WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Transcription

1 WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004

2 Overview Password-based authentication is weak and smart cards offer a way to address this weakness, however smart cards have previously been difficult to integrate with backend services. The Microsoft Windows network operating system supports smart card authentication and Single Sign-On but does not extend this capability to Java application servers. By adding Windows Integrated Authentication to the application server, smart card authentication is automatically supported. This means that the benefits of Single Sign-On and smart card authentication can be easily extended to Java applications, providing security and usability at minimal cost to the enterprise without any extra programming or infrastructure. Increasingly governments and enterprises are seeking to implement new access control systems that verify a person s identity and privileges before granting them access to information and other online resources. Key requirements for these systems include more secure access control, improved user convenience, simpler identification or identity verification processes and lower overall administration and management costs. By enabling access control systems to implement more secure identity verification and by providing a technology platform for adding new applications that further enhance the user experience and simplify business processes, smart card technology is an obvious choice for fulfilling these requirements. This whitepaper discusses how smart card authentication can be achieved for J2EE applications using Vintela SSO for Java (VSJ). Intended Audience This whitepaper is intended for: Smart Cards CIOs and project managers planning smart card authentication projects Security architects evaluating security products from different vendors and architecting secure smart card solutions Developers of J2EE and smart card authentication solutions A smart card, within the context of a login, is simply a replacement for a username and a password. A smart card, containing a user s credentials, can be issued to each network user. Smart cards provide two-factor authentication, also known as strong authentication. Put simply, two-factor authentication is something you have (a smart card) and something you know (a PIN). Its strength lies in ensuring that a user s identification is reliant on two distinctive factors. Passwords, on the other hand, only provide single-factor authentication both the user id and the password are something you know and so the user presents a common point of weakness. Most people are already familiar with two-factor authentication in their everyday lives through the use of a keycard and a PIN to perform Automatic Teller Machine (ATM) transactions. Vintela 2 September 2004

3 Figure 1. Smart Card Smart Card Security Smart cards provide a tamper-resistant storage mechanism for protecting private keys and other forms of personal information. Importantly, they segregate security-critical functions, including authentication, digital signatures and key exchange form other part of a system, while enabling the portability of user credentials and other private information between computers at work, at home and on the road. Conversely, traditional password-based approaches have a number of failings: Weak passwords are easily compromised by dictionary and brute force attacks. Password compromise may go undetected. Passwords are often physically recorded by users, particularly where users are required to access systems with multiple IDs and passwords. Passwords can be compromised through keystroke and network monitoring ( packet sniffing ). Users are vulnerable to social engineering attacks, for example, a well-meaning employee may be manipulated into revealing a password through deception. Authentication of users and services. Authorization to control and protect access to resources. On the other hand, smart cards: Use a longer key and protection with a PIN avoids dictionary and brute force attacks. Smart cards are physically secure and loss or theft is detectable. The memory capacity of smart cards means that advanced cryptographic mechanisms can be used, resulting in better security. Credential information (for example Kerberos tickets) can be stored on smart cards when the card is removed from its reader slot, system resources cannot be accessed. Smart cards are one of the most common tokens used in two-factor authentication. Another example is biometric security which can work equally well with the solution discussed in this paper. The requirement for strong authentication is often found alongside the requirement for Single Sign-On as together they deliver security and usability. Single Sign-On (SSO) Single Sign-On (SSO) allows users to authenticate themselves just once to access information on any of several systems. When smart card desktop authentication is combined with network login, users can log in to their desktop and then access network resources Vintela 3 September 2004

4 without further authentication. This is known as Single Sign-On. SSO is often paired with smart card authentication because of the increased importance of that initial authentication. SSO can reduce the costs associated with password resets and improves user productivity as the user only needs to remember one password. Windows Integrated Login provides SSO using the Kerberos technology associated with Active Directory. Windows Integrated Login In addition to support for Kerberos through its Active Directory service, Microsoft has added Windows Integrated Login to Internet Explorer which allows it to participate in a Kerberosbased Single Sign-On environment. When a Web server receives a request from an Internet Explorer browser, it can request that the browser uses the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication via HTTP, and allows Internet Explorer to pass a delegated credential to allow a Web application to log in to subsequent Kerberized services on the user s behalf. Microsoft s Kerberos implementation uses the Authorization field of the Kerberos ticket to pass Privilege Attribute Certificates (PACs) to Kerberized applications. Applications that support Microsoft s PAC format can use this information to provide fine-grained access control to services. When a Windows user logs on to an Active Directory domain, Active Directory builds a token (a PAC) containing the list of all the groups of which the user is a member, and that are visible in the login domain. In addition to Active Directory group information, the PAC specifies the method of authentication. This allows authorization to be performed commensurate with the strength of the authentication method that is used. For example, an application that processes highly sensitive information or high-value transactions may only be accessed using a smart card. Microsoft Windows Smart Card Login Microsoft has smart card-enabled its Windows NT 4.0, Windows 95, Windows 98, Windows 2000 and Windows XP operating systems. Future releases of the Windows platform will also contain smart card support as part of the base platform. Windows Smart Card Login requires a PC/SC-compliant smart card or token which has been initialized with the user s credentials. When a desktop is configured to perform smart card login, the user is authenticated by inserting the smart card or token into a reader and authenticating themselves to the token using a PIN. The system can then access the key material on the card to perform a Windows login using the PKINIT protocol. PKINIT uses the public key material (private key and X.509 digital certificate) to perform the Kerberos login upon which Windows Integrated Login is based. In short, a cryptographic binding is created between the credential on the user s card and the network operating system credentials. These credentials can then be used to access network services. The system can be configured to lock the user s desktop or log the user off when the card is removed from the reader. Windows Integrated Login for J2EE Applications Smart card authentication for J2EE applications can be achieved using the VSJ solution which implements Windows Integrated Login. VSJ provides Windows Integrated Authentication for J2EE applications by implementing the SPNEGO protocol. This provides a higher degree of security and integration than cookie-based mechanisms. VSJ allows Vintela 4 September 2004

5 authorization using Active Directory groups by using the group information contained in the PAC. Figure 2. Windows Integrated Login for J2EE Applications Another advantage of using this Kerberos-based authentication is the ability to delegate credentials to other services such as.net applications. Integration can be achieved without modifying the source of the application which allows integration to be completed by application developers for in-house or off-the-shelf applications. VSJ is a pure Java implementation, so it supports a wide variety of server platforms. Because VSJ uses Windows Integrated Login, no client software installation is required. VSJ leverages you investment in Windows and J2EE to provide security, ease of use and ease of administration without additional heavyweight infrastructure. VSJ allows you to implement smart card authentication for J2EE applications with a minimum of cost. Conclusion With smart cards it is possible to make stronger assertions about the authenticity of transactions increasing security and enhancing trust in the system. By extending smart card authentication to a Single Sign-On environment integrated with the Windows desktop login, this trust can be extended to the entire enterprise. VSJ allows you to continue to leverage your investment in smart card technology by extending this trust base into J2EE applications. This whitepaper has demonstrated how the unique integration provided with VSJ supports smart card authentication using existing infrastructure and without deploying new services, installing software on clients or changing a single line of code. Vintela 5 September 2004

6 COPYRIGHT 2004 Vintela Inc. All Rights Reserved. Vintela documents are protected by the copyright laws of the United States and International Treaties. Permission to copy, view and print Vintela documents is authorized provided that: 1. It is used for non-commercial and informational purposes. 2. It is not modified. 3. The above copyright notice and this permission notice is contained in each Vintela document. Notwithstanding the above, nothing contained herein shall be construed as conferring any right or license under any copyright of Vintela. RESTRICTED RIGHTS LEGEND When licensed to a U.S., State, or Local Government, all Software produced by Vintela is commercial computer software as defined in FAR , and has been developed exclusively at private expense. All technical data, or Vintela commercial computer software/documentation is subject to the provisions of FAR "Technical Data", and FAR "Computer Software" respectively, or clauses providing Vintela equivalent protections in DFARS or other agency specific regulations. Manufacturer: Vintela Inc., 333 South 520 West, Lindon, Utah DISCLAIMER THE VINTELA DOCUMENTS ARE PROVIDED "AS IS" AND MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. VINTELA, INC. RESERVES THE RIGHT TO ADD, DELETE, CHANGE OR MODIFY THE VINTELA DOCUMENTS AT ANY TIME WITHOUT NOTICE. THE DOCUMENTS ARE FOR INFORMATION ONLY. VINTELA MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND. TRADEMARKS Vintela and the Vintela logo are trademarks or registered trademarks of Vintela, Inc. in the U.S.A. and other countries. Linux is a registered trademark of Linus Torvalds in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Java is a trademark of Sun Microsystems, Inc. in the U.S.A. and other countries. Netscape and Netscape Communicator are trademarks or registered trademarks of Netscape Communications Corporation. Microsoft, MS-DOS, Windows, Windows NT, Windows 2000/Windows 2003, Windows XP, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. All other brand and product names are trademarks or registered marks of the respective owners. Vintela 6 September 2004