SINGLE SIGN ON AND SECURITY

1
SINGLE SIGN ON AND SECURITY

• By
• Mwamini Naggayi
• CS 795 MW

2
Outline

• Introduction
• What is single sign on?
• Protocols
• Purpose
• Benefits
• Risk
• Conclusion
• Demos (Not available)
• References

3
Introduction

• As computer systems increases to support business
  processes, users and system administrators are
  faced with an increasingly complicated interface
  to accomplish their job functions. Users
  typically have to sign-on to multiple systems,
  with an equivalent number of sign-on dialogues,
  each of which may involve different usernames and
  authentication information.
• System administrators are also faced with
  managing user accounts within each of the
  multiple systems to be accessed in a
  co-coordinated manner in order to maintain the
  integrity of security policy enforcement. This
  legacy approach to user sign-on to multiple
  systems is illustrated below

4
Legacy Approach User Sign-on to Multiple Systems
5
Legacy Approach User Sign-on to Multiple Systems

• Those components act as independent domains in
  the sense that end-user has to identify and
  authenticate himself independently to each of the
  domains s/he wishes to interact with
• To invoke the services of a secondary domain end
  user is required to perform a Secondary Domain
  Sign-on
• From the management perspective the legacy
  approach requires independent management of each
  domain and the use of multiple user account
  management interfaces

6
What is single sign on?

• Single sign-on (SSO) is mechanism whereby a
  single action of user authentication and
  authorization can permit a user to access all
  computers and systems where s/he has access
  permission, without the need to enter multiple
  passwords.
• The user needs to authenticate only once and the
  authenticated identity is securely carried across
  the network to access resources on behalf of the
  user.

7
Purpose of single sign on

• Develop applications to provide a common, single
  end-user sign-on interface for an enterprise
• The development of applications for the
  co-coordinated management of multiple user
  account management information bases maintained
  by an enterprise.
• Users only need to remember one username and
  password, and authentication can be provided for
  multiple services.

8
Protocols Single sign on

• Kerberos is a computer network authentication
  protocol which allows individuals communicating
  over an insecure network to prove their identity
  to one another in a secure manner.
• Kerberos single sign-on is possible because all
  of the services are under the same administrative
  control. There is a centralized database
  containing keys that are shared with each
  service, and tickets can be issued, encrypted
  under the keys of the target services.

9
Protocols Single sign on

• Passport protocol makes Single sign-on on the web
  sites possible gaining authenticated access to
  multiple and independent web services
• Passport is a protocol that enables users to sign
  onto many different merchants' web pages by
  authenticating themselves only once to a common
  server

10
How Passport works

• Passport model has three entities the client at
  a web browser, the merchant store, and the
  Passport login server.
• Login server maintains authentication and
  customer profile information for the client and
  gives the merchant access to this information
  when permitted by the client
• Passport divides client data into profile info
  and the wallet, that contains credit card info
• Passport's protocols are designed to enable the
  secure transfer of the profile and wallet info
  between the Passport server and the merchants.

11
How Passport works
12
Benefits Single sign-on

• Reduction in the time taken by users in sign-on
  operations to individual domains.
• Improved security through the reduced need for a
  user to handle and remember multiple sets of
  authentication information.
• Reduction in time taken, and improved response,
  by system administrators in adding and removing
  users to the system or modifying their access
  rights.
• Single sign-on reduces human error, a major
  component of systems failure.

13
Benefits of single sign-on

• Improved security through the enhanced ability of
  system administrators to maintain the integrity
  of user account configuration including the
  ability to inhibit or remove an individual users
  access to all system resources in a
  co-coordinated and consistent manner.

14
Single User Sign-On To Multiple Services
15
Single User Sign-On To Multiple Services

• The information supplied by the end-user as part
  of the Primary Domain Sign-On procedure may be
  used in support of secondary domain sign-on in
  several ways
• Directly the information supplied by the user is
  passed to a secondary domain as part of a
  secondary sign-on.
• Indirectly the information supplied by the user
  is used to retrieve other user identification and
  user credential information stored within the a
  single sign-on management information base. The
  retrieved information is then used as the basis
  for a secondary domain sign-on operation.
• Immediately to establish a session with a
  secondary domain as part of the initial session
  establishment. This implies that application
  clients are automatically invoked and
  communications established at the time of the
  primary sign-on operation.
• Temporarily stored or cached and used at the
  time a request for the secondary domain services
  is made by the end-user.

16
Risks Single Sign on

• The secondary domains have to trust the primary
  domain to
• correctly assert the identity and authentication
  credentials of the end user, protect the
  authentication credentials used to verify the end
  user identity to the secondary domain from
  unauthorized use.
• The authentication credentials have to be
  protected when transferred between the primary
  and secondary domains against threats arising
  from interception or eavesdropping leading to
  possible impersonating attacks.
• Single sign-on highly desirable but difficult to
  implement.

17
Risk Single sign on

• When security is compromised, single sign on
  allows access to firewalls, systems, etc.
• Passport uses the existing web technologies to
  the best of its abilities. Unfortunately, the
  resulting implementing protocol poses several
  risks to the user
• User interface confusion Merchant site that uses
  Passport displays a Passport sign-out icon which
  is supposed to remove Passport cookies but a user
  may only sign-out in one account and not passport
  account.
• Passport establishes a centralized service
  trusted by all others to make authoritative
  decisions about the authenticity of a user.
  Compromise of this central service would be
  particularly disastrous since service maintains
  consumer profile info on all registered users

18
Risk Single sign on

• Passport system is too dependant on cookies.
  Passport cookies, are used as proofs of
  authentication and its lifetimes are determined
  only by the lifetime of the web browser and the
  (encrypted) time window in the cookie. If a user
  forget to logout on a public machine, a Passport
  account could leave valid authentication tokens
  behind on the machine for any user to recover.
• In Passport, where cookies stand in for tickets,
  possession of the cookie is all that is necessary
  to impersonate the valid user of that cookie. No
  further proof is required which is dangerous on
  public machine. At least in Kerberos, the client
  must send an authenticator that proves knowledge
  of the key inside the ticket.

19
Conclusion

• The best way to protect your interests is to
  ensure that any SSO software offered by any
  company provides some level of guarantee to meet
  the needs of the organization security.
• The need for tools to help users manage
  authentication and personal information across a
  variety of sites are increasingly critical.
  Passport is an ambitious attempt to meet those
  needs and requires no changes to existing
  browsers and servers. However, the system carries
  significant risks to users

20
Demo Two Site files

• Site one
• Public pages
• Default.aspx
• Web config
• Secure folder
• httpsPage.aspx
• login.aspx

• Site two
• Public Pages
• default.aspx
• Web config
• Secure folder
• httpsPage.aspx

21
Demos Default page on slide site 1
22
Demos Web config site one

• ltauthentication mode"Forms"gt
• ltforms loginUrl"Secure\login.aspx
  protection"All"
• requireSSL"true timeout"10
  name"FormsAuthCookie"
• path"/FormsAuth slidingExpiration"true" /gt
  
• lt/authenticationgt
• lt!-- For SSO Test --gt
• ltmachineKey
• validationKey"C50B3C89CB21F4F1422FF158A5B42D0E
  8DB8CB5CDA1742572A487D9401E34
  00267682B202B746511891C1BAF47F8D25C07F6C39A104696D
  B51F17C529AD3CABE"
• decryptionKey "8A9BE8FD67AF6979E7D20198CFEA50D
  D3D3799C77AF2B72F"
• validation"SHA1"/gt
• lt!-- The restricted folder is for authenticated
  and SSL access only. --gt
• ltlocation path"Secure" gt
• ltsystem.webgt
• ltauthorizationgt
• ltdeny users"?" /gt
• lt/authorizationgt
• lt/system.webgt
• lt/locationgt

23
Site one default.aspx.cs

• private void SecureButton_Click(object sender,
  System.EventArgs e)
• UriBuilder uri new UriBuilder(
• Uri.UriSchemeHttps, Request.Url.Host )
• uri.Path Path.Combine( Request.ApplicationPath
  ,
• "Secure/httpsPage.aspx" )
• Response.Redirect( uri.ToString() )

24
Secure folder One Login.aspx.cs

• private void Page_Load(object sender,
  System.EventArgs e)
• try
• // For different domains, should use the
  cookie domain
• HttpCookie formsCookie FormsAuthentication
  .GetAuthCookie(
• UserId.Text, false )
• formsCookie.Domain "localhost.com"
• Response.AppendCookie( formsCookie )
• Response.Redirect( FormsAuthentication.GetRedirec
  tUrl( UserId.Text, false ) )
• FormsAuthentication.RedirectFromLoginPage(
  UserId.Text, false )
• private void LoginButton_Click(object sender,
  System.EventArgs e)
• UriBuilder uri new UriBuilder(
  Uri.UriSchemeHttp, Request.Url.Host )
• uri.Path Path.Combine(
  Request.ApplicationPath , "default.aspx" )
• Response.Redirect( uri.ToString() )

25
Secure folder one httpsPage.aspx.cs

• private void LogoutButton_Click(object sender,
  System.EventArgs e)
• System.Web.Security.FormsAuthentication.SignOut
  ()
• HttpCookie formsCookie Request.Cookies
  FormsAuthentication.FormsCookieName
• formsCookie.Domain "localhost.com"
• formsCookie.Expires DateTime.Now.AddDays(-1)
  
• Response.Cookies.Add(formsCookie)
• Response.Redirect( Request.Url.ToString() )
• private void BackButton_Click(object sender,
  System.EventArgs e)
• UriBuilder uri new UriBuilder(
  Uri.UriSchemeHttp, Request.Url.Host )
• uri.Path Path.Combine( Request.ApplicationPat
  h , "default.aspx" )
• Response.Redirect( uri.ToString() )
• private void SiteTwoButton_Click(object sender,
  System.EventArgs e)
• Response.Redirect( "https//localhost/FormsAuth2/
  Secure/httpsPage.aspx" )

26
Demos Web config first site

• private void LinkButton1_Click(object sender,
  System.EventArgs e)
• UriBuilder uri new UriBuilder(
• Uri.UriSchemeHttps, Request.Url.Host
  )
• uri.Path Path.Combine(
• Request.ApplicationPath ,
• "Secure/httpsPage.aspx" )
• Response.Redirect( uri.ToString() )

27
References

• http//www.opengroup.org/security/sso/
• http//www.enterasys.com/solutions/secure-networks
  /single_sign-on/
• http//www.scmagazine.com/us/grouptest/details/2a1
  36ba7-b164-4346-974e-1afcc4d628e2/singlesign-on2
  005/
• http//www.imprivata.com/content3208.html
• http//avirubin.com/passport.html
• http//weblogs.asp.net/hernandl/archive/2004/06/09
  /ssoformsauth.aspx
• http//msdn.microsoft.com/library/default.asp?url
  /library/en-us/dnaspp/html/singlesignon.asp