Web Application Entity Session Management using the eID Card
Frank Cornelis, 03/03/2010
Fedict 2010. All rights reserved
What is Entity Authentication?
- Entity authentication is the process whereby one party is assured of the identity of a second party involved in a protocol, and that the second party has actually participated (i.e. is active at, or immediately prior to, the time the evidence is acquired).
- Formal statement, for Alice (A) and Bob (B): A has authenticated B if
  - A believes that challenge_a is fresh (A generated it for this protocol run), and
  - A believes that B recently said challenge_a.
- Entity authentication is a separate goal from session key establishment; a protocol may provide either one or both.
- How do we achieve this using an eID card?
eID Card Authentication
- Authentication private key: 1024-bit RSA, used with PKCS#1 (RSASSA-PKCS1-v1_5).
- PIN authorization is required for use of the authentication key; the card caches the authentication PIN authorization until a log-off instruction resets it.
- Creation of a signature:
  - Set APDU: select the key (0x82 = authentication key).
  - Prepare the DigestInfo on the host: the PKCS#1 DER sequence of hash algorithm identifier and digest.
  - Verify PIN APDU (PIN BCD-encoded).
  - Compute Digital Signature APDU.
  - Retrieve the signature data.
- The card can only sign: the sole private-key operation it offers is the RSA private operation over the padded DigestInfo (no decryption, no key agreement). The card never sees the data that was hashed, only the digest.
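Added example (not code from the Fedict deck or the eID middleware): the DigestInfo a host builds for the card and the EMSA-PKCS1-v1_5 block that results, in Python. The function names are this example's own; the DER prefixes are the standard RFC 3447 values, and the 128-byte block length follows from the 1024-bit key on this slide.

```python
# Added example, not code from the Fedict deck or the eID middleware: the
# DigestInfo the host hands to the card and the EMSA-PKCS1-v1_5 block the card
# then feeds to the RSA private-key operation. Function names are this
# example's own; the DER prefixes are the standard ones from RFC 3447, 9.2.
import hashlib

# Everything in DigestInfo ::= SEQUENCE { digestAlgorithm, digest OCTET STRING }
# that precedes the raw digest bytes (RFC 3447 section 9.2, note 1).
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# 1024-bit authentication key => 128-byte encoded message (assumption from the slide)
EID_AUTHN_MODULUS_BYTES = 128


def digest_info(hash_name: str, data: bytes) -> bytes:
    """DER DigestInfo over `data`: what the host prepares and sends to the card."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, data).digest()


def emsa_pkcs1_v1_5(digest_info_der: bytes, k: int = EID_AUTHN_MODULUS_BYTES) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 0x00 0x01 || 0xFF..0xFF || 0x00 || DigestInfo,
    exactly k bytes. The card applies this before computing EM^d mod n."""
    if len(digest_info_der) + 11 > k:
        raise ValueError("intended encoded message length too short")
    padding = b"\xff" * (k - len(digest_info_der) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info_der


def parse_encoded_message(em: bytes) -> tuple:
    """Verifier side: undo the padding strictly and return (hash name, digest).
    Every byte of the structure is checked; accepting a loosely formatted block
    (not insisting that the DigestInfo fills the rest of EM) is the classic
    signature-forgery bug against small-exponent keys."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)            # end of the 0xFF padding string
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string (must be >= 8 bytes of 0xFF)")
    di = em[sep + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if di.startswith(prefix) and len(di) == len(prefix) + hashlib.new(name).digest_size:
            return name, di[len(prefix):]
    raise ValueError("unknown or malformed DigestInfo")


def is_valid_encoded_message(em: bytes) -> bool:
    try:
        parse_encoded_message(em)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    di = digest_info("sha1", b"challenge from the server")   # constructed input
    print("DigestInfo sent to the card:", di.hex())
    print("Block the card actually signs:", emsa_pkcs1_v1_5(di).hex())
```

On the verifier side the RSA public operation recovers EM, and `parse_encoded_message` is the check that must not be relaxed: a block whose DigestInfo is followed by trailing garbage, or whose padding string is shorter than eight bytes, is rejected even though the digest inside it is correct.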
eID Certificate Validation
Authentication certificate chain:
  Root CA cert (self-signed; a GlobalSign-issued CA cert for the same key also exists), revocation via the Root CA CRL
    Citizen CA cert, revocation via CRL
      Authn cert, revocation via CRL or the OCSP responder
    Gov CA cert, revocation via CRL
      SSL cert
eID Certificate Validation (cont'd)
- jtrust: eID PKI validation for Java, http://code.google.com/p/jtrust/
- Does not build on the Java Certification Path API (judged unsuitable by the author).
- Flexible architecture, ready for the eID Trust Service.
- Components: a Trust Validator configured with a set of trust points (such as the Root CA public key), a list of trust linkers and a list of certificate constraints. Trust linkers include the Public Key Trust Linker (certificate repository), the CRL Trust Linker (CRL repository, Root CA CRL), the OCSP Trust Linker (OCSP repository, OCSP responder), a Fallback Trust Linker, and a CRL Cache Trust Linker backed by the eID Trust Service.
eID Entity Authentication
- eID card authentication by itself is useless for remote entities, e.g. in a web application context: we need an authentication protocol.
- Different authentication protocols are possible, and each entity authentication protocol yields its own cryptographic goals:
  - entity authentication, of course;
  - possibly a session key, via a combined key agreement (as in SSL).
- DO NOT TRY TO INVENT YOUR OWN PROTOCOL! Even the Needham-Schroeder protocol turned out to admit a replay attack (and its public-key variant a man-in-the-middle attack, found 17 years after publication).
- Creativity is great for non-critical applications, like music.
Authentication Protocols
- Mutual SSL
  - Browser-initiated SSL handshake with client certificate
  - Relies on the eID PIN authorization caching feature
- Tunneled entity authentication
  - Uses unilateral SSL to authenticate the server
  - Client authentication based on the ISO/IEC 9798-3 Authentication SASL Mechanism (RFC 3163)
  - Cryptographic channel binding to secure the channel (RFC 5056)
  - Requires an eID applet (or browser extension)
  - Explicit eID card management possible
  - Sequential eID card access possible (authenticate now, sign later, with the same card)
Unilateral SSL (RFC 2246)
Legend: Ra, random by A; Rb, random by B; Kb+, public key of B; pre_master_secret, random by A; PRF, pseudo-random function.
  A -> B: ClientHello(ciphers, Ra)
  B -> A: ServerHello(cipher, Rb)
  B -> A: Certificate(cert chain)                      A validates the cert chain
  B -> A: ServerHelloDone
  A -> B: ClientKeyExchange {pre_master_secret}Kb+
  A -> B: ChangeCipherSpec
  A -> B: Finished (encrypted): PRF(master_secret, handshake_msgs)
  B -> A: ChangeCipherSpec
  B -> A: Finished (encrypted): PRF(master_secret, handshake_msgs)
  master_secret = PRF(pre_master_secret, Ra, Rb); session_key = f(master_secret)
Entity authentication: A believes freshness of Ra; A believes B recently said Ra (only the holder of B's private key can recover pre_master_secret and produce the correct Finished).
Unilateral SSL features
- Resuming a TLS session: ClientHello(session_id) reuses the same master_secret and skips the public-key operations of a full TLS handshake, which reduces server load.
- Renegotiating the SSL handshake over an already established SSL connection: useful when client authentication is only required for part of the application; both client and server can initiate a renegotiation.
- Not all SSL stacks support renegotiation (Java's did not at the time of writing).
- Renegotiation has also been the source of security flaws in implementations: the 2009 renegotiation attack lets an attacker splice its own plaintext in front of the client's request; the fix is the renegotiation_info extension of RFC 5746.
Mutual SSL using the eID Card
Legend: Ra, random by A; Rb, random by B; Kb+, public key of B; Ka-, private key of A (the eID authentication key); pre_master_secret, random by A; PRF, pseudo-random function.
  A -> B: ClientHello(ciphers, Ra)
  B -> A: ServerHello(cipher, Rb)
  B -> A: Certificate(cert chain)
  B -> A: CertificateRequest, ServerHelloDone
  A -> B: Certificate(cert chain)                      A's eID authentication certificate chain
  A -> B: ClientKeyExchange {pre_master_secret}Kb+
  A -> B: CertificateVerify sign_Ka-(handshake_msgs)   computed by the eID card
  A -> B: ChangeCipherSpec
  A -> B: Finished (encrypted): PRF(master_secret, handshake_msgs)
  B -> A: ChangeCipherSpec
  B -> A: Finished (encrypted): PRF(master_secret, handshake_msgs)
Entity authentication, both ways: A believes freshness of Ra and that B recently said Ra; B believes freshness of Rb and that A recently said Rb (the CertificateVerify signature covers all handshake messages, Rb included).
Tunneled Entity Authentication
Precondition: A trusts B, and A has already authenticated B through a unilateral SSL connection.
  A <-> B: unilateral SSL
  B -> A: challenge
  A -> B: sign_Ka-(Ra, challenge), Ra, cert_A
- ISO/IEC 9798-3 Authentication SASL Mechanism (RFC 3163), unilateral client authentication: the server is authenticated by the unilateral SSL connection, the client by the signed challenge.
- At this point B still doubts A. What can B believe at this point? Did we achieve the same effect as mutual SSL?
- What if the challenge is actually SHA1(contract)? A's authentication signature then doubles as a signature over the contract, which B can abuse. A client must never sign an arbitrary challenge with a key that is also used for document signatures; the eID keeps the authentication key and the signature key separate for this reason.
Man-in-the-middle attack on SASL
  A <-> M: unilateral SSL (Alice talks to Mallory, a server she trusts)
  M <-> B: unilateral SSL (Mallory talks to Bob)
  B -> M: challenge
  M -> A: challenge (relayed unchanged)
  A -> M: sign_Ka-(Ra, challenge), Ra, cert_A
  M -> B: sign_Ka-(Ra, challenge), Ra, cert_A (relayed unchanged)
- Mallory can abuse Alice's authentication token: Bob now believes that Alice is the party at the other end of Mallory's connection.
- Why is this going wrong?
  - SSL: CertificateVerify = sign_Ka-(handshake_msgs), so the signature digests parts of the secure channel's identity (the randoms, the server certificate, the key exchange).
  - SASL: sign_Ka-(Ra, challenge) does not digest any part of the secure channel's identity, so the token is equally valid on any channel.
Channel Binding to Secure Channels
  A <-> B: unilateral SSL (each side derives the SSL context of its own end)
  B -> A: challenge
  A -> B: sign_Ka-(Ra, challenge, channel_binding), Ra, cert_A
- RFC 5056: cryptographic binding of the authentication to the channel it runs over. Candidate values for channel_binding:
  - hostname of B: nice try (names the endpoint, but is not derived from the channel's cryptographic state)
  - Internet address of B: nice try (same problem)
  - SSL certificate of B: OK (later standardised as tls-server-end-point in RFC 5929)
  - SHA1(master_secret): even better, because it is unique per connection (RFC 5929 standardises the related tls-unique value, the first Finished message)
- A channel binding should really digest part of the channel's identity, and the SSL stack must expose that value to the application.
- Caveat: a binding derived from the master secret is only as unique as the master secret; the 2014 triple-handshake attacks showed it must be tied to the full handshake transcript (the extended master secret extension of RFC 7627).
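Added example (not from the deck) covering the three preceding slides: Alice, Mallory and Bob as Python code, run with and without the channel binding. The signature is textbook RSA over SHA-256 with a key generated on the spot (no PKCS#1 padding; the point is what gets signed, not the padding), and the channel-binding bytes stand in for a real tls-unique or server-certificate value. Function names and the length-prefixed message encoding are this example's own.

```python
# Added example, not from the Fedict deck: the relay attack on the RFC 3163
# challenge signature and the RFC 5056 channel-binding fix, run end to end.
# Signing is textbook RSA over SHA-256 (no PKCS#1 padding) with a throwaway key;
# channel-binding values are constructed per connection.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 1024):
    """Returns (public (n, e), private (n, d)); 1024 bits like the eID authn key."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))


def encode(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so (Ra, challenge, binding) cannot be re-split."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def client_respond(priv, challenge: bytes, channel_binding: bytes):
    """Alice: token = sign_Ka-(Ra, challenge[, channel_binding]), Ra.
    channel_binding is b"" for plain RFC 3163, or the binding of the TLS channel
    Alice is actually talking over (RFC 5056). cert_A is represented by `pub`."""
    ra = secrets.token_bytes(32)
    return sign(priv, encode(ra, challenge, channel_binding)), ra


def server_check(pub, challenge: bytes, token, channel_binding: bytes) -> bool:
    """Bob verifies the token against HIS end of the channel."""
    sig, ra = token
    return verify(pub, encode(ra, challenge, channel_binding), sig)


def relay_attack(alice_pub, alice_priv, use_channel_binding: bool) -> bool:
    """Alice <-TLS-> Mallory <-TLS-> Bob: Mallory forwards Bob's challenge to Alice
    and Alice's token to Bob. Returns True if Bob accepts, i.e. the attack works."""
    cb_alice_mallory = secrets.token_bytes(32)   # binding of Alice's channel (to Mallory)
    cb_mallory_bob = secrets.token_bytes(32)     # binding of Mallory's channel to Bob
    challenge = secrets.token_bytes(32)          # Bob -> Mallory -> Alice, unchanged
    token = client_respond(alice_priv, challenge, cb_alice_mallory if use_channel_binding else b"")
    return server_check(alice_pub, challenge, token, cb_mallory_bob if use_channel_binding else b"")


def honest_run(alice_pub, alice_priv) -> bool:
    """Alice talks to Bob directly: one channel, so both ends see the same binding."""
    cb = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    return server_check(alice_pub, challenge, client_respond(alice_priv, challenge, cb), cb)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    print("honest login accepted:", honest_run(pub, priv))
    print("relay without binding accepted:", relay_attack(pub, priv, False))
    print("relay with binding accepted:", relay_attack(pub, priv, True))
```

The only difference between the failing and the succeeding relay is the third field under the signature: Alice signs the binding of the channel she is on (to Mallory), Bob checks against the binding of the channel he is on (to Mallory), and the two are different values because they are different TLS connections. Nothing about the challenge or Ra helps, which is the slide's point that those fields are not part of the channel's identity.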
Web Applications
- Use HTTP over TCP/IP; HTTP is a stateless protocol.
- How to create an HTTP session context?
  - Via cookies: Set-Cookie and Cookie HTTP headers
  - Via tokens: a request token and a response token carried in forms
  - Via the transport layer (SSL session)
- How does an application session context correspond with the user's eID login/logout experience?
- Vulnerable to remote attacks due to the evolutionary nature of the web protocol stack.
The Webshop Web Application
Pages and actions: Welcome, Item list, Add to Cart, View Cart, eID login, pay, eID logout.
- We need a stateful protocol for the shopping cart.
- We need to be able to trust the web application.
- We want privacy during all steps.
- We want eID authentication during payment.
- The machine could be shared between users.
- Different solutions are possible!
The Webshop: Trust and Privacy
- Unilateral SSL using a trusted server certificate.
- Different network topologies are possible: Internet -> firewall -> SSL terminator (hardware or HTTPD) -> application server.
- Everything behind SSL, to prevent session cookie stealing (and mark the cookie Secure so the browser never sends it over plain HTTP).
- AJP preferred between HTTPD and the application server.
The Webshop: Statefulness
Using a session cookie initiated by the application server, protected by SSL.
  A <-> B: SSL connection established
  A -> B: GET index.html
  B -> A: index.html
  A -> B: GET list.jsf
  B -> A: list.jsf
  A -> B: POST add_item.jsf                         App server creates an HTTP session context
  B -> A: Set-Cookie: 123456; success.jsf
  A -> B: Cookie: 123456; GET list.jsf
  B -> A: list.jsf
  A -> B: Cookie: 123456; GET cart.jsf
  B -> A: cart.jsf
Three lifecycles run side by side: the SSL session, the browser cookie lifecycle, and the application server's HTTP session context; none of them is tied to the others.
The Webshop: eID SSL authentication
First we try out the mutual SSL scheme.
- Application-server-driven SSL renegotiation, to enable mutual SSL on demand, is tricky, especially with hardware SSL termination: Internet -> firewall -> SSL terminator (hardware or HTTPD; SSL renegotiation?) -> application server.
- We do not want mutual SSL enabled during the entire web application user session.
The Webshop: eID SSL authentication (cont'd)
So we need two SSL terminations:
- one for unilateral SSL,
- one for the mutual SSL using the eID.
This requires two IP addresses (plus DNS names), or at least two different ports: Internet -> firewall -> SSL terminator / eID SSL terminator -> application server.
Problem: how to properly link the two SSL sessions?
- Same IP address: via session cookies.
- Different IP addresses: via signed SAML tickets.
The Webshop: eID SSL authentication (cont'd)
How about session life cycles? The application server cannot easily tell the SSL layer to terminate a session.
  A <-> server SSL: unilateral SSL; index.html
  eID login -> "magical" SSL session linking -> mutual SSL handshake on the eID SSL terminator (relying on eID PIN authorization caching) -> show profile, payments
  Logout (application session) -> index.html
  eID login again -> show profile, with no new handshake and no PIN: the eID SSL session is still alive
- What if the web application now wants to sign a contract with the eID of citizen C??? The eID SSL session is still alive!!! Short SSL sessions? :)
The Webshop: eID authentication
eID authentication using a tunneled solution: it just works as expected.
- No more SSL session life cycle issues.
- No more SSL handshake exceptions due to a missing eID card.
- The eID card can be reused for signing within the web application.
- The eID card can be explicitly logged off.
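Added example (not from the deck, the eID Applet or any servlet container): a server-side session store in Python that keeps the application session of the statefulness slide (the cart) and the eID login as two separate lifecycles, which is what the tunneled solution makes possible. The cookie name, the validity window of an eID login and the rotation of the session id at login are this example's choices; the rotation is not on the slides but is the standard defence against session fixation on a shared machine.

```python
# Added example, not from the Fedict deck or the eID Applet: a minimal
# server-side session store that separates the application session (cart)
# from the eID login. Cookie name, validity window and id rotation are this
# example's own choices.
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"
EID_AUTH_VALIDITY = 10 * 60   # seconds an eID login stays valid for sensitive pages (assumption)


class Session:
    def __init__(self):
        self.cart = []
        self.citizen = None        # identity taken from the validated eID authn certificate
        self.eid_login_at = None


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable

    def set_cookie_header(self, sid: str) -> str:
        # Secure: never sent over plain HTTP (everything behind SSL).
        # HttpOnly: not readable by page script. Path scoped to the application.
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly"

    def lookup(self, cookie_header):
        """(sid, session) for a Cookie header value naming a live session, else (None, None)."""
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if COOKIE_NAME in jar and jar[COOKIE_NAME].value in self._sessions:
                sid = jar[COOKIE_NAME].value
                return sid, self._sessions[sid]
        return None, None

    def get_or_create(self, cookie_header):
        """First request without a valid cookie: create the anonymous application session."""
        sid, session = self.lookup(cookie_header)
        if session is None:
            sid, session = self._new_id(), Session()
            self._sessions[sid] = session
        return sid, session

    def eid_login(self, sid: str, citizen: str, now=None) -> str:
        """Bind the eID identity to the session and rotate the session id, so an id
        fixed or observed before the login is worthless afterwards. The cart survives.
        Returns the new id, which must go out in a fresh Set-Cookie."""
        session = self._sessions.pop(sid)
        session.citizen = citizen
        session.eid_login_at = time.time() if now is None else now
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def is_eid_authenticated(self, sid: str, now=None) -> bool:
        """Gate for profile/payment pages: identity present and login recent enough."""
        session = self._sessions.get(sid)
        if session is None or session.citizen is None:
            return False
        now = time.time() if now is None else now
        return now - session.eid_login_at < EID_AUTH_VALIDITY

    def eid_logout(self, sid: str) -> None:
        """Drop the identity only; the application session and its cart continue.
        The caller must also send the card its log-off instruction so the cached
        PIN authorization is reset, otherwise the next user of a shared machine
        can authenticate with a card that is still unlocked."""
        session = self._sessions[sid]
        session.citizen = None
        session.eid_login_at = None

    def invalidate(self, sid: str) -> None:
        """Application logout: forget the whole session."""
        self._sessions.pop(sid, None)
```

Because the eID state lives in the application session rather than in an SSL session, the application decides when the login expires or is revoked, which is exactly what the previous slide said the application server cannot do with an SSL session.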
eID Applet Architecture
Web browser:
- Web Page, which embeds the eID Applet.
Web container:
- eID Applet Service: the servlet the applet talks to.
- SPI, with a Service Implementation supplied by the web application (which uses jtrust to validate the authentication certificate chain).
- HTTP Session: where the validated identity is stored.
- Target Page: where the browser continues once the eID step is complete.
The diagram's numbering traces the flow: (1) the web page loads the applet, (2) the applet exchanges messages with the eID Applet Service, (3) the service calls the SPI and its Service Implementation, (4) the result is stored in the HTTP session, (5) the browser is sent on to the target page, (6) certificate validation is delegated to jtrust.
Fedict cannot be held liable for any direct or indirect damages arising from the usage of the information provided by this presentation. The views expressed in this presentation can change over time due to new evolutions and/or new insights.

Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00
FAX +32 2 212 96 99
info@fedict.belgium.be
www.fedict.belgium.be