collan_061006.ppt - Master's Thesis

                             Master's Thesis
"Secure Authentication and Authorization Portal Based on Single Sign-on"
                               Jukka Collan
                    Supervisor: Professor Jörg Ott
                         Networking Laboratory
•   Research problem
•   Thesis structure
•   Enterprise Single Sign-On Defined
•   Literature research
•   Case study: Software used
•   Risk and threat analysis
•   Results
•   Conclusions - Benefits
                       Research problem

•   Present approach to enterprise single sign-on
    –   Why should a user have only one user ID and password?
    –   Why are enterprises interested in single sign-on?
    –   What kind of architecture does a single sign-on solution have?
    –   What are the risks of using single sign-on?
    –   What are the benefits of an enterprise single sign-on solution?
    –   What is the ROI of an enterprise single sign-on solution?
                             Thesis structure
       Secure Authentication and Authorization Portal Based on
                           Single Sign-On

(Structure diagram; boxes: Market demand for single sign-on; Authentication technologies and Single sign-on; Case study of Single; Risk and Threat Analysis)
         Enterprise Single Sign-On Defined

• Users need only one password for access to all applications and
• Users can access the corporate network at the start of their workday
• Users immediately have access to all necessary password-protected applications
• Users don't need to remember multiple passwords
• Users don't have to write down their passwords
• Users don't have to use easy-to-guess passwords, which potentially
  expose applications to unauthorized users
       Literature research: authentication technologies
   – PKI
       • X.509
   – Smart card
   – Electronic Identification Card (HST)
   – One-time password
• Biometrics
   – Fingerprints
   – Iris codes
   – Unix
       • Kerberos
   – Windows
       • Windows NT LAN Manager (NTLM)
   – Web-based authentication
       • HTTP
       • SSL and HTTPS
              Literature research: authentication
   – Mobile Terminals
   – PDA
   – Authentication, Authorization and Accounting (AAA)
      • RADIUS
      • Diameter
   – GSM
   – WAP
      • WTLS (Wireless Transport Layer Security)
      • WPKI
   – LDAP
   – Windows 2000 Active Directory
   – Metadirectory
      Literature study: single sign-on tech: SAML
    – Security Assertion Markup Language (SAML) is an XML-based security
      standard for exchanging authentication and authorization information by
• SAML is an XML-based security framework for exchanging security
• Security information is expressed in the form of assertions about
    – A subject is an entity, which can be either a human or a computer
    – Each subject has an identity in some security domain
    – A typical subject is a person, identified by an email address in a
      particular Internet DNS domain
• Assertions are represented as XML constructs
• SAML defines a protocol binding: Simple Object Access Protocol (SOAP)
  over HTTP
        Literature study: single sign-on tech: SAML

• SAML defines Uniform Resource Identifiers (URIs) for the following
  authentication methods:
    –   Password
    –   Kerberos
    –   Secure Remote Password (SRP)
    –   Hardware Token
    –   SSL/TLS certificate-based client authentication
    –   X.509 Public Key
    –   PGP Public Key
    –   SPKI Public Key
    –   XKMS Public Key
    –   XML Digital Signature
    –   Unspecified
                      SAML: Application chain

1.   Web user authenticates with enterprise security system (authentication can be through Web
2.   Enterprise security system provides an authentication reference to Web user
3.   Web user requests a dynamic resource from Web server, providing authentication reference
4.   Web server requests application function from application on behalf of Web user, providing Web
     user’s authentication reference
5.   Application requests authentication document from enterprise security system, corresponding to
     Web user’s authentication reference
6.   Enterprise security system provides authentication document, including authorization attributes
     for the Web user, and a description of the authentication event
7.   Application performs application function for Web server
8.   Web server generates dynamic resource for Web user
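The check that the application should make in steps 5 and 6 of the chain above, when it receives the authentication document back from the enterprise security system, as an added example (written for this page, not taken from the thesis or from any SAML product). It assumes a SAML 1.x assertion in the OASIS `urn:oasis:names:tc:SAML:1.0:assertion` namespace, a hypothetical issuer `https://sso.example.com`, audience `https://app.example.com/` and subject `jukka@example.com`, and that the assertion's XML digital signature has already been verified by the caller; the sample assertion is constructed. The authentication-method URIs are the SAML 1.0 identifiers for three of the methods listed on the previous slide.

```python
"""Added example: validating the SAML 1.x 'authentication document' of step 6.

The XML signature is assumed to be verified by the caller before this runs;
issuer, audience, subject and the sample assertion are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Authentication-method URIs from the SAML 1.0 specification (a subset of the
# slide's list). This application's policy accepts only the two strong ones.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
AM_HARDWARE_TOKEN = "urn:oasis:names:tc:SAML:1.0:am:HardwareToken"
STRONG_METHODS = {AM_X509, AM_HARDWARE_TOKEN}

# Constructed sample assertion (hypothetical issuer, audience and subject).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3" Issuer="https://sso.example.com" IssueInstant="2006-10-06T09:00:00Z">
  <saml:Conditions NotBefore="2006-10-06T09:00:00Z" NotOnOrAfter="2006-10-06T09:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="{AM_X509}"
      AuthenticationInstant="2006-10-06T08:59:30Z">
    <saml:Subject><saml:NameIdentifier>jukka@example.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jukka@example.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="https://sso.example.com/attrs">
      <saml:AttributeValue>payroll-reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class ValidatedAssertion:
    subject: str
    method: str
    attributes: dict[str, list[str]] = field(default_factory=dict)


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, audience: str, issuer: str, now: datetime,
                       clock_skew: timedelta = timedelta(seconds=30)) -> ValidatedAssertion:
    """Check an assertion whose XML signature the caller has ALREADY verified.

    Every check fails closed: a missing element is a rejection, not a default.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != issuer:
        raise ValueError(f"unexpected issuer {root.get('Issuer')!r}")

    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before is None or not_on_or_after is None:
        raise ValueError("Conditions must bound the validity period")
    # Tolerate a small clock difference between the security system and the app.
    if now + clock_skew < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if now - clock_skew >= _ts(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion was issued for a different audience")

    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise ValueError("no AuthenticationStatement")
    method = authn.get("AuthenticationMethod")
    if method not in STRONG_METHODS:
        raise ValueError(f"authentication method {method!r} not acceptable here")
    subject = authn.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    if not subject:
        raise ValueError("no subject")

    # Authorization attributes from step 6 become the application's input to
    # its own access decision; nothing else in the document is trusted.
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("AttributeName", ""), []).extend(values)
    return ValidatedAssertion(subject, method, attrs)


def check_sample(now_iso: str, audience: str = "https://app.example.com/") -> str:
    """Validate the constructed sample at a given UTC time; returns a one-line verdict."""
    try:
        v = validate_assertion(SAMPLE_ASSERTION, audience, "https://sso.example.com", _ts(now_iso))
        return f"ok {v.subject} {v.attributes}"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(check_sample("2006-10-06T09:02:00Z"))
    print(check_sample("2006-10-06T09:06:00Z"))
```

The point for a practitioner: the application does not take the Web server's word that the user was authenticated. It checks the issuer, the validity window, the audience and the authentication method itself, and treats a missing element as a rejection, so a replayed, re-targeted or downgraded document fails instead of being accepted by default.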
              Literature study: Project Liberty
• Project Liberty, or the Liberty Alliance, is the code name for an initiative
  announced to address open standards development in network
  identity and end-user privacy as an alternative to Microsoft's
• Goals of the project:
    – Enable consumers to protect the privacy and security of their network
      identity information
    – Enable businesses to maintain and manage their customer relationships
      without third-party participation
    – Provide an open single sign-on standard that includes decentralized
      authentication and authorization from multiple providers
    – Create a network identity infrastructure that supports all current and
      emerging network access devices
                          .NET Passport authentication process

•   .NET Passport authentication is based on a link from the participating site to
    the Microsoft Passport site
•   When a user tries to access a protected Web page within a participating site, one that
    requires authentication before allowing access, the user is redirected to the Passport site
•   .NET Passport compares the user's credentials to the credentials saved in the Passport
•   If the credentials match, the user is authenticated and the PUID and .NET Passport profile are
    extracted from the database
•   After that the .NET Passport server creates three cookies:
     –   The ticket cookie, which includes the PUID and a time stamp
     –   The profile cookie, which stores the user profile
     –   The participating site cookie, which stores a list of the sites to which the user has signed in
             Literature study: Microsoft .NET Passport
•   The goal of .NET Passport is to make online purchasing easier and faster
    via the Internet
•   .NET Passport provides the user with a Single Sign-In (SSI) service, using a large user
    base and encryption technologies such as Secure Socket Layer (SSL)
    and the Triple Data Encryption Standard (3DES) algorithm for data protection
•   Single Sign-In (SSI) is the key service of .NET Passport
•   SSI provides a common Internet authentication mechanism across
    participating Web sites
•   Users can create a single sign-in name and password for use across
    participating .NET Passport sites
•   .NET Passport reduces the need for consumers to remember multiple sign-on
    names and passwords
•   .NET Passport provides a unique Passport ID (PUID) for every user
                          .NET Passport authentication process

.NET Passport SSI process
    1.Initial page request
    2.Redirect for authentication
    3.Authentication request
    4.Authentication response and cookies (ticket and profile)
    5.Authentication request and cookies (ticket and profile)
    6.Web page, authentication and cookies (profile)
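The six-step flow above as a runnable simulation, added for this page (it is not Microsoft's Passport code and does not reproduce its wire format). The slides say only that the ticket cookie carries the PUID and a time stamp and that the data is protected with 3DES; this example instead protects the ticket and profile cookies with an HMAC under a hypothetical per-site key `SHARED_KEY`, and the host names, user store and PUID are constructed. What it demonstrates is the part a participating site must get right: verify the cookie's integrity, enforce a freshness window on the time stamp, and bind the profile to the ticket.

```python
"""Added example: a simulation of the redirect-based single sign-in flow.

The HMAC, key, hostnames, user store and PUID are this example's own
assumptions; the real Passport service encrypted its tickets with 3DES.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"per-site-key-issued-out-of-band"   # hypothetical per-site key
TICKET_LIFETIME = 300                               # seconds a ticket stays valid
LOGIN_URL = "https://login.passport.example/login?ru=https://shop.example/"
# Constructed user store: email -> (password, PUID)
USERS = {"alice@example.com": ("correct horse", "0003BFFD5E2A1C9B")}


def _seal(payload: dict) -> str:
    """Encode a cookie payload and append an integrity tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _open(cookie: str) -> dict:
    """Verify the tag before trusting anything in the cookie."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cookie integrity check failed")
    return json.loads(base64.urlsafe_b64decode(body))


def passport_authenticate(email: str, password: str, now: int | None = None) -> dict | None:
    """Steps 3-4: the authority checks credentials and mints ticket and profile cookies."""
    record = USERS.get(email)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    _, puid = record
    issued = int(now if now is not None else time.time())
    return {"ticket": _seal({"puid": puid, "ts": issued}),
            "profile": _seal({"puid": puid, "email": email})}


def participating_site(cookies: dict | None, now: float | None = None) -> tuple[str, str]:
    """Steps 1-2 and 5-6: redirect to the authority, or serve the page from valid cookies."""
    if not cookies or "ticket" not in cookies or "profile" not in cookies:
        return ("redirect", LOGIN_URL)
    ticket = _open(cookies["ticket"])
    profile = _open(cookies["profile"])
    now = now if now is not None else time.time()
    age = now - ticket["ts"]
    if age < 0 or age > TICKET_LIFETIME:
        return ("redirect", LOGIN_URL)          # stale ticket: force a fresh sign-in
    if profile["puid"] != ticket["puid"]:
        raise ValueError("profile cookie does not belong to this ticket")
    return ("page", f"welcome {profile['email']} ({ticket['puid']})")


def forge_ticket(cookie: str, puid: str) -> str:
    """Attacker: rewrite the PUID in a captured ticket but keep its old tag."""
    body, _, tag = cookie.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["puid"] = puid
    new_body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{new_body}.{tag}"


def demo() -> dict:
    """Walk the flow with a fixed clock so the results are reproducible."""
    t0 = 1_160_092_800                                   # constructed epoch time
    first = participating_site(None)                     # steps 1-2: no cookies yet
    cookies = passport_authenticate("alice@example.com", "correct horse", now=t0)
    served = participating_site(cookies, now=t0 + 60)    # steps 5-6
    stale = participating_site(cookies, now=t0 + 3600)   # older than TICKET_LIFETIME
    bad_pw = passport_authenticate("alice@example.com", "wrong", now=t0)
    try:
        participating_site({**cookies, "ticket": forge_ticket(cookies["ticket"], "DEADBEEF")},
                           now=t0 + 60)
        forged = "accepted"
    except ValueError as err:
        forged = f"rejected: {err}"
    return {"first": first, "served": served, "stale": stale, "bad_pw": bad_pw, "forged": forged}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} {outcome}")
```

The time stamp in the ticket is what limits how long a captured cookie stays useful, and the integrity tag is what stops the participating site from being fed a ticket naming somebody else's PUID; without both checks the redirect itself proves nothing.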
         Commercial authentication and authorization portals
•   Centralizing user management is an effective way to reduce the number of
•   One reason why there is no universal standard for single sign-on is that the user's digital
    identity is not standardized
•   Corporate authentication systems must support multiple means of identity: user ID and
    password, certificates, wireless authentication, third party (SecurID, smart cards, PKI),
    and also enable new mechanisms to be added easily
•   An authentication and authorization portal provides simple, secure access to critical
•   A centralized authentication and authorization portal can support multiple authentication
    methods:
     –    Basic authentication
     –    Basic authentication over SSL
     –    Smart Card (HST)
     –    Forms-based authentication
     –    PKI/X.509 certificates
     –    Combination of passwords and certificates
     –    Custom or third-party schemes
     –    Biometric authentication
                              Federated identity management

•   Federated identity management provides a standardized mechanism for simplifying identity
    transformation and identity management across enterprise boundaries
•   Federation services
     –   engage in trust relationships and share identity information
•   Trust services
     –   Federation relationships require a trust relationship-based federation between business partners
•   Key services
     –   Provide access to key stores used by a Trust service and allows a Trust Service to plug in/access different key
         stores as required
•   Session management services
     –   manage a user's session life cycle, from session creation, to session access, to session deletion
•   Authentication services
     –   Provide the functionality required to evaluate and validate user-provided credentials, such as a
         username and password or a SecurID token passcode, by invoking a back-end data store such as an
         LDAP registry or a SecurID token server.
•   Single sign-on services
     –   provide single sign-on across federations
•   Authorization services
     –   Authorization services are responsible for providing access decision point functionality
•   Identity services
     –   Provide the interface to local data stores, including user registries and databases; an identity
         service is able to add, delete, and look up information
                                    Tivoli FIM architecture

•   HTTP browser
     –   A browser provides an interface between the end user and the infrastructure
•   Non-HTTP browser
     –   Non-HTML browsers, such as WAP browsers, are used by agents such as mobile devices
•   HTTP Point of Contact (PoC)
     –   Located in the DMZ
     –   Typically an HTTP reverse proxy or a plug-in to a Web server, capable of authenticating a
         user and managing a session for that user
     –   The HTTP PoC invokes (when required) the single sign-on services
•   Tivoli Federated Identity Manager functionality
     –   A FIM component must communicate with the HTTP PoC to complete
         single sign-on and single sign-off
     –   It also integrates with a data store (such as a user registry) for management of user attributes
         and user aliases
     –   Implements the single sign-on (SSO) services
•   User registry/data store
     –   The user registry/data store is used for two distinct purposes:
         alias management and attribute management
         Case study: Goal

The goal of this case study was to design a solution for the company which partly enables single sign-on and also makes the management of users in the company easier than it is today.
                              Drawbacks of Passwords

•   Too many passwords. Assume each user has a unique password for each application he
    uses. In an enterprise with 10,000 employees using two dozen applications each, that's
    240,000 different passwords for IT to manage, creating enormous administrative
    complexity and burden.
•   Weak passwords. Users choose easy-to-remember passwords, the simplicity and
    obvious nature of which provide a lower level of security.
•   Lazy users. Do you use your birthday, social security number, name, or some
    combination of these for any of your passwords?
•   Reliance on human memory. There are two types of users: those who write down their
    passwords, and those who don't. The latter rely on memory for password recall, the
    performance of which declines in direct proportion to both the complexity and number
    of passwords. If each user in a company of 10,000 employees makes one password reset
    call to the IT help desk per month, and the cost is 25 euros per call, the password
    reset bill comes to 3 million euros a year.
•   Easily obtained. As for those users who write down passwords, they naturally do it in
    easily remembered places.
                              Drawbacks of Passwords

•   Easy to steal. Many desktops allow Windows to automatically fill in the password data.
    If the individual application passwords are stored on the desktop in unsecured cookies,
    then spyware, worms, and other malicious code can easily steal the passwords and
    other account information.
•   Easy to hack. Cyber-thieves have easy access to a wide range of "password crackers",
    software specifically designed to recover passwords.
•   Phishing. The user is sent an e-mail asking him for his password.
                       Software of the case: AM

IBM Tivoli Access Manager (AM) for e-business
•   Policy-based access control solution for e-business and enterprise applications
•   AM lets organizations control both wired and wireless access to applications and data;
    keeping unauthorized users out
•   AM integrates with e-business applications to deliver a secure personalized e-business
    experience for authorized users
•   AM integrates security for key CRM, ERP, and SCM e-business solutions, as well as
    enhancements for securing J2EE-conforming applications running on WebSphere
    Application Server or BEA WebLogic Server
                       Software of the case: TIM

•   IBM Tivoli Identity Manager provides policy-based identity management across legacy
    and e-business environments
• Intuitive Web administrative and self-service interfaces integrate with existing business
    processes to help simplify and automate managing identities
• improving administrator productivity
• It incorporates a workflow engine and leverages identity data for activities such as audit
    and reporting
Three key benefits of IBM Tivoli Identity Manager are:
• Reduces costs through centralized user management
• Increases productivity through automated workflow and delegated administration
• Quickly realize ROI by bringing users, systems and applications online faster

IBM Tivoli Identity Manager provides a single point for managing users, and a consistent
   access control policy that integrates with the existing environment
                Software of the case: TAMESSO

The Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) solution supports
    different types of user authentication:
• Passwords
• Smart cards
• Biometrics

Benefits of TAMESSO
• It can store user credentials and its own system settings and policies in any LDAP
   directory or one of several databases
• The administrative console simplifies administrative tasks by automatically recognizing
   and configuring applications for sign-on with minimal effort by the administrator
• Users experience simple enterprise single sign-on while connected to or disconnected from
   the corporate network, and while roaming between computers
              Software of the case: TAMESSO

•   TAMESSO helps you:
     – Automate sign-on and eliminate users' need to manage passwords
     – Enhance security with automatic password management
     – Extend audit and reporting capabilities to include user sign-on data
     – Generate a quick payback and high return on investment (ROI) with a
       solution that is quick and simple to deploy and reduces help desk costs
     – securing enterprise single sign-on for end users
     – helps organizations enhance productivity by simplifying user experiences
     – reduce help-desk costs related to passwords and optimize security by
       eliminating poor password management by end users.
                Software of the case: TAMESSO
•   TAMESSO is designed to help organizations in their security
     – Any form of user authentication — Microsoft® Windows® login, smart card,
       biometric, token and more
     – Any enterprise application — client/server, Java™, Web, legacy or homegrown
     – Any enterprise infrastructure directory, database, network file share and so on
     – Any work mode — desktop, offline, kiosk and shared workstation
     – The TAMESSO Provisioning Adapter provides a high level of administrative control.
       For example, when application passwords are reset in TIM, TAMESSO is
       simultaneously updated so that it always has the correct password
     – TAMESSO synchronizes with the database or directory:
     – it reads and processes the provisioning instructions and updates the entries as needed in its local
       credential cache
     – it may add, modify or delete credentials in the appropriate user's local credential
     – it synchronizes the credentials back to the database or directory object for that user.
              Software of the case: TAMESSO

The TAMESSO Provisioning Adapter includes the following components:
• Server: accepts account credential provisioning information and communicates
  it to TAMESSO clients by placing provisioning instructions into the directory
  or data store they use
• Console: provides a Web-based administration GUI for communicating with
  the server
• Command line interface (CLI): enables applications and administrators to
  communicate with the server
• Connector (Java-based class library): integrates the server and Tivoli Identity
  Manager through the CLI
                 The operational architecture

• Internet: Global network which connects millions of computers.
• Internet DMZ: Controlled zone that contains components with which
  uncontrolled clients may directly communicate.
• Production zone: Restricted area, which means that all connections
  are strictly controlled and direct access from uncontrolled networks is
  not permitted.
• Management zone: One or more network zones may be designated as
  secured zones. Access is only available to a small group of authorized
• Intranet: Like the Internet DMZ, the corporate intranet is generally a
  controlled zone that contains components with which clients may
  directly communicate.
         Case study-integration of two-factor authentication

•   Advanced authentication typically requires two forms of authentication
     –   One is something the user knows, such as a password or PIN.
     –   The second form of authentication is something the user has, an authentication device
         like a token or smart card, or something the user is: a biometric like a retinal scan, voice print,
         or fingerprint.

     With two-factor authentication an attacker must defeat both factors rather than one, because
     users must present not one but two forms of identification: a password and an authentication
     device.

     Without both the password and the hardware, a user cannot access all of her applications (in graded
        two-factor authentication, a user who has lost her smart card but remembers her password can
        get limited access to some functionality on the network until she receives a new card).

     The company's advanced authentication system requires two identification factors to gain
     network access: (1) a smart card and (2) a personal identification number (PIN).
        Case study-integration of two-factor authentication
Here’s how the system works:
1. Each employee receives a smart card. The user’s identity information is embedded in
two of the card’s three chips.
2. The smart card is integrated with the SSO system.
3. Digital certificates for logon, encryption, and digital signatures for all
authorized users are stored in the SSO database.
4. The system handles both building and network access with a single solution.
Employees must insert their smart card at the door to gain entry into their building.
5. Once at their desktop, employees insert their smart card into a card reader on their
PC or laptop and enter a one-time password to activate the card-management system.
6. The card management system asks a series of questions. By answering correctly,
employees prove they are authorized users.
7. The v-GO SSO system binds the card to the end user. It downloads to the card’s third
chip a set of digital certificates for logon, encryption, and digital signatures.
8. For added security, SSO also binds the end user’s identity certificates stored
on the smart card to v-GO SSO’s list of applications passwords.
9. After activation, the card logs users onto the network and their desktops.
10. With the desktop logon now downloaded onto the card, the smart card is the only
 credential needed for end users to access network resources.
      Case study-integration of two-factor authentication

• Importantly, user application passwords are stored in an encrypted
  database in the SSO platform, and not on the smart card. Therefore, if
  a smart card is lost or stolen, the person coming into possession of the
  badge does not possess any of the user's application passwords.
• Cost of system implementation was 50 euros per user for the cards,
  card readers, and software.
• According to the company’s IT department, ROI was immediate, and
  included a 70% reduction in the nearly 4,000 password resets the
  business was performing each month.
                              Risk and threat analysis

The most common security risks in the enterprise are:
• Virus threats
• Unauthorized access to Web servers
• Denial of service threats
• Unauthorized access to services
• Hacking of passwords
Possible security threats are:
• Unauthorized access by an external attacker
• Unauthorized access by an internal attacker
• Eavesdropping on confidential data or personally identifiable data on the network
• Misuse by users from internal network
• Misuse by customers from the Internet
Possible vulnerabilities are:
• Insecure systems or applications
• Lost or stolen passwords
• Application failures
                                   Risk and threat analysis

•   Based on the risk assessment, the security of the portal can be improved as follows:
    Improve security to control access to servers
     –   Use complex, safe passwords
     –   Use security zones to control access to sensitive servers and applications
     –   Use firewalls or other gateways to control communication between different security zones
     –   Block unwanted traffic and monitor authorized traffic
     –   Use a reverse proxy at the edge of the network with authentication and authorization capabilities
         to control access to the information
     –   Place critical service and support servers in separate networks and block access using routers of
     –   Use a secure communication protocol such as SSL whenever possible
                                  Risk and threat analysis

Improve system security to control activity on systems:
     –   Remove unneeded components, for example insecure programs like ftp and telnet, if possible
     –   Manage accounts on systems very closely, for example delete accounts that are no longer be
     –   Install security components, for example system auditing tools and integrity checking tools
     –   Check and update all default settings, for example password rules or impersonal accounts
     –   Enable system and application logging and send event information to a remote logging server
     –   Monitor usage of all interfaces by users and administrators in order to detect misuse
       "Hacking of passwords"

An attacker breaks the system's user name-password pairs by means of special programs designed for this purpose. Modern programs are very sophisticated, including many other breaking techniques than just dictionary attacks. This is very critical for the portal because if the attacker breaks the one password he has access to all client-to-server based
         Single sign-on: single point of attack

Single sign-on enables the user to authenticate once in order to access many resources. Does this single point of authentication also introduce a single point of attack and thereby reduce all network

•   Does SSO reduce network security? Let us take a hypothetical scenario of an end user
    with a Windows logon and 9 password-protected applications, a total of 10 passwords.
    Let us assume the following:
     – minimum password length is 8 characters
     – each password character can be one of 76 characters: upper or lower case
         alphabetic (52), numeric (10) or special characters (14)
     – each password is randomized and unique from every other password
     – A hacker who would like to compromise all of these systems using a brute force
         attack would be faced with the following task:
           • 1 password: 76^8 ≈ 1,113 trillion combinations
           • 10 passwords: 10 × 76^8 ≈ 11,130 trillion combinations
                          Single sign-on: single point of attack

•   Now, with SSO the end user doesn't need to remember 10 passwords, only one. That password,
    however, becomes the most obvious point of attack
     – Let us assume that the Windows password is chosen as the single sign-on password, and that
        therefore the password file is easily available.
     – Even if the password length is not changed at all, it will still take a hacker 2,147 days to crack it
        by brute force and obtain all other passwords
     – If users didn't change their Windows password in over 5 years, it still wouldn't be cracked
     – A dictionary attack using the 30,000 most common words could conceivably crack the
        Windows password in a few seconds
     – If the Windows password policy is constrained such that the password must include at least
        one numeric or special character in the middle of the password, a dictionary attack no longer
     – The hacker's approach is reduced back to a brute force attack: 5 years to crack the Windows
        password and thereby obtain all other application passwords.
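The arithmetic behind the two slides above, worked through as an added example (not part of the thesis). The slides give the keyspace 76^8 and the figure of 2,147 days but never state a guessing rate, so the example derives the rate those two numbers imply (about 6 million guesses per second, an assumption of this example) and applies the same rate to the dictionary attack. It then goes one step beyond the slide: a cracker that knows the "one digit or special character inside the word" policy does not fall back to brute force but searches word × symbol × position, a space the example sizes with constructed parameters (24 candidate symbols, 7 interior positions).

```python
"""Added example: the brute-force and dictionary arithmetic from the slides.

The guessing rate is derived from the slide's own numbers (76^8 combinations
in 2,147 days); the mangling parameters for the policy caveat are constructed.
"""
from __future__ import annotations

ALPHABET = 76           # 52 letters + 10 digits + 14 special characters (slide)
LENGTH = 8              # minimum password length (slide)
DICTIONARY = 30_000     # "30,000 most common words" (slide)
SLIDE_DAYS = 2147       # "2,147 days to crack it" (slide)
SECONDS_PER_DAY = 86_400


def keyspace(alphabet: int = ALPHABET, length: int = LENGTH) -> int:
    """Distinct passwords of exactly `length` characters; 76**8 is the slide's 1,113 trillion."""
    return alphabet ** length


def implied_guess_rate() -> float:
    """Guesses per second that an exhaustive 2,147-day search of 76^8 implies."""
    return keyspace() / (SLIDE_DAYS * SECONDS_PER_DAY)


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried."""
    return space / guesses_per_second / SECONDS_PER_DAY


def days_expected(space: int, guesses_per_second: float) -> float:
    """On average the right guess turns up halfway through the space."""
    return days_to_exhaust(space, guesses_per_second) / 2


def mangled_dictionary_space(words: int = DICTIONARY, symbols: int = 24, positions: int = 7) -> int:
    """Space a rule-based cracker searches when the policy demands one digit or
    special character inside a dictionary word: every word x every symbol x every
    interior position. This is the caveat to the slide: the policy does not push
    the attacker back to a 76**8 brute force. (symbols and positions are constructed.)"""
    return words * symbols * positions


def compare(rate: float | None = None) -> dict[str, float]:
    """Time each attack takes at the given (or implied) guessing rate."""
    rate = rate if rate is not None else implied_guess_rate()
    return {
        "random_8_char_days": days_to_exhaust(keyspace(), rate),
        "ten_random_passwords_days": days_to_exhaust(10 * keyspace(), rate),
        "dictionary_word_seconds": DICTIONARY / rate,
        "dictionary_plus_symbol_seconds": mangled_dictionary_space() / rate,
    }


if __name__ == "__main__":
    print(f"keyspace 76^8 = {keyspace():,} (about {keyspace() / 1e12:,.0f} trillion)")
    print(f"implied rate   = {implied_guess_rate():,.0f} guesses/s")
    for name, value in compare().items():
        print(f"{name:32s} {value:,.3f}")
```

Two things fall out of the numbers. First, the ten independent random passwords cost the attacker ten full searches, which is the argument for SSO with randomized, unique application passwords. Second, the single SSO password is only as strong as its worst-case search, and that search is a mangled dictionary run of a few million candidates, not 76^8, whenever the password is a word with a symbol pushed into it; the defence is a random password held by the SSO system, or a second factor, not a composition rule.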
                      Single sign-on: single point of attack

•   Can SSO actually raise network security?
     – A user who has 10 passwords will seek to make his or her life as simple as possible
          • making them all similar
          • making them memorable words
          • stored in the clear on post-it notes, notepad files, etc.
•   By using SSO, the following is possible:
     – all passwords are randomized
     – none are memorable
     – none are written down, but rather stored encrypted

•   Technology is ready for single sign-on in the enterprise
•   SSO brings benefits to the security of enterprises
•   Software can be integrated easily, although more standardization is still required for
    SSO across enterprise boundaries
•   An SSO solution reduces user authentication and authorization costs
•   An SSO solution reduces user management costs
•   An SSO solution increases user satisfaction
•   SSO helps in auditing enterprise security
•   SSO makes strong authentication possible in the enterprise network
•   Works with popular authentication devices
•   Secures and protects applications and credentials at all times
                      Conclusions - Benefits of SSO

•   BENEFITS OF SSO; ESSO offers a number of important advantages to the
     – Users gain quick and easy access – from any location – to maximize productivity
     – Eliminates lost or forgotten passwords – users have just one password to remember
     – Lowers user support costs – by virtually eliminating password-related support calls
     – Securely stores and manages all passwords – no more searching for lost passwords.
     – Improves network security – prevents unauthorized users from accessing enterprise
     – Simplifies administration – you can control password policies from a single
     – Integrates with your IDM solution and scales to any enterprise
      Maximizes user productivity

For instance, if you have 10,000 users who spend 1 hour a month looking for passwords, asking for new passwords, or dealing with other authentication problems that prevent them from logging on, and you estimate the value of their time at 60 euros an hour, the cost in lost productivity to your organization is 7,200,000 euros a year.
         Lowers support costs

The ROI from ESSO is generated by reducing password-related calls from users to IT support. For an enterprise with 10,000 users, let us assume that the average user makes two password-related calls to IT support per month and that each call costs 25 euros. The total cost of password support calls for these ten thousand users is 500,000 euros a month, or 6 million euros a year.
                             Network security

Implementing ESSO in an Identity Management System Improves network security

Conventional password protection systems entail several security risk factors for the enterprise:
•   Passwords users choose for themselves are usually short, simple, obvious, and easy to
•   Users are often cavalier about protecting passwords, leaving them scribbled on Post-it
    notes affixed to their monitor or posted on a wall or bulletin board, in plain view for
    anyone to see and copy
        Simplifies administration

Most applications are not designed with the needs of network administrators in mind, especially in the area of authentication. Network administration is greatly simplified when administrative functions can be performed by any authorized administrator from a single console. Some SSO solutions can provide this single point of control for the creation, distribution, and maintenance of enterprise application passwords.
