
06.06.2011


© R. Grimm / D. Pähler, Uni Koblenz 1/37

Security for Mobile Applications

SM11: Applications – Remote Login, Access, and Control

R. Grimm, D. Pähler

Institute for Information Systems Research

University Campus Koblenz

Content

• Single-Sign-On

– Liberty Alliance

– Shibboleth

• DFN-Roaming

• Remotile


Single-Sign On – Problem (1)

• Users have many accounts in the network

• Home banking

• Social networks

• Shopping portals

• Ticket booking

• CSCW services (such as cooperative reviewing)

• Local area networks


Single-Sign On – Problem (2)

• Users have many User-Ids and Passwords

• Biological memory

• Simple-to-guess derivation rules for passwords

• (Un)encrypted written notes

• Dongles

• Password setters (e.g. Firefox)


Single-Sign On – Definition

• Definition (Pashalidis/Mitchell 2003):

[...] Single Sign-On (SSO), a technique whereby the user authenticates him/herself only once and is automatically logged into [Service Providers] as necessary, without necessarily requiring further manual interaction.

• One Authentication Service (AS) for many services

– Centralized and decentralized solutions


Centralized Single-Sign On

• Windows Live ID

– formerly "Microsoft Passport"

– Compatible with the MS Passport Network

– MSN Messenger, MSN Hotmail, MSN Music

– More MSN Sites and Services


Decentralized Single-Sign On

• Liberty Alliance:

– SUN Microsystems, Intel, AOL, ...

– SAML Assertions between home service and requested service

• Shibboleth:

– Internet2/MACE, Open Source License

– SAML Assertions between home service and requested service

• DFN Roaming / Eduroam:

– WLAN access

– European Universities campus solution

– 802.1X security technology for inter-institutional roaming

– Same credentials everywhere as from home


Content

• Single-Sign-On

– Shibboleth

• DFN-Roaming

• Remotile


Liberty Alliance: decentralized AS

• Liberty Alliance: consortium of ~150 organizations (commercial & academic), est. 2001

• Aim: Federated Network Identity

– Sign on once, be recognized everywhere ("single-sign on")

– Distributed personal preferences & histories

• Dangers / Problems:

– Centralization?

– Privacy Concerns?

– Mobility?

• Means:

– Open standards, implemented by many providers

– Anonymous user handles (not the same for different websites)

– Operational guidelines for cooperating businesses

– Use of "ubiquitous" technology on client side


Liberty Alliance – Components

• Service provider:

– offers common web-based service

• Identity provider:

– aggregates service providers to a "Circle of Trust"

– offers single point of trust to users

– service providers may also be identity providers

• Principal (User):

– may be customer of several identity providers, i.e., have several Circles of Trust


Liberty Alliance – Circles of Trust

[Figure: the User is connected to Identity Provider A, whose Enterprise Circle of Trust contains e-Mail, CSCW and ERP, and to Identity Provider B / e-Banking, whose Consumer Circle of Trust contains e-Mail, Social Network and Online Shop]


Liberty Alliance – SSO Example (scenario)

• Scenario:

– user is already logged in at Identity Provider B,

– wants to use Online Shop Website without an additional login

[Figure: the User, Identity Provider B / e-Banking and the services e-Mail, Social Network and Online Shop of the Consumer Circle of Trust]


Liberty Alliance – SSO Example (login protocol to next service)


SAML – Security Assertion Markup Language

• XML data format specification for

– exchange of authentication and authorization information between Web services (XML via SOAP)

• Assertions:

– Authentication data, authorization data, session attributes

• Bindings:

– How SAML is embedded into other standard message formats

• Protocol:

– Request and response of SAML assertions

• Profiles:

– Combine the above into use cases

• Can be signed


SAML assertion types

• Authentication assertions:

– assert that a certain user is who they claim to be

• Attribute assertions:

– assert that a certain user has certain attributes

– (privacy! user control!)

• Authorization decision assertions:

– map users on access methods for objects


A simple SAML Authentication Assertion

    <saml:Assertion
        AssertionID="10.255.1.3.1034108172377"
        […]
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions
          NotBefore="2002-10-08T20:16:12.307Z"
          NotOnOrAfter="2002-10-08T22:16:12.307Z"/>
      <saml:AuthenticationStatement
          AuthenticationInstant="2002-10-08T20:16:12.307Z"
          AuthenticationMethod="urn:oasis:names:tc:SAML">
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
                               NameQualifier="Domain Name">
            Marc Chanliau
          </saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>http://www</saml:ConfirmationMethod>
            <saml:SubjectConfirmationData>
              R1VD8fkkvlrhp
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>

Source: http://entwickler.com/itr/online_artikel/psecom,id,468,nodeid,69.html, Listing 1 [6.6.2011]
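An added example (not from the slides or the cited listing) showing the content checks a service provider runs on an assertion of this shape before trusting it: the NotBefore/NotOnOrAfter window, the home domain that qualifies the name identifier, and the presence of a subject confirmation. The sample assertion is constructed from the listing above with well-formed, hypothetical values for the fields the slide elides; signature verification, which must precede these checks, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample, modelled on the slide's listing but well-formed; the
# issuer, qualifier and confirmation method are hypothetical values.
SAMPLE_ASSERTION = """<saml:Assertion AssertionID="10.255.1.3.1034108172377"
    MajorVersion="1" MinorVersion="0" Issuer="idp.example.org"
    IssueInstant="2002-10-08T20:16:12.307Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2002-10-08T20:16:12.307Z"
                   NotOnOrAfter="2002-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2002-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.org">Marc Chanliau</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML xsd:dateTime given in UTC with a 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, expected_qualifier):
    """Return the list of problems found; an empty list means acceptable.
    Content checks only: a real SP verifies the XML signature over the
    assertion first, otherwise nothing checked here can be trusted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return ["root element is not a saml:Assertion"]
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions: validity window unknown")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_ts(nb):
            problems.append("assertion not yet valid")
        if noa and now >= parse_ts(noa):   # NotOnOrAfter is exclusive
            problems.append("assertion expired")
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        problems.append("no AuthenticationStatement")
        return problems
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("subject has no NameIdentifier")
    elif name_id.get("NameQualifier") != expected_qualifier:
        # the handle must be qualified by the home domain this SP trusts
        problems.append("NameIdentifier qualified by unexpected domain")
    if stmt.find("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS) is None:
        problems.append("no SubjectConfirmation method")
    return problems
```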


Content

• Single-Sign-On

– Liberty Alliance

• DFN-Roaming

• Remotile


Shibboleth: decentralized AS

• Internet2/MACE, Open Source License

• Aim: Easy access mechanism on Web-based services

• Authenticate once at home environment

• Use remote Web-based service on the basis of home authentication

• Web service and home authentication communicate via SAML


Shibboleth components

• User:

– at any place in the network, e.g. at home, at office (not necessarily moving!)

• Identity provider (handle server + login server)

– at home

• Service provider

– at any place in the Web, e.g. remote

• WAYF (Where are you from?) server

– localize home of requesting user


Shibboleth interaction

[Figure: Shibboleth interaction between the User, the wayf.de server, the home-domain Shibboleth IdP, the home-domain "login" server and the Service Provider; the numbered messages are:]

1. Request remote web service

2. "Where are you from?"

3. Select home domain

4. Redirect to home login

4a. If not already logged in: login now

5. Login ok

6. Login ok: use this handle

7. SAML: user parameters via handle

8. Provide service


Comparison: Liberty Alliance vs. Shibboleth

Criterion | Liberty Alliance | Shibboleth
Aim | SSO | SSO
Main usage area | economy | science / universities
User mobility | not limited (ubiquitous technology) | not limited (ubiquitous technology)
App. mobility | limited (Identity Provider must be reachable) | limited (home domain must be reachable)
What does the service know after authorization? | detailed authentication and authorization information (SAML) | detailed authentication and authorization information (SAML)
What does the user get after authorization? | a valid session at the service provider | a valid session at the service provider
Trust basis | any service in trust circle | home network


Content

• Single-Sign-On

– Liberty Alliance

– Shibboleth

• DFN-Roaming

• Remotile


DFN Roaming / Eduroam: decentralized AS

• Aim

– Eduroam for roaming in European universities

– Easy access mechanism on WLANs

– Alternative: web-based authentication

– Same credentials everywhere as from home

– 802.1X security technology for inter-institutional roaming

• Authenticate once at home environment

• Dial into remote WLAN on the basis of home authentication

• "Super-RADIUS" coordinates local RADIUS services


DFN Roaming interaction (802.1X-based)

[Figure: 802.1X-based DFN Roaming between the User, the RAS/NAS 1) (over the air), the DFN top-level RADIUS routing and the home-domain RADIUS server (over the Internet); steps 4 to 6 run through an encrypted tunnel. The numbered messages are:]

1. Request WLAN access (EAP), "userid@home"

2. "Where is your home RADIUS?"

3. Select home RADIUS

4. Authenticate self, build encrypted tunnel

5. "userid@home, password"

6. "User is ok", WLAN session key

7. WLAN session key

1) RAS/NAS = Remote/Network Access Service


Comparison: (Liberty Alliance/Shibboleth) vs. DFN-Roaming

Criterion | Liberty A./Shibboleth | DFN-Roaming
Aim | SSO (to web-sites) | remote authentication for network access
Main usage area | economy / science, universities | universities
User mobility | not limited (ubiquitous technology) | limited (host network must support DFN-Roaming, device must support 802.1X)
App. mobility | limited (IdP/home domain must be reachable) | none (rather complex setup within DFN-Roaming hierarchy)
What does the service know after authorization? | detailed authentication and authorization information (SAML) | authorization information (boolean, user is either authorized or not)
What does the user get after auth.? | a valid session at the service provider | WLAN session key
Trust basis | home network | home network


Content

• Single-Sign-On

– Liberty Alliance

– Shibboleth

• DFN-Roaming


Remotile

• Software to enable a remotely controlled home

• Backend:

– Runs on a server in the house

– Connected to sensors/actuators and ISDN system

– Set of hand-crafted PHP scripts executes commands

• Frontend:

– J2ME, runs on Java-capable mobile phones

– Touch-screen version is also available

• Developed as a "Diplomarbeit" at the AG Hampe

– Was meant to be functional, not secure


Remotile features

• Backend server is connected to a "residential gateway":

– Can receive data from arbitrary sensors (e.g., smoke detector)

– Can send arbitrary commands to actuators (e.g., turn off oven)

• ISDN is remotely usable:

– List of missed calls

– Answering machine

– Call diversion programmable

• Backend/frontend communication is done via HTTP:

– GET/POST supported by practically every network-enabled device

– No SOAP used (overhead!)

– Can pass through most firewalls

• J2ME Frontend

Live demonstration of Remotile...


Review (SM1): Reference model for mobile application security

[Figure: reference model for mobile application security (SM1). Labels recoverable from the slide: mobile device – air – access point (authentication) – ICT network – service / application object – access point (authentication) – air – mobile device; participants Alice and Bob; the seven numbered areas 1 to 7 are marked on the figure]


Concrete examples for failures/attacks in Remotile

1. The connection to the server can be recognized ("user is not at home") or even wiretapped

2. The connection can get interrupted (e.g., in a tunnel), leaving the system in an unclear state

3. Authentication fails because of a software error, legitimate user is locked out

4. The battery runs out of power, leaving the user unable to control the system

5. The device gets stolen, the thief can control the system (e.g., turn the alarm off)

6. User unintentionally misuses the system (e.g., opens the garage instead of the window shutter)

7. User is talked into lending the phone to a stranger who can then find out login credentials for the system


Countermeasures

1. The connection to the server can be recognized/wiretapped: Encryption, Anonymization (e.g. via JAP)

2. The connection can get interrupted: None (at least not practical, e.g. user does not move)

3. Authentication fails (false rejection): Robust E2E authentication protocol

4. The battery runs out of power: Fallback access possibility

5. The device gets stolen: Per-transaction user authentication, possibility to lock accounts (requires fallback access, too)

6. User unintentionally misuses the system: Easy-to-use interface, protection of sensitive commands

7. Stranger finds out credentials via social engineering: Increasing user awareness, protected credentials (e.g., by a separate password)
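An added example (not Remotile's own PHP backend) showing how countermeasures 5 to 7 can be enforced on every HTTP command: a per-transaction HMAC tag over command, nonce and timestamp so that a sniffed or replayed request is rejected, a separate password for sensitive commands, and locking of the account after repeated failures or on the owner's request. Command names, keys and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Commands that additionally require the separate "sensitive" password
# (countermeasure 6: protection of sensitive commands). Hypothetical names.
SENSITIVE_COMMANDS = {"alarm_off", "garage_open"}


def make_tag(device_key, command, nonce, ts):
    """Per-transaction authenticator the phone computes for one command."""
    msg = "%s|%s|%d" % (command, nonce, ts)
    return hmac.new(device_key, msg.encode(), hashlib.sha256).hexdigest()


class CommandGate:
    """Backend-side check run on every HTTP command request (hypothetical)."""

    def __init__(self, device_key, sensitive_pw, max_failures=3, window=60):
        self.device_key = device_key
        self.salt = os.urandom(16)
        self.pw_hash = self._hash_pw(sensitive_pw)
        self.max_failures, self.window = max_failures, window
        self.failures = 0
        self.locked = False
        self.seen_nonces = set()  # bound this by the time window in practice

    def _hash_pw(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def lock(self):
        """Countermeasure 5: the owner locks the account after a theft."""
        self.locked = True

    def authorise(self, command, nonce, ts, tag, now, second_pw=None):
        if self.locked:
            return "locked"
        expected = make_tag(self.device_key, command, nonce, ts)
        if not hmac.compare_digest(expected, tag):
            return self._fail("bad_tag")
        if abs(now - ts) > self.window:
            return self._fail("stale")        # replay of an old request
        if nonce in self.seen_nonces:
            return self._fail("replay")       # same request seen already
        self.seen_nonces.add(nonce)
        if command in SENSITIVE_COMMANDS:
            given = self._hash_pw(second_pw or "")
            if not hmac.compare_digest(given, self.pw_hash):
                return self._fail("second_password_required")
        self.failures = 0
        return "ok"

    def _fail(self, reason):
        # countermeasure 5: repeated failures lock the account; unlocking
        # then needs the fallback access path of countermeasure 4
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return reason
```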


Alternative to Remotile: "Hydra"

• Large-scale, 48-month project, funded by the EU

• Finished by the end of 2009

• "Middleware for networked embedded systems"

• Meant for heterogeneous devices

• Communication is done via services in a SOA

• Middleware now available for applications

– http://hydramiddleware.eu.com


Hydra features

• SOA-based middleware:

– Abstracts from single devices of multiple vendors

– Creates a unified interface

– Reduces the need for hand-crafted sensor/actuator communication

• (Broad) focus on "ambient intelligence" (~ "ubiquitous computing"):

– Shall connect (embedded) devices everywhere

– Scenarios in healthcare (patient monitoring) and agriculture (livestock monitoring) are explicitly formulated and supported

– Multi-purpose in contrast to Remotile

• Security was a design goal from the beginning


Summary: What we've learnt

• The Single-Sign-On problem

• "Windows Live ID" alternatives:

– Liberty Alliance

– Shibboleth

• Decentralization of authentication decision and attestation with DFN Roaming (WLAN)

• Remote management of physical facilities


References

Shibboleth, MS Passport, Liberty Alliance, Single Sign-on:

A. Pashalidis, C. J. Mitchell: A Taxonomy of Single Sign-On Systems, 2003.

Liberty Alliance Project Specifications, http://www.projectliberty.org/resource_center/specifications [6.6.2011]

Technical Information On Bluewin Identity Provider, http://www.projectliberty.org/liberty/content/download/378/2693/file/IdP_Public_TechWhitePaper_Englishv2.3.pdf [6.6.2011]

Website of Shibboleth: http://shibboleth.internet2.edu/ [6.6.2011]

Detailed technical explanation of Shibboleth: http://www.switch.ch/aai/demo/expert.html [6.6.2011]

DFN Roaming / Eduroam:

Home page of DFN: http://www.dfn.de/dienstleistungen/dfnaai/ [6.6.2011]

Ralf Paffrath: DFN Roaming. DFN Mitteilungen 74/2008, pp. 12-14.

Remotile, Hydra:

Remotile: http://www.uni-koblenz-landau.de/koblenz/fb4/institute/iwvi/aghampe/projekte/remotile [6.6.2011]

Andreas Rosendahl: Mobile Gebäudesteuerung und ISDN-Konfiguration. Diplomarbeit, Universität Koblenz-Landau, Fachbereich 4: Informatik, 2005.

Adolphs, C.; Hampe, F.: Interaktive Überwachung – mobile Steuerung. In: König-Ries, Lehner, Malaka, Türker (eds.): Mobilität und mobile Informationssysteme. LNI P-104, 2007, pp. 61-72.

Hydra: http://hydramiddleware.eu.com/ (includes 15 scientific papers) [6.6.2011]


Questions to check your knowledge

• What is Single-Sign-On good for? State the problem and sketch solutions.

• How does Liberty Alliance support Single-Sign-On?

• How does Shibboleth help Web services to gain attestation of a user who is not member of the home environment of the services?

• How does DFN Roaming help WLANs to gain attestation of a user who is not member of the home environment of the WLAN?

• Name possible dangers and the respective countermeasures in Remotile that correspond to each of the seven areas in the reference model.


Test questions

• What is "Single-Sign-On" used for? Sketch the problem and solutions.

• How does Liberty Alliance support Single-Sign-On? Use a sketch if helpful.

• How does "Shibboleth" help Web services obtain verified authorizations of external users? Use a sketch if helpful.

• How does "DFN Roaming" help WLANs obtain verified authorizations of external users? Use a sketch if helpful.

• For each of the seven areas in the reference model, name corresponding dangers that can occur in Remotile as well as possible countermeasures.
