

  1. Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015 Göschlberger/Göttfert 1

  2. Introduction
  • Research Studios Austria FG – MicroLearning and Information Environments
  • Bernhard Göschlberger – research field: Technology Enhanced Learning
  • Sebastian Göttfert – Computer Science @JKU
  • Research project: KnowledgeMgmt platform – extend the existing platform seamlessly

  3. Problem
  • Legacy system
    – 12,000 existing accounts
    – Continuous changes
    – Closed registration
  • Single sign-on
    – Use the existing accounts
    – Authenticate users to third-party apps

  4. Existing standards/solutions
  • Authorization:
    – OAuth 2.0
  • Authentication:
    – SAML
    – OpenID Connect
    – JWT

  5. SAML – Security Assertion Markup Language
  • Identity Provider (IdP)
    – Issues assertions
  • Digital signature
    – Authentication and message integrity
  • Service Provider (SP)
    – Trusts the IdP
    – Validates the signature
    – Grants authorization based on the assertions

  6. JWT – JSON Web Tokens
  • Compact, URL-safe representation of claims
  • Self-contained
    – Header
    – Claim set
    – Signature
  • Less flexible but much simpler than SAML
  • Used by
    – OAuth 2.0
    – OpenID Connect
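The three parts the slide lists (header, claim set, signature) in working form. This is an added example written for this page, not code from the slides or from the minSSO library: a minimal HS256 JWT signer and verifier using only the Go standard library. The key, the claims and the timestamps are constructed for the demo; the verifier pins the algorithm to HS256 before checking the MAC, which is the check that keeps a "compact, self-contained" token from being accepted with `alg: none` or with an asymmetric algorithm mismatched against an HMAC key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// signHS256 builds header.payload.signature with the header fixed to HS256.
func signHS256(key []byte, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks the alg header, then the MAC (constant-time), then the
// claims; `now` is a Unix timestamp used for the exp check so the function is
// deterministic in tests.
func verifyHS256(key []byte, token string, now int64) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose how it is verified.
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	// JSON numbers decode as float64; exp is seconds since the epoch.
	if exp, ok := claims["exp"].(float64); ok && int64(exp) <= now {
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```

The MAC covers the two base64 segments exactly as transmitted, so verification re-encodes nothing; a verifier that first decodes and re-serialises the JSON would be checking a different byte string than the one that was signed.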

  7. Standards implementation
  • Service Provider:
    – Easy, cheap
    – Many frameworks and libraries
  • Identity Providers:
    – Heavyweight
    – Complex
    – Full software solutions available
  • In general:
    – Standards try to cover (almost) every use case
    – Tend to get complex and bulky

  8. Previous approach
  • No single sign-on
  • Authorization via a backend web service:
    – "Is this a valid user?"
  • Problems:
    – Weak web-service protection (static API key)
    – Password is sent in cleartext
    – Phishing: the third party gets the user's password

  9. Chosen approach
  • Claim based
    – Authorisation
    – Authentication
  • Simple issuance by the legacy system
  • Signed and encrypted
  • POST binding
  • Additional security on top of TLS

  10. Authentication flow

  11. First step – Service Provider I
  • Generate a random one-time secret for symmetric encryption (= nonce)
    – The nonce has to be attached to the user session to detect replay attacks
  • Encrypt the nonce and the return URL with the public key of the IdP
    – Only the IdP should be able to decrypt this!
  • Outside the library: send the encrypted nonce and return URL to the IdP

  12. First step – Service Provider II

  13. Second step – Identity Provider I
  • (Precondition: the user has successfully logged in)
  • Decrypt the nonce and the return URL
  • Calculate a signature over the user info (with the IdP's private key)
  • Encrypt the user info with the nonce
  • Encrypt the nonce with the public key of the SP
  • Outside the library: send the signature, the encrypted nonce and the encrypted user info to the return URL

  14. Second step – Identity Provider II

  15. Third step – Service Provider I
  • Decrypt the nonce
    – Equal to the initial nonce?
  • Decrypt the user info with the nonce
    – Does the user info match the signature?

  16. Third step – Service Provider II
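The three steps of slides 11 to 16 as one complete exchange, both sides included. This is an added example written for this page in Go, not the minSSO code from the talk (whose language and internals the slides do not show). The slides name no primitives, so the concrete choices here are assumptions: RSA-OAEP for "encrypt with the public key", AES-256-GCM keyed directly by the 32-byte nonce for "encrypt with the nonce", RSA-PSS for the signature, and JSON with the field names shown as the POST body. The session store, the `setup` key generation and the sample user info are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
)

// Wire formats are this example's assumptions; encoding/json base64-encodes []byte fields.
type step1 struct { // SP -> IdP, sealed under the IdP public key
	Nonce     []byte `json:"nonce"`
	ReturnURL string `json:"return_url"`
}
type step2 struct { // IdP -> SP, posted to the return URL
	SealedNonce []byte `json:"sealed_nonce"` // nonce under the SP public key
	UserInfo    []byte `json:"user_info"`    // AES-256-GCM(key=nonce), IV prepended
	Signature   []byte `json:"signature"`    // RSA-PSS over the plaintext user info
}
type party struct { // used for both the SP and the IdP
	key      *rsa.PrivateKey
	peerPub  *rsa.PublicKey
	sessions map[string][]byte // SP only: pending nonce per session, consumed on use
}

func seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func unseal(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Step 1 (SP): fresh 256-bit one-time secret, bound to the session, sealed for the IdP.
func (sp *party) start(sessionID, returnURL string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sp.sessions[sessionID] = nonce
	plain, _ := json.Marshal(step1{Nonce: nonce, ReturnURL: returnURL})
	return seal(sp.peerPub, plain)
}
// Step 2 (IdP): runs only after the legacy login succeeded; returns the URL to POST to and the body.
func (idp *party) respond(sealedReq, userInfo []byte) (string, []byte, error) {
	plain, err := unseal(idp.key, sealedReq)
	if err != nil { return "", nil, err }
	var req step1
	if err := json.Unmarshal(plain, &req); err != nil { return "", nil, err }
	digest := sha256.Sum256(userInfo)
	sig, err := rsa.SignPSS(rand.Reader, idp.key, crypto.SHA256, digest[:], nil)
	if err != nil { return "", nil, err }
	aead, err := gcm(req.Nonce)
	if err != nil { return "", nil, err }
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil { return "", nil, err }
	ct := aead.Seal(iv, iv, userInfo, nil) // iv || ciphertext || tag
	sealedNonce, err := seal(idp.peerPub, req.Nonce)
	if err != nil { return "", nil, err }
	body, _ := json.Marshal(step2{SealedNonce: sealedNonce, UserInfo: ct, Signature: sig})
	return req.ReturnURL, body, nil
}
// Step 3 (SP): the nonce must be the one pending for this session and is consumed here,
// so a replayed or cross-session response fails before anything else is trusted.
func (sp *party) finish(sessionID string, body []byte) ([]byte, error) {
	var r step2
	if err := json.Unmarshal(body, &r); err != nil { return nil, err }
	nonce, err := unseal(sp.key, r.SealedNonce)
	if err != nil { return nil, err }
	want, ok := sp.sessions[sessionID]
	if !ok || subtle.ConstantTimeCompare(nonce, want) != 1 { return nil, errors.New("nonce does not match this session (replay?)") }
	delete(sp.sessions, sessionID)
	aead, err := gcm(nonce)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(r.UserInfo) < n { return nil, errors.New("ciphertext too short") }
	info, err := aead.Open(nil, r.UserInfo[:n], r.UserInfo[n:], nil) // verifies the GCM tag
	if err != nil { return nil, err }
	digest := sha256.Sum256(info)
	if rsa.VerifyPSS(sp.peerPub, crypto.SHA256, digest[:], r.Signature, nil) != nil { return nil, errors.New("IdP signature invalid") }
	return info, nil
}

// setup generates throwaway 2048-bit key pairs for both parties (demo only).
func setup() (*party, *party, error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	sp := &party{key: spKey, peerPub: &idpKey.PublicKey, sessions: map[string][]byte{}}
	return sp, &party{key: idpKey, peerPub: &spKey.PublicKey}, nil
}
```

The "equal to the initial nonce?" check of slide 15 is implemented as a lookup against the session's pending nonce followed by deleting it, which is what turns the nonce into a replay detector: the same response body delivered a second time, or delivered into a different session, is rejected before the user info is decrypted. Two things a deployment would add that the slides do not cover and this example deliberately leaves out: the IdP should accept only return URLs registered for a known SP, and the user info should carry an issue time or expiry so a signed-and-encrypted blob cannot be kept for later use.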

  17. Live demo http://localhost/deepsec/legacy

  18. Result & Conclusion
  • minSSO library
    – IdP: 114 loc (92 sloc)
    – SP: 156 loc (129 sloc)
    – https://github.com/bgoeschi/minSSO
  • Conclusions
    – SSO doesn't need to be a hassle
    – Legacy system as IdP is feasible

  19. Questions & Answers – Any questions?
