MashSSL - Extending SSL for securing mashups

Similar documents
2014 IBM Corporation

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Chapter 7 Transport-Level Security

TLS/SSL in distributed systems. Eugen Babinciuc

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

History of the TLS Authentication Gap Bug. Marsh Ray Steve Dispensa PhoneFactor

How To Secure Cloud Computing

Flexible Identity Federation

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

GT 6.0 GSI C Security: Key Concepts

OPENID AUTHENTICATION SECURITY

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

SBClient SSL. Ehab AbuShmais

SSL Server Rating Guide

Chapter 17. Transport-Level Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

HTTP Mutual authentication and Web security

Network Security Essentials Chapter 5

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

By Jan De Clercq. Understanding. and Leveraging SSL-TLS. for Secure Communications

Angel Dichev RIG, SAP Labs

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Using Entrust certificates with VPN

Agenda. How to configure

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Mobile Security. Policies, Standards, Frameworks, Guidelines

Public Key Infrastructure (PKI)

Java Security Web Services Security (Overview) Lecture 9

ERserver. iseries. Secure Sockets Layer (SSL)

Web Security Considerations

SSL/TLS: The Ugly Truth

APIs The Next Hacker Target Or a Business and Security Opportunity?

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Lecture 10: Communications Security

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Transport Layer Security Protocols

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Lecture 7: Transport Level Security SSL/TLS. Course Admin

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Running Secure Server Software on Insecure Hardware without a Parachute

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Security Protocols/Standards

Enabling SSL and Client Certificates on the SAP J2EE Engine

Certificates and network security

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Introduction to Computer Security

Security of smart grid communication protocols


Extending APS Packages with Single Sign On. Brian Spector, CEO, CertiVox / Gene Myers, VP Engineering, CertiVox

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Configuring Secure Socket Layer (SSL)

SSL and Browsers: The Pillars of Broken Security

The Belgian e-id: hacker vs developer

Security Characteristics of Cryptographic Mobility Solutions

Chapter 32 Internet Security

WHITE PAPER SECURE, DEPLOYABLE BILATERAL (CLIENT/SERVER) AUTHENTICATION

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

DEF CON 19: Getting SSLizzard. Nicholas J. Percoco Trustwave SpiderLabs Paul Kehrer Trustwave SSL

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

CS5008: Internet Computing

Authenticity of Public Keys

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

White Paper: Multi-Factor Authentication Platform

ERserver. iseries. Securing applications with SSL

Generating a Certificate Signing Request (CSR) from LoadMaster

ISA 562 Information System Security

Repeater. BrowserStack Local. browserstack.com 1. BrowserStack Local makes a REST call using the user s access key to browserstack.

Secure Frequently Asked Questions

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

SSL Certificates 101

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

T Cryptography and Data Security

TELNET CLIENT 5.0 SSL/TLS SUPPORT

Web Security. Mahalingam Ramkumar

End-to-End Security in Wireless Sensor Networks (WSNs) Talk by Claudio Anliker Supervised by Dr. Corinna Schmitt University of Zurich

This Working Paper provides an introduction to the web services security standards.

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec

Network Security - ISA 656 Review

More on SHA-1 deprecation:

HTTPS Inspection with Cisco CWS

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Wireless Robust Security Networks: Keeping the Bad Guys Out with i (WPA2)

Introduction to Cryptography

Managing SSL Security in Multi-Server Environments

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Strong Security in Multiple Server Environments

How SSL-Encrypted Web Connections are Intercepted

Web Security: Encryption & Authentication

Transcription:

MashSSL - Extending SSL for securing mashups Siddharth Bajaj VeriSign Inc. sbajaj@verisign.com www.verisign.com info@mashssl.org www.mashssl.org

Outline Motivation for a new security protocol Why start with SSL/TLS? Introducing MashSSL How MashSSL and TLS work together Bringing it all together some examples Towards standardization Q&A 2

What are mashups? Internet Mashups are composite applications that combine data and/or functionality from multiple sources to deliver rich functionality. Are gaining traction in both consumer and enterprise markets.

The buzz about mashups Mashups are hot... Gartner Group: By 2010, Web mashups will be the dominant model (80 percent) for the creation of composite enterprise applications. Forrester Research: Mashups will mature and eat into other major markets. Tim Berners-Lee: It's about creating a seamless web of all the data in your life." Mashups are the most interesting development in the last 20 years, Douglas Crockford, Architect, Yahoo! But... Gartner Group: The potential for security risks increases as more business users morph into application developers by building mashups. KPMG: Survey of 472 executives found that half of them viewed security problems as a limiting factor in the uptake of Web 2.0 type tools in the enterprise. Mashups are insecure. Mashups must not have access to any confidential information or any privileged connections to any servers. Until this is fixed, mashups are constrained to only trivial applications. Douglas Crockford, Architect, Yahoo!

Motivation for MashSSL Mutual Authentication Data Encryption Site A talks through Alice to various other sites Site B provides a payment button Site C acts as an Identity Provider to Site A Site D is an OAuth Service Provider to Site A Site E wants to accept cross domain XHR from Site A And so on Web experiences are increasingly mashups! But Alice could be Evil Eve! How do sites authenticate each other via browser? Today for each problem different underlying crypto protocols are ginned up and credentials distributed. Site A has crypto s/w and credential management headache! Would be nice if we could build standard secure pipe from site to browser to site. 5

Deconstructing mashups In server side mashups the user authorizes the masher to get her data from multiple sources and serve it to her mashed. Industry moving towards standard called OAuth to avoid user having to give up her credentials. All the parties in the mashup need to either provision or obtain OAuth credentials and manage them. And they have to repeat expensive cryptographic operations for each mashup. For good security reasons XHR was restricted by the Same Origin Policy. But the new cross domain XHR specification allows for creation of client side mashups. The mashees examine ORIGIN header and their Access Control List (ACL) to allow or deny access. Does not protect the business. ORIGIN header can easily be spoofed. Managing ACLs can be cumbersome. Additional new cryptography and new credentials are likely required to layer in real trust, as cross domain XHR can otherwise be very dangerous. This architecture is also gaining popularity, e.g. OpenAJAX. Microsoft is working on approaches to sandbox widgets IBM has contributed ways to police inter widget communication. Google s CAJA provides ways of writing safer widgets. All these efforts have merit and this line of work in increasing mashup security is important and must continue. But they do not address the issue of WHERE a widget came from. Joe the CSO would like to ensure his users are only downloading widgets from trusted partners.

Why start with TLS? Pros: New protocols take years to mature. TLS handshake is probably the world s most carefully studied mutual authentication and key exchange protocol. Very efficient: Only initial handshake needs PKI processing. Trust infrastructure exists (get and manage SSL certificates) Cons: TLS does not allow MITMs. Our problem is multi-party. TLS usually runs over TCP. For us the transport is HTTP. TLS (for very good reason) is large and complex. World seems to want simple RESTful protocol Very powerful pros suggest we start with TLS, and try and address the cons. 7

MashSSL in a nutshell Introduces concept of friend in the middle to make TLS multi-party. Takes RFC 5246 handshake messages and exchanges them as name value pairs over HTTP via browser. Only implements core subset of TLS (e.g. no renego!) to keep it simple. Adding optimization to make abbreviated handshake two step. http://www.ietf.org/mail-archive/web/tls/current/msg05728.html In general never defines something already defined in RFC 5246 and simply points to it. 8

MashSSL in a picture Absolutely no change at user agent, no add ons, downloads, etc. MashSSL Web Toolkit MashSSL Web Toolkit Standard SSL cert Standard SSL cert Result: Secure pipe between two web apps over which any mashup protocol can be run. 9

MashSSL and TLS Likely scenario: Two independent TLS sessions over TCP pipes Over which are two independent HTTP sessions Over which is overlaid a MashSSL pipe On top of which one can run OAUth, OpenID, cdxhr, etc. 10

MashSSL: Actors and Layers Legend (opt) SSL Pipe HTTP Session MashSSL Payload MashSSL Protocol End user at User Agent (UA) MashSSL abbreviated optimized handshake messages runs via UA. MashSSL encrypts payload using encryption keys derived uniquely for each session from master_secret and abbv. handshake params. Web App 1 Web App 2 MashSSL full handshake runs directly between Web App 1 and Web App 2. Uses long term SSL certificate and private key to exchange short term master_secret. 11

e.g. MashSSL for Cross Domain XHR Alice Alice is on Movie_site Movie_site Rare_footage Alice clicks on Rare_footage link. Cross domain XHR invoked. Rare_footage runs MashSSL with Movie_site via Alice s browser. Once Rare_footage is convinced it is dealing with a valid business partner, it returns appropriate response in ACL and browser allows transaction. Note browser not trusted Rare_footage is the policy enforcement point.

e.g. OpenID over MashSSL Legend (opt) SSL Pipe HTTP Session MashSSL Payload MashSSL Protocol OpenID Msgs End user at User Agent (UA) MashSSL abbreviated optimized handshake Encrypt OpenID auth req and assertion handshake. Note encryption key is unique to each handshake. Relying Party (RP) OpenID Provider Define additional association types MashSSL-SHA1 and MASHSSL-SHA256. Use (OP) MashSSL full handshake (instead of DH) to establish association MAC key-source. 13

How does MashSSL stack up? 1. Single solution for all situations where problem manifests. MashSSL is a fundamental Internet building block that has countless uses. 2. Lightweight RESTful application level protocol (HTTP). Standard defined in simple RESTful fashion. 3. No new crypto protocol please. Takes up to a decade to build trust. Reuses SSL. Reuses whatever authentication is in place for scrambling. 4. Trust browser as little as possible. Browser cannot spoof either web application! 5. Don t ask us to get and manage new credentials from new authorities. Standard SSL certificates can be used. 6. Don t use user authentication as proxy for B2B authentication. Web applications authenticating each other (through browser) 7. Think scale. Do not repeat expensive PKI operations. Reuses SSL abbreviated handshake to avoid repeating PKI operations. 14

Towards standardization For current specification and open source software please visit MashSSL Alliance site. http://www.mashssl.org W3C Incubator: http://www.w3.org/2005/incubator/mashssl Final Report in a few weeks. Welcome participation from all! 15

Questions & Answers Thank You! 16

SSL revisited sessionid, R1 Client Cert R2, server_certificate, client_authentication_request encrypt(r3,server_public_key), sign(rhash, client_private_key), client_certificate, client.verify server.verify Server Cert CLIENT encrypt(data, master_secret) A conceptual view of the SSL handshake in the case where both parties have digital certificates and will mutually authenticate. After the four messages, both sides can encrypt data using a shared master_secret which is derived from R1, R2 and R3. SERVER SSL protocol is widely used and trusted. Ability to reuse session without repeating PKI operations. Trust infrastructure CAs already exist. And is constantly being improved (TLS 1.2, EV certs). Many mashup apps already have SSL certs! 17

SSL revisited sessionid, R1 Client Cert R2, server_certificate, client_authentication_request encrypt(r3,server_public_key), sign(rhash, client_private_key), client_certificate, client.verify server.verify Server Cert CLIENT encrypt(data, master_secret) A conceptual view of the SSL handshake in the case where both parties have digital certificates and will mutually authenticate. After the four messages, both sides can encrypt data using a shared master_secret which is derived from R1, R2 and R3. SERVER And, it is believed that the protocol is secure even in the presence of one or more MITM(s). One of the strongest claims one can make of a crypto protocol! 18

Lets ask for the impossible sessionid, R1 Client Cert R2, server_certificate, client_authentication_request encrypt(r3,server_public_key), sign(rhash, client_private_key), client_certificate, client.verify server.verify Server Cert CLIENT encrypt(data, master_secret) A conceptual view of the SSL handshake in the case where both parties have digital certificates and will mutually authenticate. After the four messages, both sides can encrypt data using a shared master_secret which is derived from R1, R2 and R3. SERVER Can we insert MITMs that manipulate protocol messages, but which 1.Allow successful execution of protocol 2.Do not compromise underlying security of protocol The very surprising non-intuitive answer is: YES WE CAN! 19

Introducing MashSSL And, if they subsequently do mashup for another user Fran they simply use the SSL abbreviated handshake which avoids repeating the PKI operations. (In practice we will use optimized handshake and encrypted payload will accompany initial message.) 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information