Federated Identity and Single-Sign On


CS 6393 Lecture 5: Federated Identity and Single-Sign On. Prof. Ravi Sandhu, Executive Director and Endowed Chair. February 15, 2013. ravi.sandhu@utsa.edu, www.profsandhu.com

The Web Today (slides 2-3)
The client authenticates to relying parties RP1, RP2, RP3 (service providers) over an encrypted channel with a user ID and password, plus maybe a personalized image, a cookie, knowledge-based authentication or a one-time password. RP-to-client authentication is weak, so the client is susceptible to RP spoofing and man-in-the-middle. Slide 3 adds key labels: Signature: done by, verified by; Encryption: done by, decrypted by.

The Web Today (slide 4)
How to get a public key? Digital certificates, and a PKI as the infrastructure. Certificate fields: version, serial number, signature algorithm, issuer, validity, subject, subject public key info, signature. The signature guarantees authentication and integrity, but how does one verify this signature? Need another.

The Web Today (slide 5)
Root certificates are weakly protected in today's browsers. [Figure: multi-rooted certificate hierarchy, with multiple roots each heading a tree of subordinate certificates.]

The PKI Vision (1980s onwards) (slide 6)
Client and relying parties RP1, RP2, RP3 (service providers). Eliminates the man-in-the-middle in the network. Remains vulnerable to man-in-the-browser and man-in-the-PC.

The PKI Vision (1980s onwards) (slide 7)
[Figure: a man-in-the-middle (MITM) sits between the client and the RP. With user ID and password, the credentials pass through the MITM to the RP. With certificates, the labels are RP's certificate under RP's root, MITM's certificate under MITM's root, and client's certificate.]

The PKI Vision (1980s onwards) (slide 8)
Client-side key storage options: store as a password-protected file and use in an insecure PC; store and use in a smartcard; store and use in a Trusted Platform Module (TPM). On the relying-party side (RP1, RP2, RP3): store and use in a well-protected server hardware security module (HSM).

The PKI Vision (1980s onwards) (slide 9)
One authenticator for each client, protected by one or more additional factors, usable by every RP who trusts the client's root. Built-in, out-of-the-box single sign-on (SSO). Massive expense by US DoD on the Common Access Card.

Kerberos SSO (1980s onward): symmetric key technology (slides 10-11)
The Kerberos server (which is also the TGS) holds a stored client symmetric key Kc; on the client side, the client password is converted to the same client symmetric key Kc.
1. Client -> Kerberos: c (the client's identity).
2. Kerberos -> Client: {T_c,tgs, K_c,tgs} encrypted under K_c (a ticket for the TGS and a client-TGS session key).
3. Client -> TGS: T_c,tgs, A_c,tgs, s (the TGS ticket, an authenticator, and the name of the server s).
4. TGS -> Client: {T_c,s, K_c,s} encrypted under K_c,tgs (a ticket for s and a client-server session key).
5. Client -> Server s: T_c,s, A_c,s.

Kerberos SSO (1980s onward) (slide 12)
[Figure: Kerberos Realm 1 and Kerberos Realm 2, linked either by a shared symmetric key or by public-private keys, so that a client in one realm can reach a server in the other.]

Kerberos SSO (1980s onward) (slide 13)
Successful in enterprise SSO. Scales to 10s or 100s of thousands of users. Microsoft Active Directory login is based on Kerberos. Inter-realm is rarely deployed.
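The five-message exchange of slides 10-11 (client to Kerberos/AS, then to the TGS, then to server s), as an added example that is not part of the lecture. The toy encrypt-then-MAC stands in for Kerberos's real encryption types, and the principal names, salt and PBKDF2 string-to-key step are assumptions made for this example.

```python
# Kerberos SSO flow from slides 10-11 (AS -> TGS -> server, tickets T and authenticators A).
# Added example, not the lecture's code; names, salt and the PBKDF2 string-to-key are assumptions.
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):                        # {obj}_key : nonce || ciphertext || HMAC tag (toy, not a real enctype)
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):                     # raises ValueError if the key is wrong or the blob was tampered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):               # step 1 precondition: client password -> client symmetric key Kc
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"REALM.EXAMPLEalice", 10_000)

def issue(issuer_key, client, target, target_key):
    # Ticket T_c,target (sealed under target's long-term key) plus session key K_c,target,
    # both returned sealed under issuer_key: Kc from the AS (step 2), K_c,tgs from the TGS (step 4).
    sess = os.urandom(32).hex()
    ticket = seal(target_key, {"client": client, "server": target, "key": sess}).hex()
    return seal(issuer_key, {"ticket": ticket, "key": sess})

def accept(own_key, ticket_hex, authenticator):
    # Verifier (TGS or server) opens T with its own key, then A_c,x with the session key K_c,x found in T.
    t = unseal(own_key, bytes.fromhex(ticket_hex))
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]: raise ValueError("authenticator does not match ticket")
    return t

def run_sso(typed_password, enrolled_password="correct horse", service="fileserver"):
    k_tgs, k_s = os.urandom(32), os.urandom(32)   # long-term keys of TGS and server, held by the KDC
    kc = string_to_key(enrolled_password)         # KDC's stored copy of Kc; the client re-derives it below
    try:
        s2 = unseal(string_to_key(typed_password), issue(kc, "alice", "tgs", k_tgs))  # {T_c,tgs, K_c,tgs}_Kc
        k_c_tgs = bytes.fromhex(s2["key"])
        tkt = accept(k_tgs, s2["ticket"], seal(k_c_tgs, {"client": "alice"}))        # step 3: T_c,tgs, A_c,tgs
        s4 = unseal(k_c_tgs, issue(k_c_tgs, tkt["client"], service, k_s))            # step 4: {T_c,s, K_c,s}_Kc,tgs
        a_c_s = seal(bytes.fromhex(s4["key"]), {"client": "alice"})                  # A_c,s
        return accept(k_s, s4["ticket"], a_c_s)["server"] == service                 # step 5: server verifies
    except ValueError:                            # wrong password, or a ticket/authenticator under the wrong key
        return False
```

A wrong password yields a different Kc, so the client cannot open the step-2 reply and the flow stops before any ticket is presented; the server never sees the client's password or Kc at all.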

Microsoft SSO (1990s): failed. (slide 14)

Microsoft Infocard identity ecosystem (2000s): failed. (slide 15)

Liberty Alliance (2000s): failed. (slide 16)

OpenID (2000s): failing. (slide 17)

NSTIC (2010s). (slide 18)