Docstoc

Integrated Security Demo - Oracle 9iAS

Document Sample
Integrated Security Demo - Oracle 9iAS Powered By Docstoc
					Integrated Security Demo - Web Services
      Security ,Oracle 9iAS, PKI




          CSCI 5931 – Web Security
         Instructor: Dr. Andrew Yang
            Team: Web Warriors
 Rohan Bairat, Shashank Dhond, Mohd A Azeem
              23 rd April 2003
                                              1
Single Sign on
n   In any client/server relationship, single sign-on is a
    session/user authentication process that permits a
    user to enter one name and password in order to
    access multiple applications
n   In e-commerce, the single sign-on is designed to
    centralize consumer financial information on one
    server - not only for the consumer's convenience, but
    also to offer increased security by limiting the number
    of times the consumer enters credit card numbers or
    other sensitive information used in billing
n   Two Types of Single Sign-on
     n Web Single Sign-on

     n Legacy Single Sign-on
                                                           2
Web Single Sign-on
n   The Web is made up of portals which act as gateways to
    many layers of web sites
n   Earlier Web security was based on protecting URLs, not
    applications and SSL was suppose to be a complete
    solution
n   As applications and databases started being attached to
    the backend of URLs SSL limitations showed up.
n   SSL is CPU intensive cannot create a user experience
n   SSL only can work between two endpoints
n   A single sign-on solution will write the front-end
    authentication through to a central management console
    on the backend, and share this information between
    applications for the extent of the user session
                                                          3
Legacy Single Sign-on
n   Legacy single sign-on enables smooth
    navigation of the various applications on an
    intranet through one authentication session
n   Industry analysts refer to legacy single sign-
    on as employee single sign-on
n   It conceptually uses the same authentication
    and authorization architecture structure as
    Web single sign-on, except a portal is not part
    of the front-end picture
                                                4
More on Single Sign-on
n   Single sign-on and password synchronization are two
    different things
    n   A password synchronization system does is distribute and
        synchronize a main password to other systems
    n   true single sign-on products that offer advanced and
        sophisticated capabilities, a user can actually have different
        passwords for every application
    n   The single sign-on server stores these passwords in a
        protected database, and makes them available to the user
        upon login
n   Players in Single Sign-on
    n   Entrust, Evidian, Netegrity, and RSA Security. All three of
        these products can be run on UNIX platforms, and offer rules
        -based capabilities, roles-based capabilities, and LDAP
        compliancy                                                  5
Agenda – Web Services single sign-on

n   Web Services Security
n   Single Sign-on in Web Services
n   Methods
n   Available Solutions




                                       6
Web Services Security
n   Different companies had posted their
    own standards for securing web
    services
n   IBM WS Security
n   The Java WSDP Security
n   The Liberty Alliance SSO Architecture


                                            7
Single sign-on in Web Service
n   Single sign-on security architecture is to shift the
    complexity of the security architecture to the called
    SSO service
n   In the SSO architecture, all security algorithms are
    found in the single SSO server which acts as the
    single and only authentication point for a defined
    domain
n   SSO approach can be used for authentication
    /registration: a user has to sign-on only once
n   The SSO server can be a Web service

                                                        8
The Simple SSO Scenario
n   Modus Operandi
    n   The authenticated party first calls the SSO server and
        requests the authentication token that identifies it in
        the particular domain
    n   Token is available only when party provides the correct
        authentication credentials
         n   username/password
         n   Certificates
         n   Other methods
    n   The SSO server performs a validation of the users'
        credentials using the underlying security infrastructure
    n   The Token is issued to the user
         n   Token is a unique identification for the user in Simple SSO
             Scenario
                                                                           9
Simple Single sign on Scenario




                                 10
Advantage
n   Encapsulation of the underlying security infrastructure in
    the SSO server
n   Implementation, deployment and maintenance are much
    easier as all communicating parties in the distributed
    system don't need to individually implement all of the
    security features and mechanisms.
n   The SOAP interface to the SSO server makes the SSO
    architecture universal
n   The SSO server enhances security of the whole system
    as the security credentials don't need to be passed around
n   Authentication can be performed outside the security
    domain but security credentials stay within a security
    domain
                                                          11
Advanced SSO-using SAML
n   In the previous simple SSO scenario each time the user is
    challenged for identity verification
n   In this approach the token itself contains valuable security
    information that allows validation without having to call
    the SSO server each time
n   The token contains the authentication or authorization
    information signed by SSO server
n   There is a new standard for exchanging security-related
    information in XML called Security Assertions Markup
    Language (SAML) (developed by OASIS)



                                                            12
Security Assertions Markup Language

n   SAML defines the protocol by which the service consumer issues
    the SAML request and the so-called SAML authority returns the
    SAML response with assertions
n   The security information described by SAML is expressed in the
    form of assertion statements about security subjects (e.g. users,
    machines or services)
n   Assertions
     n   The Authentication statement informs about the authentication of a
         particular subject in a specific time and scope.
     n   The Authorization decision allows or denies a subject access to a specific
         resource.
     n   The Attributes further qualify the subject (e.g. credit line info, citizenship
         etc.)



                                                                                 13
Advanced SSO-using SAML




                          14
     Agenda - Oracle 9iAS single Sign-On

•   Overview of Single Sign-On
•   Web Single Sign-On
•   Legacy Single Sign-On
•   Features of Single Sign-On
•   SSO Components & Application Types
•   SSO Authentication Methods
•   Functional Overview of Oracle 9i AS SSO
•   Oracle 9i AS Security Architecture


                                              15
Overview of Single Sign on
n   In any client/server relationship, single sign-on is a 
    session/user authentication process that permits a user to 
    enter one name and password in order to access multiple 
    applications
n   In e-commerce, the single sign-on is designed to centralize 
    consumer financial information on one server - not only 
    for the consumer's convenience, but also to offer increased 
    security by limiting the number of times the consumer 
    enters credit card numbers or other sensitive information 
    used in billing
n   Two Types of Single Sign-on
     n Web Single Sign-on

     n Legacy Single Sign-on
                                                             16
    Web Single Sign-on
n   The Web is made up of portals which act as gateways to 
    many layers of web sites
n   Earlier Web security was based on protecting URLs, not 
    applications and SSL was suppose to be a complete 
    solution
n   As applications and databases started being attached to the 
    backend of URLs SSL limitations showed up.
n   SSL is CPU intensive cannot create a user experience 
n   SSL only can work between two endpoints
n   A single sign-on solution will write the front-end 
    authentication through to a central management console on 
    the backend, and share this information between 
    applications for the extent of the user session
                                                             17
    Legacy Single Sign-on

n   Legacy single sign-on enables smooth navigation of the 
    various applications on an intranet through one 
    authentication session
n   Industry analysts refer to legacy single sign-on as 
    employee single sign-on
n   It conceptually uses the same authentication and 
    authorization architecture structure as Web single sign-on, 
    except a portal is not part of the front-end picture



                                                              18
More on Single Sign-on
n   Single sign-on and password synchronization are two 
    different things
     n A password synchronization system does is distribute 
        and synchronize a main password to other systems
     n The single sign-on server stores these passwords in a 
        protected database, and makes them available to the 
        user upon login
n   Players in Single Sign-on
     n Entrust, Evidian, Netegrity, and RSA Security. All 
        three of these products can be run on UNIX platforms, 
        and offer rules-based capabilities, roles-based 
        capabilities, and LDAP compliancy
                                                           19
 Features of Single Sign-On (SSO)

Centralized authentication for web applications
• Secure 
• Inexpensive
• PKI support
• 3rd party integration




                                                  20
     SSO Components

• Applications
    - Partner
    - External
• Centralized SSO Server
      – Verifies SSO password
      – Sets SSO cookie at client
      – External app username/password store
• Username/Password managed in LDAP directory
       – Oracle Internet Directory (OID)
       – Other LDAPv3 directory requires OID gateway
       – Users provisioned through OID Delegated Administrative
         Services (DAS)
                                                                  21
    SSO Authentication Methods
   Oracle9iAS Single Sign-On uses one of these authentication 
    methods: 

    Local user authentication: Uses a lookup table within the Login 
    Server schema. This table contains user name, password, Login Server 
    privilege level, and other auditing fields for the user. The incoming 
    password is one-way hashed and compared to the entry in the table.

    External repository authentication:Typically relies on an LDAP-
    compliant directory. In this case, the Login Server binds to the LDAP-
    compliant directory, then looks up the user credentials stored there. 
    External Authentication includes LDAP and Database Authentication 
    and any others that may be custom-developed

                                                                         22
Functional Overview of Oracle9i AS SSO

        Initial Authentication

                     •     User accesses Partner App A which determines user 
                           isn’t authenticated.
                     •     App A redirects user to SSO server.
                     •     SSO server prompts user to give username and 
                           password.
                     •     SSO server verifies password and sets SSO cookie 
                           on client machine for authentication by Partner App.
                     5.    SSO credentials may be stored in external server.
                     6.    SSO server redirects user to partner App and also 
                           provides the partner App with an encrypted copy of 
                           the SSO cookie for it to verify the client’s identity.
                     7.        Partner App A sets its own cookie after verifying 
                              the client with the copy of the SSO cookie obtained 
                              from the SSO server.
                                                                              23
         Functional Overview of Oracle9i AS SSO

                Authentication to partner applications
       Once a user has been authenticated and an SSO cookie has   
       been set, Oracle 9i AS SSO directs the user back to the 
       partner application and includes an encrypted token which 
       contains the user’s identity in the partner application URL. 
       Then the token is encrypted in a key which is shared only 
       by Oracle 9i AS SSO and the partner application. This 
       assures the partner application that the token is authentic 
       and was created by Oracle 9i AS SSO.



                                                                       24
Functional Overview of Oracle9i AS SSO

    Authentication to External Applications
                        •   Client requests access to external App. is 
                            redirected to SSO server.
                        •   SSO server prompts client for username and 
                            password.
                        •   Clients username and password are 
4                           encrypted and sent to External App for 
          5
                            authentication.
                        •   After external app verifies client, SSO 
                            server sets SSO cookie on client and 
                            redirects client to App.
                        •   It sends a copy to the App for verification.
                            The SSO server uses external App’s 
                            verification module to authenticate user and 
                            sets the SSO cookie on the client.


                                                                           25
          Functional Overview of Oracle9i AS SSO


                            LDAP integration
        Directories supporting the Lightweight Directory Access 
       Protocol (LDAP) are increasingly used as a single source of 
       enterprise-wide information about users.
       Oracle9iAS SSO verifies usernames and passwords using OID. 
       When a user submits username and password as part of the 
       initial authentication, Oracle9iAS SSO compares the username 
       and password with that maintained in OID. If the comparison 
       succeeds, username and password are considered to be verified.

                                                                   26
Oracle 9i AS Security Architecture




                                     27
What is PKI?

n   PKI is a security architecture that has been introduced to 
    provide an increased level of confidence for exchanging 
    information over an increasingly insecure Internet.

n   PKI is based on the use of digital certificates that allow 
    users to verify the identity of the person or institution that 
    they're communicating with, and to digitally sign 
    transactions.


                                                                28
What PKI offers…
n   A certificate-based system that provides:
     n Authentication to verify the identity of the sender and 

       the recipient.
     n Data integrity to verify that information is received 

       unaltered from the sender.
     n Data confidentiality to ensure that sensitive 

       information does not fall into the wrong hands.
     n Non-repudiation to ensure that transactions are legally 

       binding, protecting your business from fraud.


                                                           29
PKI Technology and Architecture




                                  30
The Primary Technical Components of PKI


n   End Entity Application (EE).
n   Registration Authority (RA): It performs the necessary 
    checks to make sure the person requesting the certificate is 
    the same that he/she claims to be.
n   Certification Authority (CA):  Issues and verifies 
    certificates.
n   PKI directories: They are databases that are X.500/LDAP 
    compliant. They contain certificates in X.500/LDAP in th 
    X.509format, and that they  provide specific search 
    Facilities.

                                                             31
How PKI can be used with SSO
n   SSO layer of the application is built on top of a PKI layer.
n   PKI handles the LDAP directory part. The SSO server 
    refers to the Certificate Authority (CA) to verify the 
    credibility of the user and to authenticate his certificate.
n   Thus, in a SSO implemented with PKI:
     n The user first obtains a certificate from the CA using 

       PKI.
     n The user then calls the SSO server, provides the SSO 

       server with its certificate and requests for a token 
       identifying its domain.

                                                             32
How PKI can be used with SSO…

  n   The SSO server refers to the CA to verify the users 
      certificate.
  n   The CA checks its PKI directory to verify the certificate 
      provided by the SSO server.
  n   If the certificate checks out to be good the SSO server 
      issues the user with a token.




                                                           33
    References

o    http://www.certicom.com/pdfs/whitepapers/Trustpoint_PKI.
     pdf
o    http://www.articsoft.com/wp_pki_intro.htm
o    http://technet.oracle.com/sample_code/deploy/security/files/
     ssosecurity/Readme.html
o    http://technet.oracle.com/sample_code/deploy/security/files/
     ssosecurity/Readme.html



                                                             34
Wrapping Up…




               35

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:10/7/2013
language:Latin
pages:35