
RVS

Authentication and Authorization in the Internet

Torsten Braun
Rechnernetze und Verteilte Systeme
Institut für Informatik und Angewandte Mathematik
Universität Bern
www.iam.unibe.ch/~rvs

Schweizer Informatik-Tag 2003, Bern, 17 October 2003

October 17, 2003 | Torsten Braun (U Bern): Authentication and Authorization in the Internet | Slide 2

Overview

- Internet Security Fundamentals
  - Authentication
    - 3-Way Handshake Authentication
    - Authentication Server
    - Public Key Authentication
  - Certificates
    - Trust Chains
  - Authorization
    - Authentication & Authorization Problem
  - Example: VITELS
- SWITCH AAI Initiative
  - AAI Overview and Terms
  - AAI Model
    - Registration
    - Resource Access
  - Shibboleth
  - AAI Implementation
    - AAI enabled Software
    - AAI Mediators
      - AAI Proxy
      - AAI Portal
  - Further AAI Issues
  - Outlook


Authentication

- Identities can be spoofed easily.
- Authentication is the process of proving one's identity to someone else.
- Authentication protocols are based on
  - shared secrets, e.g. passwords
  - authentication servers, e.g. Kerberos
  - public keys


Handshake Authentication

- Client and Server Handshake Key (CHK/SHK) calculated from shared secret (password).
- Problem: Client needs a password for each server.

Message exchange (x, y: random; K: session key):

  1. Client -> Server:  ClientID, E(x, CHK)
  2. Server -> Client:  E(x+1, SHK), E(y, SHK)
  3. Client -> Server:  E(y+1, CHK)
  4. Server -> Client:  E(K, SHK)


Authentication Server

- Shared secret keys between A and S, B and S
- Terminology
  - Timestamp T
  - Lifetime L
  - Session key K
  - Ticket
- Problem: A and B need shared secrets with the same authentication server

Message exchange (Client A, Authentication Server S, Server B):

  1. A -> S:  A, B
  2. S -> A:  E((T,L,K,B), KA), E((T,L,K,A), KB)
  3. A -> B:  E((T,L,K,A), KB), E((A,T), K)
  4. B -> A:  E(T+1, K)
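The two shared-secret exchanges of the preceding slides, the 3-way handshake (slide 4) and the ticket-based authentication server (slide 5), as one runnable simulation with both sides' messages and checks. This is an added example, not code from the slides: the cipher standing in for E() (HMAC-SHA256 in counter mode), the PBKDF2 key derivation, the fixed-width integer encoding, the party names and the timestamp values are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# E(m, K) of slides 4 and 5, modelled for the demo by a keyed stream cipher:
# HMAC-SHA256 in counter mode with a fresh 16-byte nonce per message. It makes
# the exchanges runnable offline; it is not the slides' cipher and adds no
# integrity protection (an assumption of this example).
def _keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(msg: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(msg, key, nonce)

def decrypt(ct: bytes, key: bytes) -> bytes:
    return _keystream_xor(ct[16:], key, ct[:16])

def to_bytes(v: int) -> bytes:        # fixed 32-byte encoding so x+1 and T+1 stay parseable
    return (v % (1 << 256)).to_bytes(32, "big")

def from_bytes(b: bytes) -> int:
    return int.from_bytes(b, "big")

def derive_handshake_keys(password: str) -> tuple:
    # Slide 4: CHK and SHK are both calculated from the shared secret (PBKDF2 is an assumption).
    pw = password.encode()
    return (hashlib.pbkdf2_hmac("sha256", pw, b"CHK", 10_000),
            hashlib.pbkdf2_hmac("sha256", pw, b"SHK", 10_000))

def three_way_handshake(client_password: str, server_password: str) -> dict:
    """Slide 4: ClientID, E(x,CHK) / E(x+1,SHK), E(y,SHK) / E(y+1,CHK) / E(K,SHK)."""
    c_chk, c_shk = derive_handshake_keys(client_password)
    s_chk, s_shk = derive_handshake_keys(server_password)   # server's copy of the secret
    x = secrets.randbits(128)
    msg1 = (b"client-id", encrypt(to_bytes(x), c_chk))
    # Server: recover x, answer x+1 to prove it knows the secret, add its own challenge y.
    x_seen = from_bytes(decrypt(msg1[1], s_chk))
    y = secrets.randbits(128)
    msg2 = (encrypt(to_bytes(x_seen + 1), s_shk), encrypt(to_bytes(y), s_shk))
    # Client: accept the server only if it answered with exactly x+1.
    if from_bytes(decrypt(msg2[0], c_shk)) != x + 1:
        return {"server_ok": False, "client_ok": False, "session_key": False}
    msg3 = encrypt(to_bytes(from_bytes(decrypt(msg2[1], c_shk)) + 1), c_chk)
    # Server: accept the client only if it answered with exactly y+1.
    if from_bytes(decrypt(msg3, s_chk)) != y + 1:
        return {"server_ok": True, "client_ok": False, "session_key": False}
    k = secrets.token_bytes(32)
    msg4 = encrypt(k, s_shk)                                 # session key K under SHK
    return {"server_ok": True, "client_ok": True, "session_key": decrypt(msg4, c_shk) == k}

def ticket_protocol(server_keys: dict, a: bytes, b: bytes,
                    issued_at: int, lifetime: int, presented_at: int) -> dict:
    """Slide 5: A and B share no secret, only KA and KB with the authentication server S."""
    ka, kb = server_keys[a], server_keys[b]
    # 1. A -> S: A, B.   2. S -> A: E((T,L,K,B),KA), E((T,L,K,A),KB) with a fresh session key K.
    k, t, l = secrets.token_bytes(32), issued_at, lifetime
    for_a = encrypt(to_bytes(t) + to_bytes(l) + k + b, ka)
    ticket = encrypt(to_bytes(t) + to_bytes(l) + k + a, kb)
    # A opens its part with KA: learns T, L, K and checks the ticket is meant for B.
    plain = decrypt(for_a, ka)
    t_a, k_a, peer = from_bytes(plain[:32]), plain[64:96], plain[96:]
    if peer != b:
        return {"accepted": False, "reason": "ticket not issued for B"}
    # 3. A -> B: ticket E((T,L,K,A),KB) plus authenticator E((A,T),K).
    authenticator = encrypt(a + to_bytes(t_a), k_a)
    # B opens the ticket with KB, checks the lifetime, then checks the authenticator.
    tk = decrypt(ticket, kb)
    t_b, l_b, k_b, client = from_bytes(tk[:32]), from_bytes(tk[32:64]), tk[64:96], tk[96:]
    if not t_b <= presented_at < t_b + l_b:
        return {"accepted": False, "reason": "ticket expired"}
    auth = decrypt(authenticator, k_b)
    if auth[:len(client)] != client or from_bytes(auth[len(client):]) != t_b:
        return {"accepted": False, "reason": "authenticator mismatch"}
    # 4. B -> A: E(T+1, K) shows B could read the ticket; A and B now share K.
    ok = from_bytes(decrypt(encrypt(to_bytes(t_b + 1), k_b), k_a)) == t_a + 1
    return {"accepted": ok, "reason": None}
```

`three_way_handshake("pw", "pw")` completes with a shared session key, while a mismatched password makes the client reject the server at message 2, which is the check that stops an impostor server. `ticket_protocol` needs no secret between A and B at all, only KA and KB at S, and B rejects a ticket presented outside its lifetime L.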


Public Key Authentication

Problem: A must be sure that the public key really belongs to B. → Certificate
(Confirmation, issued by a certification authority (CA), that a public key belongs to a certain identity.)

Message exchange (Client A, Server B):

  1. A -> B:  E(x, PublicB)
  2. B -> A:  x


Certificates

Certification Authority (CA):
  - computes Hash(Client-ID, public client key)
  - signs the hash with the secret CA key -> Signature
  - issues the certificate: Client-ID, public client key, Signature

Client:
  - presents the certificate (Client-ID, public client key, Signature)

Communication partner:
  - recomputes Hash(Client-ID, public client key)
  - checks the Signature against that hash with the public CA key


Trust Chains

- X provides certificate for Y.
- Y provides certificate for B.
- A knows public key of X and can verify certificate for Y from X.
- A knows then public key of Y and can verify certificate for B from Y.
- Organisation of trust chains in hierarchical trees:

  Root CA
    CA      CA      CA
    Users   Users   Users
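Certificate issuance (slide 7) and chain verification (slide 8) as a runnable example. This is added code, not from the slides: the signature scheme is textbook RSA over hard-coded Mersenne primes with no padding, a teaching toy chosen so the block needs only the standard library, and the names X Root CA, Y CA and B Server are made up. The part worth studying is `verify_chain`, which starts from the one public key A already trusts and lets each verified certificate supply the key for the next link.

```python
import hashlib
import json

# Added example, not from the slides: certificate issuance (slide 7) and chain
# verification (slide 8). Signatures use textbook RSA over hard-coded Mersenne
# primes with no padding, a teaching toy chosen so the block needs only the
# standard library; the chain-walking logic is what it demonstrates.
MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1]

def make_keypair(p: int, q: int) -> tuple:
    """Returns ((n, e), (n, d)) for primes p, q (assumed coprime to e = 65537)."""
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(subject: str, pubkey) -> int:
    # Slide 7: the CA signs Hash(Client-ID, public client key).
    data = json.dumps([subject, list(pubkey)], sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(issuer: str, issuer_priv: tuple, subject: str, subject_pub: tuple) -> dict:
    n, d = issuer_priv
    return {"subject": subject, "pubkey": subject_pub, "issuer": issuer,
            "signature": pow(digest(subject, subject_pub) % n, d, n)}

def verify(cert: dict, issuer_pub: tuple) -> bool:
    # Communication partner (slide 7): recompute the hash and check it against
    # the signature with the issuer's public key.
    n, e = issuer_pub
    return pow(cert["signature"], e, n) == digest(cert["subject"], cert["pubkey"]) % n

def verify_chain(chain: list, trusted_roots: dict) -> bool:
    """Slide 8: chain[0] is the end entity B, chain[-1] was issued by root X.
    A starts from the public key of X it already knows; every verified
    certificate contributes the key used to check the next one down."""
    expected_issuer = chain[-1]["issuer"]
    issuer_key = trusted_roots.get(expected_issuer)
    if issuer_key is None:
        return False            # the chain does not end at a CA this verifier trusts
    for cert in reversed(chain):
        if cert["issuer"] != expected_issuer or not verify(cert, issuer_key):
            return False
        expected_issuer, issuer_key = cert["subject"], cert["pubkey"]
    return True

def build_demo() -> tuple:
    """Constructed hierarchy X (root CA) -> Y (CA) -> B (server); names are made up."""
    x_pub, x_priv = make_keypair(MERSENNE[0], MERSENNE[1])
    y_pub, y_priv = make_keypair(MERSENNE[2], MERSENNE[3])
    b_pub, _ = make_keypair(MERSENNE[4], MERSENNE[5])
    cert_y = issue("X Root CA", x_priv, "Y CA", y_pub)    # X provides certificate for Y
    cert_b = issue("Y CA", y_priv, "B Server", b_pub)     # Y provides certificate for B
    return {"X Root CA": x_pub}, [cert_b, cert_y]
```

`verify_chain(chain, roots)` succeeds for the two-link chain, and fails when the root is not in the trust store, when the intermediate certificate is missing (B's issuer is then not a trusted root), or when any field of a certificate is altered after signing.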


Authorization

- Authorization is the process of deciding whether an authenticated user is allowed to access or perform operations on a resource.
- Authentication might be a basis for authorization, if that is based on user identities.
- Problems of authorization schemes
  - User accounts with high administration overhead
  - Credentials need to be delivered to servers
  - Fine-grained access control is often impractical
- Examples: on-line libraries, distance learning courses
- Requirements for authorization
  - Scalability for resource administrators
  - Convenience for users, e.g. single login / password at home organization


Authentication & Authorization Problem

Problem: Many users - many resources - many organizations

Users and resources (Resource A, Resource B, Resource C) are spread over several organizations (University of Bern, University of Fribourg, University of Geneva). Every user sends ID and credentials to every resource separately, and every resource keeps its own info about every user.


VITELS

- Virtual Internet and Telecommunications Laboratory of Switzerland (www.vitels.ch)
- Distributed resources
  - Network laboratories at several universities
  - Course server and web servers
- Distributed users from different organizations

Components: Students, Lab portal, Network laboratory, Course server, Web server


SWITCH AAI Initiative

- Authentication and Authorization Infrastructure
- 2001/2002: study phase
- early 2003: selection of Shibboleth middleware (Internet2) as basis for implementation
- currently: pilot implementation projects
- www.switch.ch/aai


AAI Overview and Terms

- Trust relationship between two organizations (home organization and resource owner) is extended to a trust relationship between user and resource owner
- Users authenticate to home organization only!
- Resource owners grant access to resource based on information about users (authorization attributes)
- Home Organization
  - Representative of a user community, e.g. universities, libraries, university hospitals etc.
- Resource
  - Application, web site, network, system, remote laboratory, etc.
- Resource Owner
  - Entity owning a resource and offering resource access to users


AAI Model: Registration

Participants: User; User's Home Organization (User DB); Resource Owner (Access Control Manager, Resource).

Pre-processing steps:
  - Registration: the user registers with the home organization, which stores the user's info (name, address, ...) in its User DB.
  - Access Control Definition: the resource owner defines the access rules in the Access Control Manager.

Legend: data system; pre-processing


AAI Model: Resource Access

Participants: User; User's Home Organization (User DB); AAI; Resource Owner (Access Control Manager, Resource).

  1. Authentication: the user authenticates at the home organization (checked against the User DB).
  2. Access Request of an authenticated user to the resource, via the AAI.
  3. Authorization Information Delivery: the home organization delivers authorization information through the AAI to the Access Control Manager, which applies the Access Control Definition to the resource.

Legend: data system; AAI-interaction; authentication


Shibboleth

- AAI solution of Internet2 / MACE (Middleware Architecture Committee for Education)
  - middleware.internet2.edu/MACE/
  - shibboleth.internet2.edu
- Components
  - SHIRE: Shibboleth Indexical Reference Establisher
    - Intercepts resource requests
  - SHAR: Shibboleth Attribute Requester
    - Contacts AA to fetch authorization attributes of a user
  - WAYF: Where Are You From server
    - Redirects user back to HS of home organization
  - HS: Handle Server
    - Authenticates user locally and provides opaque handle identifying a user
  - AA: Attribute Authority
    - Retrieves attributes (according to user's release policy) and passes them to SHAR


Shibboleth AA Process

Participants: User; User's Home Organization (HS, User DB, AA); WAYF; Resource Owner (Resource with SHIRE, SHAR and Resource Manager).

  1. User requests the resource. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
  2. The request arrives at the WAYF.
  3. WAYF: "Please tell me where you come from."
  4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
  5. HS: "I don't know you. Please authenticate yourself."
  6. User presents credentials; HS checks them against the User DB.
  7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
  8. SHIRE passes the handle to SHAR. SHAR: "I don't know the attributes of this user. Let's ask the Attribute Authority."
  9. SHAR sends the handle to the AA. AA: "Let's pass over the attributes the user has allowed me to release."
  10. Attributes reach the Resource Manager: "OK, based on the attributes, I grant access to the resource."
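The ten-step process above as an in-process model, so the division of knowledge between the parties can be checked: the resource owner's side (SHIRE, SHAR, resource manager) never sees a user identity or a password, only an opaque handle and the attributes the home organization's AA is allowed to release. This is an added example, not code from the slides or from the Shibboleth project; the organisation and resource names, the users, their attributes, the release policy and the access rule are constructed for the demo.

```python
import secrets

# Added example, not from the slides or Shibboleth itself: the ten-step flow
# as an in-process model. Organisations, users, attributes, the release policy
# and the access rule are constructed for the demo.

class HomeOrganization:
    """Handle Server (HS) and Attribute Authority (AA) of the user's home org."""
    def __init__(self, name: str, user_db: dict, release_policy: dict):
        self.name, self.user_db, self.release_policy = name, user_db, release_policy
        self.handles = {}   # opaque handle -> local user id; this mapping never leaves the org

    def authenticate(self, user: str, password: str):
        # HS (steps 5-7): local authentication against the User DB; on success the
        # user gets an opaque handle that tells the resource nothing about them.
        rec = self.user_db.get(user)
        if rec is None or rec["password"] != password:
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = user
        return handle

    def attributes_for(self, handle: str, resource: str) -> dict:
        # AA (step 9): resolve the handle locally and release only what the
        # user's release policy allows for this resource.
        user = self.handles.get(handle)
        if user is None:
            return {}
        allowed = self.release_policy.get(user, {}).get(resource, set())
        return {k: v for k, v in self.user_db[user]["attrs"].items() if k in allowed}


class ResourceOwner:
    """SHIRE, SHAR and resource manager on the resource owner's side."""
    def __init__(self, resource: str, wayf: dict, access_rule):
        self.resource, self.wayf, self.access_rule = resource, wayf, access_rule

    def request(self, user: str, password: str, home_org: str) -> dict:
        # Steps 1-4: SHIRE knows neither the user nor the home org; the WAYF asks
        # the user where they come from and redirects to that org's HS.
        home = self.wayf.get(home_org)
        if home is None:
            return {"granted": False, "step": "WAYF", "attributes": {}}
        handle = home.authenticate(user, password)
        if handle is None:
            return {"granted": False, "step": "HS", "attributes": {}}
        # Steps 8-9: SHAR presents the handle to the AA and gets the released attributes back.
        attrs = home.attributes_for(handle, self.resource)
        # Step 10: the resource manager decides on attributes alone; it never learns the user id.
        return {"granted": bool(self.access_rule(attrs)), "step": "ResourceManager", "attributes": attrs}


def build_demo() -> ResourceOwner:
    """Constructed demo federation: one home org, one lab resource (names are made up)."""
    home = HomeOrganization(
        "demo-home-org.example",
        user_db={
            "alice": {"password": "pw-alice",
                      "attrs": {"affiliation": "student", "course": "vitels", "email": "alice@example.org"}},
            "bob": {"password": "pw-bob",
                    "attrs": {"affiliation": "staff", "email": "bob@example.org"}},
        },
        # Release policy: which attributes each user lets the AA hand to which resource.
        release_policy={"alice": {"lab.example": {"affiliation", "course"}},
                        "bob": {"lab.example": {"affiliation"}}},
    )
    wayf = {"demo-home-org.example": home}   # WAYF: home-org name -> its Handle Server
    # Access rule of the lab: students enrolled in the course, whoever they are.
    rule = lambda attrs: attrs.get("affiliation") == "student" and attrs.get("course") == "vitels"
    return ResourceOwner("lab.example", wayf, rule)
```

Running `build_demo().request("alice", "pw-alice", "demo-home-org.example")` grants access and shows that the e-mail attribute, which alice's release policy does not cover, never reaches the resource; bob is refused on attributes, a wrong password is refused at the HS, and an unknown home organisation is refused at the WAYF.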


AAI enabled Software

Resource Owner: the application itself (e.g. Web Server, WebCT Vista) has an AAI interface and talks to the AAI directly.


AAI Mediators

- Problem: Resources are not AAI aware
- Solution: AAI Mediator
  - AAI Proxy
    - User is transparent to the resource
    - Resource access via proxy
    - Example: access to on-line libraries is often based on IP addresses.
  - AAI Portal
    - Provides user information in the form required by the resource
    - Direct resource access
    - Examples: web and course servers


AAI Proxy

Resource Owner: the AAI talks to an AAI Proxy (Web Proxy), which forwards requests to the Web Server ("Black Box") that is not AAI aware.


AAI Portal

Resource Owner: the AAI talks to the AAI Portal (with its portal data base), which signs on to the Resource on the user's behalf; the user then accesses the resource directly.


AAI Portal Implementation

- SVC Mandate "SWITCH Pilot 1"
- Access to AAI portal by
  - Resource users
  - Resource administrators
    - Definition of resources and access rules
  - Portal administrators
- API allows reading/writing user/resource data from/to the AAI portal database.
- AAI portal with interfaces (adaptors) to AAI and resources, e.g.
  - Shibboleth adaptor
  - WebCT resource adaptor
    - Generation of WebCT user
    - Course subscription
    - Login on behalf of user
    - Redirection to course page


Demo: aaitest1.unibe.ch


Further AAI Issues

- Certification authorities
  - Root CA at SWITCH
- Definition of authorization attributes
- Non-technical issues
  - Legal
  - Financial


SWITCHaai Outlook

Timeline 2003 to 2008:

- Pilot
- Implementation V1.0, then Operation V1.0
- Implementation V2.0, then Operation V2.0
- Study V3.0, Implementation V3.0, then Operation V3.0


Acknowledgements

Thanks to
- Christoph Graf (SWITCHaai project leader)
- SWITCH and AAI working groups
- AAI portal design and implementation team at the Universities of Basel, Bern and SWITCH
- Swiss Virtual Campus for supporting the AAI pilot mandate
- Audience for listening