Investigate The Adoption Of Open Standards For Identity And Authentication

Work Completed By: Terence Rich Whitehead

DESCRIPTION

DETAILS/LOCATION OF PRACTICAL DEMONSTRABLE OUTPUT

Details of where code, web pages etc can be found.

Unfortunately, because it was not possible to download a sample virtual machine and vendors have been slow in issuing temporary license keys, no local demonstrations are available. However, if any of these demonstration systems do become available then this document will be updated to reflect the fact.

If anyone would like to experience a software tool that uses open standards for handling identities then try ‘azigo’ (http://www.azigo.com).

One of the findings of this project was the security risks associated with some identity handling systems such as OpenID. A small demo has been created to demonstrate these weaknesses. It would be unwise to make this demonstration publicly available, but if anyone would like to see it they should contact the Applications Strategy Team.

DESCRIPTION OF THE WORK CARRIED OUT

Describe how you approached this piece of work, any technologies, tools or techniques that you found useful or tried and discarded. Include any examples that you used for inspiration and any contacts you have made in carrying out the work.

Initial investigation into the OpenID project and standards relating to the handling of identity and authentication revealed a plethora of standards and implementations based around digital identity: some open, others not so open, some free, others at a cost.

Investigations were made into OpenID, the use of SAML, OpenSSO and CardSpace, to name a few.
Some exploration was carried out in implementing OpenID. Attempts were also made to carry out a simple implementation of OpenSSO and PingFederate.

One important finding from this project was the inherent security risks associated with the handling of identity.

OpenID

OpenID is a fully decentralised system. Users can host their own identity on any server they choose, without having to ask anybody for permission or approval; they can also choose to have it hosted by one of the many OpenID hosting services. In fact many people already have an OpenID identity without even knowing it: Yahoo, AOL, Google etc. all support OpenID identities.

From a service provider's angle there is a range of software implementations from various software vendors and Open Source projects.

As OpenID is decentralised, the whole system does not fall apart if any company forming part of the decentralised system goes out of business or goes rogue (abuses the system).
OpenID and other similar implementations are susceptible to phishing attacks; even the most amateur web programmer would spot the vulnerability. For example, to produce a web site that can utilise OpenID the web site developer places the following code on a page.

<iframe src="https://wcc.rpxnow.com/openid/embed?token_url=http://localhost/ID/openid/done.html" 
  scrolling="no" frameborder="no" style="width:400px;height:400px;"> </iframe>

It can be seen that it would be very simple to redirect a user to a bogus phishing site other than wcc.rpxnow.com that could harvest usernames and passwords.

[Image: flickr 3833279736 – OpenID provider selection page]

When confronted with a page like the above asking the user to select a source for their OpenID information how do they know that they will be directed to the site they are expecting?

As OpenID gets more popular providing the user with more access to more and more sites it will become a greater target for phishing. Users stand a chance of actually becoming worse off than they are today as they will no longer be protected by just having one account that goes to one site hacked, they'll have all of them compromised at once!

Additional authentication via SMS, email etc. could be implemented to reduce the risk, but this still would not provide a totally secure system.

The development of a browser plugin to handle identities could be a way forward.

OpenID uses SSL to transfer all data that needs to be protected. Data supplying the user's details is supplied as XML or JSON formatted data. Below is a sample of the data returned as a JSON structure.

{
  "profile": {
    "verifiedEmail": "johndoe@btinternet.com",
    "name": {
      "formatted": "JOHN DOE"
    },
    "displayName": "JOHN DOE",
    "preferredUsername": "JOHN",
    "utcOffset": "00:00",
    "gender": "male",
    "providerName": "Yahoo!",
    "identifier": "https:\/\/me.yahoo.com\/a\/KyacxVE.jN93daSEoHpmG82Kaej7VSYNdI_fDDJq2t8nPE8z#b0391",
    "email": "johndoe@btinternet.com"
  },
  "stat": "ok"
}
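As an added example (not code from this report or from RPX), the Python below shows how a relying party might consume the JSON structure above on the server side, accepting only what the provider actually asserted. The provider allow-list and the function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Sample auth_info response copied from the report above.
SAMPLE_AUTH_INFO = '''{"profile": {
    "verifiedEmail": "johndoe@btinternet.com",
    "name": {"formatted": "JOHN DOE"}, "displayName": "JOHN DOE",
    "preferredUsername": "JOHN", "utcOffset": "00:00", "gender": "male",
    "providerName": "Yahoo!",
    "identifier": "https://me.yahoo.com/a/KyacxVE.jN93daSEoHpmG82Kaej7VSYNdI_fDDJq2t8nPE8z#b0391",
    "email": "johndoe@btinternet.com"},
  "stat": "ok"}'''

# Assumed allow-list of OpenID providers the relying party is willing to accept.
ALLOWED_PROVIDERS = {"Yahoo!", "Google", "AOL"}


def parse_auth_info(raw, allowed_providers=ALLOWED_PROVIDERS):
    """Return (identifier, verified_email) for an accepted login, else raise ValueError.

    'raw' must be the body returned by the relying party's own server-side token
    exchange with RPX; nothing the browser posts directly is trusted.
    """
    data = json.loads(raw)
    if data.get("stat") != "ok":
        raise ValueError("RPX reported failure: %r" % data.get("stat"))
    profile = data.get("profile") or {}
    identifier = profile.get("identifier", "")
    parsed = urlparse(identifier)
    # The identifier is the only stable account key: insist on an https URL with a host.
    # Keep it intact, fragment included, since the fragment is part of the identifier.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("identifier is not an https URL: %r" % identifier)
    if profile.get("providerName") not in allowed_providers:
        raise ValueError("provider not allowed: %r" % profile.get("providerName"))
    # 'email' is whatever the user typed; only 'verifiedEmail' was confirmed by the provider.
    # Everything else (displayName, gender, ...) is self-asserted, as the report notes.
    return identifier, profile.get("verifiedEmail")


def is_accepted(raw):
    """Convenience wrapper: True if the login would be accepted."""
    try:
        parse_auth_info(raw)
        return True
    except ValueError:
        return False
```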

SAML

SAML is an XML-based framework for web services. It has been designed to allow the exchange of authentication and authorisation information among businesses. It provides web-based security interoperability functions, such as single sign-on across sites hosted by multiple businesses.

Single sign-on can be implemented by businesses via the use of SAML, thus allowing users to visit various web sites without being repeatedly prompted for their credentials. SAML also provides a way of including security information in documents used in transactions. This is particularly relevant for web services, where security is essential.

SAML employs standard protocols and frameworks, such as XML Signature, XML Encryption, and SOAP. The specification can be incorporated in standard environments such as HTTP and most web browsers. Other security environments can also use SAML as an authentication and authorization layer.

SAML was developed by Baltimore Technologies, BEA Systems, Computer Associates, Entrust, Hewlett-Packard, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun Microsystems, Verisign, and other members of Oasis.

It must be pointed out that SAML doesn't perform any authentication; it is used to transport authentication information. In addition, SAML can use different authentication authorities such as LDAP, Active Directory and RADIUS, thus allowing for different identification methods such as password, biometric, Public Key Infrastructure, Secure Socket Layer, Kerberos etc.

The diagram below shows a typical sequence of connecting a user to a web service.

[Image: flickr 3833256772 – SAML sign-on sequence diagram]
  1. The user's browser accesses an authentication server and the authentication server requests the user ID and password.
  2. The user enters their ID and password. The authentication server opens a session with the destination server.
  3. The user requests a resource from the web services server. The authentication server opens a session with the destination server.
  4. The authentication server sends a URL to the user, redirecting the user's browser to the web service.

SAML does not come without its security risks, namely replay attacks, DNS spoofing and HTTP referrer attacks.

  • Replay Attack – A hacker hijacks a SAML token and replays it to gain illicit access.
  • DNS Spoofing – A hacker intercepts a SAML token and sends a false DNS address.
  • HTTP Referrer Attack – A hacker tries to reuse an HTTP referrer tag.
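As an added example (not code from this report or from any SAML product), the Python below shows the checks a service provider would apply to a bearer assertion to defeat the replay attack listed above: validity window, audience, recipient, the outstanding request it answers, and a record of assertion IDs already used. The assertion, endpoint names and function names are constructed assumptions, and the XML signature is assumed to have been verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion, not from the report. Its XML signature is assumed to have
# been verified already; the checks below only make sense on an authenticated assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-001" Version="2.0" IssueInstant="2009-08-20T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>johndoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-08-20T10:05:00Z"
          Recipient="https://sp.example.org/acs" InResponseTo="_req-42"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2009-08-20T09:59:00Z" NotOnOrAfter="2009-08-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, audience, recipient, pending_requests, seen_ids):
    """Return None if the assertion may be accepted, else the reason for rejection.
    pending_requests: AuthnRequest IDs this SP issued and has not yet consumed.
    seen_ids: assertion IDs already accepted (a shared store in a real deployment)."""
    now = _ts(now) if isinstance(now, str) else now
    a = ET.fromstring(xml_text)
    cond = a.find(SAML + "Conditions")
    scd = a.find(SAML + "Subject/" + SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData")
    if cond is None or scd is None:
        return "missing Conditions or SubjectConfirmationData"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return "outside Conditions validity window"          # stale or not-yet-valid token
    if now >= _ts(scd.get("NotOnOrAfter")):
        return "bearer confirmation expired"
    if scd.get("Recipient") != recipient:
        return "Recipient is not this SP's endpoint"         # token lifted from another site
    if audience not in [e.text for e in cond.iter(SAML + "Audience")]:
        return "Audience does not include this SP"
    if scd.get("InResponseTo") not in pending_requests:
        return "unsolicited or already-consumed InResponseTo"
    if a.get("ID") in seen_ids:
        return "assertion ID already used (replay)"
    # Accept: consume the request ID and remember the assertion ID until NotOnOrAfter.
    pending_requests.discard(scd.get("InResponseTo"))
    seen_ids.add(a.get("ID"))
    return None
```

A second presentation of the same assertion, even inside its validity window, is rejected because its ID is already in seen_ids.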

OpenSSO

OpenSSO has been adopted by Sun in their implementation “OpenSSO Enterprise”. To quote Sun: “OpenSSO Enterprise provides customers choice and interoperability with the widest support of containers, standards and operating systems in the market”.

As part of this project attempts were made to download a Virtual Machine that could be used to demonstrate an implementation of OpenSSO. Unfortunately problems were encountered when downloading this demonstration. This was a bit of a disappointment as it would have been a benefit to all.

A complete set of documentation on Sun’s OpenSSO implementation can be found at :-

http://www.sun.com/software/products/opensso_enterprise/index.xml

SSOCircle

SSOCircle was formed by a group of consultants with experience in building ISP hosting infrastructures. SSOCircle's mission is to “jump-start single sign-on deployments by providing an open identity provider for everyone and ready-to-use solutions.” These solutions support multiple protocols and introduce two-factor authentication with simplified enrolment.

SSOCircle has over time improved their authentication security. In 2007 they introduced Strong Authentication using X.509 certificates. The use of certificates reduced the threat of phishing, a long-standing issue with OpenID.

The SSOCircle model will also support the “ePass” smart card token. This enables users to protect themselves from keystroke loggers and other potential threats at public terminals etc. With this device, users can be secure in the knowledge that their details are safe, a significant improvement over existing solutions. To quote SSOCircle: “You just put it in, start your Firefox and get your certificate from the stick and then single sign-on with the certificate to the identity provider. If SSOCircle says okay, then the SAML assertion is sent to Google and you are signed on”.

SSOCircle are also looking at adding support for biometrics and integrating a fingerprint sensor.

SSOCircle also offer a range of solutions that can be downloaded and evaluated.

  1. Lightbulb, an OpenSSO extension written in PHP.
  2. A Simple Service Provider example that uses a CGI script that directs the user to a SSOCircle Identity provider for authentication.
  3. A SAML sample service provider that provides a federated service.

All the above can be found at :-

http://www.ssocircle.com/solutions.shtml

Shibboleth

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It has been deployed by universities, government agencies and various companies. A good example is hosted by the UK Access Management Federation for Education.

Shibboleth allows sites to make informed authorization decisions for individual access of protected online resources.
For full system documentation then visit the Shibboleth web site at :-

http://shibboleth.internet2.edu/

PROJECT OUTCOME

Describe the degree to which the work was successful in addressing the project description. Include reasons why or why not.

The general conclusion of this project is that there are no open standards that are as yet mature enough, particularly with regard to security, that could be employed within WCC. However, the whole area of identity and authentication is rapidly evolving. Robust systems are being implemented: one only has to look at what the UK Access Management Federation for Education and Research have implemented using the standards-based Shibboleth software, or at SSOCircle and their use of biometrics.

Personally I do not think this project was successful as it appears to have raised more questions than answers. There is a lot of information that has been published on identity and authentication and this project has only just scratched the surface. To make this project successful then some of the systems should be investigated in depth along with the construction of some demonstration systems.

A full and comprehensive report on OpenID, carried out by Edinburgh University, which should be read, can be found at the following location :-

H:\ISS\Strategy\StrategyArchitecture&Planning\R&D\ID\openid-finalreport-v1.0.pdf

SHORT TERM BENEFITS

What immediate impact could the output of this R&D work have on the organisation – could it provide benefits without compromising our strategic approach?

There are no short term benefits, other than offering the user an enhanced user experience, to be found in the adoption of open standards for the handling of identity and authentication. The main reasons for this are:-

  1. There are standards, but the implementation of those standards is forever changing, with a range of implementations and no single winner. At present there is no telling who the winner will be; perhaps there never will be one.
  2. As things stand at the moment the security risks are too high, not only for the workings of WCC but also for the general public.

As far as identity is concerned, OpenID etc. does not prove who someone is, only who they say they are. This being the case, anyone signing in can only be treated as an anonymous user as far as security is concerned.
There may be some argument in offering the user an enhanced user experience by saving the user time in creating their account and giving them a personal welcome etc.

In the longer term these issues will undoubtedly be addressed. Therefore it is recommended that WCC continue to monitor the ever changing situation.

Another area to monitor is that of access via mobile devices. This project has not looked at mobile devices, but as more and more people are likely to benefit from accessing WCC services in this manner it may be worth looking at mobile device capabilities.

STRATEGIC IMPLICATIONS

How the work carried out fits with our strategic direction or how it should contribute to our strategic thinking.

The adoption of open standards for the handling of identity and authentication must take place at some point in time. If WCC is to offer a range of services to a broad range of users in an environment that provides authentication, authorization and accountability, then these technologies must be embraced at some point in time, but only when there is a full understanding of the potential security risks involved.

WCC already has experience of identity and authentication systems in the form of the system implemented by the UK Access Management Federation for Education, of which WCC is a member, providing an IdP service. IT in Resources needs some visibility of what is taking place in other parts of the Authority, and learning from their experiences would be most beneficial.

This project identified three identity and authentication systems that would warrant further investigation :-

  • Shibboleth - Shibboleth defines a common framework for access management that is being adopted by education and commercial sectors across the world.
  • Sun OpenSSO Enterprise - Single solution for Web access management, federation, and Web services security.
  • SSOCircle - SAML and OpenID Identity Provider.

OTHER NOTES ETC

Appendix - A

Below is a list of some web sites that give some insight into identity and authentication.

OpenID
The home of OpenID http://openid.net/
Libraries for use with OpenID (C++, C#, PHP, Perl, Java etc) http://wiki.openid.net/Libraries
SAML
Information on SAML http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Online SAML community http://saml.xml.org/
SAML the ten facts you need to know. http://www.pingidentity.com/information-library/what-is-saml.cfm
Misc
PHP login script to manually authenticate OpenSSO users. http://www.devdaily.com/blog/post/php/php-source-code-manual-authenticate-login-opensso/
Access & Identity Management. OpenAthens a framework of software and services that provides supported membership of the UK Access Management Federation for Education and Research. http://www.athensams.net
UK Access Management Federation for Education and Research. http://www.ukfederation.org.uk/
Wiki info on XDI (XRI Data Interchange). http://en.wikipedia.org/wiki/XDI
XDI.ORG is an international non-profit public trust organization governing open public XRI and XDI infrastructure. http://www.xdi.org/
The home of OpenSSO. https://opensso.dev.java.net/
Introduction to Windows CardSpace. http://msdn.microsoft.com/en-us/library/aa480189.aspx
The home of OAuth. http://oauth.net/
Beginner’s guide to OAuth. http://www.hueniverse.com/hueniverse/2007/10/beginners-guide.html
Framework for requesting and issuing security tokens, and to broker trust relationships. http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html
RPX helps users sign-in to a website using an account they already have. https://rpxnow.com/
Open source software package for web single sign-on across or within organizational boundaries. http://shibboleth.internet2.edu/
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License