a multipurpose delegation proxy
play

A Multipurpose Delegation Proxy rely on HTTP as communication - PowerPoint PPT Presentation

Mar 19, 2024 •19 likes •69 views

Motivation Most client-server applications on the Internet A Multipurpose Delegation Proxy rely on HTTP as communication protocol e.g. online stores / banking for WWW Credentials web-based e-mail virtual market places,

  1. Motivation � Most client-server applications on the Internet A Multipurpose Delegation Proxy rely on HTTP as communication protocol – e.g. – online stores / banking for WWW Credentials – web-based e-mail – virtual market places, enterprise portals ... � Same technology also used on intranets as it is Tobias Straub Thilo-Alexander Ginkel Johannes Buchmann ubiqitous and cost-effective TG Byte Software GmbH Computer Science Department Bensheim Technische Universität Darmstadt (now with SAP Germany) => User authentication requires credential tstraub@gkec.tu-darmstadt.de management – often burdensome EuroPKI Workshop 2005 – Canterbury T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 2 Scenario Alternative Scenario � Logon at an online portal via SSL/TLS using an � Managing personal account data X.509 user certificate for authentication online banking Account No. PIN User Name web-based e-mail ? Service ? Password (GMX, Yahoo, etc.) Marketplace User Name Password online shopping (Amazon, eBay, etc.) � Challenges: – (temporary) delegation to a proxy � Challenges: limited memory capacity, change policy, – group usage w/o revealing the credential minimum complexity rules – logging / restrict / withdraw access T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 3 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 4

  2. Requirements System Architecture Examined 4 variants: 1. Let proxy impersonate credential owner w/o need to � 3 man-in-the-middle (MITM) approaches where client reveal secret. authenticates towards gateway and gateway authenticates 2. Protect credential from unauthorized access. towards target host 3. Keep track of actual credential usage and restrict it. � 1 client-side solution where client has access to credential DB 4. Support common WWW authentication mechanisms (Basic/Digest Auth., form-based, client certificate- based) 5. Easy-to-use, small footprint solution, operate transparently. T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 5 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 6 Application Server Variant HTTP Server Variant � Gateway = web server � Gateway = machine providing remote login facilities , e.g. � calling particular URL initiates retrival of credential and – VNC (full-screen desktop) authentication to target host for actual URL, e.g. go to – X11 (forwarding single browser windows) http://gateway/amazon.com instead of http://amazon.com � Credentials managed by browser running on gateway � response returned to client seems to come from gateway Drawbacks: Drawbacks: � no proper delegation or policy enforcement, � MITM has to do hyperlink-rewriting to redirect subsequent � low protection level for credentials, requests to gateway, not directly to target host � user experience, � This is difficult for JavaScript and Macromedia Flash � network latency � Java applets won't run properly due to Sandbox restrictions. T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 7 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 8

  3. HTTP Proxy Variant Client-Side Architecture � Gateway = intelligent HTTP proxy � Standard web browser enhanced with additional functionality to access centralized credential store. � Well-known approach on the Web � Shouldn't be too difficult ... � Proxy works as forwarding agent acting both as server and client => HTTP-based credentials supported � Alternatively fit up client’s TCP/IP stack or socket library naturally � Allows seamless integration and end-to-end security (confidentiality in this case) Drawback: � SSL normally tunneled through proxy => breaking up Drawback: end-to-end security (i.e. confidentiality) � Credentials are revealed to browser => malicious client could steal them. T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 9 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 10 Comparison TLS Authentication Proxy Prototype – proxy for HTTP and HTTPS � For each variant , we assessed: – stores credentials and manages - Compatibility and Standard Compliance , access rights (ACL) - Transparency , – authentication method towards - Usability , proxy can be chosen flexibly and - Security Characteristics , independently of actual - Deployment Costs authentication method (see paper for details, please) - – credential usage is � Decided to implement HTTP proxy architecture logged – considered it superior to other MITM architectures – Web interface provided for administration and delegation – lower estimated developement costs compared to client- side variant T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 11 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 12

  4. Data flow for an SSL target web site with Data flow for an HTTP target web site certificate-based authentication Client Proxy Server Client Proxy Server CONNECT server:443 HTTP/1.1 GET http://server/ HTTP/1.1 HTTP/1.1 302 Moved SSL Handshake Location: https://server:9443/ HTTP/1.1 200 OK CONNECT server:9443 HTTP/1.1 SSL Handshake Replicate certificate SSL Handshake Create Certificate GET /index.html HTTP/1.1 GET / HTTP/1.1 GET / HTTP/1.1 SSL Handshake 401 Authorization Required GET /index.html HTTP/1.1 GET / HTTP/1.1 WWW-Authenticate: [...] Payload Payload Payload Payload T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 13 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 14 Session Management Authorization Issues � Proxy identifies end-users by distinguished name in � Basic/Digest Authentication: each request has to be their certificate, PKCS#12 tokens issued on-the-fly authenticated � Access rights modeled by database table indexed by – TLS Authentication Proxy does not wait for "401" responses => Basic Authentication speeded up pair (user ID, credential ID) – Not possible for Digest Authentication as it is a challenge- � Constraints defined on fine-grained basis (time frame for response scheme access, maximum number of total/daily logins, � Usually session management used for form-based restriction to a subset of web pages …) authentication � Flag indicates whether delegation is allowed, currently – HTTP Cookies fully supported by prototype, can re-authenticate no restriction on number of sub-delegations automatically to avoid time-outs T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 15 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 16

  5. Deployment Conclusions 1. Key and certificate distribution: � Work motivated by requirement to delegate X.509 credentials => ship root certificate within PKCS#12 file � TLS Authentication Proxy offers transparent credential management and proxy authentication 2. Web browser configuration: � Users authenticated w/o knowing credential – Web Proxy Auto-Discovery Protocol => allows delegation and group usage – obtain Proxy Auto-Configuration file from the network � Pseudo SSO: target host is unaware of what's going on automatically or manually � Zero footprint solution, reasonable deployment costs � Central storage for credentials instead of spread all over Privacy Issues: clients, however Single Point of Failure/Attack – PAC file adjusted to only route traffic through proxy that requires credential – URLs of such hosts obscured by hash function (PAC file is JavaScript code) T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 17 T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 18 Thank you for your attention! Questions? Contact: Tobias Straub / TU Darmstadt tstraub@gkec.tu-darmstadt.de www.informatik.tu-darmstadt.de/GK/participants/tstraub/ T. Straub, T.-A. Ginkel, J. Buchmann: A Multipurpose Delegation Proxy for WWW Credentials 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline n Introduction Proxy Dynamic Delegation in Grid Gateway n Is there the need for a

Outline n Introduction Proxy Dynamic Delegation in Grid Gateway n Is there the need for a

Outline n Introduction Proxy Dynamic Delegation in Grid Gateway n Is there the need for a Web portal to access Grid? n Grid Gateway (L-GRID) n Architecture n Dynamic Delegation inside GRID GW n Access Grid via Web n Job

491 views • 12 slides
DELEGATION readysetpresent.com Delegation Program Objectives ( 1 of 3 ) Understand the

DELEGATION readysetpresent.com Delegation Program Objectives ( 1 of 3 ) Understand the

DELEGATION readysetpresent.com Delegation Program Objectives ( 1 of 3 ) Understand the benefits of delegation. Define delegation, and identify its benefits and uses. Explain the basic methods involved in successful delegation. Explore the

1.79k views • 149 slides
Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation

Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation

Introduction Delegation operations in hierarchical RBAC Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation Jason Crampton Hemanth Khambhammettu semantics Conclusion Information Security

959 views • 57 slides
I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing

I n t e r n s L i g h t n i n g T a l k s Proxy editing PiTiVi Proxy editing Anton Belka, antonbelka@gmail.com GUADEC 2013 The TM Conference GUADEC Proxy editing What is proxy editing? Proxy editing is the ability to

1.75k views • 143 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
Designing a Multipurpose Designing a Multipurpose Longitudinal Incentives Experiment for the

Designing a Multipurpose Designing a Multipurpose Longitudinal Incentives Experiment for the

Designing a Multipurpose Designing a Multipurpose Longitudinal Incentives Experiment for the SIPP Ashley Westra U.S. Census Bureau* U.S. Census Bureau DC-AAPOR & WSS: Summer Conference Preview/Review 2015 August 3 2015 August 3, 2015

932 views • 20 slides
Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University

Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University

Multipurpose Baseband Instrument Highlights Multipurpose Baseband Instrument IF Multipurpose Baseband Instrument using AsAP Digital Signal Processing Jeremy W. Webb University of California, Davis Electrical & Computer Engineering VLSI

425 views • 21 slides
C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS

C# Design Patterns: Proxy APPLYING THE PROXY PATTERN Steve Smith FORCE MULTIPLIER FOR DEV TEAMS @ardalis | ardalis.com | weeklydevtips.com t h s What problems does proxy solve? Objectives How is the proxy pattern structured? Apply the

779 views • 23 slides
Methodist Home for Children Multipurpose Juvenile Home and Transitional Living Programs

Methodist Home for Children Multipurpose Juvenile Home and Transitional Living Programs

Methodist Home for Children Multipurpose Juvenile Home and Transitional Living Programs Multipurpose Juvenile Homes Established in 1993 Aimed at reducing detention rates as well as YDC commitments Developed in predominantly rural

198 views • 15 slides
Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre

Web Application Proxy (WAP) Remote Access Gateway Proxy for Web Applications 1 If youre WAPpy and you know it. UAG ? WAP ? eGov ? 2 Topics This Why the County invested in WAP presentation will share: Capabilities

427 views • 20 slides
January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here.

January 29, 2018 Proxy Statements under Maryland Law 2018 The 2018 proxy season is here. Based on our experience reviewing proxy statements for Maryland public companies, we would like to call your attention to certain matters of Maryland

272 views • 12 slides
Multipurpose Acoustic Sensor for Los Alamos National Laboratory Downhole Fluid Monitoring High

Multipurpose Acoustic Sensor for Los Alamos National Laboratory Downhole Fluid Monitoring High

Geothermal Technologies Program 2010 Peer Review Multipurpose Acoustic Sensor Public Service of Colorado Ponnequin Wind Farm Cristian Pantea Multipurpose Acoustic Sensor for Los Alamos National Laboratory Downhole Fluid Monitoring High

696 views • 16 slides
Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14

Entwurfsmuster und Frameworks Proxy Oliver Haase Oliver Haase Emfra Proxy 1/14 Description I Classification : Object-based structural pattern Also known as : Surrogate Purpose : Control access to a subject through

435 views • 14 slides
The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for

The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for

The Squid caching proxy Chris Wichura caw@cawtech.com What is Squid? A caching proxy for HTTP, HTTPS (tunnel only) FTP Gopher WAIS (requires additional software) WHOIS (Squid version 2 only) Supports transparent

592 views • 35 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument

GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument

GLM Proxy Data Monte Bateman Proxy Data Creator Introduction GLM is an optical instrument Closest analog is LIS LIS is LEO; has a limited time on station for a particular storm Have several ground-based, 24x7 networks;

133 views • 10 slides
Introduction to Java Java Language Language Introduction to

Introduction to Java Java Language Language Introduction to

Introduction to Java Java Language Language Introduction to plw@ku.ac.th

686 views • 40 slides
control de la seguridad en la nube Septiembre 2018 Maria Garcia Iaez

control de la seguridad en la nube Septiembre 2018 Maria Garcia Iaez

Visibilidad y control de la seguridad en la nube Septiembre 2018 Maria Garcia Iaez mginanez@sonicwall.com +34 620 703 537 Estrategia de Sonicwall para el 2018 Management, Core Firewall Automated Reporting and Platforms Breach

631 views • 27 slides
How .CO ccTLD handles cybersecurity matters Agenda 1. About us 2. .CO Security Motivation

How .CO ccTLD handles cybersecurity matters Agenda 1. About us 2. .CO Security Motivation

How .CO ccTLD handles cybersecurity matters Agenda 1. About us 2. .CO Security Motivation Relationship Strategy Policies Process 3. .COllaboration Efforts in Colombia 4. Q&A 2 About us . CO Internet Started

529 views • 26 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
RESOURCES WITH PRE - KNOWN INFORMATION Students : Avi Shahimov, Ariel Slonim , Nave Ariel ,

RESOURCES WITH PRE - KNOWN INFORMATION Students : Avi Shahimov, Ariel Slonim , Nave Ariel ,

D YNAMICALLY REALLOCATING RESOURCES WITH PRE - KNOWN INFORMATION Students : Avi Shahimov, Ariel Slonim , Nave Ariel , Yuri Gabaev , Yuval Kovler, Dima Kupershmidt Mentor: Segev Cohen. Supervisor: Eli Itin Hanoch Sapoznikov Month Year

263 views • 11 slides
Enterprise Mobility: Getting Ready for 2015 Meeting Objectives: Meeting Agenda: Mobility demands

Enterprise Mobility: Getting Ready for 2015 Meeting Objectives: Meeting Agenda: Mobility demands

Enterprise Mobility: Getting Ready for 2015 Meeting Objectives: Meeting Agenda: Mobility demands & challenges will keep Introduction increasing in 2015. Hence we are focusing this session on: Mobility Trends - Updating

548 views • 25 slides
Northrop Grumman Corporation Operating Safely in a Cyber Dense Environment the Good, the

Northrop Grumman Corporation Operating Safely in a Cyber Dense Environment the Good, the

Northrop Grumman Corporation Operating Safely in a Cyber Dense Environment the Good, the Bad, and the Ugly. World Air Traffic Management Congress March 2016 Dr. Dennis McCallam, DIA. Northrop Grumman Fellow Who we are Leading global

496 views • 12 slides
Digit Digital al Se Security y Training Topics Covered Week 5 Week 1 Social Media

Digit Digital al Se Security y Training Topics Covered Week 5 Week 1 Social Media

Be Best Practices A digital training brought to you by RSAT Security in partnership with Supreme Technologies Group. Digit Digital al Se Security y Training Topics Covered Week 5 Week 1 Social Media Introduction to Information Security

506 views • 24 slides

More recommend