SLIDE 1

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library

20/11/2015 Göschlberger/Göttfert 1

SLIDE 2

Introduction

  • Research Studios Austria FG

– MicroLearning and Information Environments

  • Bernhard Göschlberger

– Research field: Technology Enhanced Learning

  • Sebastian Göttfert

– Computer Science @JKU

  • Research Project: KnowledgeMgmt-Plattform

– Extend existing platform seamlessly

SLIDE 3

Problem

  • Legacy system

– 12,000 existing accounts
– Continuous changes
– Closed registration

  • Single Sign-On

– Use existing accounts
– Authenticate users to third-party apps

SLIDE 4

Existing standards/solutions

  • Authorization:

– OAuth 2.0

  • Authentication:

– SAML
– OpenID Connect
– JWT

SLIDE 5

SAML – Security Assertion Markup Language

  • Identity Provider (IdP)

– Issues Assertion

  • Digital Signature

– Authentication and Message Integrity

  • Service Provider (SP)

– Trusts IdP
– Validates signature
– Grants authorization based on Assertions

SLIDE 6

JWT – JSON Web Tokens

  • Compact URL-safe representation for claims
  • Self-contained

– Header
– Claim set
– Signature

  • Less flexible but much simpler than SAML
  • Used by

– OAuth 2.0
– OpenID Connect

SLIDE 7

Standards Implementation

  • Service Provider:

– Easy, cheap
– Many frameworks and libraries

  • Identity Providers

– Heavyweight
– Complex
– Full software solutions available

  • In general:

– Standards try to cover (almost) every use case
– Tend to get complex and bulky

SLIDE 8

Previous Approach

  • No single sign-on
  • Authorization via backend web service:

– Is this a valid user?

  • Problems:

– Weak web service protection (static API key)
– Password is sent in cleartext
– Phishing (third party gets the password)

SLIDE 9

Chosen Approach

  • Claim based

– Authorisation
– Authentication

  • Simple issuance by legacy system
  • Signed and encrypted
  • POST binding
  • Additional security on top of TLS

SLIDE 10

Authentication flow

SLIDE 11

First step – Service Provider I

  • Generate a random one-time secret for symmetric encryption (= nonce)

– Nonce has to be attached to user session to detect replay attacks

  • Encrypt nonce and return-URL with Public Key of IDP

– Only IDP should be able to decrypt this!

  • Outside library: Send nonce and return-URL to IDP

SLIDE 12

First step – Service Provider II

SLIDE 13

Second step – Identity Provider I

  • (Precondition: User has successfully logged in)
  • Decrypt nonce & return URL
  • Calculate signature of user info
  • Encrypt user info with nonce
  • Encrypt nonce with public key of SP
  • Outside library: Send signature, encrypted nonce and encrypted user info to the return URL

SLIDE 14

Second step – Identity Provider II

SLIDE 15

Third step – Service Provider I

  • Decrypt nonce

– Equal to initial nonce?

  • Decrypt user info with nonce

– Does the user info match the signature?
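
Slides 11, 13 and 15 together describe one exchange. The following is an added example in Go that implements all three steps with the standard library; it is not code from the talk or from the minSSO repository, whose actual wire format, key types and cipher choices the slides do not state. It assumes RSA-OAEP for the public-key encryption of nonce and return URL, RSA-PSS for the signature over the user info, and AES-256-GCM with the nonce as key for the symmetric part; the 32-byte nonce length, the `nonce || return-URL` request layout and the `Response` struct are constructed for the example. Replay detection is done the way slide 11 asks: the SP keeps the nonce in the user's session, takes it out again for one use only, and compares it in constant time in step three.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const nonceLen = 32 // 256-bit one-time secret; it doubles as the AES-256 key in step two
type Response struct { // what the IdP posts to the return URL in step two (constructed format)
	Signature      []byte // RSA-PSS signature over the plaintext user info
	EncryptedNonce []byte // nonce under the SP public key (RSA-OAEP)
	EncryptedInfo  []byte // user info under the nonce (AES-256-GCM, random IV prepended)
}

// NewKey generates a party's key pair (RSA-2048 is an assumption of this example).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func oaepEncrypt(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}
func oaepDecrypt(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil)
}
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// SPStart is step one: the caller keeps nonce in the user's session; only blob goes to the IdP.
func SPStart(idpPub *rsa.PublicKey, returnURL string) (nonce, blob []byte, err error) {
	nonce = make([]byte, nonceLen)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Request layout (constructed): nonce || return URL. Only the IdP key can open it.
	blob, err = oaepEncrypt(idpPub, append(append([]byte{}, nonce...), returnURL...))
	return nonce, blob, err
}

// IdPRespond is step two, run after the user has logged in at the legacy system.
func IdPRespond(idpPriv *rsa.PrivateKey, spPub *rsa.PublicKey, blob, userInfo []byte) (*Response, string, error) {
	req, err := oaepDecrypt(idpPriv, blob)
	if err != nil || len(req) < nonceLen {
		return nil, "", errors.New("request not decryptable by this IdP")
	}
	nonce, returnURL := req[:nonceLen], string(req[nonceLen:])
	sig, err := rsa.SignPSS(rand.Reader, idpPriv, crypto.SHA256, digest(userInfo), nil)
	encNonce, err2 := oaepEncrypt(spPub, nonce) // nonce travels back under the SP public key
	if err != nil || err2 != nil {
		return nil, "", errors.New("signing the user info or encrypting the nonce failed")
	}
	aead, err := gcm(nonce)
	if err != nil {
		return nil, "", err
	}
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, "", err
	}
	encInfo := aead.Seal(iv, iv, userInfo, nil) // IV || ciphertext || GCM tag
	return &Response{Signature: sig, EncryptedNonce: encNonce, EncryptedInfo: encInfo}, returnURL, nil
}

// SPFinish is step three; expected is the nonce removed from the session, so a replayed
// response, or one meant for another session, fails before anything else is examined.
func SPFinish(spPriv *rsa.PrivateKey, idpPub *rsa.PublicKey, expected []byte, resp *Response) ([]byte, error) {
	nonce, err := oaepDecrypt(spPriv, resp.EncryptedNonce)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(nonce, expected) != 1 {
		return nil, errors.New("nonce mismatch: replay or response for another session")
	}
	aead, err := gcm(nonce)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(resp.EncryptedInfo) < n {
		return nil, errors.New("ciphertext too short")
	}
	info, err := aead.Open(nil, resp.EncryptedInfo[:n], resp.EncryptedInfo[n:], nil)
	if err != nil {
		return nil, err // wrong key or tampered ciphertext: GCM tag check failed
	}
	if err := rsa.VerifyPSS(idpPub, crypto.SHA256, digest(info), resp.Signature, nil); err != nil {
		return nil, errors.New("user info does not match the IdP signature")
	}
	return info, nil
}
```

In a deployment the blob and the response travel in the POST binding from slide 9 over TLS; the per-user session store that holds the nonce between steps one and three is the SP application's job, outside the library, which is why `SPFinish` takes the expected nonce as a parameter rather than looking it up itself. Deleting the nonce from the session before calling `SPFinish` is what makes a second delivery of the same response fail.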

SLIDE 16

Third step – Service Provider II

SLIDE 17

Live demo

http://localhost/deepsec/legacy

SLIDE 18

Result & Conclusion

  • minSSO Library

– IdP: 114 loc (92 sloc)
– SP: 156 loc (129 sloc)
– https://github.com/bgoeschi/minSSO

  • Conclusions

– SSO doesn't need to be a hassle
– Legacy system as IdP feasible

SLIDE 19

Questions & Answers

Any questions?