Authentication and Authorization in the Internet - Portalbraun/pdf_zip/si2003.pdf · R V S...
RVS
Authentication and Authorization in the Internet
Torsten Braun
Rechnernetze und Verteilte Systeme
Institut für Informatik und Angewandte Mathematik, Universität Bern
www.iam.unibe.ch/~rvs
Schweizer Informatik-Tag 2003, Bern, 17 October 2003
October 17, 2003  Torsten Braun (U Bern): Authentication and Authorization in the Internet  2
Overview
- Internet Security Fundamentals
  - Authentication
    - 3-Way Handshake Authentication
    - Authentication Server
    - Public Key Authentication
  - Certificates
    - Trust Chains
  - Authorization
- Authentication & Authorization Problem
  - Example: VITELS
- SWITCH AAI Initiative
  - AAI Overview and Terms
  - AAI Model
    - Registration
    - Resource Access
  - Shibboleth
  - AAI Implementation
    - AAI enabled Software
    - AAI Mediators
      - AAI Proxy
      - AAI Portal
  - Further AAI Issues
  - Outlook
Authentication
- Identities can be spoofed easily.
- Authentication is the process of proving one's identity to someone else.
- Authentication protocols are based on
  - shared secrets, e.g. passwords
  - authentication servers, e.g. Kerberos
  - public keys
Handshake Authentication
- Client and Server Handshake Keys (CHK/SHK) are calculated from the shared secret (password).
- Problem: Client needs a password for each server.

Message flow (x, y: random; K: session key):
  Client -> Server: ClientID, E(x, CHK)
  Server -> Client: E(x+1, SHK), E(y, SHK)
  Client -> Server: E(y+1, CHK)
  Server -> Client: E(K, SHK)
Authentication Server
- Shared secret keys between A and S, and between B and S
- Terminology
  - Timestamp T
  - Lifetime L
  - Session key K
  - Ticket
- Problem: A and B need shared secrets with the same authentication server

Message flow (KA, KB: keys shared with S):
  A -> S: A, B
  S -> A: E((T,L,K,B), KA), E((T,L,K,A), KB)
  A -> B: E((T,L,K,A), KB), E((A,T), K)
  B -> A: E(T+1, K)
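The two exchanges on the Handshake Authentication and Authentication Server slides as a runnable simulation. This is an added example, not code from the slides or from SWITCH; E(m, K) is a toy HMAC-based encrypt-then-MAC stand-in for a real symmetric cipher, and the client id "client-42", the key values and the 300 s lifetime are constructed.

```python
import os, hmac, hashlib, json, time, secrets

def _ks(key, nonce, n):  # HMAC-SHA256 in counter mode as a keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def E(obj, key):
    """Toy encrypt-then-MAC stand-in for the slides' E(m, K); not a real cipher."""
    if isinstance(key, str): key = bytes.fromhex(key)   # session keys are hex strings
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(blob, key):
    if isinstance(key, str): key = bytes.fromhex(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")   # no plaintext on failure
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def three_way_handshake(chk, shk):
    """Handshake slide: each side proves its handshake key, then the server ships K."""
    x = secrets.randbelow(2**31)                      # client nonce
    msg1 = ("client-42", E(x, chk))                   # -> ClientID, E(x, CHK)
    y = secrets.randbelow(2**31)                      # server nonce
    msg2 = (E(D(msg1[1], chk) + 1, shk), E(y, shk))   # <- E(x+1, SHK), E(y, SHK)
    if D(msg2[0], shk) != x + 1:                      # client: does server know x?
        raise ValueError("server failed to prove SHK")
    msg3 = E(D(msg2[1], shk) + 1, chk)                # -> E(y+1, CHK)
    if D(msg3, chk) != y + 1:                         # server: does client know y?
        raise ValueError("client failed to prove CHK")
    return D(E(secrets.token_hex(16), shk), shk)      # <- E(K, SHK); client gets K

def auth_server(a, b, ka, kb, lifetime=300):
    """Auth server slide: S answers 'A,B' with K for A and a ticket for B."""
    t, k = int(time.time()), secrets.token_hex(16)
    return E((t, lifetime, k, b), ka), E((t, lifetime, k, a), kb)

def client_a(a, for_a, ticket, ka):
    t, l, k, b = D(for_a, ka)                         # A recovers K; ticket stays opaque
    return ticket, E((a, t), k), k                    # -> E((T,L,K,A), KB), E((A,T), K)

def server_b(ticket, authenticator, kb):
    t, l, k, a = D(ticket, kb)                        # only B can open its ticket
    if not t <= time.time() < t + l:
        raise ValueError("ticket outside lifetime L")
    if D(authenticator, k) != [a, t]:                 # authenticator must match ticket
        raise ValueError("authenticator does not match ticket")
    return E(t + 1, k)                                # <- E(T+1, K): B proves it has K
```

B's lifetime check is what bounds replay of an old ticket; the authenticator check ties the ticket to the party that actually holds K.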
Public Key Authentication
Problem: A must be sure that the public key really belongs to B. → Certificate
(Confirmation, issued by a certification authority (CA), that a public key belongs to a certain identity.)

Message flow (x: random):
  A -> B: E(x, PublicB)
  B -> A: x
Certificates
(Figure: the client sends its Client-ID and public client key to the Certification Authority (CA). The CA computes a hash over Client-ID and public client key and signs the hash with the secret CA key; the certificate consists of Client-ID, public client key and signature. A communication partner verifies the certificate by recomputing the hash and checking the signature with the public CA key.)
Trust Chains
- X provides a certificate for Y.
- Y provides a certificate for B.
- A knows the public key of X and can verify the certificate for Y from X.
- A then knows the public key of Y and can verify the certificate for B from Y.
- Trust chains are organised in hierarchical trees:
    Root CA
    CA   CA   CA
    Users  Users  Users
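The three public-key slides above (challenge with E(x, PublicB), hash-then-sign certificates, and chain walking from a trusted root) as one added example; this is not code from the slides or from SWITCH. It uses textbook RSA built from fixed Mersenne primes so it runs without a crypto library, which shows the structure of sign/verify only and is not usable as real cryptography; the names "Root", "CA" and "bob" are constructed.

```python
import hashlib, json

# Textbook RSA on fixed Mersenne primes: shows the hash-sign-verify structure, NOT secure.
_PRIMES = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**31 - 1, 2**521 - 1]

def keypair(i):
    """Toy key pair for party i: public = (n, e), secret = (n, d)."""
    p, q = _PRIMES[2 * i], _PRIMES[2 * i + 1]
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(data):  # SHA-256 of the signed bytes as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(body, secret):                 # Certificates slide: Hash -> Signature (secret CA key)
    n, d = secret
    return pow(_h(body) % n, d, n)

def verify(body, sig, public):          # Certificates slide: recompute Hash, check with public CA key
    n, e = public
    return pow(sig, e, n) == _h(body) % n

def prove_key(x, public, secret):
    """Public Key Authentication slide: A sends E(x, PublicB); only B's secret key returns x."""
    (n, e), (_, d) = public, secret
    return pow(pow(x, e, n), d, n) == x

def issue_cert(subject, subject_pub, issuer, issuer_secret):
    """Certificate = (ID, public key, issuer) plus the issuer's signature over it."""
    body = json.dumps({"subject": subject, "pub": subject_pub, "issuer": issuer}).encode()
    return {"body": body, "sig": sign(body, issuer_secret)}

def verify_chain(chain, trusted):
    """Trust Chains slide: starting from trusted root keys, each certificate must be signed
    by a key established one step earlier. Returns the last subject's public key, or None."""
    known, subject = dict(trusted), None         # name -> public key we currently trust
    for cert in chain:
        info = json.loads(cert["body"])
        issuer_pub = known.get(info["issuer"])
        if issuer_pub is None or not verify(cert["body"], cert["sig"], issuer_pub):
            return None                          # unknown issuer or forged/tampered cert
        subject = info["subject"]
        known[subject] = tuple(info["pub"])      # json turned the (n, e) tuple into a list
    return known.get(subject)
```

A chain that skips the intermediate CA, or whose root is not in the trusted set, yields None even though every signature in it is internally valid.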
Authorization
- Authorization is the process of deciding whether an authenticated user is allowed to access or perform operations on a resource.
- Authentication might be a basis for authorization, if that is based on user identities.
- Problems of authorization schemes
  - User accounts with high administration overhead
  - Credentials need to be delivered to servers
  - Fine-grained access control is often impractical
- Examples: on-line libraries, distance learning courses
- Requirements for authorization
  - Scalability for resource administrators
  - Convenience for users, e.g. single login / password at the home organization
Authentication & Authorization Problem
(Figure: users from the University of Bern, the University of Fribourg and the University of Geneva each send their ID and credentials to each of Resource A, Resource B and Resource C, and every resource keeps its own info about every user.)
Problem: Many users - many resources - many organizations
VITELS
- Virtual Internet and Telecommunications Laboratory of Switzerland (www.vitels.ch)
- Distributed resources
  - Network laboratories at several universities
  - Course server and web servers
- Distributed users from different organizations
(Figure: students reach the network laboratory through a lab portal, plus a course server and a web server.)
SWITCH AAI Initiative
- Authentication and Authorization Infrastructure
- 2001/2002: study phase
- early 2003: selection of Shibboleth middleware (Internet2) as basis for implementation
- currently: pilot implementation projects
- www.switch.ch/aai
AAI Overview and Terms
- The trust relationship between two organizations (home organization and resource owner) is extended to a trust relationship between user and resource owner.
- Users authenticate to their home organization only!
- Resource owners grant access to a resource based on information about users (authorization attributes).
- Home Organization
  - Representative of a user community, e.g. universities, libraries, university hospitals etc.
- Resource
  - Application, web site, network, system, remote laboratory, etc.
- Resource Owner
  - Entity owning a resource and offering resource access to users
AAI Model: Registration
(Figure: step 1, the user registers with the user's home organization, providing info (name, address, ...) that is stored in the home organization's user DB. On the resource owner's side, the access control manager holds the access control definition for the resource. Legend: registration as pre-processing, data system.)
AAI Model: Resource Access
(Figure, three steps: (1) the user authenticates at the user's home organization, which checks its user DB; (2) the authenticated user sends an access request to the resource; (3) the home organization delivers authorization information over the AAI to the resource owner's access control manager, which decides according to its access control definition. Legend: AAI interaction, authentication, data system.)
Shibboleth
- AAI solution of Internet2 / MACE (Middleware Architecture Committee for Education)
  - middleware.internet2.edu/MACE/
  - shibboleth.internet2.edu
- Components
  - SHIRE: Shibboleth Indexical Reference Establisher
    - Intercepts resource requests
  - SHAR: Shibboleth Attribute Requester
    - Contacts the AA to fetch the authorization attributes of a user
  - WAYF: Where Are You From server
    - Redirects the user back to the HS of the home organization
  - HS: Handle Server
    - Authenticates the user locally and provides an opaque handle identifying the user
  - AA: Attribute Authority
    - Retrieves attributes (according to the user's release policy) and passes them to the SHAR
Shibboleth AA Process
(Figure: user; resource owner with SHIRE, SHAR and resource manager; WAYF; user's home organization with HS, AA and user DB.)
1. The user requests the resource.
2. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
3. WAYF: "Please tell me where you come from."
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate yourself."
6. The user presents credentials, which the HS checks against the user DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. SHIRE hands the handle to the SHAR: "I don't know the attributes of this user. Let's ask the Attribute Authority."
9. The SHAR sends the handle to the AA.
10. AA: "Let's pass over the attributes the user has allowed me to release." The attributes go to the SHAR and on to the resource manager: "OK, based on the attributes, I grant access to the resource."
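The AA process above as an added simulation (not code from the slides, from Shibboleth or from SWITCH): the home organization authenticates locally and hands out an opaque handle, the AA releases only what the user's per-resource release policy allows, and the resource owner decides from attributes alone. Handles are treated as single-use, the release-policy layout, the organization and resource names and the access rule are all assumptions of this example.

```python
import secrets

class HomeOrganization:
    """Handle Server (HS) and Attribute Authority (AA) of one home organization."""
    def __init__(self, name, users):
        self.name, self.users, self.handles = name, users, {}

    def handle_server(self, username, password):
        """HS: authenticate locally; return an opaque handle that reveals no identity."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None                                   # "Please authenticate yourself"
        handle = secrets.token_urlsafe(16)                # random, unlinkable to the user
        self.handles[handle] = username                   # only the HS/AA know the mapping
        return handle

    def attribute_authority(self, handle, resource):
        """AA: resolve the handle and release only what the user's policy allows
        for this resource. Handles are single-use here (an assumption of this example)."""
        username = self.handles.pop(handle, None)
        if username is None:
            return None                                   # unknown or already used handle
        user = self.users[username]
        allowed = user["release"].get(resource, set())
        return {k: v for k, v in user["attrs"].items() if k in allowed}

class ResourceOwner:
    """SHIRE, SHAR and resource manager; `rule` is the attribute-based access decision."""
    def __init__(self, name, rule):
        self.name, self.rule = name, rule

    def access(self, handle, home_org):
        """SHAR asks the AA for attributes; the resource manager applies the rule."""
        attrs = home_org.attribute_authority(handle, self.name)
        return attrs is not None and self.rule(attrs)

def shibboleth_flow(resource, wayf, org_name, username, password):
    """Steps 1-10 of the AA process: WAYF -> HS (login) -> back to resource with handle
    -> SHAR fetches attributes -> access decision. Returns True if access is granted."""
    home_org = wayf.get(org_name)                          # "Please tell me where you come from"
    if home_org is None:
        return False
    handle = home_org.handle_server(username, password)   # local authentication at the HS
    return handle is not None and resource.access(handle, home_org)
```

The resource never sees the password or the username; what reaches it is the handle and, after the AA applies the release policy, only the attributes the user agreed to release.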
AAI enabled Software
(Figure: the resource owner runs an application with built-in AAI support, e.g. a web server or WebCT Vista, that talks to the AAI directly.)
AAI Mediators
- Problem: Resources are not AAI aware
- Solution: AAI Mediator
  - AAI Proxy
    - The user is transparent to the resource
    - Resource access via the proxy
    - Example: access to on-line libraries is often based on IP addresses.
  - AAI Portal
    - Provides user information in the form required by the resource
    - Direct resource access
    - Examples: web and course servers
AAI Proxy
(Figure: on the resource owner's side, the AAI Proxy (a web proxy) talks to the AAI and forwards requests to the web server, which stays a "black box".)
AAI Portal
(Figure: on the resource owner's side, the AAI Portal with its portal database talks to the AAI; the user signs on at the portal, which then accesses the resource.)
AAI Portal Implementation
- SVC Mandate "SWITCH Pilot 1"
- Access to the AAI portal by
  - Resource users
  - Resource administrators
    - Definition of resources and access rules
  - Portal administrators
- An API allows reading/writing user/resource data from/to the AAI portal database.
- AAI portal with interfaces (adaptors) to the AAI and to resources, e.g.
  - Shibboleth adaptor
  - WebCT resource adaptor
    - Generation of WebCT user
    - Course subscription
    - Login on behalf of user
    - Redirection to course page
Demo: aaitest1.unibe.ch
Further AAI Issues
- Certification authorities
  - Root CA at SWITCH
- Definition of authorization attributes
- Non-technical issues
  - Legal
  - Financial
SWITCHaai Outlook
(Timeline 2003 to 2008 with the phases: Pilot; Implementation V1.0 and Operation V1.0; Implementation V2.0 and Operation V2.0; Study V3.0, Implementation V3.0 and Operation V3.0.)
Acknowledgements
Thanks to
- Christoph Graf (SWITCHaai project leader)
- SWITCH and the AAI working groups
- The AAI portal design and implementation team at the Universities of Basel, Bern and SWITCH
- Swiss Virtual Campus for supporting the AAI pilot mandate
- The audience for listening