Extending a Legacy Platform: Providing a Minimalistic, Secure Single-Sign-On Library
20/11/2015 Göschlberger/Göttfert
Introduction
• Research Studios Austria FG – MicroLearning and Information Environments
• Bernhard Göschlberger – Research field: Technology Enhanced Learning
• Sebastian Göttfert – Computer Science @JKU
• Research project: KnowledgeMgmt-Plattform
  – Extend the existing platform seamlessly
Problem
• Legacy system
  – 12,000 existing accounts
  – Continuous changes
  – Closed registration
• Single Sign-On
  – Use the existing accounts
  – Authenticate users to third-party apps
Existing standards/solutions
• Authorization:
  – OAuth 2.0
• Authentication:
  – SAML
  – OpenID Connect
  – JWT
SAML – Security Assertion Markup Language
• Identity Provider (IdP)
  – Issues assertions
• Digital signature
  – Authentication and message integrity
• Service Provider (SP)
  – Trusts the IdP
  – Validates the signature
  – Grants authorization based on the assertions
JWT – JSON Web Tokens
• Compact, URL-safe representation of claims
• Self-contained
  – Header
  – Claim set
  – Signature
• Less flexible but much simpler than SAML
• Used by
  – OAuth 2.0
  – OpenID Connect
Standards implementation
• Service Provider:
  – Easy, cheap
  – Many frameworks and libraries
• Identity Provider:
  – Heavyweight
  – Complex
  – Full software solutions available
• In general:
  – Standards try to cover (almost) every use case
  – Tend to get complex and bulky
Previous approach
• No single sign-on
• Authorization via a backend web service:
  – Is this a valid user?
• Problems:
  – Weak web service protection (static API key)
  – Password is sent in cleartext
  – Phishing (the third party gets the password)
Chosen approach
• Claim based
  – Authorization
  – Authentication
• Simple issuance by the legacy system
• Signed and encrypted
• POST binding
• Additional security on top of TLS
Authentication flow
First step – Service Provider I
• Generate a random one-time secret for symmetric encryption (= nonce)
  – The nonce has to be attached to the user session to detect replay attacks
• Encrypt the nonce and the return URL with the public key of the IdP
  – Only the IdP should be able to decrypt this!
• Outside the library: send the nonce and the return URL to the IdP
First step – Service Provider II
Second step – Identity Provider I
• (Precondition: the user has successfully logged in)
• Decrypt the nonce and the return URL
• Calculate the signature of the user info
• Encrypt the user info with the nonce
• Encrypt the nonce with the public key of the SP
• Outside the library: send the signature, the encrypted nonce and the encrypted user info to the return URL
Second step – Identity Provider II
Third step – Service Provider I
• Decrypt the nonce
  – Equal to the initial nonce?
• Decrypt the user info with the nonce
  – Does the user info match the signature?
Third step – Service Provider II
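The three steps above carried through end to end, as an added example that is not the minSSO library's code. It assumes RSA-OAEP for the two asymmetric encryptions, AES-256-GCM under the nonce for the user info and a PKCS#1 v1.5 SHA-256 signature over the user info; the POST transport and the session store stay outside, as in the slides.

```ruby
require 'openssl'
require 'securerandom'

# Assumed primitives (the slides name none): RSA-OAEP for the asymmetric parts and
# AES-256-GCM under the 32-byte nonce, which thus doubles as the one-time symmetric key.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
def rsa_seal(pub, data); pub.public_encrypt(data, OAEP); end
def rsa_open(priv, data); priv.private_decrypt(data, OAEP); end

def aes_seal(key, plain)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plain) + c.final
  iv + c.auth_tag + ct # 12-byte IV, 16-byte tag, ciphertext
end

def aes_open(key, boxed)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = boxed[0, 12]
  d.auth_tag = boxed[12, 16]
  d.update(boxed[28..]) + d.final # raises CipherError if tampered with
end

# Step 1 (SP): fresh one-time nonce; the SP keeps it in the user's session for step 3.
def sp_start(idp_pub, return_url)
  nonce = SecureRandom.random_bytes(32)
  [nonce, { enc_nonce: rsa_seal(idp_pub, nonce), enc_return_url: rsa_seal(idp_pub, return_url) }]
end

# Step 2 (IdP, user already logged in): decrypt both values, sign the user info, encrypt
# it under the nonce, re-encrypt the nonce to the SP. Also returns the URL to POST to.
def idp_issue(idp_priv, sp_pub, request, user_info)
  nonce = rsa_open(idp_priv, request[:enc_nonce])
  return_url = rsa_open(idp_priv, request[:enc_return_url])
  response = { signature: idp_priv.sign('SHA256', user_info),
               enc_nonce: rsa_seal(sp_pub, nonce),
               enc_user_info: aes_seal(nonce, user_info) }
  [response, return_url]
end

# Step 3 (SP): the nonce must equal the session nonce, the user info must decrypt and verify.
def sp_finish(sp_priv, idp_pub, session_nonce, response)
  nonce = rsa_open(sp_priv, response[:enc_nonce])
  raise 'nonce mismatch: replayed or foreign response' unless OpenSSL.secure_compare(nonce, session_nonce)
  user_info = aes_open(nonce, response[:enc_user_info])
  raise 'signature does not match user info' unless idp_pub.verify('SHA256', response[:signature], user_info)
  user_info
end
```

A response replayed into a different session fails the nonce check before any user info is decrypted, and a modified ciphertext fails GCM authentication before the signature is even consulted.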
Live demo
http://localhost/deepsec/legacy
Result & conclusion
• minSSO library
  – IdP: 114 loc (92 sloc)
  – SP: 156 loc (129 sloc)
  – https://github.com/bgoeschi/minSSO
• Conclusions
  – SSO doesn't need to be a hassle
  – A legacy system as IdP is feasible
Questions & Answers
Any questions?