Software-Projekt HdM 2003,
  http//www.kriha.de/krihaorg/dload/uni/eisenmann_
  rauber_simon.zip
• Bueck A. Buecker, W.Filip, H.Hinton,
  H.Hippenstiel, M.Hollin, R.Neucom, S.Weeden,
  J.Westman, Federated Identity Management and Web
  Services Security, IBM Redbook 2005
• End D. Endler, SessionID Hacking,
  http//www.idefense.com
• SAML Security Assertion Markup Language(SAML)
  2.0 Technical Overview. 2006, http//www.oasis-op
  en.org/committees/download.php/20645/sstc-saml-te
  ch-overview-2200-draft-10.pdf
• Wind P. J. Windley, Digital Identity
  unmasking Identity Management Architecture (IMA),
  OReilly 2005
• WS-FED H. Lockhart et al., Web Services
  Federation Language Version 1.1 (2006),
  http//www.ibm.com/developerworks/library/specific
  ation/ws-fed/
• WS-SEC B. Atkinson et al. Web Services
  Security (WS Security), http//www.ibm.com/devel
  operworks/library/ws-secure