Master's Thesis

Feb 22, 2014


Secure Authentication and Authorization Portal Based on Single Sign-On


Jukka Collan

Supervisor Professor Jörg Ott

Networking Laboratory


Agenda

Research problem
Thesis structure
Enterprise Single Sign-On Defined
Literature research
Case study: Software used
Risk and threat analysis
Results
Conclusions - Benefits



Research problem

Present approach of enterprise single sign-on
Why should a user have only one user ID and password?
Why are enterprises interested in single sign-on?
What kind of architecture does a single sign-on solution have?
What are the risks of using single sign-on?
What are the benefits of an enterprise single sign-on solution?
What is the ROI of an enterprise single sign-on solution?

Thesis structure

Secure Authentication and Authorization Portal Based on Single Sign-On
Introduction
Theory: authentication technologies and directories; market demand for single sign-on; single sign-on standardization
Case study of single sign-on
Risk and threat analysis
Conclusions
Enterprise Single Sign-On Defined

Users need only one password for access to all applications and systems
Users can access the corporate network at the start of their workday
Users immediately have access to all necessary password-protected applications
Users don't need to remember multiple passwords
Users don't have to write down their passwords
Users don't have to use easy-to-guess passwords, which potentially expose applications to unauthorized users

Literature research: authentication technologies

SECURE USER IDENTITY TECHNOLOGIES
  PKI
  X.509
  Smart card
  Electronic Identification Card (HST)
  One-time password
  Biometrics
  Fingerprints
  Iris codes

USER AUTHENTICATION IN COMPUTER NETWORKS
  Unix
  Kerberos
  Windows
  Windows NT LAN Manager (NTLM)
  Web-based authentication
  HTTP
  SSL and HTTPS


Literature research: authentication

USER AUTHENTICATION IN TELECOMMUNICATION NETWORKS
  Mobile Terminals
  PDA
  Authentication, Authorization and Accounting (AAA)
  RADIUS
  Diameter
  GSM
  WAP
  WTLS (Wireless Transport Layer Security)
  WPKI

POLICY BASED NETWORKS

DIRECTORIES
  LDAP
  Windows 2000 Active Directory
  Metadirectory


Literature study: single sign-on tech: SAML

SAML

Security Assertion Markup Language (SAML) is an XML-based security standard from OASIS for exchanging authentication and authorization information
SAML is an XML-based security framework for exchanging security information
Security information is expressed in the form of assertions about a subject
A subject is an entity, which can be either a human or a computer
Each entity has an identity in some security domain
A typical example of a subject is a person identified by his e-mail address in a particular Internet DNS domain
Assertions are represented as XML constructs
SAML defines a binding, which is Simple Object Access Protocol (SOAP) over HTTP


Literature study: single sign-on tech: SAML

In SAML, identifiers are defined as Uniform Resource Identifiers (URIs) for the following authentication methods:
  Password
  Kerberos
  Secure Remote Password (SRP)
  Hardware Token
  SSL/TLS Certificate Based Client Authentication
  X.509 Public Key
  PGP Public Key
  SPKI Public Key
  XKMS Public Key
  XML Digital Signature
  Unspecified


SAML: Application chain

1. Web user authenticates with the enterprise security system (authentication can be through the Web server)
2. Enterprise security system provides an authentication reference to the Web user
3. Web user requests a dynamic resource from the Web server, providing the authentication reference
4. Web server requests an application function from the application on behalf of the Web user, providing the Web user's authentication reference
5. Application requests the authentication document from the enterprise security system, corresponding to the Web user's authentication reference
6. Enterprise security system provides the authentication document, including authorization attributes for the Web user and a description of the authentication event
7. Application performs the application function for the Web server
8. Web server generates the dynamic resource for the Web user
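The chain above, as an added example written for this page (it is not the thesis's software and not a SAML toolkit): a Python simulation of the eight steps, in which the enterprise security system issues an opaque authentication reference at login and later resolves it to an assertion on the back channel. The class names, the sample user and attributes, and the single-use, time-limited reference are assumptions of the example; the assertion is a plain dict standing in for SAML XML.

```python
import secrets
import time

# SAML 1.x authentication method identifier for password authentication
PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"


class EnterpriseSecuritySystem:
    """Issues authentication references (steps 1-2) and resolves them to
    authentication documents (steps 5-6)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        # Constructed sample user store for the example; a real system would
        # hold password hashes in a directory, never plaintext in memory.
        self._users = {"alice@example.com": "correct horse battery"}
        self._attrs = {"alice@example.com": {"role": "purchasing", "dept": "ops"}}
        self._refs = {}          # reference -> (subject, issued_at)
        self.ttl = ttl_seconds
        self.clock = clock

    def authenticate(self, subject, password):
        """Steps 1-2: verify the credential and hand back an opaque reference."""
        stored = self._users.get(subject, "")
        if not stored or not secrets.compare_digest(stored, password):
            return None
        ref = secrets.token_urlsafe(32)          # unguessable, 256 bits of entropy
        self._refs[ref] = (subject, self.clock())
        return ref

    def resolve(self, ref):
        """Steps 5-6: exchange the reference for the authentication document.
        The reference is consumed on first use and rejected after ttl."""
        entry = self._refs.pop(ref, None)
        if entry is None:
            return None
        subject, issued = entry
        if self.clock() - issued > self.ttl:
            return None
        return {
            "subject": subject,
            "authn_event": {"method": PASSWORD_AM, "instant": issued},
            "attributes": dict(self._attrs[subject]),
        }


class Application:
    """Performs the application function (step 7) only for a resolvable reference."""

    def __init__(self, security_system):
        self.security = security_system

    def perform(self, ref):
        assertion = self.security.resolve(ref)
        if assertion is None:
            return None
        attrs = assertion["attributes"]
        return {
            "subject": assertion["subject"],
            "attributes": attrs,
            "result": f"order list for department {attrs['dept']}",
        }


class WebServer:
    """Forwards the user's reference to the application (steps 3-4) and
    renders the result (step 8)."""

    def __init__(self, application):
        self.app = application

    def dynamic_resource(self, ref):
        return self.app.perform(ref)
```

The two properties the example enforces, that the reference is consumed on first resolution and rejected after its lifetime, are what make it safe to carry through the browser and the Web server: an attacker who captures it after use, or replays it later, gets nothing from the security system.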


Literature study: Project Liberty

Project Liberty, or the Liberty Alliance, is the code name for an initiative announced to address open standards development in network identity and end-user privacy, as an alternative to Microsoft's Passport

Goals of the project:
  Enable consumers to protect the privacy and security of their network identity information
  Enable businesses to maintain and manage their customer relationships without third-party participation
  Provide an open single sign-on standard that includes decentralized authentication and authorization from multiple providers
  Create a network identity infrastructure that supports all current and emerging network access devices

.NET Passport authentication process

The .NET Passport authentication is based on a link from the participating site to the Microsoft Passport site
When a user tries to access a protected Web page within a participating site that requires authentication before allowing access, a redirect is made to the Passport site
.NET Passport compares the user's credentials to the credentials saved in the Passport database
If the credentials match, the user is authenticated and the PUID and .NET Passport profile are extracted from the database
After that the .NET Passport server creates three cookies:
  The Ticket cookie, which includes the PUID and a time stamp
  The Profile cookie, which stores the user profile
  The Participating Site cookie, which stores a list of the sites to which the user has signed in



Literature study: Microsoft .NET Passport

The goal of .NET Passport is to make online purchasing over the Internet easier and faster
.NET Passport provides the user with the Single Sign-In (SSI) service, using a large user base and encryption technologies such as Secure Sockets Layer (SSL) and the Triple Data Encryption Standard (3DES) algorithm for data protection
Single Sign-In (SSI) is the key service of .NET Passport
SSI provides a common Internet authentication mechanism across participating Web sites
Users can create a single sign-in name and password for use across participating .NET Passport sites
.NET Passport reduces the need for consumers to remember multiple sign-in names and passwords
.NET Passport provides a unique Passport ID (PUID) for every user




.NET Passport authentication process

.NET Passport SSI process

1. Initial page request
2. Redirect for authentication
3. Authentication request
4. Authentication response and cookies (ticket and profile)
5. Authentication request and cookies (ticket and profile)
6. Web page, authentication and cookies (profile)
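What a participating site must check on the Ticket cookie described above (the PUID plus a time stamp), as an added example written for this page rather than Microsoft's or the thesis's code. Passport protected the cookie with a per-site key and 3DES; this example substitutes an HMAC tag over the fields, and the site key, the PUID value and the 15-minute maximum age are assumptions.

```python
import base64
import hashlib
import hmac
import time

MAX_TICKET_AGE = 900   # assumption: a ticket older than 15 minutes is stale


def issue_ticket(puid, site_key, now=None):
    """Passport server side: bind the PUID and issue time under the site key."""
    ts = int(time.time() if now is None else now)
    body = f"{puid}|{ts}".encode()
    tag = hmac.new(site_key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"|" + tag).decode()


def verify_ticket(cookie, site_key, max_age=MAX_TICKET_AGE, now=None):
    """Participating site side: accept only an unmodified, fresh ticket.
    Returns the PUID on success and None otherwise."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        body, tag = raw.rsplit(b"|", 1)          # tag is hex, so it holds no '|'
        puid, ts_text = body.decode().split("|")
        ts = int(ts_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(site_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # integrity first, before trusting any field
        return None
    age = (time.time() if now is None else now) - ts
    if age < 0 or age > max_age:                # reject stale or future-dated tickets
        return None
    return puid
```

Checking the time stamp is what limits how long a stolen cookie stays useful; checking the tag before reading the PUID is what stops a client from writing its own.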


Commercial authentication and authorization portals

Centralizing user management is an effective way to reduce the number of usernames
One reason why there is no universal standard for single sign-on is that the user's digital identity is not standardized
Corporate authentication systems must support multiple means of identity: user ID and password, certificates, wireless authentication, third party (SecurID, smart cards, PKI), and also enable new mechanisms to be added easily
An authentication and authorization portal provides simple, secure access to critical information
A centralized authentication and authorization portal can support multiple authentication mechanisms:
  Basic authentication
  Basic authentication over SSL
  Smart card (HST)
  Forms-based authentication
  PKI/X.509 certificates
  Combination of passwords and certificates
  Custom or third-party schemes
  Biometric authentication


Federated identity management

Federated identity management provides a standardized mechanism for simplifying identity transformation and identity management across enterprise boundaries

Federation services
  engage in trust relationships and share identity information
Trust services
  Federation relationships require a trust-relationship-based federation between business partners
Key services
  Provide access to the key stores used by a Trust service and allow a Trust service to plug in/access different key stores as required
Session management services
  manage a user's session life cycle, from session creation, to session access, to session deletion
Authentication services
  Provide the functionality required to evaluate and validate user-provided credentials. Evaluate credentials such as a username and password, or SecurID token passcodes. Invoke some back-end data store, such as an LDAP registry or a SecurID token server, to validate these credentials.
Single sign-on services
  provide single sign-on across federations
Authorization services
  Authorization services are responsible for providing access decision point functionality
Identity services
  Provide the interface to local data stores, including user registries and databases; an identity service is able to add, delete, and look up information

Tivoli FIM architecture

(HTTP) browser
  A browser provides an interface between the end user and the infrastructure
Non-HTTP browser
  Non-HTML browsers, such as WAP browsers, are used by agents such as mobile devices
HTTP Point of Contact
  Located in the DMZ
  It is typically an HTTP reverse proxy or a plug-in to a Web server capable of authenticating a user and managing a session for that user
  The HTTP PoC will invoke (when required) single sign-on services
Tivoli Federated Identity Manager functionality
  A FIM component must communicate with the HTTP PoC for the purposes of completing single sign-on and single sign-off functionality
  It also integrates with a data store (such as a user registry) for management of user attributes and user aliases
  Implements the single sign-on (SSO) services
User registry/data store
  The user registry/data store is used for two distinct purposes: alias management and attribute management


Case study: Goal

The goal of this case study was to design a solution for the company which partly enables single sign-on and also makes the management of users in the company easier than it is today.

Drawbacks of Passwords

Too many passwords. Assume each user has a unique password for each application he uses. In an enterprise with 10,000 employees using two dozen applications each, that's 240,000 different passwords for IT to manage, creating enormous administrative complexity and burden.
Weak passwords. Users choose easy-to-remember passwords, the simplicity and obvious nature of which provide a lower level of security.
Lazy users. Do you use your birthday, social security number, name, or some combination for any of your passwords?
Reliance on human memory. There are two types of users: those who write down their passwords, and those who don't. The latter rely on memory for password recall, the performance of which declines in direct proportion to both the complexity and number of passwords. If each user in a company of 10,000 employees makes one password reset call to the IT help desk per month, and the cost is 25 euros per call, the annual password reset bill comes to 3 million euros.
Easily obtained. As for those users who write down passwords, they naturally do it in easily remembered places.
Easy to steal. Many desktops allow Windows to automatically fill in the password data. If the individual application passwords are stored on the desktop in unsecured cookies, then spyware, worms, and other malicious code can easily steal the passwords and other account information.
Easy to hack. Cyber-thieves have easy access to a wide range of "password crackers", software specifically designed to guess or recover passwords.
Phishing. The user is sent an e-mail asking him for his password.

Software of the case: AM

IBM Tivoli Access Manager (AM) for e-business

Policy-based access control solution for e-business and enterprise applications
AM lets organizations control both wired and wireless access to applications and data, keeping unauthorized users out
AM integrates with e-business applications to deliver a secure, personalized e-business experience for authorized users
AM integrates security for key CRM, ERP, and SCM e-business solutions, as well as enhancements for securing J2EE-conforming applications running on WebSphere Application Server or BEA WebLogic Server


Software of the case: TIM

IBM Tivoli Identity Manager (TIM) provides policy-based identity management across legacy and e-business environments
Intuitive Web administrative and self-service interfaces integrate with existing business processes to help simplify and automate managing identities, improving administrator productivity
It incorporates a workflow engine and leverages identity data for activities such as audit and reporting

Three key benefits of IBM Tivoli Identity Manager are:
  Reduces costs through centralized user management
  Increases productivity through automated workflow and delegated administration
  Quick ROI by bringing users, systems and applications online faster

IBM Tivoli Identity Manager provides a single point for managing users, and a consistent access control policy that integrates with the existing environment


Software of the case: TAMESSO

The Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) solution supports different types of user authentication:
  passwords
  smart cards
  biometrics

Benefits of TAMESSO
  It can store user credentials and its own system settings and policies in any LDAP directory or one of several databases
  The administrative console simplifies administrative tasks by automatically recognizing and configuring applications for sign-on with minimal effort by the administrator
  Users experience simple enterprise single sign-on while connected to or disconnected from the corporate network, and while roaming between computers


Software of the case: TAMESSO

TAMESSO helps you:
  Automate sign-on and eliminate users' need to manage passwords
  Enhance security with automatic password management
  Extend audit and reporting capabilities to include user sign-on data
  Generate a quick payback and high return on investment (ROI) with a solution that is quick and simple to deploy and reduces help desk costs

Securing enterprise single sign-on for end users helps organizations enhance productivity by simplifying user experiences, reduce help-desk costs related to passwords and optimize security by eliminating poor password management by end users.


Software of the case: TAMESSO

TAMESSO is designed to help organizations with their security across:
  Any form of user authentication: Microsoft Windows login, smart card, biometric, token and more
  Any enterprise application: client/server, Java, Web, legacy or homegrown
  Any enterprise infrastructure: directory, database, network file share and so on
  Any work mode: desktop, offline, kiosk and shared workstation

The TAMESSO Provisioning Adapter provides a high level of administrative control. For example, when application passwords are reset in TIM, TAMESSO is simultaneously updated so that it always has the correct password.

TAMESSO synchronizes with the database or directory:
  it reads and processes the instructions and updates the entries as needed in its local credential cache
  it may add, modify or delete credentials in the appropriate user's local credential cache
  it synchronizes the credentials back to the database or directory object for that user

Software of the case: TAMESSO

The TAMESSO Provisioning Adapter includes the following components:
  Server: accepts account credential provisioning information. It also communicates that information to TAMESSO clients by placing provisioning instructions into the directory or data store they use
  Console: provides a Web-based administration GUI for communicating with the server
  Command line interface (CLI): enables applications and administrators to communicate with the server
  Connector: a Java-based class library that integrates the server and Tivoli Identity Manager through the CLI

The operational architecture

Internet: Global network which connects millions of computers.
Internet DMZ: Controlled zone that contains components with which uncontrolled clients may directly communicate.
Production zone: Restricted area, which means that all connections are strictly controlled and direct access from uncontrolled networks is not permitted.
Management zone: One or more network zones may be designated as secured zones. Access is only available to a small group of authorized staff.
Intranet: Like the Internet DMZ, the corporate intranet is generally a controlled zone that contains components with which clients may directly communicate.


Case study - integration of two-factor authentication

Advanced authentication typically requires two forms of authentication
One is something the user knows, such as a password or PIN.
The second form of authentication is something the user either has (an authentication device, like a token or smart card) or is (a biometric like a retinal scan, voice print, or fingerprint).
With two-factor authentication, security for the network is strengthened by requiring users to present not one but two forms of identification, a password and an authentication device, so that neither alone is sufficient.
Without both the password and the hardware, a user cannot access all of her applications (in graded two-factor authentication, a user who has lost her smart card but remembers her password can get limited access to some functionality on the network until she receives a new card).
The company's advanced authentication system requires two identification factors to gain network access: (1) a smart card and (2) a personal identification number (PIN).


Case study - integration of two-factor authentication

Here's how the system works:

1. Each employee receives a smart card. The user's identity information is embedded in two of the card's three chips.
2. The smart card is integrated with the SSO system.
3. Digital certificates for logon, encryption, and digital signatures for all authorized users are stored in the SSO database.
4. The system handles both building and network access with a single solution. Employees must insert their smart card at the door to gain entry into their building.
5. Once at their desktop, employees insert their smart card into a card reader on their PC or laptop and enter a one-time password to activate the card-management system.
6. The card management system asks a series of questions. By answering correctly, employees prove they are authorized users.
7. The v-GO SSO system binds the card to the end user. It downloads to the card's third chip a set of digital certificates for logon, encryption, and digital signatures.
8. For added security, SSO also binds the end user's identity certificates stored on the smart card to v-GO SSO's list of application passwords.
9. After activation, the card logs users onto the network and their desktops.
10. With the desktop logon now downloaded onto the card, the smart card is the only credential needed for end users to access network resources.

Case study - integration of two-factor authentication

Importantly, user application passwords are stored in an encrypted database on the SSO platform, and not on the smart card. Therefore, if a smart card is lost or stolen, the person coming into possession of the badge does not possess any of the user's application passwords.
The cost of system implementation was 50 euros per user for the cards, card readers, and software.
According to the company's IT department, ROI was immediate, and included a 70% reduction in the nearly 4,000 password resets the business was performing each month.


Risk and threat analysis

The most common security risks in the enterprise are:
  Virus threats
  Unauthorized access to Web servers
  Denial of service threats
  Unauthorized access to services
  Hacking of passwords

Possible security threats are:
  Unauthorized access by an external attacker
  Unauthorized access by an internal hacker
  Eavesdropping on confidential data or personally identifiable data on the network
  Misuse by users from the internal network
  Misuse by customers from the Internet

Possible vulnerabilities are:
  Insecure systems or applications
  Lost or stolen passwords
  Application failures

Risk and threat analysis

Based on the risk assessment, the security of the portal can be improved as follows:

Improve security to control access to servers:
  Use complex, safe passwords
  Use security zones to control access to sensitive servers and applications
  Use firewalls or other gateways to control communication between different security zones
  Block unwanted traffic and monitor authorized traffic
  Use a reverse proxy at the edge of the network with authentication and authorization capabilities to control access to the information
  Place critical service and support servers in separate networks and block access using routers or firewalls
  Use secure communication protocols like SSL/TLS whenever possible

Risk and threat analysis

Improve system security to control activity on systems:
  Remove unneeded components, for example insecure programs like ftp and telnet, if possible
  Manage accounts on systems very closely, for example delete accounts that are no longer used
  Install security components, for example system auditing tools and integrity checking tools
  Check and update all default settings, for example password rules or impersonal accounts
  Enable system and application logging and send event information to a remote logging server
  Monitor usage of all interfaces for users and administrators in order to detect misuse


"Hacking of passwords"

The attacker breaks the system's username-password pairs by means of special programs designed for this purpose. Modern programs are very sophisticated and include many other breaking techniques than just dictionary attacks. This is very critical for the portal because if the attacker breaks the one password, he has access to all client-to-server based applications.
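Detection logic for the threat above, as an added example written for this page (it is not part of the thesis or of the IBM products it uses): a small sliding-window detector run over constructed portal login records. The record format, the source addresses and user names, and the thresholds (more than five failures, or more than three distinct users, from one source within five minutes) are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per portal login attempt. Not real portal
# output; the format is invented for this example.
SAMPLE_LOG = """\
2014-02-22T08:00:01 src=10.2.2.2 user=erin result=FAIL
2014-02-22T08:00:05 src=10.2.2.2 user=erin result=OK
2014-02-22T08:01:00 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:01:02 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:01:04 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:01:06 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:01:08 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:01:10 src=10.1.1.5 user=alice result=FAIL
2014-02-22T08:02:00 src=10.9.9.9 user=alice result=FAIL
2014-02-22T08:02:30 src=10.9.9.9 user=bob result=FAIL
2014-02-22T08:03:00 src=10.9.9.9 user=carol result=FAIL
2014-02-22T08:03:30 src=10.9.9.9 user=dave result=FAIL
2014-02-22T09:30:00 src=10.3.3.3 user=frank result=FAIL
2014-02-22T09:40:00 src=10.3.3.3 user=frank result=FAIL
"""


def parse_line(line):
    """Split '<iso timestamp> key=value ...' into (timestamp, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def detect_guessing(log_text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return sorted (kind, src) alerts.

    'brute_force': more than max_failures failed logins from one source in window
    'spray'      : one source failing against more than max_users distinct users
                   in window (one password tried across many accounts)
    Lines must be in time order, as a log file is.
    """
    recent = defaultdict(deque)      # src -> deque of (timestamp, user) failures
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result != "FAIL":
            continue                  # successes do not count toward guessing
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures that fell out of the window
        if len(q) > max_failures:
            alerts.add(("brute_force", src))
        if len({u for _, u in q}) > max_users:
            alerts.add(("spray", src))
    return sorted(alerts)
```

Counting distinct users per source, not just failures, is what catches the spray pattern in which an attacker tries one common password against many accounts and never trips a per-account lockout.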

Single sign-on: single point of attack

Single sign-on enables the user to authenticate once in order to access many resources. Does this single point of authentication also introduce a single point of attack and thereby reduce all network security?

Single sign-on: single point of attack

Does SSO reduce network security?

Let us take a hypothetical scenario of an end user with a Windows logon and 9 password-protected applications, a total of 10 passwords. Let us assume the following:
  minimum password length is 8 characters
  each password character can be one of 76 characters: upper or lower case alphabetic (52), numeric (10) or special characters (14)
  each password is randomized and unique from every other password

A hacker who would like to compromise all of these systems using a brute force attack would be faced with the following task:
  1 password: 76 characters ^ 8 characters = 1,113 trillion combinations
  10 passwords: 11,130 trillion combinations

Single sign-on: single point of attack

Now, with SSO the end user doesn't need to remember 10 passwords, only one; that password, however, becomes the most obvious point of attack
Let us assume that the Windows password is chosen as the single sign-on password, and that therefore the password file is easily available
Even if the password length is not changed at all, it will still take a hacker 2,147 days to crack it and obtain all other passwords (the figure implies a guess rate of about six million attempts per second)
If users didn't change their Windows password in over 5 years, it still wouldn't be cracked
A dictionary attack using the 30,000 most common words could conceivably crack the Windows password in a few seconds
If the Windows password policy is constrained such that the password must include at least one numeric or special character in the middle of the password, a plain dictionary attack no longer works
The hacker's approach is reduced back to a brute force attack: 5 years to crack the Windows password and thereby obtain all other application passwords
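The arithmetic behind the two slides above, as an added example written for this page rather than taken from the thesis. The alphabet (76 symbols), length (8) and dictionary size (30,000) are the slides' figures; the guess rate is an assumption chosen so that one keyspace takes the 2,147 days quoted. The last function goes one step beyond the slide: a cracker that tries each dictionary word with a single extra symbol inserted inside it (a hybrid attack) still finishes in seconds, so the numeric-or-special-character rule on its own does not push an attacker back to full brute force.

```python
ALPHABET_SIZE = 26 + 26 + 10 + 14   # upper, lower, digits, 14 specials: 76
PASSWORD_LENGTH = 8
DICTIONARY_WORDS = 30_000
GUESSES_PER_SECOND = 6_000_000      # assumed attacker rate, implied by the slide's 2,147 days
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size=ALPHABET_SIZE, length=PASSWORD_LENGTH):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def days_to_exhaust(combinations, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return combinations / rate / SECONDS_PER_DAY


def years_to_exhaust(combinations, rate=GUESSES_PER_SECOND):
    return days_to_exhaust(combinations, rate) / 365.25


def work_for_independent_passwords(n_passwords, alphabet_size=ALPHABET_SIZE,
                                   length=PASSWORD_LENGTH):
    """Ten unrelated random passwords cost ten keyspaces: the work adds up,
    it does not multiply."""
    return n_passwords * keyspace(alphabet_size, length)


def dictionary_seconds(words=DICTIONARY_WORDS, rate=GUESSES_PER_SECOND):
    """A plain dictionary attack tries each common word once."""
    return words / rate


def hybrid_candidates(words=DICTIONARY_WORDS, alphabet_size=ALPHABET_SIZE,
                      word_length=PASSWORD_LENGTH):
    """Caveat to the slide: if the policy only demands one digit or special
    character somewhere inside the word, a hybrid attack tries each dictionary
    word with one symbol inserted at each interior position. Assumes words of
    about `word_length` letters, giving word_length - 1 interior slots."""
    interior_positions = word_length - 1
    return words * alphabet_size * interior_positions
```

The work for ten independent random passwords adds rather than multiplies, which is why the ten-password figure is ten times the single-password figure and not its tenth power; the hybrid figure is what a practitioner would check before relying on a one-special-character rule.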


Single sign-on: single point of attack

Can SSO actually raise network security?

A user who has 10 passwords will seek to make his or her life as simple as possible by:
  making them all similar
  making them memorable words
  storing them in the clear on post-it notes, notepad files, etc.

By using SSO, the following is possible:
  all passwords are randomized
  none are memorable
  none are written down, but rather stored encrypted

Results

Technology is ready for single sign-on in the enterprise
SSO brings benefits to the security of enterprises
Software products can be easily integrated, but more standardization is still required for SSO across enterprise boundaries
An SSO solution reduces user authentication and authorization costs
An SSO solution reduces user management costs
An SSO solution increases user satisfaction
SSO helps in auditing enterprise security
SSO makes strong authentication possible in the enterprise network
Works with popular authentication devices
Secures and protects applications and credentials at all times

Conclusions - Benefits of SSO

ESSO offers a number of important advantages to the enterprise:
  Users gain quick and easy access from any location, to maximize productivity
  Eliminates lost or forgotten passwords: users have just one password to remember
  Lowers user support costs by virtually eliminating password-related support calls
  Securely stores and manages all passwords: no more searching for lost passwords
  Improves network security: prevents unauthorized users from accessing enterprise applications
  Simplifies administration: you can control password policies from a single console
  Integrates with your IDM solution and scales to any enterprise

Maximizes user productivity

For instance, if you have 10,000 users who spend 1 hour a month looking for passwords, asking for new passwords, or with other authentication problems that prevent them from logging on, and you estimate the value of their time at 60 euros an hour, the cost in lost productivity to your organization is 7,200,000 euros a year.

Lowers support costs

The ROI from ESSO is generated by reducing password-related calls from users to IT support. For an enterprise with 10,000 users, let's assume that the average user makes two password-related calls to IT support per month and that each call costs 25 euros. The total cost of all password support calls for the 10,000 users is then 500,000 euros a month, or 6,000,000 euros a year.

Network security

Implementing ESSO in an identity management system improves network security

Conventional password protection systems entail several security risk factors for the enterprise:
  Passwords users choose for themselves are usually short, simple, obvious, and easy to crack.
  Users are often cavalier about protecting passwords, leaving them scribbled on Post-it notes affixed to their monitor or posted on a wall or bulletin board, in plain view for anyone to see and copy.

Simplifies administration

Most applications are not designed with the needs of network administrators in mind, especially in the area of authentication. Network administration is greatly simplified when administrative functions can be performed by any authorized administrator from a single console. Some SSO solutions can provide this single point of control for the creation, distribution, and maintenance of enterprise application passwords.